/mandos/trunk : revision 907

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: Teddy Hogeborn
Date: 2017-08-20 16:20:54 UTC
Revision ID: teddy@recompile.se-20170820162054-jwig602syxx2k4l0

Alter copyright notices slightly.  Actual license is unchanged!

This alters all copyright notices to use the Free Software
Foundation's recommendations for license notices; from
<https://www.gnu.org/licenses/gpl-howto.html>:

  For programs that are more than one file, it is better to replace
  “this program” with the name of the program, and begin the statement
  with a line saying “This file is part of NAME”.

* DBUS-API: Use program name "Mandos" explicitly in license notice.
* debian/copyright: - '' -
* initramfs-unpack: - '' -
* legalnotice.xml: - '' -
* mandos: - '' -
* mandos-ctl: - '' -
* mandos-keygen: - '' -
* mandos-monitor: - '' -
* plugin-helpers/mandos-client-iprouteadddel.c: - '' -
* plugin-runner.c: - '' -
* plugins.d/askpass-fifo.c: - '' -
* plugins.d/mandos-client.c: - '' -
* plugins.d/password-prompt.c: - '' -
* plugins.d/plymouth.c: - '' -
* plugins.d/splashy.c: - '' -
* plugins.d/usplash.c: - '' -

files added:
initramfs-tools-hook-conf

files removed:
debian/mandos-client.templates

debian/mandos.templates

initramfs-tools-conf

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

files modified:
DBUS-API

INSTALL

Makefile

NEWS

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2019-02-10">

<!ENTITY TIMESTAMP "2017-02-23">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

</group>

<sbr/>

<group>

100

<arg choice="plain"><option>--tls-privkey

101

102

<arg choice="plain"><option>-t

103

104

</group>

105

<sbr/>

106

<group>

107

<arg choice="plain"><option>--tls-pubkey

108

109

<arg choice="plain"><option>-T

110

111

</group>

112

<sbr/>

113

<arg>

114

<option>--priority <replaceable>STRING</replaceable></option>

115

</arg>

169

153

brings up network interfaces, uses the interfaces’ IPv6

170

154

link-local addresses to get network connectivity, uses Zeroconf

171

155

to find servers on the local network, and communicates with

172

servers using TLS with a raw public key to ensure authenticity

173

and confidentiality. This client program keeps running, trying

174

all servers on the network, until it receives a satisfactory

175

reply or a TERM signal. After all servers have been tried, all

156

servers using TLS with an OpenPGP key to ensure authenticity and

157

confidentiality. This client program keeps running, trying all

158

servers on the network, until it receives a satisfactory reply

159

or a TERM signal. After all servers have been tried, all

176

160

servers are periodically retried. If no servers are found it

177

161

will wait indefinitely for new servers to appear.

178

162

</para>

322

306

</varlistentry>

323

307

324

308

325

<term><option>--tls-pubkey=<replaceable

326

>FILE</replaceable></option></term>

327

<term><option>-T

328

329

330

<para>

331

TLS raw public key file name. The default name is

332

<quote><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

333

></quote>.

334

</para>

335

</listitem>

336

</varlistentry>

337

338

339

<term><option>--tls-privkey=<replaceable

340

>FILE</replaceable></option></term>

341

<term><option>-t

342

343

344

<para>

345

TLS secret key file name. The default name is

346

<quote><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

347

></quote>.

348

</para>

349

</listitem>

350

</varlistentry>

351

352

353

309

<term><option>--priority=<replaceable

354

310

>STRING</replaceable></option></term>

355

311

365

321

<para>

366

322

Sets the number of bits to use for the prime number in the

367

323

TLS Diffie-Hellman key exchange. The default value is

368

selected automatically based on the GnuTLS security

369

profile set in its priority string. Note that if the

370

<option>--dh-params</option> option is used, the values

371

from that file will be used instead.

324

selected automatically based on the OpenPGP key. Note

325

that if the <option>--dh-params</option> option is used,

326

the values from that file will be used instead.

372

327

</para>

373

328

</listitem>

374

329

</varlistentry>

726

681

</listitem>

727

682

</varlistentry>

728

683

729

<term><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

730

></term>

731

<term><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

732

></term>

733

734

<para>

735

Public and private raw key files, in <quote>PEM</quote>

736

format. These are the default file names, they can be

737

changed with the <option>--tls-pubkey</option> and

738

<option>--tls-privkey</option> options.

739

</para>

740

</listitem>

741

</varlistentry>

742

743

684

<term><filename

744

685

class="directory">/lib/mandos/network-hooks.d</filename></term>

745

686

787

728

</informalexample>

788

729

789

730

<para>

790

Run in debug mode, and use custom keys:

731

Run in debug mode, and use a custom key:

791

732

</para>

792

733

<para>

793

734

794

735

795

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem</userinput>

736

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

796

737

797

738

</para>

798

739

</informalexample>

799

740

800

741

<para>

801

Run in debug mode, with custom keys, and do not use Zeroconf

742

Run in debug mode, with a custom key, and do not use Zeroconf

802

743

to locate a server; connect directly to the IPv6 link-local

803

744

address <quote><systemitem class="ipaddress"

804

745

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

807

748

<para>

808

749

809

750

810

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

751

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

811

752

812

753

</para>

813

754

</informalexample>

837

778

<para>

838

779

The only remaining weak point is that someone with physical

839

780

access to the client hard drive might turn off the client

840

computer, read the OpenPGP and TLS keys directly from the hard

841

drive, and communicate with the server. To safeguard against

842

this, the server is supposed to notice the client disappearing

843

and stop giving out the encrypted data. Therefore, it is

844

important to set the timeout and checker interval values tightly

845

on the server. See <citerefentry><refentrytitle

781

computer, read the OpenPGP keys directly from the hard drive,

782

and communicate with the server. To safeguard against this, the

783

server is supposed to notice the client disappearing and stop

784

giving out the encrypted data. Therefore, it is important to

785

set the timeout and checker interval values tightly on the

786

server. See <citerefentry><refentrytitle

846

787

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

847

788

</para>

848

789

<para>

908

849

<para>

909

850

GnuTLS is the library this client uses to implement TLS for

910

851

communicating securely with the server, and at the same time

911

send the public key to the server.

852

send the public OpenPGP key to the server.

912

853

</para>

913

854

</listitem>

914

855

</varlistentry>

980

921

</varlistentry>

981

922

982

923

<term>

983

RFC 7250: <citetitle>Using Raw Public Keys in Transport

984

Layer Security (TLS) and Datagram Transport Layer Security

985

(DTLS)</citetitle>

986

</term>

987

988

<para>

989

This is implemented by GnuTLS in version 3.6.6 and is, if

990

present, used by this program so that raw public keys can be

991

used.

992

</para>

993

</listitem>

994

</varlistentry>

995

996

<term>

997

924

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

998

925

Security</citetitle>

999

926

</term>

1000

927

1001

928

<para>

1002

This is implemented by GnuTLS before version 3.6.0 and is,

1003

if present, used by this program so that OpenPGP keys can be

1004

used.

929

This is implemented by GnuTLS and used by this program so

930

that OpenPGP keys can be used.

1005

931

</para>

1006

932

</listitem>

1007

933

</varlistentry>

Older »