/mandos/trunk : revision 95

3

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

4

<!ENTITY VERSION "1.0">

5

<!ENTITY COMMANDNAME "mandos">

6

<!ENTITY TIMESTAMP "2008-09-02">

7

6

]>

8

7

9

8

10

9

11

<title>Mandos Manual</title>

10

<title>&COMMANDNAME;</title>

12

11

13

<productname>Mandos</productname>

12

<productname>&COMMANDNAME;</productname>

14

13

<productnumber>&VERSION;</productnumber>

15

<date>&TIMESTAMP;</date>

16

14

17

15

18

16

<firstname>Björn</firstname>

34

32

<holder>Teddy Hogeborn</holder>

35

33

<holder>Björn Påhlsson</holder>

36

34

</copyright>

37

<xi:include href="legalnotice.xml"/>

35

36

<para>

37

This manual page is free software: you can redistribute it

38

and/or modify it under the terms of the GNU General Public

39

License as published by the Free Software Foundation,

40

either version 3 of the License, or (at your option) any

41

later version.

42

</para>

43

44

<para>

45

This manual page is distributed in the hope that it will

46

be useful, but WITHOUT ANY WARRANTY; without even the

47

implied warranty of MERCHANTABILITY or FITNESS FOR A

48

PARTICULAR PURPOSE. See the GNU General Public License

49

for more details.

50

</para>

51

52

<para>

53

You should have received a copy of the GNU General Public

54

License along with this program; If not, see

55

<ulink url="http://www.gnu.org/licenses/"/>.

56

</para>

57

</legalnotice>

38

58

</refentryinfo>

39

59

40

60

45

65

46

66

<refname><command>&COMMANDNAME;</command></refname>

47

67

48

Gives encrypted passwords to authenticated Mandos clients

68

Sends encrypted passwords to authenticated Mandos clients

49

69

</refpurpose>

50

70

</refnamediv>

51

71

52

72

53

73

54

74

<command>&COMMANDNAME;</command>

55

<group>

56

<arg choice="plain"><option>--interface

57

58

<arg choice="plain"><option>-i

59

60

</group>

61

<sbr/>

62

<group>

63

<arg choice="plain"><option>--address

64

<replaceable>ADDRESS</replaceable></option></arg>

65

<arg choice="plain"><option>-a

66

<replaceable>ADDRESS</replaceable></option></arg>

67

</group>

68

<sbr/>

69

<group>

70

<arg choice="plain"><option>--port

71

72

<arg choice="plain"><option>-p

73

74

</group>

75

<sbr/>

76

<arg><option>--priority

77

<replaceable>PRIORITY</replaceable></option></arg>

78

<sbr/>

79

<arg><option>--servicename

80

81

<sbr/>

82

<arg><option>--configdir

83

<replaceable>DIRECTORY</replaceable></option></arg>

84

<sbr/>

85

<arg><option>--debug</option></arg>

75

<arg>--interface<arg choice="plain">IF</arg></arg>

76

<arg>--address<arg choice="plain">ADDRESS</arg></arg>

77

78

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

79

<arg>--servicename<arg choice="plain">NAME</arg></arg>

80

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

81

<arg>--debug</arg>

82

</cmdsynopsis>

83

84

<command>&COMMANDNAME;</command>

85

86

<arg>-a<arg choice="plain">ADDRESS</arg></arg>

87

88

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

89

<arg>--servicename<arg choice="plain">NAME</arg></arg>

90

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

91

<arg>--debug</arg>

86

92

</cmdsynopsis>

87

93

88

94

<command>&COMMANDNAME;</command>

89

95

90

91

96

97

92

98

</group>

93

99

</cmdsynopsis>

94

100

95

101

<command>&COMMANDNAME;</command>

96

<arg choice="plain"><option>--version</option></arg>

102

<arg choice="plain">--version</arg>

97

103

</cmdsynopsis>

98

104

99

105

<command>&COMMANDNAME;</command>

100

<arg choice="plain"><option>--check</option></arg>

106

<arg choice="plain">--check</arg>

101

107

</cmdsynopsis>

102

108

</refsynopsisdiv>

103

109

115

121

Any authenticated client is then given the stored pre-encrypted

116

122

password for that specific client.

117

123

</para>

124

118

125

</refsect1>

119

126

120

127

121

128

<title>PURPOSE</title>

129

122

130

<para>

123

131

The purpose of this is to enable <emphasis>remote and unattended

124

132

rebooting</emphasis> of client host computer with an

125

133

<emphasis>encrypted root file system</emphasis>. See <xref

126

134

linkend="overview"/> for details.

127

135

</para>

136

128

137

</refsect1>

129

138

130

139

131

140

<title>OPTIONS</title>

141

132

142

133

143

134

135

144

136

145

137

146

<para>

138

147

Show a help message and exit

139

148

</para>

140

149

</listitem>

141

150

</varlistentry>

142

151

143

152

144

<term><option>--interface</option>

145

146

147

153

<term><literal>-i</literal>, <literal>--interface <replaceable>

154

IF</replaceable></literal></term>

148

155

149

156

<xi:include href="mandos-options.xml" xpointer="interface"/>

150

157

</listitem>

151

158

</varlistentry>

152

159

153

160

154

<term><option>--address

155

<replaceable>ADDRESS</replaceable></option></term>

156

<term><option>-a

157

<replaceable>ADDRESS</replaceable></option></term>

161

<term><literal>-a</literal>, <literal>--address <replaceable>

162

ADDRESS</replaceable></literal></term>

158

163

159

164

<xi:include href="mandos-options.xml" xpointer="address"/>

160

165

</listitem>

161

166

</varlistentry>

162

167

163

168

164

<term><option>--port

165

166

<term><option>-p

167

169

170

PORT</replaceable></literal></term>

168

171

169

172

<xi:include href="mandos-options.xml" xpointer="port"/>

170

173

</listitem>

171

174

</varlistentry>

172

175

173

176

174

<term><option>--check</option></term>

177

<term><literal>--check</literal></term>

175

178

176

179

<para>

177

180

Run the server’s self-tests. This includes any unit

179

182

</para>

180

183

</listitem>

181

184

</varlistentry>

182

185

183

186

184

<term><option>--debug</option></term>

187

<term><literal>--debug</literal></term>

185

188

186

189

<xi:include href="mandos-options.xml" xpointer="debug"/>

187

190

</listitem>

188

191

</varlistentry>

189

192

190

193

191

<term><option>--priority <replaceable>

192

PRIORITY</replaceable></option></term>

194

<term><literal>--priority <replaceable>

195

PRIORITY</replaceable></literal></term>

193

196

194

197

<xi:include href="mandos-options.xml" xpointer="priority"/>

195

198

</listitem>

196

199

</varlistentry>

197

200

198

201

199

<term><option>--servicename

200

202

<term><literal>--servicename <replaceable>NAME</replaceable>

203

</literal></term>

201

204

202

205

<xi:include href="mandos-options.xml"

203

206

xpointer="servicename"/>

205

208

</varlistentry>

206

209

207

210

208

<term><option>--configdir

209

<replaceable>DIRECTORY</replaceable></option></term>

211

<term><literal>--configdir <replaceable>DIR</replaceable>

212

</literal></term>

210

213

211

214

<para>

212

215

Directory to search for configuration files. Default is

220

223

</varlistentry>

221

224

222

225

223

<term><option>--version</option></term>

226

<term><literal>--version</literal></term>

224

227

225

228

<para>

226

229

Prints the program version and exit.

236

239

<para>

237

240

This program is the server part. It is a normal server program

238

241

and will run in a normal system environment, not in an initial

239

<acronym>RAM</acronym> disk environment.

242

RAM disk environment.

240

243

</para>

241

244

</refsect1>

242

245

334

337

<title>ENVIRONMENT</title>

335

338

336

339

337

340

338

341

339

342

<para>

340

343

To start the configured checker (see <xref

445

448

Normal invocation needs no options:

446

449

</para>

447

450

<para>

448

<userinput>&COMMANDNAME;</userinput>

451

<userinput>mandos</userinput>

449

452

</para>

450

453

</informalexample>

451

454

458

461

<para>

459

462

460

463

461

<userinput>&COMMANDNAME; --debug --configdir ~/mandos --servicename Test</userinput>

464

<userinput>mandos --debug --configdir ~/mandos --servicename Test</userinput>

462

465

463

466

</para>

464

467

</informalexample>

470

473

<para>

471

474

472

475

473

<userinput>&COMMANDNAME; --interface eth7 --address fe80::aede:48ff:fe71:f6f2</userinput>

476

<userinput>mandos --interface eth7 --address fe80::aede:48ff:fe71:f6f2</userinput>

474

477

475

478

</para>

476

479

</informalexample>

517

520

restarting servers if it is suspected that a client has, in

518

521

fact, been compromised by parties who may now be running a

519

522

fake Mandos client with the keys from the non-encrypted

520

initial <acronym>RAM</acronym> image of the client host. What

521

should be done in that case (if restarting the server program

522

really is necessary) is to stop the server program, edit the

523

initial RAM image of the client host. What should be done in

524

that case (if restarting the server program really is

525

necessary) is to stop the server program, edit the

523

526

configuration file to omit any suspect clients, and restart

524

527

the server program.

525

528

</para>

535

538

536

539

<para>

537

540

541

<refentrytitle>mandos.conf</refentrytitle>

542

538

543

<refentrytitle>mandos-clients.conf</refentrytitle>

539

544

540

<refentrytitle>mandos.conf</refentrytitle>

541

542

545

<refentrytitle>password-request</refentrytitle>

543

546

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

544

547

569

572

</varlistentry>

570

573

571

574

<term>

572

<ulink url="http://www.gnu.org/software/gnutls/"

573

>GnuTLS</ulink>

575

<ulink

576

url="http://www.gnu.org/software/gnutls/">GnuTLS</ulink>

574

577

</term>

575

578

576

579

<para>

582

585

</varlistentry>

583

586

584

587

<term>

585

RFC 4291: <citetitle>IP Version 6 Addressing

586

Architecture</citetitle>

588

<citation>RFC 4291: <citetitle>IP Version 6 Addressing

589

Architecture</citetitle>, section 2.5.6, Link-Local IPv6

590

Unicast Addresses</citation>

587

591

</term>

588

592

589

590

591

<term>Section 2.2: <citetitle>Text Representation of

592

Addresses</citetitle></term>

593

594

</varlistentry>

595

596

<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6

597

Address</citetitle></term>

598

599

</varlistentry>

600

601

<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast

602

Addresses</citetitle></term>

603

604

<para>

605

The clients use IPv6 link-local addresses, which are

606

immediately usable since a link-local addresses is

607

automatically assigned to a network interfaces when it

608

is brought up.

609

</para>

610

</listitem>

611

</varlistentry>

612

</variablelist>

593

<para>

594

The clients use IPv6 link-local addresses, which are

595

immediately usable since a link-local addresses is

596

automatically assigned to a network interfaces when it is

597

brought up.

598

</para>

613

599

</listitem>

614

600

</varlistentry>

615

601

616

602

<term>

617

RFC 4346: <citetitle>The Transport Layer Security (TLS)

618

Protocol Version 1.1</citetitle>

603

<citation>RFC 4346: <citetitle>The Transport Layer Security

604

(TLS) Protocol Version 1.1</citetitle></citation>

619

605

</term>

620

606

621

607

<para>

625

611

</varlistentry>

626

612

627

613

<term>

628

RFC 4880: <citetitle>OpenPGP Message Format</citetitle>

614

<citation>RFC 4880: <citetitle>OpenPGP Message

615

Format</citetitle></citation>

629

616

</term>

630

617

631

618

<para>

635

622

</varlistentry>

636

623

637

624

<term>

638

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

639

Security</citetitle>

625

<citation>RFC 5081: <citetitle>Using OpenPGP Keys for

626

Transport Layer Security</citetitle></citation>

640

627

</term>

641

628

642

629

<para>

648

635

</variablelist>

649

636

</refsect1>

650

637

</refentry>

651

652

653

654

655