/mandos/trunk

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to intro.xml

Committer: Teddy Hogeborn
Date: 2018-08-15 09:26:02 UTC
Revision ID: teddy@recompile.se-20180815092602-xoyb5s6gf8376i7u

http://bugs.debian.org/894495

mandos-client: Set system clock if necessary

* plugins.d/mandos-client.c (init_gpgme/import_key): If the system
  clock is not set, or set to january 1970, set the system clock to
  the more plausible value that is the mtime of the key file.  This is
  required by GnuPG to be able to import the keys.  (We can't pass the
  --ignore-time-conflict or the --ignore-valid-from options though
  GPGME.)

files added:
initramfs-tools-hook-conf

files removed:
initramfs-tools-conf

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

files modified:
DBUS-API

INSTALL

Makefile

NEWS

clients.conf

common.ent

debian/changelog

debian/control

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.postinst

debian/mandos-client.postrm

initramfs-tools-hook

initramfs-tools-script

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-options.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

Show diffs side-by-side

added added

removed removed

1

1

<?xml version="1.0" encoding="UTF-8"?>

2

2

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

3

3

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

4

<!ENTITY TIMESTAMP "2019-02-09">

4

<!ENTITY TIMESTAMP "2018-02-08">

5

5

<!ENTITY % common SYSTEM "common.ent">

6

6

%common;

7

7

]>

67

67

The computers run a small client program in the initial RAM disk

68

68

environment which will communicate with a server over a network.

69

69

All network communication is encrypted using TLS. The clients

70

are identified by the server using a TLS public key; each client

70

are identified by the server using an OpenPGP key; each client

71

71

has one unique to it. The server sends the clients an encrypted

72

72

password. The encrypted password is decrypted by the clients

73

using a separate OpenPGP key, and the password is then used to

73

using the same OpenPGP key, and the password is then used to

74

74

unlock the root file system, whereupon the computers can

75

75

continue booting normally.

76

76

</para>

200

200

<para>

201

201

No. The server only gives out the passwords to clients which

202

202

have <emphasis>in the TLS handshake</emphasis> proven that

203

they do indeed hold the private key corresponding to that

204

client.

203

they do indeed hold the OpenPGP private key corresponding to

204

that client.

205

205

</para>

206

206

</refsect2>

207

207

Older »