/mandos/trunk : revision 953

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to INSTALL

Committer: Teddy Hogeborn
Date: 2018-08-19 01:35:11 UTC
Revision ID: teddy@recompile.se-20180819013511-cku25q9yeub3dnr0

Adapt to changes in cryptsetup; use "cryptroot-unlock" program

* Makefile (install-client-nokey): Also install new script files
  "mandos-to-cryptroot-unlock" and "initramfs-tools-script-stop".
* debian/mandos-client.dirs: Add
  "usr/share/initramfs-tools/scripts/local-premount".
* initramfs-tools-hook: Also copy "mandos-to-cryptroot-unlock".
* initramfs-tools-script: Only modify keyscript setting in cryptroot
  file if the file exists, otherwise start
  "mandos-to-cryptroot-unlock" in background.
* initramfs-tools-script-stop: New script to make sure plugin-runner
  has stopped before continuing.
* mandos-to-cryptroot-unlock: New script to run plugin-runner and feed
  any password it gets into the "cryptroot-unlock" program.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-tools-script-stop

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

INSTALL

-*- org -*-

* Prerequisites

** Operating System

Debian 8.0 "jessie" or Ubuntu 15.10 "Wily Werewolf" (or later).

This is mostly for the support scripts which make sure that the

client is installed and started in the initial RAM disk environment

and that the initial RAM file system image file is automatically

made unreadable. The server and client programs themselves *could*

be run in other distributions, but they *are* specific to GNU/Linux

systems, and are not written with portabillity to other Unixes in

mind.

** Libraries

The following libraries and packages are needed. (It is possible

that it might work with older versions of some of these, but these

versions are confirmed to work. Newer versions are almost

certainly OK.)

*** Documentation

These are required to build the manual pages for both the server

and client:

+ DocBook 4.5 http://www.docbook.org/

Note: DocBook 5.0 is not compatible.

+ DocBook XSL stylesheets 1.71.0

http://wiki.docbook.org/DocBookXslStylesheets

Package names:

docbook docbook-xsl

To build just the documentation, run the command "make doc". Then

the manual page "mandos.8", for example, can be read by running

"man -l mandos.8".

*** Mandos Server

+ GnuTLS 3.3 https://www.gnutls.org/

+ Avahi 0.6.16 http://www.avahi.org/

+ Python 2.7 https://www.python.org/

+ dbus-python 0.82.4 https://dbus.freedesktop.org/doc/dbus-python/

+ PyGObject 3.7.1 https://wiki.gnome.org/Projects/PyGObject

+ pkg-config https://www.freedesktop.org/wiki/Software/pkg-config/

+ Urwid 1.0.1 http://urwid.org/

(Only needed by the "mandos-monitor" tool.)

Strongly recommended:

+ fping 2.4b2-to-ipv6 http://www.fping.org/

+ ssh-keyscan from OpenSSH http://www.openssh.com/

Package names:

avahi-daemon python python-dbus python-gi python-urwid pkg-config

fping ssh-client

*** Mandos Client

+ GNU C Library 2.16 https://gnu.org/software/libc/

+ initramfs-tools 0.85i

https://tracker.debian.org/pkg/initramfs-tools

+ GnuTLS 3.3 https://www.gnutls.org/

+ Avahi 0.6.16 http://www.avahi.org/

+ GnuPG 1.4.9 https://www.gnupg.org/

+ GPGME 1.1.6 https://www.gnupg.org/related_software/gpgme/

+ pkg-config https://www.freedesktop.org/wiki/Software/pkg-config/

Strongly recommended:

+ OpenSSH http://www.openssh.com/

Package names:

initramfs-tools libgnutls-dev libavahi-core-dev gnupg

libgpgme11-dev pkg-config ssh

* Installing the Mandos server

1. Do "make doc".

2. On the computer to run as a Mandos server, run the following

command:

For Debian: su -c 'make install-server'

For Ubuntu: sudo make install-server

(This creates a configuration without any clients configured; you

need an actually configured client to do that; see below.)

* Installing the Mandos client.

1. Do "make all doc".

2. On the computer to run as a Mandos client, run the following

command:

For Debian: su -c 'make install-client'

For Ubuntu: sudo make install-client

This will also create an OpenPGP key, which will take some time

and entropy, so be patient.

3. Run the following command:

100

For Debian: su -c 'mandos-keygen --password'

101

For Ubuntu: sudo mandos-keygen --password

102

103

When prompted, enter the password/passphrase for the encrypted

104

root file system on this client computer. The command will

105

output a section of text, starting with a [section header]. Copy

106

and append this to the file "/etc/mandos/clients.conf" *on the

107

server computer*.

108

109

4. Configure the client to use any special configuration needed for

110

your local system. Note: This is not necessary if the server is

111

present on the same wired local network as the client. If you do

112

make changes to /etc/mandos/plugin-runner.conf, the initrd.img

113

file must be updated, possibly using the following command:

114

115

# update-initramfs -k all -u

116

117

5. On the server computer, start the server by running the command

118

For Debian: su -c 'invoke-rc.d mandos start'

119

For Ubuntu: sudo service mandos start

120

121

At this point, it is possible to verify that the correct password

122

will be received by the client by running the command:

123

124

# /usr/lib/mandos/plugins.d/mandos-client \

125

--pubkey=/etc/keys/mandos/pubkey.txt \

126

--seckey=/etc/keys/mandos/seckey.txt; echo

127

128

This command should retrieve the password from the server,

129

decrypt it, and output it to standard output.

130

131

After this, the client computer should be able to reboot without

132

needing a password entered on the console, as long as it does not

133

take more than five minutes to reboot.

134

135

* Further customizations

136

137

You may want to tighten or loosen the timeouts in the server

138

configuration files; see mandos.conf(5) and mandos-clients.conf(5).

139

If IPsec is not used and SSH is not installed, it is suggested that

140

a more cryptographically secure checker program is used and

141

configured, since, without IPsec, ping packets can be faked.

142

143

#+STARTUP: showall

Older »