/mandos/trunk : revision 955

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: Teddy Hogeborn
Date: 2018-08-19 14:32:00 UTC
Revision ID: teddy@recompile.se-20180819143200-8j8sc2hv4ovjqo11

Remove workaround for old mkinitramfs-kpkg

* Makefile (install-client-nokey): Do not install
  "initramfs-tools-hook-conf".
* debian/control (mandos-client/Depends): Add "(>= 0.99)" to
  dependency on "initramfs-tools", since that is the version which
  removed mkinitramfs-kpkg.
* debian/mandos-client.dirs: Remove
  "usr/share/initramfs-tools/conf-hooks.d".
* initramfs-tools-hook-conf: Removed.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-tools-conf

initramfs-tools-script-stop

initramfs-unpack

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "password-request">

<!ENTITY TIMESTAMP "2008-09-03">

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2018-02-08">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&VERSION;</productnumber>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="../legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

<refname><command>&COMMANDNAME;</command></refname>

Client for mandos

Client for <application>Mandos</application>

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--connect

<replaceable>IPADDR</replaceable><literal>:</literal

<replaceable>ADDRESS</replaceable><literal>:</literal

><replaceable>PORT</replaceable></option></arg>

<arg choice="plain"><option>-c

<replaceable>IPADDR</replaceable><literal>:</literal

<replaceable>ADDRESS</replaceable><literal>:</literal

><replaceable>PORT</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--keydir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

<replaceable>NAME</replaceable><arg rep='repeat'

>,<replaceable>NAME</replaceable></arg></option></arg>

<arg choice="plain"><option>-i <replaceable>NAME</replaceable

><arg rep='repeat'>,<replaceable>NAME</replaceable></arg

></option></arg>

</group>

<sbr/>

<group>

104

</arg>

105

<sbr/>

100

106

<arg>

107

<option>--dh-params <replaceable>FILE</replaceable></option>

108

</arg>

109

<sbr/>

110

<arg>

111

<option>--delay <replaceable>SECONDS</replaceable></option>

112

</arg>

113

<sbr/>

114

<arg>

115

<option>--retry <replaceable>SECONDS</replaceable></option>

116

</arg>

117

<sbr/>

118

<arg>

119

<option>--network-hook-dir

120

121

</arg>

122

<sbr/>

123

<arg>

101

124

<option>--debug</option>

102

125

</arg>

103

126

</cmdsynopsis>

120

143

</group>

121

144

</cmdsynopsis>

122

145

</refsynopsisdiv>

123

146

124

147

125

148

<title>DESCRIPTION</title>

126

149

<para>

127

150

<command>&COMMANDNAME;</command> is a client program that

128

151

communicates with <citerefentry><refentrytitle

129

152

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>

130

to get a password. It uses IPv6 link-local addresses to get

131

network connectivity, Zeroconf to find servers, and TLS with an

132

OpenPGP key to ensure authenticity and confidentiality. It

133

keeps running, trying all servers on the network, until it

134

receives a satisfactory reply or a TERM signal is recieved.

153

to get a password. In slightly more detail, this client program

154

brings up network interfaces, uses the interfaces’ IPv6

155

link-local addresses to get network connectivity, uses Zeroconf

156

to find servers on the local network, and communicates with

157

servers using TLS with an OpenPGP key to ensure authenticity and

158

confidentiality. This client program keeps running, trying all

159

servers on the network, until it receives a satisfactory reply

160

or a TERM signal. After all servers have been tried, all

161

servers are periodically retried. If no servers are found it

162

will wait indefinitely for new servers to appear.

163

</para>

164

<para>

165

The network interfaces are selected like this: If any interfaces

166

are specified using the <option>--interface</option> option,

167

those interface are used. Otherwise,

168

<command>&COMMANDNAME;</command> will use all interfaces that

169

are not loopback interfaces, are not point-to-point interfaces,

170

are capable of broadcasting and do not have the NOARP flag (see

171

<citerefentry><refentrytitle>netdevice</refentrytitle>

172

<manvolnum>7</manvolnum></citerefentry>). (If the

173

<option>--connect</option> option is used, point-to-point

174

interfaces and non-broadcast interfaces are accepted.) If any

175

used interfaces are not up and running, they are first taken up

176

(and later taken down again on program exit).

177

</para>

178

<para>

179

Before network interfaces are selected, all <quote>network

180

hooks</quote> are run; see <xref linkend="network-hooks"/>.

135

181

</para>

136

182

<para>

137

183

This program is not meant to be run directly; it is really meant

184

230

assumed to separate the address from the port number.

185

231

</para>

186

232

<para>

187

This option is normally only useful for testing and

188

debugging.

233

Normally, Zeroconf would be used to locate Mandos servers,

234

in which case this option would only be used when testing

235

and debugging.

189

236

</para>

190

237

</listitem>

191

238

</varlistentry>

192

239

193

240

194

<term><option>--keydir=<replaceable

195

>DIRECTORY</replaceable></option></term>

196

<term><option>-d

197

<replaceable>DIRECTORY</replaceable></option></term>

198

199

<para>

200

Directory to read the OpenPGP key files

201

<filename>pubkey.txt</filename> and

202

<filename>seckey.txt</filename> from. The default is

203

<filename>/conf/conf.d/mandos</filename> (in the initial

204

<acronym>RAM</acronym> disk environment).

205

</para>

206

</listitem>

207

</varlistentry>

208

209

210

<term><option>--interface=

211

241

<term><option>--interface=<replaceable

242

>NAME</replaceable><arg rep='repeat'>,<replaceable

243

>NAME</replaceable></arg></option></term>

212

244

<term><option>-i

213

245

<replaceable>NAME</replaceable><arg rep='repeat'>,<replaceable

246

>NAME</replaceable></arg></option></term>

214

247

215

248

<para>

216

Network interface that will be brought up and scanned for

217

Mandos servers to connect to. The default it

218

<quote><literal>eth0</literal></quote>.

249

Comma separated list of network interfaces that will be

250

brought up and scanned for Mandos servers to connect to.

251

The default is the empty string, which will automatically

252

use all appropriate interfaces.

253

</para>

254

<para>

255

If the <option>--connect</option> option is used, and

256

exactly one interface name is specified (except

257

<quote><literal>none</literal></quote>), this specifies

258

the interface to use to connect to the address given.

259

</para>

260

<para>

261

Note that since this program will normally run in the

262

initial RAM disk environment, the interface must be an

263

interface which exists at that stage. Thus, the interface

264

can normally not be a pseudo-interface such as

265

<quote>br0</quote> or <quote>tun0</quote>; such interfaces

266

will not exist until much later in the boot process, and

267

can not be used by this program, unless created by a

268

<quote>network hook</quote> — see <xref

269

linkend="network-hooks"/>.

270

</para>

271

<para>

272

<replaceable>NAME</replaceable> can be the string

273

<quote><literal>none</literal></quote>; this will make

274

<command>&COMMANDNAME;</command> only bring up interfaces

275

specified <emphasis>before</emphasis> this string. This

276

is not recommended, and only meant for advanced users.

219

277

</para>

220

278

</listitem>

221

279

</varlistentry>

227

285

228

286

229

287

<para>

230

OpenPGP public key file base name. This will be combined

231

with the directory from the <option>--keydir</option>

232

option to form an absolute file name. The default name is

233

<quote><literal>pubkey.txt</literal></quote>.

288

OpenPGP public key file name. The default name is

289

<quote><filename>/conf/conf.d/mandos/pubkey.txt</filename

290

></quote>.

234

291

</para>

235

292

</listitem>

236

293

</varlistentry>

237

294

238

295

239

296

<term><option>--seckey=<replaceable

240

297

>FILE</replaceable></option></term>

242

299

243

300

244

301

<para>

245

OpenPGP secret key file base name. This will be combined

246

with the directory from the <option>--keydir</option>

247

option to form an absolute file name. The default name is

248

<quote><literal>seckey.txt</literal></quote>.

302

OpenPGP secret key file name. The default name is

303

<quote><filename>/conf/conf.d/mandos/seckey.txt</filename

304

></quote>.

249

305

</para>

250

306

</listitem>

251

307

</varlistentry>

258

314

xpointer="priority"/>

259

315

</listitem>

260

316

</varlistentry>

261

317

262

318

263

319

<term><option>--dh-bits=<replaceable

264

320

>BITS</replaceable></option></term>

265

321

266

322

<para>

267

323

Sets the number of bits to use for the prime number in the

268

TLS Diffie-Hellman key exchange. Default is 1024.

324

TLS Diffie-Hellman key exchange. The default value is

325

selected automatically based on the OpenPGP key. Note

326

that if the <option>--dh-params</option> option is used,

327

the values from that file will be used instead.

328

</para>

329

</listitem>

330

</varlistentry>

331

332

333

<term><option>--dh-params=<replaceable

334

>FILE</replaceable></option></term>

335

336

<para>

337

Specifies a PEM-encoded PKCS#3 file to read the parameters

338

needed by the TLS Diffie-Hellman key exchange from. If

339

this option is not given, or if the file for some reason

340

could not be used, the parameters will be generated on

341

startup, which will take some time and processing power.

342

Those using servers running under time, power or processor

343

constraints may want to generate such a file in advance

344

and use this option.

345

</para>

346

</listitem>

347

</varlistentry>

348

349

350

<term><option>--delay=<replaceable

351

>SECONDS</replaceable></option></term>

352

353

<para>

354

After bringing a network interface up, the program waits

355

for the interface to arrive in a <quote>running</quote>

356

state before proceeding. During this time, the kernel log

357

level will be lowered to reduce clutter on the system

358

console, alleviating any other plugins which might be

359

using the system console. This option sets the upper

360

limit of seconds to wait. The default is 2.5 seconds.

361

</para>

362

</listitem>

363

</varlistentry>

364

365

366

<term><option>--retry=<replaceable

367

>SECONDS</replaceable></option></term>

368

369

<para>

370

All Mandos servers are tried repeatedly until a password

371

is received. This value specifies, in seconds, how long

372

between each successive try <emphasis>for the same

373

server</emphasis>. The default is 10 seconds.

374

</para>

375

</listitem>

376

</varlistentry>

377

378

379

<term><option>--network-hook-dir=<replaceable

380

>DIR</replaceable></option></term>

381

382

<para>

383

Network hook directory. The default directory is

384

<quote><filename class="directory"

385

>/lib/mandos/network-hooks.d</filename></quote>.

269

386

</para>

270

387

</listitem>

271

388

</varlistentry>

304

421

</para>

305

422

</listitem>

306

423

</varlistentry>

307

424

308

425

309

426

<term><option>--version</option></term>

310

427

316

433

</varlistentry>

317

434

</variablelist>

318

435

</refsect1>

319

436

320

437

321

438

<title>OVERVIEW</title>

322

439

<xi:include href="../overview.xml"/>

331

448

<filename>/etc/crypttab</filename>, but it would then be

332

449

impossible to enter a password for the encrypted root disk at

333

450

the console, since this program does not read from the console

334

at all. This is why a separate plugin does that, which will be

335

run in parallell to this one by the plugin runner.

451

at all. This is why a separate plugin runner (<citerefentry>

452

<refentrytitle>plugin-runner</refentrytitle>

453

<manvolnum>8mandos</manvolnum></citerefentry>) is used to run

454

both this program and others in in parallel,

455

<emphasis>one</emphasis> of which (<citerefentry>

456

<refentrytitle>password-prompt</refentrytitle>

457

<manvolnum>8mandos</manvolnum></citerefentry>) will prompt for

458

passwords on the system console.

336

459

</para>

337

460

</refsect1>

338

461

343

466

server could be found and the password received from it could be

344

467

successfully decrypted and output on standard output. The

345

468

program will exit with a non-zero exit status only if a critical

346

error occurs. Otherwise, it will forever connect to new

347

<application>Mandos</application> servers as they appear, trying

348

to get a decryptable password.

469

error occurs. Otherwise, it will forever connect to any

470

discovered <application>Mandos</application> servers, trying to

471

get a decryptable password and print it.

349

472

</para>

350

473

</refsect1>

351

474

352

475

353

476

<title>ENVIRONMENT</title>

477

478

479

<term><envar>MANDOSPLUGINHELPERDIR</envar></term>

480

481

<para>

482

This environment variable will be assumed to contain the

483

directory containing any helper executables. The use and

484

nature of these helper executables, if any, is

485

purposefully not documented.

486

</para>

487

</listitem>

488

</varlistentry>

489

</variablelist>

354

490

<para>

355

This program does not use any environment variables, not even

356

the ones provided by <citerefentry><refentrytitle

491

This program does not use any other environment variables, not

492

even the ones provided by <citerefentry><refentrytitle

357

493

>cryptsetup</refentrytitle><manvolnum>8</manvolnum>

358

494

</citerefentry>.

359

495

</para>

360

496

</refsect1>

361

497

362

498

499

<title>NETWORK HOOKS</title>

500

<para>

501

If a network interface like a bridge or tunnel is required to

502

find a Mandos server, this requires the interface to be up and

503

running before <command>&COMMANDNAME;</command> starts looking

504

for Mandos servers. This can be accomplished by creating a

505

<quote>network hook</quote> program, and placing it in a special

506

directory.

507

</para>

508

<para>

509

Before the network is used (and again before program exit), any

510

runnable programs found in the network hook directory are run

511

with the argument <quote><literal>start</literal></quote> or

512

<quote><literal>stop</literal></quote>. This should bring up or

513

down, respectively, any network interface which

514

<command>&COMMANDNAME;</command> should use.

515

</para>

516

517

<title>REQUIREMENTS</title>

518

<para>

519

A network hook must be an executable file, and its name must

520

consist entirely of upper and lower case letters, digits,

521

underscores, periods, and hyphens.

522

</para>

523

<para>

524

A network hook will receive one argument, which can be one of

525

the following:

526

</para>

527

528

529

<term><literal>start</literal></term>

530

531

<para>

532

This should make the network hook create (if necessary)

533

and bring up a network interface.

534

</para>

535

</listitem>

536

</varlistentry>

537

538

539

540

<para>

541

This should make the network hook take down a network

542

interface, and delete it if it did not exist previously.

543

</para>

544

</listitem>

545

</varlistentry>

546

547

<term><literal>files</literal></term>

548

549

<para>

550

This should make the network hook print, <emphasis>one

551

file per line</emphasis>, all the files needed for it to

552

run. (These files will be copied into the initial RAM

553

filesystem.) Typical use is for a network hook which is

554

a shell script to print its needed binaries.

555

</para>

556

<para>

557

It is not necessary to print any non-executable files

558

already in the network hook directory, these will be

559

copied implicitly if they otherwise satisfy the name

560

requirements.

561

</para>

562

</listitem>

563

</varlistentry>

564

565

<term><literal>modules</literal></term>

566

567

<para>

568

This should make the network hook print, <emphasis>on

569

separate lines</emphasis>, all the kernel modules needed

570

for it to run. (These modules will be copied into the

571

initial RAM filesystem.) For instance, a tunnel

572

interface needs the

573

<quote><literal>tun</literal></quote> module.

574

</para>

575

</listitem>

576

</varlistentry>

577

</variablelist>

578

<para>

579

The network hook will be provided with a number of environment

580

variables:

581

</para>

582

583

584

<term><envar>MANDOSNETHOOKDIR</envar></term>

585

586

<para>

587

The network hook directory, specified to

588

<command>&COMMANDNAME;</command> by the

589

<option>--network-hook-dir</option> option. Note: this

590

should <emphasis>always</emphasis> be used by the

591

network hook to refer to itself or any files in the hook

592

directory it may require.

593

</para>

594

</listitem>

595

</varlistentry>

596

597

<term><envar>DEVICE</envar></term>

598

599

<para>

600

The network interfaces, as specified to

601

<command>&COMMANDNAME;</command> by the

602

<option>--interface</option> option, combined to one

603

string and separated by commas. If this is set, and

604

does not contain the interface a hook will bring up,

605

there is no reason for a hook to continue.

606

</para>

607

</listitem>

608

</varlistentry>

609

610

611

612

<para>

613

This will be the same as the first argument;

614

i.e. <quote><literal>start</literal></quote>,

615

<quote><literal>stop</literal></quote>,

616

<quote><literal>files</literal></quote>, or

617

<quote><literal>modules</literal></quote>.

618

</para>

619

</listitem>

620

</varlistentry>

621

622

<term><envar>VERBOSITY</envar></term>

623

624

<para>

625

This will be the <quote><literal>1</literal></quote> if

626

the <option>--debug</option> option is passed to

627

<command>&COMMANDNAME;</command>, otherwise

628

<quote><literal>0</literal></quote>.

629

</para>

630

</listitem>

631

</varlistentry>

632

633

<term><envar>DELAY</envar></term>

634

635

<para>

636

This will be the same as the <option>--delay</option>

637

option passed to <command>&COMMANDNAME;</command>. Is

638

only set if <envar>MODE</envar> is

639

<quote><literal>start</literal></quote> or

640

<quote><literal>stop</literal></quote>.

641

</para>

642

</listitem>

643

</varlistentry>

644

645

<term><envar>CONNECT</envar></term>

646

647

<para>

648

This will be the same as the <option>--connect</option>

649

option passed to <command>&COMMANDNAME;</command>. Is

650

only set if <option>--connect</option> is passed and

651

<envar>MODE</envar> is

652

<quote><literal>start</literal></quote> or

653

<quote><literal>stop</literal></quote>.

654

</para>

655

</listitem>

656

</varlistentry>

657

</variablelist>

658

<para>

659

A hook may not read from standard input, and should be

660

restrictive in printing to standard output or standard error

661

unless <varname>VERBOSITY</varname> is

662

<quote><literal>1</literal></quote>.

663

</para>

664

</refsect2>

665

</refsect1>

666

667

363

668

<title>FILES</title>

364

<para>

365

</para>

669

670

671

<term><filename>/conf/conf.d/mandos/pubkey.txt</filename

672

></term>

673

<term><filename>/conf/conf.d/mandos/seckey.txt</filename

674

></term>

675

676

<para>

677

OpenPGP public and private key files, in <quote>ASCII

678

Armor</quote> format. These are the default file names,

679

they can be changed with the <option>--pubkey</option> and

680

<option>--seckey</option> options.

681

</para>

682

</listitem>

683

</varlistentry>

684

685

<term><filename

686

class="directory">/lib/mandos/network-hooks.d</filename></term>

687

688

<para>

689

Directory where network hooks are located. Change this

690

with the <option>--network-hook-dir</option> option. See

691

<xref linkend="network-hooks"/>.

692

</para>

693

</listitem>

694

</varlistentry>

695

</variablelist>

366

696

</refsect1>

367

697

368

698

369

699

370

<para>

371

</para>

700

<xi:include href="../bugs.xml"/>

372

701

</refsect1>

373

702

374

703

375

704

<title>EXAMPLE</title>

376

705

<para>

706

Note that normally, command line options will not be given

707

directly, but via options for the Mandos <citerefentry

708

><refentrytitle>plugin-runner</refentrytitle>

709

<manvolnum>8mandos</manvolnum></citerefentry>.

377

710

</para>

711

712

<para>

713

Normal invocation needs no options, if the network interfaces

714

can be automatically determined:

715

</para>

716

<para>

717

<userinput>&COMMANDNAME;</userinput>

718

</para>

719

</informalexample>

720

721

<para>

722

Search for Mandos servers (and connect to them) using one

723

specific interface:

724

</para>

725

<para>

726

727

<userinput>&COMMANDNAME; --interface eth1</userinput>

728

</para>

729

</informalexample>

730

731

<para>

732

Run in debug mode, and use a custom key:

733

</para>

734

<para>

735

736

737

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

738

739

</para>

740

</informalexample>

741

742

<para>

743

Run in debug mode, with a custom key, and do not use Zeroconf

744

to locate a server; connect directly to the IPv6 link-local

745

address <quote><systemitem class="ipaddress"

746

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

747

using interface eth2:

748

</para>

749

<para>

750

751

752

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

753

754

</para>

755

</informalexample>

378

756

</refsect1>

379

757

380

758

381

759

<title>SECURITY</title>

382

760

<para>

761

This program is set-uid to root, but will switch back to the

762

original (and presumably non-privileged) user and group after

763

bringing up the network interface.

764

</para>

765

<para>

766

To use this program for its intended purpose (see <xref

767

linkend="purpose"/>), the password for the root file system will

768

have to be given out to be stored in a server computer, after

769

having been encrypted using an OpenPGP key. This encrypted data

770

which will be stored in a server can only be decrypted by the

771

OpenPGP key, and the data will only be given out to those

772

clients who can prove they actually have that key. This key,

773

however, is stored unencrypted on the client side in its initial

774

<acronym>RAM</acronym> disk image file system. This is normally

775

readable by all, but this is normally fixed during installation

776

of this program; file permissions are set so that no-one is able

777

to read that file.

778

</para>

779

<para>

780

The only remaining weak point is that someone with physical

781

access to the client hard drive might turn off the client

782

computer, read the OpenPGP keys directly from the hard drive,

783

and communicate with the server. To safeguard against this, the

784

server is supposed to notice the client disappearing and stop

785

giving out the encrypted data. Therefore, it is important to

786

set the timeout and checker interval values tightly on the

787

server. See <citerefentry><refentrytitle

788

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

789

</para>

790

<para>

791

It will also help if the checker program on the server is

792

configured to request something from the client which can not be

793

spoofed by someone else on the network, like SSH server key

794

fingerprints, and unlike unencrypted <acronym>ICMP</acronym>

795

echo (<quote>ping</quote>) replies.

796

</para>

797

<para>

798

<emphasis>Note</emphasis>: This makes it completely insecure to

799

have <application >Mandos</application> clients which dual-boot

800

to another operating system which is <emphasis>not</emphasis>

801

trusted to keep the initial <acronym>RAM</acronym> disk image

802

confidential.

383

803

</para>

384

804

</refsect1>

385

805

386

806

387

807

388

808

<para>

809

<citerefentry><refentrytitle>intro</refentrytitle>

810

<manvolnum>8mandos</manvolnum></citerefentry>,

811

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

812

<manvolnum>8</manvolnum></citerefentry>,

813

<citerefentry><refentrytitle>crypttab</refentrytitle>

814

<manvolnum>5</manvolnum></citerefentry>,

389

815

<citerefentry><refentrytitle>mandos</refentrytitle>

390

816

<manvolnum>8</manvolnum></citerefentry>,

391

817

<citerefentry><refentrytitle>password-prompt</refentrytitle>

393

819

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

394

820

<manvolnum>8mandos</manvolnum></citerefentry>

395

821

</para>

396

397

398

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

399

</para></listitem>

400

401

402

<ulink url="http://www.avahi.org/">Avahi</ulink>

403

</para></listitem>

404

405

406

<ulink

407

url="http://www.gnu.org/software/gnutls/">GnuTLS</ulink>

408

</para></listitem>

409

410

411

<ulink

412

url="http://www.gnupg.org/related_software/gpgme/"

413

>GPGME</ulink>

414

</para></listitem>

415

416

417

<citation>RFC 4880: <citetitle>OpenPGP Message

418

Format</citetitle></citation>

419

</para></listitem>

420

421

422

<citation>RFC 5081: <citetitle>Using OpenPGP Keys for

423

Transport Layer Security</citetitle></citation>

424

</para></listitem>

425

426

427

<citation>RFC 4291: <citetitle>IP Version 6 Addressing

428

Architecture</citetitle>, section 2.5.6, Link-Local IPv6

429

Unicast Addresses</citation>

430

</para></listitem>

431

</itemizedlist>

822

823

824

<term>

825

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

826

</term>

827

828

<para>

829

Zeroconf is the network protocol standard used for finding

830

Mandos servers on the local network.

831

</para>

832

</listitem>

833

</varlistentry>

834

835

<term>

836

<ulink url="http://www.avahi.org/">Avahi</ulink>

837

</term>

838

839

<para>

840

Avahi is the library this program calls to find Zeroconf

841

services.

842

</para>

843

</listitem>

844

</varlistentry>

845

846

<term>

847

<ulink url="https://www.gnutls.org/">GnuTLS</ulink>

848

</term>

849

850

<para>

851

GnuTLS is the library this client uses to implement TLS for

852

communicating securely with the server, and at the same time

853

send the public OpenPGP key to the server.

854

</para>

855

</listitem>

856

</varlistentry>

857

858

<term>

859

<ulink url="https://www.gnupg.org/related_software/gpgme/"

860

>GPGME</ulink>

861

</term>

862

863

<para>

864

GPGME is the library used to decrypt the OpenPGP data sent

865

by the server.

866

</para>

867

</listitem>

868

</varlistentry>

869

870

<term>

871

RFC 4291: <citetitle>IP Version 6 Addressing

872

Architecture</citetitle>

873

</term>

874

875

876

877

<term>Section 2.2: <citetitle>Text Representation of

878

Addresses</citetitle></term>

879

880

</varlistentry>

881

882

<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6

883

Address</citetitle></term>

884

885

</varlistentry>

886

887

<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast

888

Addresses</citetitle></term>

889

890

<para>

891

This client uses IPv6 link-local addresses, which are

892

immediately usable since a link-local addresses is

893

automatically assigned to a network interface when it

894

is brought up.

895

</para>

896

</listitem>

897

</varlistentry>

898

</variablelist>

899

</listitem>

900

</varlistentry>

901

902

<term>

903

RFC 5246: <citetitle>The Transport Layer Security (TLS)

904

Protocol Version 1.2</citetitle>

905

</term>

906

907

<para>

908

TLS 1.2 is the protocol implemented by GnuTLS.

909

</para>

910

</listitem>

911

</varlistentry>

912

913

<term>

914

RFC 4880: <citetitle>OpenPGP Message Format</citetitle>

915

</term>

916

917

<para>

918

The data received from the server is binary encrypted

919

OpenPGP data.

920

</para>

921

</listitem>

922

</varlistentry>

923

924

<term>

925

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

926

Security</citetitle>

927

</term>

928

929

<para>

930

This is implemented by GnuTLS and used by this program so

931

that OpenPGP keys can be used.

932

</para>

933

</listitem>

934

</varlistentry>

935

</variablelist>

432

936

</refsect1>

433

434

937

</refentry>

938

435

939

436

940

437

941

Older »