/mandos/trunk : revision 962

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.conf.xml

Committer: Teddy Hogeborn
Date: 2019-02-09 23:23:26 UTC
Revision ID: teddy@recompile.se-20190209232326-z1z2kzpgfixz7iaj

Add support for using raw public keys in TLS (RFC 7250)

Since GnuTLS removed support for OpenPGP keys in TLS (RFC 6091), and
no other library supports it, we have to change the protocol to use
something else.  We choose to use "raw public keys" (RFC 7250).  Since
we still use OpenPGP keys to decrypt the secret password, this means
that each client will have two keys: One OpenPGP key and one TLS
public/private key, and the key ID of the latter key is used to
identify clients instead of the fingerprint of the OpenPGP key.

Note that this code is still compatible with GnuTLS before version
3.6.0 (when OpenPGP key support was removed).  This commit merely adds
support for using raw pulic keys instead with GnuTLS 3.6.6. or later.

* DBUS-API (Signals/ClientNotFound): Change name of first parameter
                                     from "Fingerprint" to "KeyID".
  (Mandos Client Interface/Properties/KeyID): New.
* INSTALL: Document conflict with GnuTLS 3.6.0 (which removed OpenPGP
           key support) up until 3.6.6, when support for raw public
           keys was added.  Also document new dependency of client on
           "gnutls-bin" package (for certtool).
* Makefile (run-client): Depend on TLS key files, and also pass them
                         as arguments to client.
  (keydir/tls-privkey.pem, keydir/tls-pubkey.pem): New.
  (confdir/clients.conf): Add dependency on TLS public key.
  (purge-client): Add removal of TLS key files.
* clients.conf ([foo]/key_id, [bar]/key_id): New.
* debian/control (Source: mandos/Build-Depends): Also allow
                                                 libgnutls30 (>= 3.6.6)
  (Package: mandos/Depends): - '' -
  (Package: mandos/Description): Alter description to match new
                                 design.
  (Package: mandos-client/Description): - '' -
  (Package: mandos-client/Depends): Move "gnutls-bin | openssl" to
                                    here from "Recommends".
* debian/mandos-client.README.Debian: Add --tls-privkey and
                                      --tls-pubkey options to test
                                      command.
* debian/mandos-client.postinst (create_key): Renamed to "create_keys"
                                             (all callers changed),
                                             and also create TLS key.
* debian/mandos-client.postrm (purge): Also remove TLS key files.
* intro.xml (DESCRIPTION): Describe new dual-key design.
* mandos (GnuTLS): Define different functions depending on whether
                   support for raw public keys is detected.
  (Client.key_id): New attribute.
  (ClientDBus.KeyID_dbus_property): New method.
  (ProxyClient.__init__): Take new "key_id" parameter.
  (ClientHandler.handle): Use key IDs when using raw public keys and
                          use fingerprints when using OpenPGP keys.
  (ClientHandler.peer_certificate): Also handle raw public keys.
  (ClientHandler.key_id): New.
  (MandosServer.handle_ipc): Pass key ID over the pipe IPC.  Also
                             check for key ID matches when looking up
                             clients.
  (main): Default GnuTLS priority string depends on whether we are
          using raw public keys or not.  When unpickling clients, set
          key_id if not set in the pickle.
  (main/MandosDBusService.ClientNotFound): Change name of first
                                           parameter from
                                           "Fingerprint" to "KeyID".
* mandos-clients.conf.xml (OPTIONS): Document new "key_id" option.
  (OPTIONS/secret): Mention new key ID matchning.
  (EXPANSION/RUNTIME EXPANSION): Add new "key_id" option.
  (EXAMPLE): - '' -
* mandos-ctl (tablewords, main/keywords): Add new "KeyID" property.
* mandos-keygen: Create TLS key files.  New "--tls-keytype" (-T)
                 option.  Alter help text to be more clear about key
                 types.  When in password mode, also output "key_id"
                 option.
* mandos-keygen.xml (SYNOPSIS): Add new "--tls-keytype" (-T) option.
  (DESCRIPTION): Alter to match new dual-key design.
  (OVERVIEW): - '' -
  (FILES): Add TLS key files.
* mandos-options.xml (priority): Document new default priority string
                                 when using raw public keys.
* mandos.xml (NETWORK PROTOCOL): Describe new protocol using key ID.
  (BUGS): Remove issue about checking expire times of OpenPGP keys,
          since TLS public keys do not have expiration times.
  (SECURITY/CLIENT): Alter description to match new design.
  (SEE ALSO/GnuTLS): - '' -
  (SEE ALSO): Add reference to RFC 7250, and alter description of when
              RFC 6091 is used.
* overview.xml: Alter text to match new design.
* plugin-runner.xml (EXAMPLE): Add --tls-pubkey and --tls-privkey
                               options to mandos-client options.
* plugins.d/mandos-client.c: Use raw public keys when compiling with
                             supporting GnuTLS versions. Add new
                             "--tls-pubkey" and "--tls-privkey"
                             options (which do nothing if GnuTLS
                             library does not support raw public
                             keys).  Alter text throughout to reflect
                             new design.  Only generate new DH
                             parameters (based on size of OpenPGP key)
                             when using OpenPGP in TLS.  Default
                             GnuTLS priority string depends on whether
                             we are using raw public keys or not.
* plugins.d/mandos-client.xml (SYNOPSIS): Add new "--tls-privkey" (-t)
                                          and "--tls-pubkey" (-T)
                                          options.
  (DESCRIPTION): Describe new dual-key design.
  (OPTIONS): Document new "--tls-privkey" (-t) and "--tls-pubkey" (-T)
             options.
  (OPTIONS/--dh-bits): No longer necessarily depends on OpenPGP key
                       size.
  (FILES): Add default locations for TLS public and private key files.
  (EXAMPLE): Use new --tls-pubkey and --tls-privkey options.
  (SECURITY): Alter wording slightly to reflect new dual-key design.
  (SEE ALSO/GnuTLS): Alter description to match new design.
  (SEE ALSO): Add reference to RFC 7250, and alter description of when
              RFC 6091 is used.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-tools-conf

initramfs-tools-script

initramfs-tools-script-stop

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

overview.xml

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

network-protocol.txt

files renamed:
mandos-client.c => plugin-runner.c

mandos-client.xml => plugin-runner.xml

plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

mandos

mandos-clients.conf.xml

mandos-keygen

mandos.conf

mandos.conf.xml

mandos.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.conf.xml

<?xml version='1.0' encoding='UTF-8'?>

<?xml-stylesheet type="text/xsl"

href="http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl"?>

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY CONFNAME "mandos.conf">

<!ENTITY CONFPATH "<filename>/etc/mandos/mandos.conf</filename>">

<!ENTITY TIMESTAMP "2018-02-08">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>&CONFNAME;</title>

<productname>&CONFNAME;</productname>

<productnumber>&VERSION;</productnumber>

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn & Björn Påhlsson</holder>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&CONFNAME;</refentrytitle>

<refname><filename>&CONFNAME;</filename></refname>

Configuration file for Mandos

Configuration file for the Mandos server

</refpurpose>

</refnamediv>

&CONFPATH;

</synopsis>

<synopsis>&CONFPATH;</synopsis>

</refsynopsisdiv>

<title>DESCRIPTION</title>

<para>

The file &CONFPATH; is a simple configuration file for mandos

and is looked on at startup of the service. The configuration

file must start with <literal>[server]</literal>. The format for

the rest is a simple VAR = VALUE pair. Values may not be empty.

</para>

<para>

The paramters are:

</para>

The file &CONFPATH; is a simple configuration file for

<citerefentry><refentrytitle>mandos</refentrytitle>

<manvolnum>8</manvolnum></citerefentry>, and is read by it at

startup. The configuration file starts with <quote><literal

>[DEFAULT]</literal></quote> on a line by itself, followed by

any number of <quote><varname><replaceable>option</replaceable

></varname>=<replaceable>value</replaceable></quote> entries,

with continuations in the style of RFC 822. <quote><varname

><replaceable>option</replaceable></varname>: <replaceable

>value</replaceable></quote> is also accepted. Note that

leading whitespace is removed from values. Lines beginning with

<quote>#</quote> or <quote>;</quote> are ignored and may be used

to provide comments.

</para>

</refsect1>

<title>OPTIONS</title>

<term><literal>interface</literal></term>

<para>

This option allows you to override the default network

interfaces. By default mandos will not bind to any

100

specific interface but instead use default avahi-server

101

behaviour.

102

</para>

103

</listitem>

104

</varlistentry>

105

106

107

<term><literal>address</literal></term>

108

109

<para>

110

This option allows you to override the default network

111

address. By default mandos will not bind to any

112

specific address but instead use default avahi-server

113

behaviour.

114

</para>

115

</listitem>

116

</varlistentry>

117

118

119

120

121

<para>

122

This option allows you to override the default port to

123

listen on. By default mandos will not specify any specific

124

port and instead use a random port given by the OS from

125

the use of INADDR_ANY.

126

</para>

127

</listitem>

128

</varlistentry>

129

130

131

<term><literal>debug</literal></term>

132

133

<para>

134

This option allows you to modify debug mode with a true/false

135

boolean value. By default is debug set to <literal>false</literal>.

136

</para>

137

</listitem>

138

</varlistentry>

139

140

141

<term><literal>priority</literal></term>

142

143

<para>

144

This option allows you to override the default gnutls

145

priority that will be used in gnutls session. See

146

<citerefentry><refentrytitle>gnutls_priority_init

147

</refentrytitle><manvolnum>3</manvolnum></citerefentry>for

148

more information on gnutls priority strings.

149

</para>

150

</listitem>

151

</varlistentry>

152

153

154

<term><literal>servicename</literal></term>

155

156

<para>

157

This option allows you to override the default Zeroconf

158

service name use to announce mandos as a avahi service. By

159

default mandos will use "Mandos".

160

</para>

<term><option>interface<literal> = </literal><replaceable

>NAME</replaceable></option></term>

<xi:include href="mandos-options.xml" xpointer="interface"/>

</listitem>

</varlistentry>

100

<term><option>address<literal> = </literal><replaceable

101

>ADDRESS</replaceable></option></term>

102

103

<xi:include href="mandos-options.xml" xpointer="address"/>

104

</listitem>

105

</varlistentry>

106

107

108

<term><option>port<literal> = </literal><replaceable

109

>NUMBER</replaceable></option></term>

110

111

<xi:include href="mandos-options.xml" xpointer="port"/>

112

</listitem>

113

</varlistentry>

114

115

116

<term><option>debug<literal> = </literal>{ <literal

117

>1</literal> | <literal>yes</literal> | <literal

118

>true</literal> | <literal>on</literal> | <literal

119

>0</literal> | <literal>no</literal> | <literal

120

>false</literal> | <literal>off</literal> }</option></term>

121

122

<xi:include href="mandos-options.xml" xpointer="debug"/>

123

</listitem>

124

</varlistentry>

125

126

127

<term><option>priority<literal> = </literal><replaceable

128

>STRING</replaceable></option></term>

129

130

<xi:include href="mandos-options.xml" xpointer="priority"/>

131

</listitem>

132

</varlistentry>

133

134

135

<term><option>servicename<literal> = </literal

136

><replaceable>NAME</replaceable></option></term>

137

138

<xi:include href="mandos-options.xml"

139

xpointer="servicename"/>

140

</listitem>

141

</varlistentry>

142

143

144

<term><option>use_dbus<literal> = </literal>{ <literal

145

>1</literal> | <literal>yes</literal> | <literal

146

>true</literal> | <literal>on</literal> | <literal

147

>0</literal> | <literal>no</literal> | <literal

148

>false</literal> | <literal>off</literal> }</option></term>

149

150

<xi:include href="mandos-options.xml" xpointer="dbus"/>

151

</listitem>

152

</varlistentry>

153

154

155

<term><option>use_ipv6<literal> = </literal>{ <literal

156

>1</literal> | <literal>yes</literal> | <literal

157

>true</literal> | <literal>on</literal> | <literal

158

>0</literal> | <literal>no</literal> | <literal

159

>false</literal> | <literal>off</literal> }</option></term>

160

161

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

162

</listitem>

163

</varlistentry>

164

165

166

<term><option>restore<literal> = </literal>{ <literal

167

>1</literal> | <literal>yes</literal> | <literal

168

>true</literal> | <literal>on</literal> | <literal

169

>0</literal> | <literal>no</literal> | <literal

170

>false</literal> | <literal>off</literal> }</option></term>

171

172

<xi:include href="mandos-options.xml" xpointer="restore"/>

173

</listitem>

174

</varlistentry>

175

176

177

<term><option>statedir<literal> = </literal><replaceable

178

>DIRECTORY</replaceable></option></term>

179

180

<xi:include href="mandos-options.xml" xpointer="statedir"/>

181

</listitem>

182

</varlistentry>

183

184

185

<term><option>socket<literal> = </literal><replaceable

186

>NUMBER</replaceable></option></term>

187

188

<xi:include href="mandos-options.xml" xpointer="socket"/>

161

189

</listitem>

162

190

</varlistentry>

163

191

164

192

</variablelist>

165

193

</refsect1>

166

167

168

<title>EXAMPLES</title>

169

170

171

[server]

172

# A configuration example

173

interface = eth0

174

address = 2001:DB8:

175

port = 1025

176

debug = true

177

priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP

178

servicename = Mandos

179

</programlisting>

180

</informalexample>

181

</refsect1>

182

194

183

195

184

196

<title>FILES</title>

186

198

The file described here is &CONFPATH;

187

199

</para>

188

200

</refsect1>

201

202

203

204

<para>

205

The <literal>[DEFAULT]</literal> is necessary because the Python

206

built-in module <systemitem class="library">ConfigParser</systemitem>

207

requires it.

208

</para>

209

<xi:include href="bugs.xml"/>

210

</refsect1>

211

212

213

<title>EXAMPLE</title>

214

215

<para>

216

No options are actually required:

217

</para>

218

219

[DEFAULT]

220

</programlisting>

221

</informalexample>

222

223

<para>

224

An example using all the options:

225

</para>

226

227

[DEFAULT]

228

# A configuration example

229

interface = eth0

230

address = fe80::aede:48ff:fe71:f6f2

231

port = 1025

232

debug = True

233

priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA

234

servicename = Daena

235

use_dbus = False

236

use_ipv6 = True

237

restore = True

238

statedir = /var/lib/mandos

239

</programlisting>

240

</informalexample>

241

</refsect1>

242

243

244

245

<para>

246

<citerefentry><refentrytitle>intro</refentrytitle>

247

<manvolnum>8mandos</manvolnum></citerefentry>,

248

<citerefentry><refentrytitle>gnutls_priority_init</refentrytitle

249

><manvolnum>3</manvolnum></citerefentry>,

250

<citerefentry><refentrytitle>mandos</refentrytitle>

251

<manvolnum>8</manvolnum></citerefentry>,

252

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

253

254

</para>

255

256

257

258

<term>

259

RFC 4291: <citetitle>IP Version 6 Addressing

260

Architecture</citetitle>

261

</term>

262

263

264

265

<term>Section 2.2: <citetitle>Text Representation of

266

Addresses</citetitle></term>

267

268

</varlistentry>

269

270

<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6

271

Address</citetitle></term>

272

273

</varlistentry>

274

275

<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast

276

Addresses</citetitle></term>

277

278

<para>

279

The clients use IPv6 link-local addresses, which are

280

immediately usable since a link-local addresses is

281

automatically assigned to a network interface when it

282

is brought up.

283

</para>

284

</listitem>

285

</varlistentry>

286

</variablelist>

287

</listitem>

288

</varlistentry>

289

290

<term>

291

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

292

</term>

293

294

<para>

295

Zeroconf is the network protocol standard used by clients

296

for finding the Mandos server on the local network.

297

</para>

298

</listitem>

299

</varlistentry>

300

</variablelist>

301

</refsect1>

189

302

</refentry>

303

304

305

306

307

Older »