/mandos/trunk : revision 964

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2019-02-09 23:34:15 UTC
Revision ID: teddy@recompile.se-20190209233415-m1ntebuepwna1xg1

Doc fix: Change some "/etc/mandos" to "/etc/keys/mandos"

* clients.conf: Change "/etc/mandos" to "/etc/keys/mandos" where
appropriate
* mandos-keygen.xml: - '' -

files added:
bugs.xml

initramfs-tools-conf

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2013-10-26">

<!ENTITY TIMESTAMP "2019-02-09">

<!ENTITY % common SYSTEM "common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

106

111

107

112

<sbr/>

108

113

<arg><option>--foreground</option></arg>

114

<sbr/>

115

<arg><option>--no-zeroconf</option></arg>

109

116

</cmdsynopsis>

110

117

111

118

<command>&COMMANDNAME;</command>

234

241

<term><option>--priority <replaceable>

235

242

PRIORITY</replaceable></option></term>

236

243

237

<xi:include href="mandos-options.xml"

238

xpointer="priority_compat"/>

244

<xi:include href="mandos-options.xml" xpointer="priority"/>

239

245

</listitem>

240

246

</varlistentry>

241

247

323

329

</listitem>

324

330

</varlistentry>

325

331

332

333

<term><option>--no-zeroconf</option></term>

334

335

<xi:include href="mandos-options.xml" xpointer="zeroconf"/>

336

</listitem>

337

</varlistentry>

338

326

339

</variablelist>

327

340

</refsect1>

328

341

348

361

start a TLS protocol handshake with a slight quirk: the Mandos

349

362

server program acts as a TLS <quote>client</quote> while the

350

363

connecting Mandos client acts as a TLS <quote>server</quote>.

351

The Mandos client must supply an OpenPGP certificate, and the

352

fingerprint of this certificate is used by the Mandos server to

353

look up (in a list read from <filename>clients.conf</filename>

354

at start time) which binary blob to give the client. No other

355

authentication or authorization is done by the server.

364

The Mandos client must supply a TLS public key, and the key ID

365

of this public key is used by the Mandos server to look up (in a

366

list read from <filename>clients.conf</filename> at start time)

367

which binary blob to give the client. No other authentication

368

or authorization is done by the server.

356

369

</para>

357

370

<table>

358

371

<title>Mandos Protocol (Version 1)</title><tgroup cols="3"><thead>

378

391

</emphasis></entry>

379

392

</row>

380

393

<row>

381

<entry>OpenPGP public key (part of TLS handshake)</entry>

394

<entry>Public key (part of TLS handshake)</entry>

382

395

383

396

</row>

384

397

<row>

531

544

</listitem>

532

545

</varlistentry>

533

546

534

535

</varlistentry>

536

537

547

<term><filename

538

548

class="directory">/var/lib/mandos</filename></term>

539

549

545

555

</listitem>

546

556

</varlistentry>

547

557

548

558

549

559

550

560

<para>

551

561

The Unix domain socket to where local syslog messages are

576

586

<para>

577

587

There is no fine-grained control over logging and debug output.

578

588

</para>

579

<para>

580

This server does not check the expire time of clients’ OpenPGP

581

keys.

582

</para>

589

<xi:include href="bugs.xml"/>

583

590

</refsect1>

584

591

585

592

635

642

<title>CLIENTS</title>

636

643

<para>

637

644

The server only gives out its stored data to clients which

638

does have the OpenPGP key of the stored fingerprint. This is

639

guaranteed by the fact that the client sends its OpenPGP

640

public key in the TLS handshake; this ensures it to be

641

genuine. The server computes the fingerprint of the key

642

itself and looks up the fingerprint in its list of

643

clients. The <filename>clients.conf</filename> file (see

645

does have the correct key ID of the stored key ID. This is

646

guaranteed by the fact that the client sends its public key in

647

the TLS handshake; this ensures it to be genuine. The server

648

computes the key ID of the key itself and looks up the key ID

649

in its list of clients. The <filename>clients.conf</filename>

650

file (see

644

651

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

645

652

<manvolnum>5</manvolnum></citerefentry>)

646

653

<emphasis>must</emphasis> be made non-readable by anyone

698

705

</varlistentry>

699

706

700

707

<term>

701

<ulink url="http://www.gnu.org/software/gnutls/"

702

>GnuTLS</ulink>

708

<ulink url="https://gnutls.org/">GnuTLS</ulink>

703

709

</term>

704

710

705

711

<para>

706

712

GnuTLS is the library this server uses to implement TLS for

707

713

communicating securely with the client, and at the same time

708

confidently get the client’s public OpenPGP key.

714

confidently get the client’s public key.

709

715

</para>

710

716

</listitem>

711

717

</varlistentry>

743

749

</varlistentry>

744

750

745

751

<term>

746

RFC 4346: <citetitle>The Transport Layer Security (TLS)

747

Protocol Version 1.1</citetitle>

752

RFC 5246: <citetitle>The Transport Layer Security (TLS)

753

Protocol Version 1.2</citetitle>

748

754

</term>

749

755

750

756

<para>

751

TLS 1.1 is the protocol implemented by GnuTLS.

757

TLS 1.2 is the protocol implemented by GnuTLS.

752

758

</para>

753

759

</listitem>

754

760

</varlistentry>

764

770

</varlistentry>

765

771

766

772

<term>

767

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

768

Security</citetitle>

769

</term>

770

771

<para>

772

This is implemented by GnuTLS and used by this server so

773

that OpenPGP keys can be used.

773

RFC 7250: <citetitle>Using Raw Public Keys in Transport

774

Layer Security (TLS) and Datagram Transport Layer Security

775

(DTLS)</citetitle>

776

</term>

777

778

<para>

779

This is implemented by GnuTLS version 3.6.6 and is, if

780

present, used by this server so that raw public keys can be

781

used.

782

</para>

783

</listitem>

784

</varlistentry>

785

786

<term>

787

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

788

Security (TLS) Authentication</citetitle>

789

</term>

790

791

<para>

792

This is implemented by GnuTLS before version 3.6.0 and is,

793

if present, used by this server so that OpenPGP keys can be

794

used.

774

795

</para>

775

796

</listitem>

776

797

</varlistentry>

Older »