/mandos/trunk : revision 99

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2008-08-24 10:49:09 UTC
mfrom: (24.1.63 mandos)
Revision ID: teddy@fukt.bsnet.se-20080824104909-loh761dpgglkvos1

* mandos (fingerprint): Bug fix: Check crtverify.value, not crtverify.

* mandos-keygen (password): Also print "host = ".

* plugins.d/password-request.c (pgp_packet_decrypt): Only print
                                                     detailed result
                                                     of decryption if
                                                     it failed.

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/watch

default-mandos

init.d-mandos

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2011-11-26">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<title>&COMMANDNAME;</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<productname>&COMMANDNAME;</productname>

<productnumber>&VERSION;</productnumber>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Gives encrypted passwords to authenticated Mandos clients

Sends encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

</group>

<sbr/>

<group>

<arg choice="plain"><option>--address

<replaceable>ADDRESS</replaceable></option></arg>

<arg choice="plain"><option>-a

<replaceable>ADDRESS</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--port

<arg choice="plain"><option>-p

</group>

<sbr/>

<arg><option>--priority

<replaceable>PRIORITY</replaceable></option></arg>

<sbr/>

<arg><option>--servicename

<sbr/>

<arg><option>--configdir

<replaceable>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--debug</option></arg>

<sbr/>

<arg><option>--debuglevel

<replaceable>LEVEL</replaceable></option></arg>

<sbr/>

<sbr/>

<sbr/>

<arg><option>--no-restore</option></arg>

<sbr/>

100

<arg><option>--statedir

101

<replaceable>DIRECTORY</replaceable></option></arg>

<arg>--interface<arg choice="plain">IF</arg></arg>

<arg>--address<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg>-a<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

102

</cmdsynopsis>

103

104

<command>&COMMANDNAME;</command>

105

106

107

108

</group>

109

</cmdsynopsis>

110

100

111

101

<command>&COMMANDNAME;</command>

112

<arg choice="plain"><option>--version</option></arg>

102

<arg choice="plain">--version</arg>

113

103

</cmdsynopsis>

114

104

115

105

<command>&COMMANDNAME;</command>

116

<arg choice="plain"><option>--check</option></arg>

106

<arg choice="plain">--check</arg>

117

107

</cmdsynopsis>

118

108

</refsynopsisdiv>

119

109

120

110

121

111

<title>DESCRIPTION</title>

122

112

<para>

123

113

<command>&COMMANDNAME;</command> is a server daemon which

124

114

handles incoming request for passwords for a pre-defined list of

125

client host computers. For an introduction, see

126

<citerefentry><refentrytitle>intro</refentrytitle>

127

<manvolnum>8mandos</manvolnum></citerefentry>. The Mandos server

128

uses Zeroconf to announce itself on the local network, and uses

129

TLS to communicate securely with and to authenticate the

130

clients. The Mandos server uses IPv6 to allow Mandos clients to

131

use IPv6 link-local addresses, since the clients will probably

132

not have any other addresses configured (see <xref

133

linkend="overview"/>). Any authenticated client is then given

134

the stored pre-encrypted password for that specific client.

115

client host computers. The Mandos server uses Zeroconf to

116

announce itself on the local network, and uses TLS to

117

communicate securely with and to authenticate the clients. The

118

Mandos server uses IPv6 to allow Mandos clients to use IPv6

119

link-local addresses, since the clients will probably not have

120

any other addresses configured (see <xref linkend="overview"/>).

121

Any authenticated client is then given the stored pre-encrypted

122

password for that specific client.

135

123

</para>

124

136

125

</refsect1>

137

126

138

127

139

128

<title>PURPOSE</title>

129

140

130

<para>

141

131

The purpose of this is to enable <emphasis>remote and unattended

142

132

rebooting</emphasis> of client host computer with an

143

133

<emphasis>encrypted root file system</emphasis>. See <xref

144

134

linkend="overview"/> for details.

145

135

</para>

136

146

137

</refsect1>

147

138

148

139

149

140

<title>OPTIONS</title>

141

150

142

151

143

152

153

144

154

145

155

146

<para>

156

147

Show a help message and exit

157

148

</para>

158

149

</listitem>

159

150

</varlistentry>

160

151

161

152

162

<term><option>--interface</option>

163

164

165

153

<term><literal>-i</literal>, <literal>--interface <replaceable>

154

IF</replaceable></literal></term>

166

155

167

156

<xi:include href="mandos-options.xml" xpointer="interface"/>

168

157

</listitem>

169

158

</varlistentry>

170

159

171

160

172

<term><option>--address

173

<replaceable>ADDRESS</replaceable></option></term>

174

<term><option>-a

175

<replaceable>ADDRESS</replaceable></option></term>

161

<term><literal>-a</literal>, <literal>--address <replaceable>

162

ADDRESS</replaceable></literal></term>

176

163

177

164

<xi:include href="mandos-options.xml" xpointer="address"/>

178

165

</listitem>

179

166

</varlistentry>

180

167

181

168

182

<term><option>--port

183

184

<term><option>-p

185

169

170

PORT</replaceable></literal></term>

186

171

187

172

<xi:include href="mandos-options.xml" xpointer="port"/>

188

173

</listitem>

189

174

</varlistentry>

190

175

191

176

192

<term><option>--check</option></term>

177

<term><literal>--check</literal></term>

193

178

194

179

<para>

195

180

Run the server’s self-tests. This includes any unit

197

182

</para>

198

183

</listitem>

199

184

</varlistentry>

200

185

201

186

202

<term><option>--debug</option></term>

187

<term><literal>--debug</literal></term>

203

188

204

189

<xi:include href="mandos-options.xml" xpointer="debug"/>

205

190

</listitem>

206

191

</varlistentry>

207

208

209

<term><option>--debuglevel

210

<replaceable>LEVEL</replaceable></option></term>

211

212

<para>

213

Set the debugging log level.

214

<replaceable>LEVEL</replaceable> is a string, one of

215

<quote><literal>CRITICAL</literal></quote>,

216

<quote><literal>ERROR</literal></quote>,

217

<quote><literal>WARNING</literal></quote>,

218

<quote><literal>INFO</literal></quote>, or

219

<quote><literal>DEBUG</literal></quote>, in order of

220

increasing verbosity. The default level is

221

<quote><literal>WARNING</literal></quote>.

222

</para>

223

</listitem>

224

</varlistentry>

225

226

227

<term><option>--priority <replaceable>

228

PRIORITY</replaceable></option></term>

192

193

194

<term><literal>--priority <replaceable>

195

PRIORITY</replaceable></literal></term>

229

196

230

197

<xi:include href="mandos-options.xml" xpointer="priority"/>

231

198

</listitem>

232

199

</varlistentry>

233

200

234

201

235

<term><option>--servicename

236

202

<term><literal>--servicename <replaceable>NAME</replaceable>

203

</literal></term>

237

204

238

205

<xi:include href="mandos-options.xml"

239

206

xpointer="servicename"/>

240

207

</listitem>

241

208

</varlistentry>

242

209

243

210

244

<term><option>--configdir

245

<replaceable>DIRECTORY</replaceable></option></term>

211

<term><literal>--configdir <replaceable>DIR</replaceable>

212

</literal></term>

246

213

247

214

<para>

248

215

Directory to search for configuration files. Default is

254

221

</para>

255

222

</listitem>

256

223

</varlistentry>

257

224

258

225

259

<term><option>--version</option></term>

226

<term><literal>--version</literal></term>

260

227

261

228

<para>

262

229

Prints the program version and exit.

263

230

</para>

264

231

</listitem>

265

232

</varlistentry>

266

267

268

269

270

<xi:include href="mandos-options.xml" xpointer="dbus"/>

271

<para>

272

See also <xref linkend="dbus_interface"/>.

273

</para>

274

</listitem>

275

</varlistentry>

276

277

278

279

280

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

281

</listitem>

282

</varlistentry>

283

284

285

<term><option>--no-restore</option></term>

286

287

<xi:include href="mandos-options.xml" xpointer="restore"/>

288

</listitem>

289

</varlistentry>

290

291

292

<term><option>--statedir

293

<replaceable>DIRECTORY</replaceable></option></term>

294

295

<xi:include href="mandos-options.xml" xpointer="statedir"/>

296

</listitem>

297

</varlistentry>

298

233

</variablelist>

299

234

</refsect1>

300

235

301

236

302

237

<title>OVERVIEW</title>

303

238

<xi:include href="overview.xml"/>

304

239

<para>

305

240

This program is the server part. It is a normal server program

306

241

and will run in a normal system environment, not in an initial

307

<acronym>RAM</acronym> disk environment.

242

RAM disk environment.

308

243

</para>

309

244

</refsect1>

310

245

311

246

312

247

<title>NETWORK PROTOCOL</title>

313

248

<para>

365

300

</row>

366

301

</tbody></tgroup></table>

367

302

</refsect1>

368

303

369

304

370

305

<title>CHECKING</title>

371

306

<para>

372

307

The server will, by default, continually check that the clients

373

308

are still up. If a client has not been confirmed as being up

374

309

for some time, the client is assumed to be compromised and is no

375

longer eligible to receive the encrypted password. (Manual

376

intervention is required to re-enable a client.) The timeout,

377

extended timeout, checker program, and interval between checks

378

can be configured both globally and per client; see

379

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

380

<manvolnum>5</manvolnum></citerefentry>. A client successfully

381

receiving its password will also be treated as a successful

382

checker run.

383

</para>

384

</refsect1>

385

386

387

<title>APPROVAL</title>

388

<para>

389

The server can be configured to require manual approval for a

390

client before it is sent its secret. The delay to wait for such

391

approval and the default action (approve or deny) can be

392

configured both globally and per client; see <citerefentry>

310

longer eligible to receive the encrypted password. The timeout,

311

checker program, and interval between checks can be configured

312

both globally and per client; see <citerefentry>

393

313

<refentrytitle>mandos-clients.conf</refentrytitle>

394

<manvolnum>5</manvolnum></citerefentry>. By default all clients

395

will be approved immediately without delay.

396

</para>

397

<para>

398

This can be used to deny a client its secret if not manually

399

approved within a specified time. It can also be used to make

400

the server delay before giving a client its secret, allowing

401

optional manual denying of this specific client.

402

</para>

403

314

<manvolnum>5</manvolnum></citerefentry>.

315

</para>

404

316

</refsect1>

405

317

406

318

407

319

<title>LOGGING</title>

408

320

<para>

412

324

and also show them on the console.

413

325

</para>

414

326

</refsect1>

415

416

417

<title>D-BUS INTERFACE</title>

418

<para>

419

The server will by default provide a D-Bus system bus interface.

420

This interface will only be accessible by the root user or a

421

Mandos-specific user, if such a user exists. For documentation

422

of the D-Bus API, see the file <filename>DBUS-API</filename>.

423

</para>

424

</refsect1>

425

327

426

328

427

329

<title>EXIT STATUS</title>

428

330

<para>

430

332

critical error is encountered.

431

333

</para>

432

334

</refsect1>

433

335

434

336

435

337

<title>ENVIRONMENT</title>

436

338

437

339

438

340

439

341

440

342

<para>

441

343

To start the configured checker (see <xref

450

352

</varlistentry>

451

353

</variablelist>

452

354

</refsect1>

453

454

355

356

455

357

<title>FILES</title>

456

358

<para>

457

359

Use the <option>--configdir</option> option to change where

480

382

</listitem>

481

383

</varlistentry>

482

384

483

<term><filename>/var/run/mandos.pid</filename></term>

484

485

<para>

486

The file containing the process id of the

487

<command>&COMMANDNAME;</command> process started last.

488

</para>

489

</listitem>

490

</varlistentry>

491

492

<term><filename

493

class="directory">/var/lib/mandos</filename></term>

494

495

<para>

496

Directory where persistent state will be saved. Change

497

this with the <option>--statedir</option> option. See

498

also the <option>--no-restore</option> option.

385

<term><filename>/var/run/mandos/mandos.pid</filename></term>

386

387

<para>

388

The file containing the process id of

389

<command>&COMMANDNAME;</command>.

499

390

</para>

500

391

</listitem>

501

392

</varlistentry>

529

420

backtrace. This could be considered a feature.

530

421

</para>

531

422

<para>

423

Currently, if a client is declared <quote>invalid</quote> due to

424

having timed out, the server does not record this fact onto

425

permanent storage. This has some security implications, see

426

<xref linkend="CLIENTS"/>.

427

</para>

428

<para>

429

There is currently no way of querying the server of the current

430

status of clients, other than analyzing its <systemitem

431

class="service">syslog</systemitem> output.

432

</para>

433

<para>

532

434

There is no fine-grained control over logging and debug output.

533

435

</para>

534

436

<para>

535

437

Debug mode is conflated with running in the foreground.

536

438

</para>

537

439

<para>

538

This server does not check the expire time of clients’ OpenPGP

539

keys.

440

The console log messages does not show a timestamp.

540

441

</para>

541

442

</refsect1>

542

443

547

448

Normal invocation needs no options:

548

449

</para>

549

450

<para>

550

<userinput>&COMMANDNAME;</userinput>

451

<userinput>mandos</userinput>

551

452

</para>

552

453

</informalexample>

553

454

554

455

<para>

555

456

Run the server in debug mode, read configuration files from

556

the <filename class="directory">~/mandos</filename> directory,

557

and use the Zeroconf service name <quote>Test</quote> to not

558

collide with any other official Mandos server on this host:

457

the <filename>~/mandos</filename> directory, and use the

458

Zeroconf service name <quote>Test</quote> to not collide with

459

any other official Mandos server on this host:

559

460

</para>

560

461

<para>

561

462

562

463

563

<userinput>&COMMANDNAME; --debug --configdir ~/mandos --servicename Test</userinput>

464

<userinput>mandos --debug --configdir ~/mandos --servicename Test</userinput>

564

465

565

466

</para>

566

467

</informalexample>

572

473

<para>

573

474

574

475

575

<userinput>&COMMANDNAME; --interface eth7 --address fe80::aede:48ff:fe71:f6f2</userinput>

476

<userinput>mandos --interface eth7 --address fe80::aede:48ff:fe71:f6f2</userinput>

576

477

577

478

</para>

578

479

</informalexample>

579

480

</refsect1>

580

481

581

482

582

483

<title>SECURITY</title>

583

484

584

485

<title>SERVER</title>

585

486

<para>

586

487

Running this <command>&COMMANDNAME;</command> server program

587

488

should not in itself present any security risk to the host

588

computer running it. The program switches to a non-root user

589

soon after startup.

489

computer running it. The program does not need any special

490

privileges to run, and is designed to run as a non-root user.

590

491

</para>

591

492

</refsect2>

592

493

593

494

<title>CLIENTS</title>

594

495

<para>

595

496

The server only gives out its stored data to clients which

602

503

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

603

504

<manvolnum>5</manvolnum></citerefentry>)

604

505

<emphasis>must</emphasis> be made non-readable by anyone

605

except the user starting the server (usually root).

506

except the user running the server.

606

507

</para>

607

508

<para>

608

509

As detailed in <xref linkend="checking"/>, the status of all

610

511

compromised if they are gone for too long.

611

512

</para>

612

513

<para>

514

If a client is compromised, its downtime should be duly noted

515

by the server which would therefore declare the client

516

invalid. But if the server was ever restarted, it would

517

re-read its client list from its configuration file and again

518

regard all clients therein as valid, and hence eligible to

519

receive their passwords. Therefore, be careful when

520

restarting servers if it is suspected that a client has, in

521

fact, been compromised by parties who may now be running a

522

fake Mandos client with the keys from the non-encrypted

523

initial RAM image of the client host. What should be done in

524

that case (if restarting the server program really is

525

necessary) is to stop the server program, edit the

526

configuration file to omit any suspect clients, and restart

527

the server program.

528

</para>

529

<para>

613

530

For more details on client-side security, see

614

<citerefentry><refentrytitle>mandos-client</refentrytitle>

531

<citerefentry><refentrytitle>password-request</refentrytitle>

615

532

<manvolnum>8mandos</manvolnum></citerefentry>.

616

533

</para>

617

534

</refsect2>

618

535

</refsect1>

619

536

620

537

621

538

622

539

<para>

623

<citerefentry><refentrytitle>intro</refentrytitle>

624

<manvolnum>8mandos</manvolnum></citerefentry>,

625

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

626

<manvolnum>5</manvolnum></citerefentry>,

627

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

628

<manvolnum>5</manvolnum></citerefentry>,

629

<citerefentry><refentrytitle>mandos-client</refentrytitle>

630

<manvolnum>8mandos</manvolnum></citerefentry>,

631

632

540

541

<refentrytitle>mandos.conf</refentrytitle>

542

543

<refentrytitle>mandos-clients.conf</refentrytitle>

544

545

<refentrytitle>password-request</refentrytitle>

546

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

547

548

</citerefentry>

633

549

</para>

634

550

635

551

656

572

</varlistentry>

657

573

658

574

<term>

659

<ulink url="http://www.gnu.org/software/gnutls/"

660

>GnuTLS</ulink>

575

<ulink

576

url="http://www.gnu.org/software/gnutls/">GnuTLS</ulink>

661

577

</term>

662

578

663

579

<para>

669

585

</varlistentry>

670

586

671

587

<term>

672

RFC 4291: <citetitle>IP Version 6 Addressing

673

Architecture</citetitle>

588

<citation>RFC 4291: <citetitle>IP Version 6 Addressing

589

Architecture</citetitle>, section 2.5.6, Link-Local IPv6

590

Unicast Addresses</citation>

674

591

</term>

675

592

676

677

678

<term>Section 2.2: <citetitle>Text Representation of

679

Addresses</citetitle></term>

680

681

</varlistentry>

682

683

<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6

684

Address</citetitle></term>

685

686

</varlistentry>

687

688

<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast

689

Addresses</citetitle></term>

690

691

<para>

692

The clients use IPv6 link-local addresses, which are

693

immediately usable since a link-local addresses is

694

automatically assigned to a network interfaces when it

695

is brought up.

696

</para>

697

</listitem>

698

</varlistentry>

699

</variablelist>

593

<para>

594

The clients use IPv6 link-local addresses, which are

595

immediately usable since a link-local addresses is

596

automatically assigned to a network interfaces when it is

597

brought up.

598

</para>

700

599

</listitem>

701

600

</varlistentry>

702

601

703

602

<term>

704

RFC 4346: <citetitle>The Transport Layer Security (TLS)

705

Protocol Version 1.1</citetitle>

603

<citation>RFC 4346: <citetitle>The Transport Layer Security

604

(TLS) Protocol Version 1.1</citetitle></citation>

706

605

</term>

707

606

708

607

<para>

712

611

</varlistentry>

713

612

714

613

<term>

715

RFC 4880: <citetitle>OpenPGP Message Format</citetitle>

614

<citation>RFC 4880: <citetitle>OpenPGP Message

615

Format</citetitle></citation>

716

616

</term>

717

617

718

618

<para>

722

622

</varlistentry>

723

623

724

624

<term>

725

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

726

Security</citetitle>

625

<citation>RFC 5081: <citetitle>Using OpenPGP Keys for

626

Transport Layer Security</citetitle></citation>

727

627

</term>

728

628

729

629

<para>

735

635

</variablelist>

736

636

</refsect1>

737

637

</refentry>

738

739

740

741

742

Older »