/mandos/trunk : revision 99

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2008-08-24 10:49:09 UTC
mfrom: (24.1.63 mandos)
Revision ID: teddy@fukt.bsnet.se-20080824104909-loh761dpgglkvos1

* mandos (fingerprint): Bug fix: Check crtverify.value, not crtverify.

* mandos-keygen (password): Also print "host = ".

* plugins.d/password-request.c (pgp_packet_decrypt): Only print
                                                     detailed result
                                                     of decryption if
                                                     it failed.

files added:
initramfs-tools-hook-conf

plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-tools-conf

initramfs-tools-script-stop

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2019-02-09">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<title>&COMMANDNAME;</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<productname>&COMMANDNAME;</productname>

<productnumber>&VERSION;</productnumber>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Gives encrypted passwords to authenticated Mandos clients

Sends encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

</group>

<sbr/>

<group>

<arg choice="plain"><option>--address

<replaceable>ADDRESS</replaceable></option></arg>

<arg choice="plain"><option>-a

<replaceable>ADDRESS</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--port

<arg choice="plain"><option>-p

</group>

<sbr/>

<arg><option>--priority

<replaceable>PRIORITY</replaceable></option></arg>

<sbr/>

<arg><option>--servicename

<sbr/>

<arg><option>--configdir

<replaceable>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--debug</option></arg>

<sbr/>

<arg><option>--debuglevel

<replaceable>LEVEL</replaceable></option></arg>

100

<sbr/>

101

102

<sbr/>

103

104

<sbr/>

105

<arg><option>--no-restore</option></arg>

106

<sbr/>

107

<arg><option>--statedir

108

<replaceable>DIRECTORY</replaceable></option></arg>

109

<sbr/>

110

<arg><option>--socket

111

112

<sbr/>

113

<arg><option>--foreground</option></arg>

114

<sbr/>

115

<arg><option>--no-zeroconf</option></arg>

<arg>--interface<arg choice="plain">IF</arg></arg>

<arg>--address<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg>-a<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

116

</cmdsynopsis>

117

118

<command>&COMMANDNAME;</command>

119

120

121

122

</group>

123

</cmdsynopsis>

124

100

125

101

<command>&COMMANDNAME;</command>

126

<arg choice="plain"><option>--version</option></arg>

102

<arg choice="plain">--version</arg>

127

103

</cmdsynopsis>

128

104

129

105

<command>&COMMANDNAME;</command>

130

<arg choice="plain"><option>--check</option></arg>

106

<arg choice="plain">--check</arg>

131

107

</cmdsynopsis>

132

108

</refsynopsisdiv>

133

109

134

110

135

111

<title>DESCRIPTION</title>

136

112

<para>

137

113

<command>&COMMANDNAME;</command> is a server daemon which

138

114

handles incoming request for passwords for a pre-defined list of

139

client host computers. For an introduction, see

140

<citerefentry><refentrytitle>intro</refentrytitle>

141

<manvolnum>8mandos</manvolnum></citerefentry>. The Mandos server

142

uses Zeroconf to announce itself on the local network, and uses

143

TLS to communicate securely with and to authenticate the

144

clients. The Mandos server uses IPv6 to allow Mandos clients to

145

use IPv6 link-local addresses, since the clients will probably

146

not have any other addresses configured (see <xref

147

linkend="overview"/>). Any authenticated client is then given

148

the stored pre-encrypted password for that specific client.

115

client host computers. The Mandos server uses Zeroconf to

116

announce itself on the local network, and uses TLS to

117

communicate securely with and to authenticate the clients. The

118

Mandos server uses IPv6 to allow Mandos clients to use IPv6

119

link-local addresses, since the clients will probably not have

120

any other addresses configured (see <xref linkend="overview"/>).

121

Any authenticated client is then given the stored pre-encrypted

122

password for that specific client.

149

123

</para>

124

150

125

</refsect1>

151

126

152

127

153

128

<title>PURPOSE</title>

129

154

130

<para>

155

131

The purpose of this is to enable <emphasis>remote and unattended

156

132

rebooting</emphasis> of client host computer with an

157

133

<emphasis>encrypted root file system</emphasis>. See <xref

158

134

linkend="overview"/> for details.

159

135

</para>

136

160

137

</refsect1>

161

138

162

139

163

140

<title>OPTIONS</title>

141

164

142

165

143

166

167

144

168

145

169

146

<para>

170

147

Show a help message and exit

171

148

</para>

172

149

</listitem>

173

150

</varlistentry>

174

151

175

152

176

<term><option>--interface</option>

177

178

179

153

<term><literal>-i</literal>, <literal>--interface <replaceable>

154

IF</replaceable></literal></term>

180

155

181

156

<xi:include href="mandos-options.xml" xpointer="interface"/>

182

157

</listitem>

183

158

</varlistentry>

184

159

185

160

186

<term><option>--address

187

<replaceable>ADDRESS</replaceable></option></term>

188

<term><option>-a

189

<replaceable>ADDRESS</replaceable></option></term>

161

<term><literal>-a</literal>, <literal>--address <replaceable>

162

ADDRESS</replaceable></literal></term>

190

163

191

164

<xi:include href="mandos-options.xml" xpointer="address"/>

192

165

</listitem>

193

166

</varlistentry>

194

167

195

168

196

<term><option>--port

197

198

<term><option>-p

199

169

170

PORT</replaceable></literal></term>

200

171

201

172

<xi:include href="mandos-options.xml" xpointer="port"/>

202

173

</listitem>

203

174

</varlistentry>

204

175

205

176

206

<term><option>--check</option></term>

177

<term><literal>--check</literal></term>

207

178

208

179

<para>

209

180

Run the server’s self-tests. This includes any unit

211

182

</para>

212

183

</listitem>

213

184

</varlistentry>

214

185

215

186

216

<term><option>--debug</option></term>

187

<term><literal>--debug</literal></term>

217

188

218

189

<xi:include href="mandos-options.xml" xpointer="debug"/>

219

190

</listitem>

220

191

</varlistentry>

221

222

223

<term><option>--debuglevel

224

<replaceable>LEVEL</replaceable></option></term>

225

226

<para>

227

Set the debugging log level.

228

<replaceable>LEVEL</replaceable> is a string, one of

229

<quote><literal>CRITICAL</literal></quote>,

230

<quote><literal>ERROR</literal></quote>,

231

<quote><literal>WARNING</literal></quote>,

232

<quote><literal>INFO</literal></quote>, or

233

<quote><literal>DEBUG</literal></quote>, in order of

234

increasing verbosity. The default level is

235

<quote><literal>WARNING</literal></quote>.

236

</para>

237

</listitem>

238

</varlistentry>

239

240

241

<term><option>--priority <replaceable>

242

PRIORITY</replaceable></option></term>

192

193

194

<term><literal>--priority <replaceable>

195

PRIORITY</replaceable></literal></term>

243

196

244

197

<xi:include href="mandos-options.xml" xpointer="priority"/>

245

198

</listitem>

246

199

</varlistentry>

247

200

248

201

249

<term><option>--servicename

250

202

<term><literal>--servicename <replaceable>NAME</replaceable>

203

</literal></term>

251

204

252

205

<xi:include href="mandos-options.xml"

253

206

xpointer="servicename"/>

254

207

</listitem>

255

208

</varlistentry>

256

209

257

210

258

<term><option>--configdir

259

<replaceable>DIRECTORY</replaceable></option></term>

211

<term><literal>--configdir <replaceable>DIR</replaceable>

212

</literal></term>

260

213

261

214

<para>

262

215

Directory to search for configuration files. Default is

268

221

</para>

269

222

</listitem>

270

223

</varlistentry>

271

224

272

225

273

<term><option>--version</option></term>

226

<term><literal>--version</literal></term>

274

227

275

228

<para>

276

229

Prints the program version and exit.

277

230

</para>

278

231

</listitem>

279

232

</varlistentry>

280

281

282

283

284

<xi:include href="mandos-options.xml" xpointer="dbus"/>

285

<para>

286

See also <xref linkend="dbus_interface"/>.

287

</para>

288

</listitem>

289

</varlistentry>

290

291

292

293

294

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

295

</listitem>

296

</varlistentry>

297

298

299

<term><option>--no-restore</option></term>

300

301

<xi:include href="mandos-options.xml" xpointer="restore"/>

302

<para>

303

See also <xref linkend="persistent_state"/>.

304

</para>

305

</listitem>

306

</varlistentry>

307

308

309

<term><option>--statedir

310

<replaceable>DIRECTORY</replaceable></option></term>

311

312

<xi:include href="mandos-options.xml" xpointer="statedir"/>

313

</listitem>

314

</varlistentry>

315

316

317

<term><option>--socket

318

319

320

<xi:include href="mandos-options.xml" xpointer="socket"/>

321

</listitem>

322

</varlistentry>

323

324

325

<term><option>--foreground</option></term>

326

327

<xi:include href="mandos-options.xml"

328

xpointer="foreground"/>

329

</listitem>

330

</varlistentry>

331

332

333

<term><option>--no-zeroconf</option></term>

334

335

<xi:include href="mandos-options.xml" xpointer="zeroconf"/>

336

</listitem>

337

</varlistentry>

338

339

233

</variablelist>

340

234

</refsect1>

341

235

342

236

343

237

<title>OVERVIEW</title>

344

238

<xi:include href="overview.xml"/>

345

239

<para>

346

240

This program is the server part. It is a normal server program

347

241

and will run in a normal system environment, not in an initial

348

<acronym>RAM</acronym> disk environment.

242

RAM disk environment.

349

243

</para>

350

244

</refsect1>

351

245

352

246

353

247

<title>NETWORK PROTOCOL</title>

354

248

<para>

361

255

start a TLS protocol handshake with a slight quirk: the Mandos

362

256

server program acts as a TLS <quote>client</quote> while the

363

257

connecting Mandos client acts as a TLS <quote>server</quote>.

364

The Mandos client must supply a TLS public key, and the key ID

365

of this public key is used by the Mandos server to look up (in a

366

list read from <filename>clients.conf</filename> at start time)

367

which binary blob to give the client. No other authentication

368

or authorization is done by the server.

258

The Mandos client must supply an OpenPGP certificate, and the

259

fingerprint of this certificate is used by the Mandos server to

260

look up (in a list read from <filename>clients.conf</filename>

261

at start time) which binary blob to give the client. No other

262

authentication or authorization is done by the server.

369

263

</para>

370

264

<table>

371

265

<title>Mandos Protocol (Version 1)</title><tgroup cols="3"><thead>

391

285

</emphasis></entry>

392

286

</row>

393

287

<row>

394

<entry>Public key (part of TLS handshake)</entry>

288

<entry>OpenPGP public key (part of TLS handshake)</entry>

395

289

396

290

</row>

397

291

<row>

406

300

</row>

407

301

</tbody></tgroup></table>

408

302

</refsect1>

409

303

410

304

411

305

<title>CHECKING</title>

412

306

<para>

413

307

The server will, by default, continually check that the clients

414

308

are still up. If a client has not been confirmed as being up

415

309

for some time, the client is assumed to be compromised and is no

416

longer eligible to receive the encrypted password. (Manual

417

intervention is required to re-enable a client.) The timeout,

418

extended timeout, checker program, and interval between checks

419

can be configured both globally and per client; see

420

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

310

longer eligible to receive the encrypted password. The timeout,

311

checker program, and interval between checks can be configured

312

both globally and per client; see <citerefentry>

313

<refentrytitle>mandos-clients.conf</refentrytitle>

421

314

<manvolnum>5</manvolnum></citerefentry>.

422

315

</para>

423

316

</refsect1>

424

425

426

<title>APPROVAL</title>

427

<para>

428

The server can be configured to require manual approval for a

429

client before it is sent its secret. The delay to wait for such

430

approval and the default action (approve or deny) can be

431

configured both globally and per client; see <citerefentry>

432

<refentrytitle>mandos-clients.conf</refentrytitle>

433

<manvolnum>5</manvolnum></citerefentry>. By default all clients

434

will be approved immediately without delay.

435

</para>

436

<para>

437

This can be used to deny a client its secret if not manually

438

approved within a specified time. It can also be used to make

439

the server delay before giving a client its secret, allowing

440

optional manual denying of this specific client.

441

</para>

442

443

</refsect1>

444

317

445

318

446

319

<title>LOGGING</title>

447

320

<para>

448

321

The server will send log message with various severity levels to

449

<filename class="devicefile">/dev/log</filename>. With the

322

<filename>/dev/log</filename>. With the

450

323

<option>--debug</option> option, it will log even more messages,

451

324

and also show them on the console.

452

325

</para>

453

326

</refsect1>

454

455

456

<title>PERSISTENT STATE</title>

457

<para>

458

Client settings, initially read from

459

<filename>clients.conf</filename>, are persistent across

460

restarts, and run-time changes will override settings in

461

<filename>clients.conf</filename>. However, if a setting is

462

<emphasis>changed</emphasis> (or a client added, or removed) in

463

<filename>clients.conf</filename>, this will take precedence.

464

</para>

465

</refsect1>

466

467

468

<title>D-BUS INTERFACE</title>

469

<para>

470

The server will by default provide a D-Bus system bus interface.

471

This interface will only be accessible by the root user or a

472

Mandos-specific user, if such a user exists. For documentation

473

of the D-Bus API, see the file <filename>DBUS-API</filename>.

474

</para>

475

</refsect1>

476

327

477

328

478

329

<title>EXIT STATUS</title>

479

330

<para>

481

332

critical error is encountered.

482

333

</para>

483

334

</refsect1>

484

335

485

336

486

337

<title>ENVIRONMENT</title>

487

338

488

339

489

340

490

341

491

342

<para>

492

343

To start the configured checker (see <xref

501

352

</varlistentry>

502

353

</variablelist>

503

354

</refsect1>

504

505

355

356

506

357

<title>FILES</title>

507

358

<para>

508

359

Use the <option>--configdir</option> option to change where

531

382

</listitem>

532

383

</varlistentry>

533

384

534

<term><filename>/run/mandos.pid</filename></term>

535

536

<para>

537

The file containing the process id of the

538

<command>&COMMANDNAME;</command> process started last.

539

<emphasis >Note:</emphasis> If the <filename

540

class="directory">/run</filename> directory does not

541

exist, <filename>/var/run/mandos.pid</filename> will be

542

used instead.

543

</para>

544

</listitem>

545

</varlistentry>

546

547

<term><filename

548

class="directory">/var/lib/mandos</filename></term>

549

550

<para>

551

Directory where persistent state will be saved. Change

552

this with the <option>--statedir</option> option. See

553

also the <option>--no-restore</option> option.

554

</para>

555

</listitem>

556

</varlistentry>

557

558

385

<term><filename>/var/run/mandos/mandos.pid</filename></term>

386

387

<para>

388

The file containing the process id of

389

<command>&COMMANDNAME;</command>.

390

</para>

391

</listitem>

392

</varlistentry>

393

394

559

395

560

396

<para>

561

397

The Unix domain socket to where local syslog messages are

584

420

backtrace. This could be considered a feature.

585

421

</para>

586

422

<para>

423

Currently, if a client is declared <quote>invalid</quote> due to

424

having timed out, the server does not record this fact onto

425

permanent storage. This has some security implications, see

426

<xref linkend="CLIENTS"/>.

427

</para>

428

<para>

429

There is currently no way of querying the server of the current

430

status of clients, other than analyzing its <systemitem

431

class="service">syslog</systemitem> output.

432

</para>

433

<para>

587

434

There is no fine-grained control over logging and debug output.

588

435

</para>

589

<xi:include href="bugs.xml"/>

436

<para>

437

Debug mode is conflated with running in the foreground.

438

</para>

439

<para>

440

The console log messages does not show a timestamp.

441

</para>

590

442

</refsect1>

591

443

592

444

596

448

Normal invocation needs no options:

597

449

</para>

598

450

<para>

599

<userinput>&COMMANDNAME;</userinput>

451

<userinput>mandos</userinput>

600

452

</para>

601

453

</informalexample>

602

454

603

455

<para>

604

456

Run the server in debug mode, read configuration files from

605

the <filename class="directory">~/mandos</filename> directory,

606

and use the Zeroconf service name <quote>Test</quote> to not

607

collide with any other official Mandos server on this host:

457

the <filename>~/mandos</filename> directory, and use the

458

Zeroconf service name <quote>Test</quote> to not collide with

459

any other official Mandos server on this host:

608

460

</para>

609

461

<para>

610

462

611

463

612

<userinput>&COMMANDNAME; --debug --configdir ~/mandos --servicename Test</userinput>

464

<userinput>mandos --debug --configdir ~/mandos --servicename Test</userinput>

613

465

614

466

</para>

615

467

</informalexample>

621

473

<para>

622

474

623

475

624

<userinput>&COMMANDNAME; --interface eth7 --address fe80::aede:48ff:fe71:f6f2</userinput>

476

<userinput>mandos --interface eth7 --address fe80::aede:48ff:fe71:f6f2</userinput>

625

477

626

478

</para>

627

479

</informalexample>

628

480

</refsect1>

629

481

630

482

631

483

<title>SECURITY</title>

632

484

633

485

<title>SERVER</title>

634

486

<para>

635

487

Running this <command>&COMMANDNAME;</command> server program

636

488

should not in itself present any security risk to the host

637

computer running it. The program switches to a non-root user

638

soon after startup.

489

computer running it. The program does not need any special

490

privileges to run, and is designed to run as a non-root user.

639

491

</para>

640

492

</refsect2>

641

493

642

494

<title>CLIENTS</title>

643

495

<para>

644

496

The server only gives out its stored data to clients which

645

does have the correct key ID of the stored key ID. This is

646

guaranteed by the fact that the client sends its public key in

647

the TLS handshake; this ensures it to be genuine. The server

648

computes the key ID of the key itself and looks up the key ID

649

in its list of clients. The <filename>clients.conf</filename>

650

file (see

497

does have the OpenPGP key of the stored fingerprint. This is

498

guaranteed by the fact that the client sends its OpenPGP

499

public key in the TLS handshake; this ensures it to be

500

genuine. The server computes the fingerprint of the key

501

itself and looks up the fingerprint in its list of

502

clients. The <filename>clients.conf</filename> file (see

651

503

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

652

504

<manvolnum>5</manvolnum></citerefentry>)

653

505

<emphasis>must</emphasis> be made non-readable by anyone

654

except the user starting the server (usually root).

506

except the user running the server.

655

507

</para>

656

508

<para>

657

509

As detailed in <xref linkend="checking"/>, the status of all

659

511

compromised if they are gone for too long.

660

512

</para>

661

513

<para>

514

If a client is compromised, its downtime should be duly noted

515

by the server which would therefore declare the client

516

invalid. But if the server was ever restarted, it would

517

re-read its client list from its configuration file and again

518

regard all clients therein as valid, and hence eligible to

519

receive their passwords. Therefore, be careful when

520

restarting servers if it is suspected that a client has, in

521

fact, been compromised by parties who may now be running a

522

fake Mandos client with the keys from the non-encrypted

523

initial RAM image of the client host. What should be done in

524

that case (if restarting the server program really is

525

necessary) is to stop the server program, edit the

526

configuration file to omit any suspect clients, and restart

527

the server program.

528

</para>

529

<para>

662

530

For more details on client-side security, see

663

<citerefentry><refentrytitle>mandos-client</refentrytitle>

531

<citerefentry><refentrytitle>password-request</refentrytitle>

664

532

<manvolnum>8mandos</manvolnum></citerefentry>.

665

533

</para>

666

534

</refsect2>

667

535

</refsect1>

668

536

669

537

670

538

671

539

<para>

672

<citerefentry><refentrytitle>intro</refentrytitle>

673

<manvolnum>8mandos</manvolnum></citerefentry>,

674

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

675

<manvolnum>5</manvolnum></citerefentry>,

676

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

677

<manvolnum>5</manvolnum></citerefentry>,

678

<citerefentry><refentrytitle>mandos-client</refentrytitle>

679

<manvolnum>8mandos</manvolnum></citerefentry>,

680

681

540

541

<refentrytitle>mandos.conf</refentrytitle>

542

543

<refentrytitle>mandos-clients.conf</refentrytitle>

544

545

<refentrytitle>password-request</refentrytitle>

546

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

547

548

</citerefentry>

682

549

</para>

683

550

684

551

705

572

</varlistentry>

706

573

707

574

<term>

708

<ulink url="https://gnutls.org/">GnuTLS</ulink>

575

<ulink

576

url="http://www.gnu.org/software/gnutls/">GnuTLS</ulink>

709

577

</term>

710

578

711

579

<para>

712

580

GnuTLS is the library this server uses to implement TLS for

713

581

communicating securely with the client, and at the same time

714

confidently get the client’s public key.

582

confidently get the client’s public OpenPGP key.

715

583

</para>

716

584

</listitem>

717

585

</varlistentry>

718

586

719

587

<term>

720

RFC 4291: <citetitle>IP Version 6 Addressing

721

Architecture</citetitle>

588

<citation>RFC 4291: <citetitle>IP Version 6 Addressing

589

Architecture</citetitle>, section 2.5.6, Link-Local IPv6

590

Unicast Addresses</citation>

722

591

</term>

723

592

724

725

726

<term>Section 2.2: <citetitle>Text Representation of

727

Addresses</citetitle></term>

728

729

</varlistentry>

730

731

<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6

732

Address</citetitle></term>

733

734

</varlistentry>

735

736

<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast

737

Addresses</citetitle></term>

738

739

<para>

740

The clients use IPv6 link-local addresses, which are

741

immediately usable since a link-local addresses is

742

automatically assigned to a network interfaces when it

743

is brought up.

744

</para>

745

</listitem>

746

</varlistentry>

747

</variablelist>

593

<para>

594

The clients use IPv6 link-local addresses, which are

595

immediately usable since a link-local addresses is

596

automatically assigned to a network interfaces when it is

597

brought up.

598

</para>

748

599

</listitem>

749

600

</varlistentry>

750

601

751

602

<term>

752

RFC 5246: <citetitle>The Transport Layer Security (TLS)

753

Protocol Version 1.2</citetitle>

603

<citation>RFC 4346: <citetitle>The Transport Layer Security

604

(TLS) Protocol Version 1.1</citetitle></citation>

754

605

</term>

755

606

756

607

<para>

757

TLS 1.2 is the protocol implemented by GnuTLS.

608

TLS 1.1 is the protocol implemented by GnuTLS.

758

609

</para>

759

610

</listitem>

760

611

</varlistentry>

761

612

762

613

<term>

763

RFC 4880: <citetitle>OpenPGP Message Format</citetitle>

614

<citation>RFC 4880: <citetitle>OpenPGP Message

615

Format</citetitle></citation>

764

616

</term>

765

617

766

618

<para>

770

622

</varlistentry>

771

623

772

624

<term>

773

RFC 7250: <citetitle>Using Raw Public Keys in Transport

774

Layer Security (TLS) and Datagram Transport Layer Security

775

(DTLS)</citetitle>

776

</term>

777

778

<para>

779

This is implemented by GnuTLS version 3.6.6 and is, if

780

present, used by this server so that raw public keys can be

781

used.

782

</para>

783

</listitem>

784

</varlistentry>

785

786

<term>

787

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

788

Security (TLS) Authentication</citetitle>

789

</term>

790

791

<para>

792

This is implemented by GnuTLS before version 3.6.0 and is,

793

if present, used by this server so that OpenPGP keys can be

794

used.

625

<citation>RFC 5081: <citetitle>Using OpenPGP Keys for

626

Transport Layer Security</citetitle></citation>

627

</term>

628

629

<para>

630

This is implemented by GnuTLS and used by this server so

631

that OpenPGP keys can be used.

795

632

</para>

796

633

</listitem>

797

634

</varlistentry>

798

635

</variablelist>

799

636

</refsect1>

800

637

</refentry>

801

802

803

804

805

Older »