/mandos/trunk : revision 1127

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to intro.xml

Committer: Teddy Hogeborn
Date: 2019-07-27 10:11:45 UTC
Revision ID: teddy@recompile.se-20190727101145-jnpbpf8220gldbcd

Add dracut(8) support

Add support for the dracut(8) system for generating initramfs image
files; dracut is an alternative to the "initramfs-tools" package.

* .bzrignore (dracut-module/password-agent): Ignore new binary file.
* dracut-module: New directory for the dracut module.
* INSTALL (Prerequisites/Libraries/Mandos Client): Add dracut as an
                                                   alternative to
                                                   initramfs-tools,
                                                   and also add GLib.
* Makefile (DRACUTMODULE, GLIB_CFLAGS, GLIB_LIBS): New.
  (CPROGS): Add "dracut-module/password-agent".
  (DOCS): Add "dracut-module/password-agent.8mandos".
  (dracut-module/password-agent.8mandos): New.
  (dracut-module/password-agent.8mandos.xhtml): - '' -
  (dracut-module/password-agent): - '' -
  (check): Add command to run tests of password-agent(8mandos).
  (install-client-nokey): Also install the dracut module directory,
                          its files, and the password-agent(8mandos)
                          manual page.
  (install-client): To update the initramfs image file, run
                    update-initramfs or dracut depending on what is
                    installed.
  (uninstall-client): - '' - and also uninstall the the files in the
                      dracut module directory, that directory itself,
                      and the password-agent(8mandos) manual page.
* debian/control (Build-Depends): Add "libglib2.0-dev (>=2.40)".
  (Package: mandos-client/Depends): Add "dracut (>= 044+241-3)" as an
                                    alternative dependency to
                                    initramfs-tools.
  (Package: mandos-client/Conflicts): New; set to
                                      "dracut-config-generic".
  (debian/mandos-client.README.Debian): Document alternative commands
                                        to update the initramfs image
                                        for when dracut is used.
* debian/mandos-client.postinst (update_initramfs): Use alternative
                                                    commands to update
                                                    the initramfs
                                                    image for when
                                                    dracut is used.
* debian/tests/control (password-agent, password-agent-suid): Add two
                                                              new tests.
* dracut-module/ask-password-mandos.path: New.
* dracut-module/ask-password-mandos.service: - '' -
* dracut-module/cmdline-mandos.sh: - '' -
* dracut-module/module-setup.sh: - '' -
* dracut-module/password-agent.c: - '' -
* dracut-module/password-agent.xml: - '' -
* initramfs-unpack: Use the dracut "skipcpio" command, if available.
                    Also be more flexible and try hard to detect where
                    compressed data starts.
* plugins.d/mandos-client.xml (SECURITY): Be more precise that the
                                          mandos-client binary might
                                          not always be setuid, but
                                          that the program assumes
                                          that it has been started
                                          that way.
* plugins.d/password-prompt.c: Add new "--prompt" option.
  (conflict_detection): First try to detect the new PID file of
                        plymouth.
  (main): Define and use new "prompt" variable.
* plugins.d/password-prompt.xml (SYNOPSIS): Show new --prompt option.
  (DESCRIPTION): Describe new behavior of looking for plymouth PID
                 file.
  (OPTIONS): Document new "--prompt" option.
  (ENVIRONMENT): Clarify that the CRYPTTAB_SOURCE and CRYPTTAB_NAME
                 environment variables are not used if the --prompt
                 option is used.  Remove unnecessarily specific
                 details about where the CRYPTTAB_SOURCE and
                 CRYPTTAB_NAME comes from, since this can now be
                 either initramfs-tools or dracut.
  (SEE ALSO): Remove superfluous crypttab(5) reference, and add commas
              to separate the other references.
* plugins.d/plymouth.c: Add new "--prompt" and "--debug" options.
  (debug): New global flag.
  (fprintf_plus): New function, used for debug output.
  (exec_and_wait): Add extra "const" to "argv" argument.
  (main): Define and use new "prompt" variable.  Add debug output.
  (main/options, main/parse_opt): New; used to parse options.
* plugins.d/plymouth.xml (SYNOPSIS): Show new options.
  (OPTIONS): Document new options.
  (ENVIRONMENT): Clarify that the cryptsource and crypttarget
                 environment variables are not used if the --prompt
                 option is used.  Remove unnecessarily specific
                 details about where the cryptsource and crypttarget
                 comes from, since this can now be either
                 initramfs-tools or dracut.
  (EXAMPLE): Add an example using an option.
  (SEE ALSO): Remove superfluous crypttab(5) reference.
* plugins.d/splashy.xml (ENVIRONMENT): Clarify that the cryptsource
                                       and crypttarget environment
                                       variables are not used if the
                                       --prompt option is used.
                                       Remove unnecessarily specific
                                       details about where the
                                       cryptsource and crypttarget
                                       comes from, since this can now
                                       be either initramfs-tools or
                                       dracut.
  (SEE ALSO): Remove superfluous crypttab(5) reference.
* plugins.d/usplash.xml (ENVIRONMENT): Clarify that the cryptsource
                                       and crypttarget environment
                                       variables are not used if the
                                       --prompt option is used.
                                       Remove unnecessarily specific
                                       details about where the
                                       cryptsource and crypttarget
                                       comes from, since this can now
                                       be either initramfs-tools or
                                       dracut.
  (SEE ALSO): Remove superfluous crypttab(5) reference.

files added:
bugs.xml

debian/mandos-client.examples

debian/mandos-client.templates

debian/mandos.templates

debian/tests

debian/tests/control

debian/upstream

debian/upstream/signing-key.asc

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

mandos-to-cryptroot-unlock

mandos.service

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

intro.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY TIMESTAMP "2012-01-01">

<!ENTITY TIMESTAMP "2019-04-10">

<!ENTITY % common SYSTEM "common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

The computers run a small client program in the initial RAM disk

environment which will communicate with a server over a network.

All network communication is encrypted using TLS. The clients

are identified by the server using an OpenPGP key; each client

are identified by the server using a TLS public key; each client

has one unique to it. The server sends the clients an encrypted

password. The encrypted password is decrypted by the clients

using the same OpenPGP key, and the password is then used to

using a separate OpenPGP key, and the password is then used to

unlock the root file system, whereupon the computers can

continue booting normally.

</para>

<title>INTRODUCTION</title>

<para>

<!-- This paragraph is a combination and paraphrase of two

quotes from the 1995 movie “The Usual Suspects”. -->

You know how it is. You’ve heard of it happening. The Man

comes and takes away your servers, your friends’ servers, the

servers of everybody in the same hosting facility. The servers

122

131

</para>

123

132

<para>

124

133

So, at boot time, the Mandos client will ask for its encrypted

125

data over the network, decrypt it to get the password, use it to

126

decrypt the root file, and continue booting.

134

data over the network, decrypt the data to get the password, use

135

the password to decrypt the root file system, and the client can

136

then continue booting.

127

137

</para>

128

138

<para>

129

139

Now, of course the initial RAM disk image is not on the

135

145

long, and will no longer give out the encrypted key. The timing

136

146

here is the only real weak point, and the method, frequency and

137

147

timeout of the server’s checking can be adjusted to any desired

138

level of paranoia

148

level of paranoia.

139

149

</para>

140

150

<para>

141

151

(The encrypted keys on the Mandos server is on its normal file

192

202

<para>

193

203

No. The server only gives out the passwords to clients which

194

204

have <emphasis>in the TLS handshake</emphasis> proven that

195

they do indeed hold the OpenPGP private key corresponding to

196

that client.

205

they do indeed hold the private key corresponding to that

206

client.

207

</para>

208

</refsect2>

209

210

211

<title>How about sniffing the network traffic and decrypting it

212

later by physically grabbing the Mandos client and using its

213

key?</title>

214

<para>

215

We only use <acronym>PFS</acronym> (Perfect Forward Security)

216

key exchange algorithms in TLS, which protects against this.

197

217

</para>

198

218

</refsect2>

199

219

215

235

</para>

216

236

</refsect2>

217

237

218

219

<title>Faking ping replies?</title>

238

239

<title>Faking checker results?</title>

220

240

<para>

221

The default for the server is to use

241

If the Mandos client does not have an SSH server, the default

242

is for the Mandos server to use

222

243

<quote><literal>fping</literal></quote>, the replies to which

223

244

could be faked to eliminate the timeout. But this could

224

245

easily be changed to any shell command, with any security

225

measures you like. It could, for instance, be changed to an

226

SSH command with strict keychecking, which could not be faked.

227

Or IPsec could be used for the ping packets, making them

228

secure.

246

measures you like. If the Mandos client

247

<emphasis>has</emphasis> an SSH server, the default

248

configuration (as generated by

249

<command>mandos-keygen</command> with the

250

<option>--password</option> option) is for the Mandos server

251

to use an <command>ssh-keyscan</command> command with strict

252

keychecking, which can not be faked. Alternatively, IPsec

253

could be used for the ping packets, making them secure.

229

254

</para>

230

255

</refsect2>

231

256

</refsect1>

360

385

</para>

361

386

</refsect1>

362

387

388

389

390

<xi:include href="bugs.xml"/>

391

</refsect1>

392

363

393

364

394

365

395

<para>

393

423

394

424

395

425

<term>

396

<ulink url="http://www.recompile.se/mandos">Mandos</ulink>

426

<ulink url="https://www.recompile.se/mandos">Mandos</ulink>

397

427

</term>

398

428

399

429

<para>

Older »