/mandos/trunk : revision 1274

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: Teddy Hogeborn
Date: 2023-02-11 06:58:15 UTC
Revision ID: teddy@recompile.se-20230211065815-jtffi61tbdrgr875

Suppress warnings

Suppress warnings about mlock()ing uninitialized memory and reading an
ievent struct.

* dracut-module/password-agent.c (send_password_to_socket): Suppress
  "-Wmaybe-uninitialized" when mlock()ing password send buffer.
  (test_read_inotify_event_IN_DELETE_badname): When reading from
    a struct ievent, suppress "-Wstringop-overread".

files added:
bugs.xml

debian/mandos-client.templates

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/es.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream

debian/upstream/metadata

debian/upstream/signing-key.asc

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

mandos-to-cryptroot-unlock

mandos.service

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2012-06-17">

<!ENTITY TIMESTAMP "2019-07-24">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

</group>

<sbr/>

<group>

100

<arg choice="plain"><option>--tls-privkey

101

102

<arg choice="plain"><option>-t

103

104

</group>

105

<sbr/>

106

<group>

107

<arg choice="plain"><option>--tls-pubkey

108

109

<arg choice="plain"><option>-T

110

111

</group>

112

<sbr/>

113

<arg>

114

<option>--priority <replaceable>STRING</replaceable></option>

115

</arg>

119

</arg>

120

<sbr/>

121

<arg>

122

<option>--dh-params <replaceable>FILE</replaceable></option>

123

</arg>

124

<sbr/>

125

<arg>

126

<option>--delay <replaceable>SECONDS</replaceable></option>

100

127

</arg>

101

128

<sbr/>

142

169

brings up network interfaces, uses the interfaces’ IPv6

143

170

link-local addresses to get network connectivity, uses Zeroconf

144

171

to find servers on the local network, and communicates with

145

servers using TLS with an OpenPGP key to ensure authenticity and

146

confidentiality. This client program keeps running, trying all

147

servers on the network, until it receives a satisfactory reply

148

or a TERM signal. After all servers have been tried, all

172

servers using TLS with a raw public key to ensure authenticity

173

and confidentiality. This client program keeps running, trying

174

all servers on the network, until it receives a satisfactory

175

reply or a TERM signal. After all servers have been tried, all

149

176

servers are periodically retried. If no servers are found it

150

177

will wait indefinitely for new servers to appear.

151

178

</para>

218

245

assumed to separate the address from the port number.

219

246

</para>

220

247

<para>

221

This option is normally only useful for testing and

222

debugging.

248

Normally, Zeroconf would be used to locate Mandos servers,

249

in which case this option would only be used when testing

250

and debugging.

223

251

</para>

224

252

</listitem>

225

253

</varlistentry>

258

286

<para>

259

287

<replaceable>NAME</replaceable> can be the string

260

288

<quote><literal>none</literal></quote>; this will make

261

<command>&COMMANDNAME;</command> not bring up

262

<emphasis>any</emphasis> interfaces specified

263

<emphasis>after</emphasis> this string. This is not

264

recommended, and only meant for advanced users.

289

<command>&COMMANDNAME;</command> only bring up interfaces

290

specified <emphasis>before</emphasis> this string. This

291

is not recommended, and only meant for advanced users.

265

292

</para>

266

293

</listitem>

267

294

</varlistentry>

295

322

</varlistentry>

296

323

297

324

325

<term><option>--tls-pubkey=<replaceable

326

>FILE</replaceable></option></term>

327

<term><option>-T

328

329

330

<para>

331

TLS raw public key file name. The default name is

332

<quote><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

333

></quote>.

334

</para>

335

</listitem>

336

</varlistentry>

337

338

339

<term><option>--tls-privkey=<replaceable

340

>FILE</replaceable></option></term>

341

<term><option>-t

342

343

344

<para>

345

TLS secret key file name. The default name is

346

<quote><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

347

></quote>.

348

</para>

349

</listitem>

350

</varlistentry>

351

352

298

353

<term><option>--priority=<replaceable

299

354

>STRING</replaceable></option></term>

300

355

309

364

310

365

<para>

311

366

Sets the number of bits to use for the prime number in the

312

TLS Diffie-Hellman key exchange. Default is 1024.

367

TLS Diffie-Hellman key exchange. The default value is

368

selected automatically based on the GnuTLS security

369

profile set in its priority string. Note that if the

370

<option>--dh-params</option> option is used, the values

371

from that file will be used instead.

372

</para>

373

</listitem>

374

</varlistentry>

375

376

377

<term><option>--dh-params=<replaceable

378

>FILE</replaceable></option></term>

379

380

<para>

381

Specifies a PEM-encoded PKCS#3 file to read the parameters

382

needed by the TLS Diffie-Hellman key exchange from. If

383

this option is not given, or if the file for some reason

384

could not be used, the parameters will be generated on

385

startup, which will take some time and processing power.

386

Those using servers running under time, power or processor

387

constraints may want to generate such a file in advance

388

and use this option.

313

389

</para>

314

390

</listitem>

315

391

</varlistentry>

442

518

443

519

444

520

<title>ENVIRONMENT</title>

521

522

523

<term><envar>MANDOSPLUGINHELPERDIR</envar></term>

524

525

<para>

526

This environment variable will be assumed to contain the

527

directory containing any helper executables. The use and

528

nature of these helper executables, if any, is purposely

529

not documented.

530

</para>

531

</listitem>

532

</varlistentry>

533

</variablelist>

445

534

<para>

446

This program does not use any environment variables, not even

447

the ones provided by <citerefentry><refentrytitle

535

This program does not use any other environment variables, not

536

even the ones provided by <citerefentry><refentrytitle

448

537

>cryptsetup</refentrytitle><manvolnum>8</manvolnum>

449

538

</citerefentry>.

450

539

</para>

512

601

It is not necessary to print any non-executable files

513

602

already in the network hook directory, these will be

514

603

copied implicitly if they otherwise satisfy the name

515

requirement.

604

requirements.

516

605

</para>

517

606

</listitem>

518

607

</varlistentry>

637

726

</listitem>

638

727

</varlistentry>

639

728

729

<term><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

730

></term>

731

<term><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

732

></term>

733

734

<para>

735

Public and private raw key files, in <quote>PEM</quote>

736

format. These are the default file names, they can be

737

changed with the <option>--tls-pubkey</option> and

738

<option>--tls-privkey</option> options.

739

</para>

740

</listitem>

741

</varlistentry>

742

640

743

<term><filename

641

744

class="directory">/lib/mandos/network-hooks.d</filename></term>

642

745

650

753

</variablelist>

651

754

</refsect1>

652

755

653

654

655

656

657

756

757

758

<xi:include href="../bugs.xml"/>

759

</refsect1>

658

760

659

761

660

762

<title>EXAMPLE</title>

666

768

</para>

667

769

668

770

<para>

669

Normal invocation needs no options, if the network interface

771

Normal invocation needs no options, if the network interfaces

670

772

can be automatically determined:

671

773

</para>

672

774

<para>

675

777

</informalexample>

676

778

677

779

<para>

678

Search for Mandos servers (and connect to them) using another

679

interface:

780

Search for Mandos servers (and connect to them) using one

781

specific interface:

680

782

</para>

681

783

<para>

682

784

685

787

</informalexample>

686

788

687

789

<para>

688

Run in debug mode, and use a custom key:

790

Run in debug mode, and use custom keys:

689

791

</para>

690

792

<para>

691

793

692

794

693

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

795

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem</userinput>

694

796

695

797

</para>

696

798

</informalexample>

697

799

698

800

<para>

699

Run in debug mode, with a custom key, and do not use Zeroconf

801

Run in debug mode, with custom keys, and do not use Zeroconf

700

802

to locate a server; connect directly to the IPv6 link-local

701

803

address <quote><systemitem class="ipaddress"

702

804

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

705

807

<para>

706

808

707

809

708

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

810

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

709

811

710

812

</para>

711

813

</informalexample>

714

816

715

817

<title>SECURITY</title>

716

818

<para>

717

This program is set-uid to root, but will switch back to the

718

original (and presumably non-privileged) user and group after

719

bringing up the network interface.

819

This program assumes that it is set-uid to root, and will switch

820

back to the original (and presumably non-privileged) user and

821

group after bringing up the network interface.

720

822

</para>

721

823

<para>

722

824

To use this program for its intended purpose (see <xref

735

837

<para>

736

838

The only remaining weak point is that someone with physical

737

839

access to the client hard drive might turn off the client

738

computer, read the OpenPGP keys directly from the hard drive,

739

and communicate with the server. To safeguard against this, the

740

server is supposed to notice the client disappearing and stop

741

giving out the encrypted data. Therefore, it is important to

742

set the timeout and checker interval values tightly on the

743

server. See <citerefentry><refentrytitle

840

computer, read the OpenPGP and TLS keys directly from the hard

841

drive, and communicate with the server. To safeguard against

842

this, the server is supposed to notice the client disappearing

843

and stop giving out the encrypted data. Therefore, it is

844

important to set the timeout and checker interval values tightly

845

on the server. See <citerefentry><refentrytitle

744

846

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

745

847

</para>

746

848

<para>

747

849

It will also help if the checker program on the server is

748

850

configured to request something from the client which can not be

749

spoofed by someone else on the network, unlike unencrypted

750

<acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.

851

spoofed by someone else on the network, like SSH server key

852

fingerprints, and unlike unencrypted <acronym>ICMP</acronym>

853

echo (<quote>ping</quote>) replies.

751

854

</para>

752

855

<para>

753

856

<emphasis>Note</emphasis>: This makes it completely insecure to

788

891

</varlistentry>

789

892

790

893

<term>

791

<ulink url="http://www.avahi.org/">Avahi</ulink>

894

<ulink url="https://www.avahi.org/">Avahi</ulink>

792

895

</term>

793

896

794

897

<para>

799

902

</varlistentry>

800

903

801

904

<term>

802

<ulink url="http://www.gnu.org/software/gnutls/"

803

>GnuTLS</ulink>

905

<ulink url="https://www.gnutls.org/">GnuTLS</ulink>

804

906

</term>

805

907

806

908

<para>

807

909

GnuTLS is the library this client uses to implement TLS for

808

910

communicating securely with the server, and at the same time

809

send the public OpenPGP key to the server.

911

send the public key to the server.

810

912

</para>

811

913

</listitem>

812

914

</varlistentry>

813

915

814

916

<term>

815

<ulink url="http://www.gnupg.org/related_software/gpgme/"

917

<ulink url="https://www.gnupg.org/related_software/gpgme/"

816

918

>GPGME</ulink>

817

919

</term>

818

920

846

948

<para>

847

949

This client uses IPv6 link-local addresses, which are

848

950

immediately usable since a link-local addresses is

849

automatically assigned to a network interfaces when it

951

automatically assigned to a network interface when it

850

952

is brought up.

851

953

</para>

852

954

</listitem>

856

958

</varlistentry>

857

959

858

960

<term>

859

RFC 4346: <citetitle>The Transport Layer Security (TLS)

860

Protocol Version 1.1</citetitle>

961

RFC 5246: <citetitle>The Transport Layer Security (TLS)

962

Protocol Version 1.2</citetitle>

861

963

</term>

862

964

863

965

<para>

864

TLS 1.1 is the protocol implemented by GnuTLS.

966

TLS 1.2 is the protocol implemented by GnuTLS.

865

967

</para>

866

968

</listitem>

867

969

</varlistentry>

878

980

</varlistentry>

879

981

880

982

<term>

881

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

983

RFC 7250: <citetitle>Using Raw Public Keys in Transport

984

Layer Security (TLS) and Datagram Transport Layer Security

985

(DTLS)</citetitle>

986

</term>

987

988

<para>

989

This is implemented by GnuTLS in version 3.6.6 and is, if

990

present, used by this program so that raw public keys can be

991

used.

992

</para>

993

</listitem>

994

</varlistentry>

995

996

<term>

997

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

882

998

Security</citetitle>

883

999

</term>

884

1000

885

1001

<para>

886

This is implemented by GnuTLS and used by this program so

887

that OpenPGP keys can be used.

1002

This is implemented by GnuTLS before version 3.6.0 and is,

1003

if present, used by this program so that OpenPGP keys can be

1004

used.

888

1005

</para>

889

1006

</listitem>

890

1007

</varlistentry>

Older »