/mandos/trunk : revision 1274

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: Teddy Hogeborn
Date: 2023-02-11 06:58:15 UTC
Revision ID: teddy@recompile.se-20230211065815-jtffi61tbdrgr875

Suppress warnings

Suppress warnings about mlock()ing uninitialized memory and reading an
ievent struct.

* dracut-module/password-agent.c (send_password_to_socket): Suppress
  "-Wmaybe-uninitialized" when mlock()ing password send buffer.
  (test_read_inotify_event_IN_DELETE_badname): When reading from
    a struct ievent, suppress "-Wstringop-overread".

files added:
bugs.xml

debian/mandos-client.templates

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/es.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream/metadata

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2015-07-06">

<!ENTITY TIMESTAMP "2019-07-24">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

</group>

<sbr/>

<group>

100

<arg choice="plain"><option>--tls-privkey

101

102

<arg choice="plain"><option>-t

103

104

</group>

105

<sbr/>

106

<group>

107

<arg choice="plain"><option>--tls-pubkey

108

109

<arg choice="plain"><option>-T

110

111

</group>

112

<sbr/>

113

<arg>

114

<option>--priority <replaceable>STRING</replaceable></option>

115

</arg>

119

</arg>

100

120

<sbr/>

101

121

<arg>

122

<option>--dh-params <replaceable>FILE</replaceable></option>

123

</arg>

124

<sbr/>

125

<arg>

102

126

<option>--delay <replaceable>SECONDS</replaceable></option>

103

127

</arg>

104

128

<sbr/>

145

169

brings up network interfaces, uses the interfaces’ IPv6

146

170

link-local addresses to get network connectivity, uses Zeroconf

147

171

to find servers on the local network, and communicates with

148

servers using TLS with an OpenPGP key to ensure authenticity and

149

confidentiality. This client program keeps running, trying all

150

servers on the network, until it receives a satisfactory reply

151

or a TERM signal. After all servers have been tried, all

172

servers using TLS with a raw public key to ensure authenticity

173

and confidentiality. This client program keeps running, trying

174

all servers on the network, until it receives a satisfactory

175

reply or a TERM signal. After all servers have been tried, all

152

176

servers are periodically retried. If no servers are found it

153

177

will wait indefinitely for new servers to appear.

154

178

</para>

298

322

</varlistentry>

299

323

300

324

325

<term><option>--tls-pubkey=<replaceable

326

>FILE</replaceable></option></term>

327

<term><option>-T

328

329

330

<para>

331

TLS raw public key file name. The default name is

332

<quote><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

333

></quote>.

334

</para>

335

</listitem>

336

</varlistentry>

337

338

339

<term><option>--tls-privkey=<replaceable

340

>FILE</replaceable></option></term>

341

<term><option>-t

342

343

344

<para>

345

TLS secret key file name. The default name is

346

<quote><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

347

></quote>.

348

</para>

349

</listitem>

350

</varlistentry>

351

352

301

353

<term><option>--priority=<replaceable

302

354

>STRING</replaceable></option></term>

303

355

313

365

<para>

314

366

Sets the number of bits to use for the prime number in the

315

367

TLS Diffie-Hellman key exchange. The default value is

316

selected automatically based on the OpenPGP key.

368

selected automatically based on the GnuTLS security

369

profile set in its priority string. Note that if the

370

<option>--dh-params</option> option is used, the values

371

from that file will be used instead.

372

</para>

373

</listitem>

374

</varlistentry>

375

376

377

<term><option>--dh-params=<replaceable

378

>FILE</replaceable></option></term>

379

380

<para>

381

Specifies a PEM-encoded PKCS#3 file to read the parameters

382

needed by the TLS Diffie-Hellman key exchange from. If

383

this option is not given, or if the file for some reason

384

could not be used, the parameters will be generated on

385

startup, which will take some time and processing power.

386

Those using servers running under time, power or processor

387

constraints may want to generate such a file in advance

388

and use this option.

317

389

</para>

318

390

</listitem>

319

391

</varlistentry>

453

525

<para>

454

526

This environment variable will be assumed to contain the

455

527

directory containing any helper executables. The use and

456

nature of these helper executables, if any, is

457

purposefully not documented.

528

nature of these helper executables, if any, is purposely

529

not documented.

458

530

</para>

459

531

</listitem>

460

532

</varlistentry>

654

726

</listitem>

655

727

</varlistentry>

656

728

729

<term><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

730

></term>

731

<term><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

732

></term>

733

734

<para>

735

Public and private raw key files, in <quote>PEM</quote>

736

format. These are the default file names, they can be

737

changed with the <option>--tls-pubkey</option> and

738

<option>--tls-privkey</option> options.

739

</para>

740

</listitem>

741

</varlistentry>

742

657

743

<term><filename

658

744

class="directory">/lib/mandos/network-hooks.d</filename></term>

659

745

667

753

</variablelist>

668

754

</refsect1>

669

755

670

671

672

673

674

756

757

758

<xi:include href="../bugs.xml"/>

759

</refsect1>

675

760

676

761

677

762

<title>EXAMPLE</title>

702

787

</informalexample>

703

788

704

789

<para>

705

Run in debug mode, and use a custom key:

790

Run in debug mode, and use custom keys:

706

791

</para>

707

792

<para>

708

793

709

794

710

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

795

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem</userinput>

711

796

712

797

</para>

713

798

</informalexample>

714

799

715

800

<para>

716

Run in debug mode, with a custom key, and do not use Zeroconf

801

Run in debug mode, with custom keys, and do not use Zeroconf

717

802

to locate a server; connect directly to the IPv6 link-local

718

803

address <quote><systemitem class="ipaddress"

719

804

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

722

807

<para>

723

808

724

809

725

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

810

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

726

811

727

812

</para>

728

813

</informalexample>

731

816

732

817

<title>SECURITY</title>

733

818

<para>

734

This program is set-uid to root, but will switch back to the

735

original (and presumably non-privileged) user and group after

736

bringing up the network interface.

819

This program assumes that it is set-uid to root, and will switch

820

back to the original (and presumably non-privileged) user and

821

group after bringing up the network interface.

737

822

</para>

738

823

<para>

739

824

To use this program for its intended purpose (see <xref

752

837

<para>

753

838

The only remaining weak point is that someone with physical

754

839

access to the client hard drive might turn off the client

755

computer, read the OpenPGP keys directly from the hard drive,

756

and communicate with the server. To safeguard against this, the

757

server is supposed to notice the client disappearing and stop

758

giving out the encrypted data. Therefore, it is important to

759

set the timeout and checker interval values tightly on the

760

server. See <citerefentry><refentrytitle

840

computer, read the OpenPGP and TLS keys directly from the hard

841

drive, and communicate with the server. To safeguard against

842

this, the server is supposed to notice the client disappearing

843

and stop giving out the encrypted data. Therefore, it is

844

important to set the timeout and checker interval values tightly

845

on the server. See <citerefentry><refentrytitle

761

846

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

762

847

</para>

763

848

<para>

806

891

</varlistentry>

807

892

808

893

<term>

809

<ulink url="http://www.avahi.org/">Avahi</ulink>

894

<ulink url="https://www.avahi.org/">Avahi</ulink>

810

895

</term>

811

896

812

897

<para>

817

902

</varlistentry>

818

903

819

904

<term>

820

<ulink url="http://www.gnu.org/software/gnutls/"

821

>GnuTLS</ulink>

905

<ulink url="https://www.gnutls.org/">GnuTLS</ulink>

822

906

</term>

823

907

824

908

<para>

825

909

GnuTLS is the library this client uses to implement TLS for

826

910

communicating securely with the server, and at the same time

827

send the public OpenPGP key to the server.

911

send the public key to the server.

828

912

</para>

829

913

</listitem>

830

914

</varlistentry>

831

915

832

916

<term>

833

<ulink url="http://www.gnupg.org/related_software/gpgme/"

917

<ulink url="https://www.gnupg.org/related_software/gpgme/"

834

918

>GPGME</ulink>

835

919

</term>

836

920

874

958

</varlistentry>

875

959

876

960

<term>

877

RFC 4346: <citetitle>The Transport Layer Security (TLS)

878

Protocol Version 1.1</citetitle>

961

RFC 5246: <citetitle>The Transport Layer Security (TLS)

962

Protocol Version 1.2</citetitle>

879

963

</term>

880

964

881

965

<para>

882

TLS 1.1 is the protocol implemented by GnuTLS.

966

TLS 1.2 is the protocol implemented by GnuTLS.

883

967

</para>

884

968

</listitem>

885

969

</varlistentry>

896

980

</varlistentry>

897

981

898

982

<term>

899

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

983

RFC 7250: <citetitle>Using Raw Public Keys in Transport

984

Layer Security (TLS) and Datagram Transport Layer Security

985

(DTLS)</citetitle>

986

</term>

987

988

<para>

989

This is implemented by GnuTLS in version 3.6.6 and is, if

990

present, used by this program so that raw public keys can be

991

used.

992

</para>

993

</listitem>

994

</varlistentry>

995

996

<term>

997

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

900

998

Security</citetitle>

901

999

</term>

902

1000

903

1001

<para>

904

This is implemented by GnuTLS and used by this program so

905

that OpenPGP keys can be used.

1002

This is implemented by GnuTLS before version 3.6.0 and is,

1003

if present, used by this program so that OpenPGP keys can be

1004

used.

906

1005

</para>

907

1006

</listitem>

908

1007

</varlistentry>

Older »