To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/password-request.xml
- browse files at revision 148
- compare with another revision
- download diff
- download tarball
- view history from revision 148
- Committer: Teddy Hogeborn
- Date: 2008-09-03 17:34:29 UTC
- Revision ID: teddy@fukt.bsnet.se-20080903173429-db2mjtddf7mgbx8z
* plugins.d/password-request.xml (OVERVIEW): Refer to
password-prompt(8) by
name.
(SECURITY): Improved wording. Add paragraph about insecurity of
ping.
(SEE ALSO): Add references to cryptsetup(8) and crypttab(5).
Changed to be a <variablelist> and added text.
password-prompt(8) by
name.
(SECURITY): Improved wording. Add paragraph about insecurity of
ping.
(SEE ALSO): Add references to cryptsetup(8) and crypttab(5).
Changed to be a <variablelist> and added text.
- files modified:
- TODO
added
removed
plugins.d/password-request.xml
336
336
<filename>/etc/crypttab</filename>, but it would then be
337
337
impossible to enter a password for the encrypted root disk at
338
338
the console, since this program does not read from the console
339
at all. This is why a separate plugin does that, which will be
340
run in parallell to this one by the plugin runner.
339
at all. This is why a separate plugin (<citerefentry>
340
<refentrytitle>password-prompt</refentrytitle>
341
<manvolnum>8mandos</manvolnum></citerefentry>) does that, which
342
will be run in parallell to this one by the plugin runner.
341
343
</para>
342
344
</refsect1>
343
345
446
448
<title>SECURITY</title>
447
449
<para>
448
450
This program is set-uid to root, but will switch back to the
449
original user and group after bringing up the network interface.
451
original (and presumably non-privileged) user and group after
452
bringing up the network interface.
450
453
</para>
451
454
<para>
452
455
To use this program for its intended purpose (see <xref
474
477
>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
475
478
</para>
476
479
<para>
477
<emphasis>Note</emphasis>: This makes it impossible to have
478
<application >Mandos</application> clients which dual-boot to
479
another operating system which does <emphasis>not</emphasis> run
480
a <application>Mandos</application> client.
480
It will also help if the checker program on the server is
481
configured to request something from the client which can not be
482
spoofed by someone else on the network, unlike unencrypted
483
<acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.
484
</para>
485
<para>
486
<emphasis>Note</emphasis>: This makes it completely insecure to
487
have <application >Mandos</application> clients which dual-boot
488
to another operating system which is <emphasis>not</emphasis>
489
trusted to keep the initial <acronym>RAM</acronym> disk image
490
confidential.
481
491
</para>
482
492
</refsect1>
483
493
484
494
<refsect1 id="see_also">
485
495
<title>SEE ALSO</title>
486
496
<para>
497
<citerefentry><refentrytitle>cryptsetup</refentrytitle>
498
<manvolnum>8</manvolnum></citerefentry>,
499
<citerefentry><refentrytitle>crypttab</refentrytitle>
500
<manvolnum>5</manvolnum></citerefentry>,
487
501
<citerefentry><refentrytitle>mandos</refentrytitle>
488
502
<manvolnum>8</manvolnum></citerefentry>,
489
503
<citerefentry><refentrytitle>password-prompt</refentrytitle>
491
505
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
492
506
<manvolnum>8mandos</manvolnum></citerefentry>
493
507
</para>
494
<itemizedlist>
495
<listitem><para>
496
<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>
497
</para></listitem>
498
499
<listitem><para>
500
<ulink url="http://www.avahi.org/">Avahi</ulink>
501
</para></listitem>
502
503
<listitem><para>
504
<ulink
505
url="http://www.gnu.org/software/gnutls/">GnuTLS</ulink>
506
</para></listitem>
507
508
<listitem><para>
509
<ulink
510
url="http://www.gnupg.org/related_software/gpgme/"
511
>GPGME</ulink>
512
</para></listitem>
513
514
<listitem><para>
515
<citation>RFC 4880: <citetitle>OpenPGP Message
516
Format</citetitle></citation>
517
</para></listitem>
518
519
<listitem><para>
520
<citation>RFC 5081: <citetitle>Using OpenPGP Keys for
521
Transport Layer Security</citetitle></citation>
522
</para></listitem>
523
524
<listitem><para>
525
<citation>RFC 4291: <citetitle>IP Version 6 Addressing
526
Architecture</citetitle>, section 2.5.6, Link-Local IPv6
527
Unicast Addresses</citation>
528
</para></listitem>
529
</itemizedlist>
508
<variablelist>
509
<varlistentry>
510
<term>
511
<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>
512
</term>
513
<listitem>
514
<para>
515
Zeroconf is the network protocol standard used for finding
516
Mandos servers on the local network.
517
</para>
518
</listitem>
519
</varlistentry>
520
<varlistentry>
521
<term>
522
<ulink url="http://www.avahi.org/">Avahi</ulink>
523
</term>
524
<listitem>
525
<para>
526
Avahi is the library this program calls to find Zeroconf
527
services.
528
</para>
529
</listitem>
530
</varlistentry>
531
<varlistentry>
532
<term>
533
<ulink url="http://www.gnu.org/software/gnutls/"
534
>GnuTLS</ulink>
535
</term>
536
<listitem>
537
<para>
538
GnuTLS is the library this client uses to implement TLS for
539
communicating securely with the server, and at the same time
540
send the public OpenPGP key to the server.
541
</para>
542
</listitem>
543
</varlistentry>
544
<varlistentry>
545
<term>
546
<ulink url="http://www.gnupg.org/related_software/gpgme/"
547
>GPGME</ulink>
548
</term>
549
<listitem>
550
<para>
551
GPGME is the library used to decrypt the OpenPGP data sent
552
by the server.
553
</para>
554
</listitem>
555
</varlistentry>
556
<varlistentry>
557
<term>
558
RFC 4291: <citetitle>IP Version 6 Addressing
559
Architecture</citetitle>
560
</term>
561
<listitem>
562
<variablelist>
563
<varlistentry>
564
<term>Section 2.2: <citetitle>Text Representation of
565
Addresses</citetitle></term>
566
<listitem><para/></listitem>
567
</varlistentry>
568
<varlistentry>
569
<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6
570
Address</citetitle></term>
571
<listitem><para/></listitem>
572
</varlistentry>
573
<varlistentry>
574
<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast
575
Addresses</citetitle></term>
576
<listitem>
577
<para>
578
This client uses IPv6 link-local addresses, which are
579
immediately usable since a link-local addresses is
580
automatically assigned to a network interfaces when it
581
is brought up.
582
</para>
583
</listitem>
584
</varlistentry>
585
</variablelist>
586
</listitem>
587
</varlistentry>
588
<varlistentry>
589
<term>
590
RFC 4346: <citetitle>The Transport Layer Security (TLS)
591
Protocol Version 1.1</citetitle>
592
</term>
593
<listitem>
594
<para>
595
TLS 1.1 is the protocol implemented by GnuTLS.
596
</para>
597
</listitem>
598
</varlistentry>
599
<varlistentry>
600
<term>
601
RFC 4880: <citetitle>OpenPGP Message Format</citetitle>
602
</term>
603
<listitem>
604
<para>
605
The data received from the server is binary encrypted
606
OpenPGP data.
607
</para>
608
</listitem>
609
</varlistentry>
610
<varlistentry>
611
<term>
612
RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer
613
Security</citetitle>
614
</term>
615
<listitem>
616
<para>
617
This is implemented by GnuTLS and used by this program so
618
that OpenPGP keys can be used.
619
</para>
620
</listitem>
621
</varlistentry>
622
</variablelist>
530
623
</refsect1>
531
624
532
625
</refentry>
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0