/mandos/trunk : revision 738.1.1

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to intro.xml

Committer: Teddy Hogeborn
Date: 2015-06-28 16:35:27 UTC
mto: This revision was merged to the branch mainline in revision 759.
Revision ID: teddy@recompile.se-20150628163527-cky0ec59zew7teua

Add a plugin helper directory, available to all plugins.

* Makefile (PLUGIN_HELPERS): New; list of plugin helpers.
  (CPROGS): Appended "$(PLUGIN_HELPERS)".
* initramfs-tools-hook: Create new plugin helper directory, and copy
                        plugin helpers provided by the system and/or
                        by the local administrator.
  (PLUGINHELPERDIR): New.
* plugin-runner.c: Take new --plugin-helper-dir option and provide
                   environment variable to all plugins.
  (PHDIR): New; set to "/lib/mandos/plugin-helpers".
  (main/pluginhelperdir): New.
  (main/options): New option "--plugin-helper-dir".
  (main/parse_opt, main/parse_opt_config_file): Accept new option.
  (main): Use new option to set MANDOSPLUGINHELPERDIR environment
          variable as if using --global-env MANDOSPLUGINHELPERDIR=...
* plugin-runner.xml: Document new --plugin-helper-dir option.
  (SYNOPSIS, OPTIONS): Add "--plugin-helper-dir" option.
  (PLUGINS/WRITING PLUGINS): Document new environment variable
                             available to plugins.
  (ENVIRONMENT): Document new environment variable
                 "MANDOSPLUGINHELPERDIR" affected by the new
                 --plugin-helper-dir option.

files added:
initramfs-tools-hook-conf

files removed:
bugs.xml

debian/mandos-client.templates

debian/mandos.templates

initramfs-tools-conf

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

plugin-helpers/mandos-client-iprouteadddel.c

tmpfiles.d-mandos.conf

files modified:
DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

intro.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY TIMESTAMP "2019-02-10">

<!ENTITY TIMESTAMP "2014-06-22">

<!ENTITY % common SYSTEM "common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

The computers run a small client program in the initial RAM disk

environment which will communicate with a server over a network.

All network communication is encrypted using TLS. The clients

are identified by the server using a TLS public key; each client

are identified by the server using an OpenPGP key; each client

has one unique to it. The server sends the clients an encrypted

password. The encrypted password is decrypted by the clients

using a separate OpenPGP key, and the password is then used to

using the same OpenPGP key, and the password is then used to

unlock the root file system, whereupon the computers can

continue booting normally.

</para>

<title>INTRODUCTION</title>

<para>

<!-- This paragraph is a combination and paraphrase of two

quotes from the 1995 movie “The Usual Suspects”. -->

You know how it is. You’ve heard of it happening. The Man

comes and takes away your servers, your friends’ servers, the

servers of everybody in the same hosting facility. The servers

201

192

<para>

202

193

No. The server only gives out the passwords to clients which

203

194

have <emphasis>in the TLS handshake</emphasis> proven that

204

they do indeed hold the private key corresponding to that

205

client.

206

</para>

207

</refsect2>

208

209

210

<title>How about sniffing the network traffic and decrypting it

211

later by physically grabbing the Mandos client and using its

212

key?</title>

213

<para>

214

We only use <acronym>PFS</acronym> (Perfect Forward Security)

215

key exchange algorithms in TLS, which protects against this.

195

they do indeed hold the OpenPGP private key corresponding to

196

that client.

216

197

</para>

217

198

</refsect2>

218

199

384

365

</para>

385

366

</refsect1>

386

367

387

388

389

<xi:include href="bugs.xml"/>

390

</refsect1>

391

392

368

393

369

394

370

<para>

422

398

423

399

424

400

<term>

425

<ulink url="https://www.recompile.se/mandos">Mandos</ulink>

401

<ulink url="http://www.recompile.se/mandos">Mandos</ulink>

426

402

</term>

427

403

428

404

<para>

Older »