/mandos/trunk : revision 953

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: Teddy Hogeborn
Date: 2018-08-19 01:35:11 UTC
Revision ID: teddy@recompile.se-20180819013511-cku25q9yeub3dnr0

Adapt to changes in cryptsetup; use "cryptroot-unlock" program

* Makefile (install-client-nokey): Also install new script files
  "mandos-to-cryptroot-unlock" and "initramfs-tools-script-stop".
* debian/mandos-client.dirs: Add
  "usr/share/initramfs-tools/scripts/local-premount".
* initramfs-tools-hook: Also copy "mandos-to-cryptroot-unlock".
* initramfs-tools-script: Only modify keyscript setting in cryptroot
  file if the file exists, otherwise start
  "mandos-to-cryptroot-unlock" in background.
* initramfs-tools-script-stop: New script to make sure plugin-runner
  has stopped before continuing.
* mandos-to-cryptroot-unlock: New script to run plugin-runner and feed
  any password it gets into the "cryptroot-unlock" program.

files added:
initramfs-tools-hook-conf

files removed:
initramfs-tools-conf

files modified:
DBUS-API

INSTALL

Makefile

NEWS

TODO

clients.conf

common.ent

debian/changelog

debian/control

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.postinst

debian/mandos-client.postrm

initramfs-tools-hook

initramfs-tools-script-stop *

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-options.xml

mandos-to-cryptroot-unlock *

mandos.lsm

mandos.xml

overview.xml

plugin-runner.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2019-02-09">

<!ENTITY TIMESTAMP "2018-02-08">

<!ENTITY % common SYSTEM "../common.ent">

%common;

</group>

<sbr/>

<group>

<arg choice="plain"><option>--tls-privkey

100

101

<arg choice="plain"><option>-t

102

103

</group>

104

<sbr/>

105

<group>

106

<arg choice="plain"><option>--tls-pubkey

107

108

<arg choice="plain"><option>-T

109

110

</group>

111

<sbr/>

112

<arg>

113

<option>--priority <replaceable>STRING</replaceable></option>

114

100

</arg>

168

154

brings up network interfaces, uses the interfaces’ IPv6

169

155

link-local addresses to get network connectivity, uses Zeroconf

170

156

to find servers on the local network, and communicates with

171

servers using TLS with a raw public key to ensure authenticity

172

and confidentiality. This client program keeps running, trying

173

all servers on the network, until it receives a satisfactory

174

reply or a TERM signal. After all servers have been tried, all

157

servers using TLS with an OpenPGP key to ensure authenticity and

158

confidentiality. This client program keeps running, trying all

159

servers on the network, until it receives a satisfactory reply

160

or a TERM signal. After all servers have been tried, all

175

161

servers are periodically retried. If no servers are found it

176

162

will wait indefinitely for new servers to appear.

177

163

</para>

321

307

</varlistentry>

322

308

323

309

324

<term><option>--tls-pubkey=<replaceable

325

>FILE</replaceable></option></term>

326

<term><option>-T

327

328

329

<para>

330

TLS raw public key file name. The default name is

331

<quote><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

332

></quote>.

333

</para>

334

</listitem>

335

</varlistentry>

336

337

338

<term><option>--tls-privkey=<replaceable

339

>FILE</replaceable></option></term>

340

<term><option>-t

341

342

343

<para>

344

TLS secret key file name. The default name is

345

<quote><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

346

></quote>.

347

</para>

348

</listitem>

349

</varlistentry>

350

351

352

310

<term><option>--priority=<replaceable

353

311

>STRING</replaceable></option></term>

354

312

364

322

<para>

365

323

Sets the number of bits to use for the prime number in the

366

324

TLS Diffie-Hellman key exchange. The default value is

367

selected automatically based on the GnuTLS security

368

profile set in its priority string. Note that if the

369

<option>--dh-params</option> option is used, the values

370

from that file will be used instead.

325

selected automatically based on the OpenPGP key. Note

326

that if the <option>--dh-params</option> option is used,

327

the values from that file will be used instead.

371

328

</para>

372

329

</listitem>

373

330

</varlistentry>

725

682

</listitem>

726

683

</varlistentry>

727

684

728

<term><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

729

></term>

730

<term><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

731

></term>

732

733

<para>

734

Public and private raw key files, in <quote>PEM</quote>

735

format. These are the default file names, they can be

736

changed with the <option>--tls-pubkey</option> and

737

<option>--tls-privkey</option> options.

738

</para>

739

</listitem>

740

</varlistentry>

741

742

685

<term><filename

743

686

class="directory">/lib/mandos/network-hooks.d</filename></term>

744

687

786

729

</informalexample>

787

730

788

731

<para>

789

Run in debug mode, and use custom keys:

732

Run in debug mode, and use a custom key:

790

733

</para>

791

734

<para>

792

735

793

736

794

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem</userinput>

737

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

795

738

796

739

</para>

797

740

</informalexample>

798

741

799

742

<para>

800

Run in debug mode, with custom keys, and do not use Zeroconf

743

Run in debug mode, with a custom key, and do not use Zeroconf

801

744

to locate a server; connect directly to the IPv6 link-local

802

745

address <quote><systemitem class="ipaddress"

803

746

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

806

749

<para>

807

750

808

751

809

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

752

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

810

753

811

754

</para>

812

755

</informalexample>

836

779

<para>

837

780

The only remaining weak point is that someone with physical

838

781

access to the client hard drive might turn off the client

839

computer, read the OpenPGP and TLS keys directly from the hard

840

drive, and communicate with the server. To safeguard against

841

this, the server is supposed to notice the client disappearing

842

and stop giving out the encrypted data. Therefore, it is

843

important to set the timeout and checker interval values tightly

844

on the server. See <citerefentry><refentrytitle

782

computer, read the OpenPGP keys directly from the hard drive,

783

and communicate with the server. To safeguard against this, the

784

server is supposed to notice the client disappearing and stop

785

giving out the encrypted data. Therefore, it is important to

786

set the timeout and checker interval values tightly on the

787

server. See <citerefentry><refentrytitle

845

788

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

846

789

</para>

847

790

<para>

907

850

<para>

908

851

GnuTLS is the library this client uses to implement TLS for

909

852

communicating securely with the server, and at the same time

910

send the public key to the server.

853

send the public OpenPGP key to the server.

911

854

</para>

912

855

</listitem>

913

856

</varlistentry>

979

922

</varlistentry>

980

923

981

924

<term>

982

RFC 7250: <citetitle>Using Raw Public Keys in Transport

983

Layer Security (TLS) and Datagram Transport Layer Security

984

(DTLS)</citetitle>

985

</term>

986

987

<para>

988

This is implemented by GnuTLS in version 3.6.6 and is, if

989

present, used by this program so that raw public keys can be

990

used.

991

</para>

992

</listitem>

993

</varlistentry>

994

995

<term>

996

925

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

997

926

Security</citetitle>

998

927

</term>

999

928

1000

929

<para>

1001

This is implemented by GnuTLS before version 3.6.0 and is,

1002

if present, used by this program so that OpenPGP keys can be

1003

used.

930

This is implemented by GnuTLS and used by this program so

931

that OpenPGP keys can be used.

1004

932

</para>

1005

933

</listitem>

1006

934

</varlistentry>

Older »