=== modified file 'Makefile'
--- Makefile 2008-08-15 20:47:22 +0000
+++ Makefile 2008-08-18 05:24:20 +0000
@@ -20,8 +20,16 @@
# MANDIR=/usr/local/man
MANDIR=/usr/share/man
+GNUTLS_CFLAGS=$(shell libgnutls-config --cflags)
+GNUTLS_LIBS=$(shell libgnutls-config --libs)
+AVAHI_CFLAGS=$(shell pkg-config --cflags-only-I avahi-core)
+AVAHI_LIBS=$(shell pkg-config --libs avahi-core)
+GPGME_CFLAGS=$(shell gpgme-config --cflags)
+GPGME_LIBS=$(shell gpgme-config --libs)
+
# Do not change these two
-CFLAGS=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) $(LANGUAGE)
+CFLAGS=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \
+ $(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(GPGME_CFLAGS)
LDFLAGS=$(COVERAGE)
DOCBOOKTOMAN=xsltproc --nonet \
@@ -29,7 +37,10 @@
--param make.year.ranges 1 \
--param make.single.year.ranges 1 \
--param man.output.quietly 1 \
- --param man.authors.section.enabled 0
+ --param man.authors.section.enabled 0 \
+ /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl
+# DocBook-to-man post-processing to fix a \n escape bug
+MANPOST=sed --in-place --expression='s,\\en,\en,g;s,\\een,\\en,g'
PLUGINS=plugins.d/password-prompt plugins.d/password-request
PROGS=plugin-runner $(PLUGINS)
@@ -38,32 +49,26 @@
plugins.d/password-prompt.8mandos mandos.conf.5 \
mandos-clients.conf.5
-objects=$(shell for p in $(PROGS); do echo $${p}.o; done)
+objects=$(addsuffix .o,$(PROGS))
all: $(PROGS)
doc: $(DOCS)
%.5: %.xml
- cd $(dir $^); $(DOCBOOKTOMAN) $(notdir $^)
+ cd $(dir $^); $(DOCBOOKTOMAN) $(notdir $^) $(MANPOST) $(notdir $@)
%.8: %.xml
- cd $(dir $^); $(DOCBOOKTOMAN) $(notdir $^)
+ cd $(dir $^); $(DOCBOOKTOMAN) $(notdir $^); $(MANPOST) $(notdir $@)
%.8mandos: %.xml
- cd $(dir $^); $(DOCBOOKTOMAN) $(notdir $^)
-
-plugin-runner: plugin-runner.o
- $(LINK.o) -lgnutls $(COMMON) $^ $(LOADLIBES) $(LDLIBS) -o $@
+ cd $(dir $^); $(DOCBOOKTOMAN) $(notdir $^); $(MANPOST) $(notdir $@)
plugins.d/password-request: plugins.d/password-request.o
- $(LINK.o) -lgnutls -lavahi-core -lgpgme $(COMMON) $^ \
- $(LOADLIBES) $(LDLIBS) -o $@
-
-plugins.d/password-prompt: plugins.d/password-prompt.o
- $(LINK.o) $(COMMON) $^ $(LOADLIBES) $(LDLIBS) -o $@
-
-.PHONY : all clean distclean run-client run-server install \
+ $(LINK.o) $(GNUTLS_LIBS) $(AVAHI_LIBS) $(GPGME_LIBS) \
+ $(COMMON) $^ $(LOADLIBES) $(LDLIBS) -o $@
+
+.PHONY : all doc clean distclean run-client run-server install \
install-server install-client uninstall uninstall-server \
uninstall-client purge purge-server purge-client
=== modified file 'TODO'
--- TODO 2008-08-16 20:31:21 +0000
+++ TODO 2008-08-18 05:57:11 +0000
@@ -2,130 +2,102 @@
* [#A] README file
-* Plugin-runner
+* plugin-runner
** [#B] Add more comments to code
** [#B] Add more if(debug) calls
** [#B] Seperate more code to function for more readability
** [#A] Man page: man8/plugin-runner.8mandos
-*** DESCRIPTION
- Describe the plus sign syntax for passing options from crypttab
*** EXIT STATUS
- Text needed
*** EXAMPLES
Examples of normal usage, debug usage, debugging single or all
- plugins, examples of crypttab lines with plus syntax, etc.
+ plugins, etc.
*** FILES
- Text needed
*** SECURITY
- Text needed
-*** NOTES
- Text needed
+ Note the danger of using this program, since you might lock
+ yourself out of your system without any means of entering the root
+ file system password. This is, however, very unlikely considering
+ the fallback to getpass(3).
*** BUGS
- Text needed
*** SEE ALSO
- Explaining test on what you can read
-** Keydir move: /etc/mandos -> /etc/keys/mandos
- Must create in preinst if not pre-depending on cryptsetup
+ Explaining text on what you can read
-* Password-request
+* password-request
** [#A] Man page: man8/password-request.8mandos
-** [#B] Temporarily lower kernel log level
- for less printouts during sucessfull boot.
+*** SYNOPSIS
+ Document short options
*** DESCRIPTION
- Move options to new OPTIONS section.
State that this command is not meant to be invoked directly, but
is run as a plugin from mandos-client(8) and only run in the
initrd environment, not the real system.
+*** PURPOSE
+ As in mandos.xml
+*** OVERVIEW
+ As in mandos.xml
*** EXIT STATUS
- Create this section
-*** EXAMPLES
+*** ENVIRONMENT
+ Note that it does *not* currently use cryptsource or crypttarget.
+*** FILES
+ Describe the key files and the key ring files. Also note that
+ they should normally have been automatically created.
+*** BUGS
+*** EXAMPLE
Examples of normal usage, debug usage, debugging by connecting
directly, etc.
-*** FILES
- Describe the key files and the key ring files. Also note that
- they should normally have been automatically created.
-*** DIAGNOSTICS
- Create this section
*** SECURITY
- Create this section
-*** NOTES
- Create this section (if needed)
-*** BUGS
- Create this section
*** SEE ALSO
- Refer to mandos-client(8mandos) and password-prompt(8mandos)
-*** ENVIRONMENT
- Document use of "cryptsource" and "crypttarget".
+ Update from mandos.xml
+** [#B] Temporarily lower kernel log level
+ for less printouts during sucessfull boot.
** IPv4 support
** use strsep instead of strtok?
** Do not depend on GnuPG key rings on disk
This would mean creating new GnuPG key rings with GPGME by
importing the key files from scratch on every program start.
+** Keydir move: /etc/mandos -> /etc/keys/mandos
+ Must create in preinst if not pre-depending on cryptsetup
-* Password-prompt
+* password-prompt
** [#A] Man page: man8/password-prompt.8mandos
+*** SYNOPSIS
+ Document short options
*** DESCRIPTION
- Move options to new OPTIONS section.
+ Note that this is more or less a simple getpass(3) wrapper, even
+ though actual use of getpass(3) is not guaranteed.
*** EXIT STATUS
- Create this section
-*** EXAMPLES
+*** ENVIRONMENT
+ Document use of "cryptsource" and "crypttarget".
+*** FILES
+*** BUGS
+*** EXAMPLE
Examples of normal usage, debug usage, with a prefix, etc.
-*** DIAGNOSTICS
- Create this section
*** SECURITY
- Create this section
Not much to do here but it is noteworthy to state the danger of
not having a fallback option.
-*** NOTES
- Note that this is more or less a simple getpass(3) wrapper, even
- though actual use of getpass(3) is not guaranteed.
-*** BUGS
- Create this section
*** SEE ALSO
Refer to mandos-client(8mandos) and password-request(8mandos)
+ and also, perhaps, to cryptsetup(8)?
** Use getpass(3)?
Man page says "obsolete", but [[info:libc:getpass][GNU LibC Manual: Reading Passwords]]
does not. See also [[http://sources.redhat.com/ml/libc-alpha/2003-05/msg00251.html][Marcus Brinkmann: Re: getpass obsolete?]] and
[[http://article.gmane.org/gmane.comp.lib.glibc.alpha/4906][Petter Reinholdtsen: Re: getpass obsolete?]], and especially also
[[http://www.steve.org.uk/Reference/Unix/faq_4.html#SEC48][Unix Programming FAQ 3.1 How can I make my program not echo input?]]
-* Mandos (server)
-** [#A] Command man page: man8/mandos.8
-*** DESCRIPTION
- Move options to new OPTIONS section
-*** EXIT STATUS
- Create this section
-*** EXAMPLES
- Create this section
-*** FILES
- Describe briefly that the server gets global settings from
- mandos.conf and clients from clients.conf, but refer to their man
- pages for more details.
-*** DIAGNOSTICS
- Create this section
-*** SECURITY
- Create this section
-*** NOTES
- Create this section (if needed)
-*** BUGS
- Create this section
-*** SEE ALSO
- Refer to the client man page
+* mandos (server)
** [#A] Config file man page: man5/mandos.conf (mandos.conf)
** [#A] Config file man page: man5/mandos-clients.conf (clients.conf)
** [#A] /etc/init.d/mandos-server :teddy:
-** Log level
+** [#B] Log level :bugs:
** /etc/mandos/clients.d/*.conf
Watch this directory and add/remove/update clients?
** config for TXT record
-** Run-time communication with server
+** [#B] Run-time communication with server :bugs:
Probably using D-Bus
See also [[*Mandos-tools]]
-** Implement --foreground
+** Implement --foreground :bugs:
[[info:standards:Option%20Table][Table of Long Options]]
** Implement --socket
[[info:standards:Option%20Table][Table of Long Options]]
-** Date+time on console log messages
+** Date+time on console log messages :bugs:
Is this the default?
* Mandos-tools/utilities
@@ -135,26 +107,24 @@
** Enable client
* Installer
-** Client
-*** DONE [#A] Change initrd.img file to not be publically readable
- /usr/share/initramfs-tools/conf-hooks.d/mandos
- UMASK=027
+** Client-side
*** Update initrd.img after installation
-** Server
+ This seems to use some kind of "trigger" system
+*** Keydir move: /etc/mandos -> /etc/keys/mandos
+ Must create in preinst if not pre-depending on cryptsetup
+*** mandos-keygen
+**** [#A] Output cut-and-paste ready snippet for clients.conf.
+** Server-side
*** [#A] Create mandos user and group for server
*** [#A] Create /var/run/mandos directory with perm and ownership
-** mandos-keygen
-*** [#A] Command man page: man8/mandos-keygen.8
-*** [#A] Output cut-and-paste ready snippet for clients.conf.
-
* [#A] Package
** /usr/share/initramfs-tools/hooks/mandos
-*** Do not install in initrd.img if configured not to
+*** Do not install in initrd.img if configured not to.
Use "/etc/initramfs-tools/conf.d/mandos"? Definitely a debconf
question.
** /etc/bash_completion.d/mandos
-*** From xml sources directly?
+ From XML sources directly?
** unperish
** bzr-builddeb
=== modified file 'mandos-keygen'
--- mandos-keygen 2008-08-12 23:13:41 +0000
+++ mandos-keygen 2008-08-18 05:24:20 +0000
@@ -70,7 +70,7 @@
-n|--name) KEYNAME="$2"; shift 2;;
-e|--email) KEYEMAIL="$2"; shift 2;;
-c|--comment) KEYCOMMENT="$2"; shift 2;;
- -x|--expire) KEYCOMMENT="$2"; shift 2;;
+ -x|--expire) KEYEXPIRE="$2"; shift 2;;
-f|--force) FORCE=yes; shift;;
-v|--version) echo "$0 $VERSION"; exit;;
-h|--help) help; exit;;
@@ -188,12 +188,12 @@
# Export keys from key rings to key files
gpg --no-random-seed-file --quiet --batch --no-tty --armor \
- --no-default-keyring --secret-keyring "$SECRING" \
+ --no-default-keyring --no-options --secret-keyring "$SECRING" \
--keyring "$PUBRING" --export-options export-minimal \
--comment "$FILECOMMENT" --output "$SECKEYFILE" \
--export-secret-keys
gpg --no-random-seed-file --quiet --batch --no-tty --armor \
- --no-default-keyring --secret-keyring "$SECRING" \
+ --no-default-keyring --no-options --secret-keyring "$SECRING" \
--keyring "$PUBRING" --export-options export-minimal \
--comment "$FILECOMMENT" --output "$PUBKEYFILE" \
--export
=== added file 'mandos-keygen.xml'
--- mandos-keygen.xml 1970-01-01 00:00:00 +0000
+++ mandos-keygen.xml 2008-08-18 05:24:20 +0000
@@ -0,0 +1,398 @@
+
+
+
+
+]>
+
+
+
+ &COMMANDNAME;
+
+ &COMMANDNAME;
+ &VERSION;
+
+
+ Björn
+ Påhlsson
+
+ belorn@fukt.bsnet.se
+
+
+
+ Teddy
+ Hogeborn
+
+ teddy@fukt.bsnet.se
+
+
+
+
+ 2008
+ Teddy Hogeborn & Björn Påhlsson
+
+
+
+ This manual page is free software: you can redistribute it
+ and/or modify it under the terms of the GNU General Public
+ License as published by the Free Software Foundation,
+ either version 3 of the License, or (at your option) any
+ later version.
+
+
+
+ This manual page is distributed in the hope that it will
+ be useful, but WITHOUT ANY WARRANTY; without even the
+ implied warranty of MERCHANTABILITY or FITNESS FOR A
+ PARTICULAR PURPOSE. See the GNU General Public License
+ for more details.
+
+
+
+ You should have received a copy of the GNU General Public
+ License along with this program; If not, see
+ .
+
+
+
+
+
+ &COMMANDNAME;
+ 8
+
+
+
+ &COMMANDNAME;
+
+ Generate keys for password-request
+ 8mandos
+
+
+
+
+
+ &COMMANDNAME;
+
+
+ directory
+
+
+
+ type
+
+
+
+ bits
+
+
+
+ NAME
+
+
+
+ EMAIL
+
+
+
+ COMMENT
+
+
+
+ TIME
+
+
+
+
+
+
+ &COMMANDNAME;
+
+
+ directory
+
+
+
+ type
+
+
+
+ bits
+
+
+
+ NAME
+
+
+
+ EMAIL
+
+
+
+ COMMENT
+
+
+
+ TIME
+
+
+
+
+
+
+ &COMMANDNAME;
+
+
+
+
+
+
+ &COMMANDNAME;
+
+
+
+
+
+
+
+
+ DESCRIPTION
+
+ &COMMANDNAME; is a program to generate the
+ OpenPGP keys used by
+ password-request
+ 8mandos. The keys are
+ normally written to /etc/mandos for later installation into the
+ initrd image, but this, like most things, can be changed with
+ command line options.
+
+
+
+
+ PURPOSE
+
+
+ The purpose of this is to enable remote and unattended
+ rebooting of client host computer with an
+ encrypted root file system. See for details.
+
+
+
+
+
+ OPTIONS
+
+
+
+ -h, --help
+
+
+ Show a help message and exit
+
+
+
+
+
+ -d, --dir
+ directory
+
+
+ Target directory for key files.
+
+
+
+
+
+ -t, --type
+ type
+
+
+ Key type. Default is DSA.
+
+
+
+
+
+ -l, --length
+ bits
+
+
+ Key length in bits. Default is 1024.
+
+
+
+
+
+ -e, --email
+ address
+
+
+ Email address of key. Default is empty.
+
+
+
+
+
+ -c, --comment
+ comment
+
+
+ Comment field for key. The default value is
+ "Mandos client key".
+
+
+
+
+
+ -x, --expire
+ time
+
+
+ Key expire time. Default is no expiration. See
+ gpg
+ 1 for syntax.
+
+
+
+
+
+ -f, --force
+
+
+ Force overwriting old keys.
+
+
+
+
+
+
+
+ OVERVIEW
+ &OVERVIEW;
+
+ This program is a small program to generate new OpenPGP keys for
+ new Mandos clients.
+
+
+
+
+ EXIT STATUS
+
+ The exit status will be 0 if new keys were successfully created,
+ otherwise not.
+
+
+
+
+ ENVIRONMENT
+
+
+ TMPDIR
+
+
+ If set, temporary files will be created here. See
+ mktemp
+ 1.
+
+
+
+
+
+
+
+ FILES
+
+ Use the option to change where
+ &COMMANDNAME; will write the key files. The
+ default file names are shown here.
+
+
+
+ /etc/mandos/seckey.txt
+
+
+ OpenPGP secret key file which will be created or
+ overwritten.
+
+
+
+
+ /etc/mandos/pubkey.txt
+
+
+ OpenPGP public key file which will be created or
+ overwritten.
+
+
+
+
+ /tmp
+
+
+ Temporary files will be written here if
+ TMPDIR is not set.
+
+
+
+
+
+
+
+ BUGS
+
+ None are known at this time.
+
+
+
+
+ EXAMPLE
+
+
+ Normal invocation needs no options:
+
+
+ mandos-keygen
+
+
+
+
+ Create keys in another directory and of another type. Force
+ overwriting old key files:
+
+
+
+
+mandos-keygen --dir ~/keydir --type RSA --force
+
+
+
+
+
+
+ SECURITY
+
+ The and
+ options can be used to create keys of insufficient security. If
+ in doubt, leave them to the default values.
+
+
+ The key expire time is not guaranteed to be honored by
+ mandos
+ 8.
+
+
+
+
+ SEE ALSO
+
+ password-request
+ 8mandos,
+ mandos
+ 8, and
+ gpg
+ 1
+
+
+
+
=== modified file 'mandos.xml'
--- mandos.xml 2008-08-16 20:31:21 +0000
+++ mandos.xml 2008-08-18 03:50:28 +0000
@@ -1,16 +1,15 @@
-
-
+
+
]>
&COMMANDNAME;
-
+
&COMMANDNAME;&VERSION;
@@ -31,7 +30,8 @@
2008
- Teddy Hogeborn & Björn Påhlsson
+ Teddy Hogeborn
+ Björn Påhlsson
@@ -66,45 +66,76 @@
&COMMANDNAME;
- Sends encrypted passwords to authenticated mandos clients
+ Sends encrypted passwords to authenticated Mandos clients
&COMMANDNAME;
- --interfaceIF
- --addressADDRESS
- --portPORT
- --priorityPRIORITY
- --servicenameNAME
- --configdirDIRECTORY
- --debug
-
-
- &COMMANDNAME;
- --help
-
-
- &COMMANDNAME;
- --version
-
-
- &COMMANDNAME;
- --check
-
+ --interfaceIF
+ --addressADDRESS
+ --portPORT
+ --priorityPRIORITY
+ --servicenameNAME
+ --configdirDIRECTORY
+ --debug
+
+
+ &COMMANDNAME;
+ -iIF
+ -aADDRESS
+ -pPORT
+ --priorityPRIORITY
+ --servicenameNAME
+ --configdirDIRECTORY
+ --debug
+
+
+ &COMMANDNAME;
+
+ -h
+ --help
+
+
+
+ &COMMANDNAME;
+ --version
+
+
+ &COMMANDNAME;
+ --check
+ DESCRIPTION
- &COMMANDNAME; is a server daemon that handels
- incomming passwords request for passwords. Mandos use avahi to
- announce the service, and through gnutls authenticates
- clients. Any authenticated client is then given its encrypted
- password.
-
-
+ &COMMANDNAME; is a server daemon which
+ handles incoming request for passwords for a pre-defined list of
+ client host computers. The Mandos server uses Zeroconf to
+ announce itself on the local network, and uses TLS to
+ communicate securely with and to authenticate the clients. The
+ Mandos server uses IPv6 to allow Mandos clients to use IPv6
+ link-local addresses, since the clients will probably not have
+ any other addresses configured (see ).
+ Any authenticated client is then given the stored pre-encrypted
+ password for that specific client.
+
+
+
+
+
+ PURPOSE
+
+
+ The purpose of this is to enable remote and unattended
+ rebooting of client host computer with an
+ encrypted root file system. See for details.
+
+
+ OPTIONS
@@ -114,7 +145,7 @@
-h, --help
- show a help message and exit
+ Show a help message and exit
@@ -124,45 +155,61 @@
IF
- Bind to interface IF
+ Only announce the server and listen to requests on network
+ interface IF. Default is to
+ use all available interfaces. Note:
+ a failure to bind to the specified interface is not
+ considered critical, and the server does not exit.
-
+
-a, --address
ADDRESS
- Address to listen for requests on
+ If this option is used, the server will only listen to a
+ specific address. This must currently be an IPv6 address;
+ an IPv4 address can be specified using the
+ ::FFFF:192.0.2.3 syntax.
+ Also, if a link-local address is specified, an interface
+ should be set, since a link-local address is only valid on
+ a single interface. By default, the server will listen to
+ all available addresses.
-
+
-p, --port
PORT
- Port number to receive requests on
+ If this option is used, the server to bind to that
+ port. By default, the server will listen to an arbitrary
+ port given by the operating system.
-
+
--check
- Run self-test on the server
+ Run the server’s self-tests. This includes any unit
+ tests, etc.
-
+
--debug
- Debug mode
+ If the server is run in debug mode, it will run in the
+ foreground and print a lot of debugging information. The
+ default is not to run in debug mode.
@@ -172,29 +219,48 @@
PRIORITY
- GnuTLS priority string. See
- gnutls_priority_init
- 3
+ GnuTLS priority string for the TLS handshake with the
+ clients. The default is
+ SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP.
+ See gnutls_priority_init
+ 3
+ for the syntax. Warning: changing
+ this may make the TLS handshake fail, making communication
+ with clients impossible.
-
+
--servicename NAME
- Zeroconf service name
+ Zeroconf service name. The default is
+ Mandos. This only needs
+ to be changed this if it, for some reason, is necessary to
+ run more than one server on the same
+ host, which would not normally be
+ useful. If there are name collisions on the same
+ network, the newer server will
+ automatically rename itself to Mandos
+ #2, and so on; therefore, this option is
+ not needed in that case.
-
+
--configdir DIR
- Directory to search for configuration files
+ Directory to search for configuration files. Default is
+ /etc/mandos. See
+ mandos.conf
+ 5 and
+ mandos-clients.conf
+ 5.
@@ -203,59 +269,419 @@
--version
- Prints the program version
+ Prints the program version and exit.
-
+
+
+ OVERVIEW
+ &OVERVIEW;
+
+ This program is the server part. It is a normal server program
+ and will run in a normal system environment, not in an initial
+ RAM disk environment.
+
+
+
+
+ NETWORK PROTOCOL
+
+ The Mandos server announces itself as a Zeroconf service of type
+ _mandos._tcp. The Mandos
+ client connects to the announced address and port, and sends a
+ line of text where the first whitespace-separated field is the
+ protocol version, which currently is
+ 1. The client and server then
+ start a TLS protocol handshake with a slight quirk: the Mandos
+ server program acts as a TLS client while the
+ connecting Mandos client acts as a TLS server.
+ The Mandos client must supply an OpenPGP certificate, and the
+ fingerprint of this certificate is used by the Mandos server to
+ look up (in a list read from clients.conf
+ at start time) which binary blob to give the client. No other
+ authentication or authorization is done by the server.
+
+
+ Mandos Protocol (Version 1)
+
+ Mandos Client
+ Direction
+ Mandos Server
+
+
+
+ Connect
+ ->
+
+
+ 1\r\en
+ ->
+
+
+ TLS handshake as TLS server
+
+ <->
+ TLS handshake as TLS client
+
+
+
+ OpenPGP public key (part of TLS handshake)
+ ->
+
+
+
+ <-
+ Binary blob (client will assume OpenPGP data)
+
+
+
+ <-
+ Close
+
+
+
+
+
+ CHECKING
+
+ The server will, by default, continually check that the clients
+ are still up. If a client has not been confirmed as being up
+ for some time, the client is assumed to be compromised and is no
+ longer eligible to receive the encrypted password. The timeout,
+ checker program, and interval between checks can be configured
+ both globally and per client; see
+ mandos.conf
+ 5 and
+ mandos-clients.conf
+ 5.
+
+
+
+
+ LOGGING
+
+ The server will send log messaged with various severity levels
+ to /dev/log. With the
+ option, it will log even more messages,
+ and also show them on the console.
+
+
+
EXIT STATUS
+ The server will exit with a non-zero exit status only when a
+ critical error is encountered.
+
+ ENVIRONMENT
+
+
+ PATH
+
+
+ To start the configured checker (see ), the server uses
+ /bin/sh, which in turn uses
+ PATH to search for matching commands if
+ an absolute path is not given. See
+ sh1
+
+
+
+
+
+
+
FILES
-
-
-
-
- NOTES
-
-
+ Use the option to change where
+ &COMMANDNAME; looks for its configurations
+ files. The default file names are listed here.
+
+
+
+ /etc/mandos/mandos.conf
+
+
+ Server-global settings. See
+ mandos.conf
+ 5 for details.
+
+
+
+
+ /etc/mandos/clients.conf
+
+
+ List of clients and client-specific settings. See
+ mandos-clients.conf
+ 5 for details.
+
+
+
+
+ /var/run/mandos/mandos.pid
+
+
+ The file containing the process id of
+ &COMMANDNAME;.
+
+
+
+
+ /dev/log
+
+
+ The Unix domain socket to where local syslog messages are
+ sent.
+
+
+
+
+ /bin/sh
+
+
+ This is used to start the configured checker command for
+ each client. See
+ mandos-clients.conf
+ 5 for details.
+
+
+
+ BUGS
-
-
-
-
- EXAMPLES
-
-
+ This server might, on especially fatal errors, emit a Python
+ backtrace. This could be considered a feature.
+
+
+ Currently, if a client is declared invalid due to
+ having timed out, the server does not record this fact onto
+ permanent storage. This has some security implications, see
+ .
+
+
+ There is currently no way of querying the server of the current
+ status of clients, other than analyzing its syslog output.
+
+
+ There is no fine-grained control over logging and debug output.
+
+
+ Debug mode is conflated with running in the foreground.
+
+
+ The console log messages does not show a timestamp.
+
+
+
+
+ EXAMPLE
+
+
+ Normal invocation needs no options:
+
+
+ mandos
+
+
+
+
+ Run the server in debug mode, read configuration files from
+ the ~/mandos directory, and use the
+ Zeroconf service name Test to not collide with
+ any other official Mandos server on this host:
+
+
+
+
+mandos --debug --configdir ~/mandos --servicename Test
+
+
+
+
+
+ Run the server normally, but only listen to one interface and
+ only on the link-local address on that interface:
+
+
+
+
+mandos --interface eth7 --address fe80::aede:48ff:fe71:f6f2
+
+
+ SECURITY
-
-
+
+ SERVER
+
+ Running this &COMMANDNAME; server program
+ should not in itself present any security risk to the host
+ computer running it. The program does not need any special
+ privileges to run, and is designed to run as a non-root user.
+
+
+
+ CLIENTS
+
+ The server only gives out its stored data to clients which
+ does have the OpenPGP key of the stored fingerprint. This is
+ guaranteed by the fact that the client sends its OpenPGP
+ public key in the TLS handshake; this ensures it to be
+ genuine. The server computes the fingerprint of the key
+ itself and looks up the fingerprint in its list of
+ clients. The clients.conf file (see
+ mandos-clients.conf
+ 5)
+ must be made non-readable by anyone
+ except the user running the server.
+
+
+ As detailed in , the status of all
+ client computers will continually be checked and be assumed
+ compromised if they are gone for too long.
+
+
+ If a client is compromised, its downtime should be duly noted
+ by the server which would therefore declare the client
+ invalid. But if the server was ever restarted, it would
+ re-read its client list from its configuration file and again
+ regard all clients therein as valid, and hence eligible to
+ receive their passwords. Therefore, be careful when
+ restarting servers if it is suspected that a client has, in
+ fact, been compromised by parties who may now be running a
+ fake Mandos client with the keys from the non-encrypted
+ initial RAM image of the client host. What should be done in
+ that case (if restarting the server program really is
+ necessary) is to stop the server program, edit the
+ configuration file to omit any suspect clients, and restart
+ the server program.
+
+
+ For more details on client-side security, see
+ password-request
+ 8mandos.
+
+ SEE ALSO
-
- plugin-runner
- 8mandos,
- password-request
- 8mandos and
- password-prompt
- 8mandos
-
+
+
+
+
+ password-request
+ 8mandos
+
+
+
+
+ This is the actual program which talks to this server.
+ Note that it is normally not invoked directly, and is only
+ run in the initial RAM disk environment, and not on a
+ fully started system.
+
+
+
+
+
+ Zeroconf
+
+
+
+ Zeroconf is the network protocol standard used by clients
+ for finding this Mandos server on the local network.
+
+
+
+
+
+ Avahi
+
+
+
+ Avahi is the library this server calls to implement
+ Zeroconf service announcements.
+
+
+
+
+
+ GnuTLS
+
+
+
+ GnuTLS is the library this server uses to implement TLS for
+ communicating securely with the client, and at the same time
+ confidently get the client’s public OpenPGP key.
+
+
+
+
+
+ RFC 4291: IP Version 6 Addressing
+ Architecture, section 2.5.6, Link-Local IPv6
+ Unicast Addresses
+
+
+
+ The clients use IPv6 link-local addresses, which are
+ immediately usable since a link-local addresses is
+ automatically assigned to a network interfaces when it is
+ brought up.
+
+
+
+
+
+ RFC 4346: The Transport Layer Security
+ (TLS) Protocol Version 1.1
+
+
+
+ TLS 1.1 is the protocol implemented by GnuTLS.
+
+
+
+
+
+ RFC 4880: OpenPGP Message
+ Format
+
+
+
+ The data sent to clients is binary encrypted OpenPGP data.
+
+
+
+
+
+ RFC 5081: Using OpenPGP Keys for
+ Transport Layer Security
+
+
+
+ This is implemented by GnuTLS and used by this server so
+ that OpenPGP keys can be used.
+
+
+
+
-
=== removed file 'network-protocol.txt'
--- network-protocol.txt 2008-08-07 22:30:45 +0000
+++ network-protocol.txt 1970-01-01 00:00:00 +0000
@@ -1,19 +0,0 @@
-The Mandos server announces itself as a Zeroconf service of type
-"_mandos._tcp". The Mandos client sends a line of text where the first
-whitespace-separated field is the protocol version, which currently is
-"1". The client and server then start a TLS protocol handshake with a
-slight quirk: the Mandos server program acts as a TLS "client" while
-the connecting Mandos client acts as a TLS "server". The Mandos
-client must supply an OpenPGP certificate, and the fingerprint of this
-certificate is used by the Mandos server to look up (in a list read
-from a file at start time) which binary blob to give the client. No
-other authentication or authorization is done by the server.
-
-| Mandos Client | | Mandos Server |
-|--------------------------------------------+-----+---------------|
-| Connect | | |
-| "1\r\n" | -> | |
-| TLS handshake | <-> | TLS handshake |
-| OpenPGP public key (part of TLS handshake) | -> | |
-| | <- | Binary blob |
-| | | Close |
=== added file 'overview.xml'
--- overview.xml 1970-01-01 00:00:00 +0000
+++ overview.xml 2008-08-17 22:42:28 +0000
@@ -0,0 +1,13 @@
+
+
+ This is part of the Mandos system for allowing host computers to
+ have encrypted root file systems and also be capable of remote and
+ unattended reboots. The host computers run a small client program
+ in the initial RAM disk environment which will communicate with a
+ server over a network. The clients are identified by the server
+ using a OpenPGP key; each client has one unique to it. The server
+ sends the clients an encrypted password. The encrypted password is
+ decrypted by the clients using the same OpenPGP key, and the
+ password is then used to unlock the root file system, whereupon the
+ host computers can continue booting normally.
+
=== modified file 'plugins.d/password-prompt.xml'
--- plugins.d/password-prompt.xml 2008-08-16 20:31:21 +0000
+++ plugins.d/password-prompt.xml 2008-08-18 05:24:20 +0000
@@ -165,8 +165,14 @@
-
- NOTES
+
+ ENVIRONMENT
+
+
+
+
+
+ FILES
@@ -177,8 +183,8 @@
-
- EXAMPLES
+
+ EXAMPLE
=== modified file 'plugins.d/password-request.c'
--- plugins.d/password-request.c 2008-08-14 21:03:26 +0000
+++ plugins.d/password-request.c 2008-08-17 22:42:28 +0000
@@ -302,7 +302,7 @@
}
static const char * safer_gnutls_strerror (int value) {
- const char *ret = gnutls_strerror (value);
+ const char *ret = gnutls_strerror (value); /* Spurious warning */
if (ret == NULL)
ret = "(unknown)";
return ret;
@@ -341,7 +341,8 @@
/* OpenPGP credentials */
gnutls_certificate_allocate_credentials(&mc->cred);
if (ret != GNUTLS_E_SUCCESS){
- fprintf (stderr, "GnuTLS memory error: %s\n",
+ fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious
+ warning */
safer_gnutls_strerror(ret));
gnutls_global_deinit ();
return -1;
@@ -475,7 +476,7 @@
fprintf(stderr, "Binding to interface %s\n", interface);
}
- memset(&to, 0, sizeof(to)); /* Spurious warning */
+ memset(&to, 0, sizeof(to));
to.in6.sin6_family = AF_INET6;
/* It would be nice to have a way to detect if we were passed an
IPv4 address here. Now we assume an IPv6 address. */
@@ -661,7 +662,7 @@
flags,
void* userdata) {
mandos_context *mc = userdata;
- assert(r); /* Spurious warning */
+ assert(r);
/* Called whenever a service has been resolved successfully or
timed out */
@@ -703,7 +704,7 @@
flags,
void* userdata) {
mandos_context *mc = userdata;
- assert(b); /* Spurious warning */
+ assert(b);
/* Called whenever a new services becomes available on the LAN or
is removed from the LAN */
@@ -897,7 +898,7 @@
exitcode = EXIT_FAILURE;
goto end;
}
- strcpy(network.ifr_name, interface); /* Spurious warning */
+ strcpy(network.ifr_name, interface);
ret = ioctl(sd, SIOCGIFFLAGS, &network);
if(ret == -1){
perror("ioctl SIOCGIFFLAGS");
=== modified file 'plugins.d/password-request.xml'
--- plugins.d/password-request.xml 2008-08-16 20:31:21 +0000
+++ plugins.d/password-request.xml 2008-08-18 05:24:20 +0000
@@ -120,7 +120,7 @@
IP
- Connect directly to a sepcified mandos server
+ Connect directly to a specified mandos server
@@ -229,17 +229,17 @@
+
+ ENVIRONMENT
+
+
+
+
FILES
-
-
- NOTES
-
-
- BUGS
@@ -247,8 +247,8 @@
-
- EXAMPLES
+
+ EXAMPLE
@@ -261,13 +261,57 @@
SEE ALSO
-
- mandos
- 8,
- plugin-runner
- 8mandos and
- password-prompt
- 8mandos
-
-
+
+
+ mandos
+ 8
+
+
+
+ plugin-runner
+ 8mandos
+
+
+
+ password-prompt
+ 8mandos
+
+
+
+ Zeroconf
+
+
+
+ Avahi
+
+
+
+ GnuTLS
+
+
+
+
+ GPGME
+
+
+
+ RFC 4880: OpenPGP Message
+ Format
+
+
+
+ RFC 5081: Using OpenPGP Keys for
+ Transport Layer Security
+
+
+
+ RFC 4291: IP Version 6 Addressing
+ Architecture, section 2.5.6, Link-Local IPv6
+ Unicast Addresses
+
+
+
+