=== modified file 'Makefile' --- Makefile 2008-08-15 20:47:22 +0000 +++ Makefile 2008-08-18 05:24:20 +0000 @@ -20,8 +20,16 @@ # MANDIR=/usr/local/man MANDIR=/usr/share/man +GNUTLS_CFLAGS=$(shell libgnutls-config --cflags) +GNUTLS_LIBS=$(shell libgnutls-config --libs) +AVAHI_CFLAGS=$(shell pkg-config --cflags-only-I avahi-core) +AVAHI_LIBS=$(shell pkg-config --libs avahi-core) +GPGME_CFLAGS=$(shell gpgme-config --cflags) +GPGME_LIBS=$(shell gpgme-config --libs) + # Do not change these two -CFLAGS=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) $(LANGUAGE) +CFLAGS=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \ + $(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(GPGME_CFLAGS) LDFLAGS=$(COVERAGE) DOCBOOKTOMAN=xsltproc --nonet \ @@ -29,7 +37,10 @@ --param make.year.ranges 1 \ --param make.single.year.ranges 1 \ --param man.output.quietly 1 \ - --param man.authors.section.enabled 0 + --param man.authors.section.enabled 0 \ + /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl +# DocBook-to-man post-processing to fix a \n escape bug +MANPOST=sed --in-place --expression='s,\\en,\en,g;s,\\een,\\en,g' PLUGINS=plugins.d/password-prompt plugins.d/password-request PROGS=plugin-runner $(PLUGINS) @@ -38,32 +49,26 @@ plugins.d/password-prompt.8mandos mandos.conf.5 \ mandos-clients.conf.5 -objects=$(shell for p in $(PROGS); do echo $${p}.o; done) +objects=$(addsuffix .o,$(PROGS)) all: $(PROGS) doc: $(DOCS) %.5: %.xml - cd $(dir $^); $(DOCBOOKTOMAN) $(notdir $^) + cd $(dir $^); $(DOCBOOKTOMAN) $(notdir $^) $(MANPOST) $(notdir $@) %.8: %.xml - cd $(dir $^); $(DOCBOOKTOMAN) $(notdir $^) + cd $(dir $^); $(DOCBOOKTOMAN) $(notdir $^); $(MANPOST) $(notdir $@) %.8mandos: %.xml - cd $(dir $^); $(DOCBOOKTOMAN) $(notdir $^) - -plugin-runner: plugin-runner.o - $(LINK.o) -lgnutls $(COMMON) $^ $(LOADLIBES) $(LDLIBS) -o $@ + cd $(dir $^); $(DOCBOOKTOMAN) $(notdir $^); $(MANPOST) $(notdir $@) plugins.d/password-request: plugins.d/password-request.o - $(LINK.o) -lgnutls -lavahi-core -lgpgme $(COMMON) $^ \ - $(LOADLIBES) $(LDLIBS) -o $@ - -plugins.d/password-prompt: plugins.d/password-prompt.o - $(LINK.o) $(COMMON) $^ $(LOADLIBES) $(LDLIBS) -o $@ - -.PHONY : all clean distclean run-client run-server install \ + $(LINK.o) $(GNUTLS_LIBS) $(AVAHI_LIBS) $(GPGME_LIBS) \ + $(COMMON) $^ $(LOADLIBES) $(LDLIBS) -o $@ + +.PHONY : all doc clean distclean run-client run-server install \ install-server install-client uninstall uninstall-server \ uninstall-client purge purge-server purge-client === modified file 'TODO' --- TODO 2008-08-16 20:31:21 +0000 +++ TODO 2008-08-18 05:57:11 +0000 @@ -2,130 +2,102 @@ * [#A] README file -* Plugin-runner +* plugin-runner ** [#B] Add more comments to code ** [#B] Add more if(debug) calls ** [#B] Seperate more code to function for more readability ** [#A] Man page: man8/plugin-runner.8mandos -*** DESCRIPTION - Describe the plus sign syntax for passing options from crypttab *** EXIT STATUS - Text needed *** EXAMPLES Examples of normal usage, debug usage, debugging single or all - plugins, examples of crypttab lines with plus syntax, etc. + plugins, etc. *** FILES - Text needed *** SECURITY - Text needed -*** NOTES - Text needed + Note the danger of using this program, since you might lock + yourself out of your system without any means of entering the root + file system password. This is, however, very unlikely considering + the fallback to getpass(3). *** BUGS - Text needed *** SEE ALSO - Explaining test on what you can read -** Keydir move: /etc/mandos -> /etc/keys/mandos - Must create in preinst if not pre-depending on cryptsetup + Explaining text on what you can read -* Password-request +* password-request ** [#A] Man page: man8/password-request.8mandos -** [#B] Temporarily lower kernel log level - for less printouts during sucessfull boot. +*** SYNOPSIS + Document short options *** DESCRIPTION - Move options to new OPTIONS section. State that this command is not meant to be invoked directly, but is run as a plugin from mandos-client(8) and only run in the initrd environment, not the real system. +*** PURPOSE + As in mandos.xml +*** OVERVIEW + As in mandos.xml *** EXIT STATUS - Create this section -*** EXAMPLES +*** ENVIRONMENT + Note that it does *not* currently use cryptsource or crypttarget. +*** FILES + Describe the key files and the key ring files. Also note that + they should normally have been automatically created. +*** BUGS +*** EXAMPLE Examples of normal usage, debug usage, debugging by connecting directly, etc. -*** FILES - Describe the key files and the key ring files. Also note that - they should normally have been automatically created. -*** DIAGNOSTICS - Create this section *** SECURITY - Create this section -*** NOTES - Create this section (if needed) -*** BUGS - Create this section *** SEE ALSO - Refer to mandos-client(8mandos) and password-prompt(8mandos) -*** ENVIRONMENT - Document use of "cryptsource" and "crypttarget". + Update from mandos.xml +** [#B] Temporarily lower kernel log level + for less printouts during sucessfull boot. ** IPv4 support ** use strsep instead of strtok? ** Do not depend on GnuPG key rings on disk This would mean creating new GnuPG key rings with GPGME by importing the key files from scratch on every program start. +** Keydir move: /etc/mandos -> /etc/keys/mandos + Must create in preinst if not pre-depending on cryptsetup -* Password-prompt +* password-prompt ** [#A] Man page: man8/password-prompt.8mandos +*** SYNOPSIS + Document short options *** DESCRIPTION - Move options to new OPTIONS section. + Note that this is more or less a simple getpass(3) wrapper, even + though actual use of getpass(3) is not guaranteed. *** EXIT STATUS - Create this section -*** EXAMPLES +*** ENVIRONMENT + Document use of "cryptsource" and "crypttarget". +*** FILES +*** BUGS +*** EXAMPLE Examples of normal usage, debug usage, with a prefix, etc. -*** DIAGNOSTICS - Create this section *** SECURITY - Create this section Not much to do here but it is noteworthy to state the danger of not having a fallback option. -*** NOTES - Note that this is more or less a simple getpass(3) wrapper, even - though actual use of getpass(3) is not guaranteed. -*** BUGS - Create this section *** SEE ALSO Refer to mandos-client(8mandos) and password-request(8mandos) + and also, perhaps, to cryptsetup(8)? ** Use getpass(3)? Man page says "obsolete", but [[info:libc:getpass][GNU LibC Manual: Reading Passwords]] does not. See also [[http://sources.redhat.com/ml/libc-alpha/2003-05/msg00251.html][Marcus Brinkmann: Re: getpass obsolete?]] and [[http://article.gmane.org/gmane.comp.lib.glibc.alpha/4906][Petter Reinholdtsen: Re: getpass obsolete?]], and especially also [[http://www.steve.org.uk/Reference/Unix/faq_4.html#SEC48][Unix Programming FAQ 3.1 How can I make my program not echo input?]] -* Mandos (server) -** [#A] Command man page: man8/mandos.8 -*** DESCRIPTION - Move options to new OPTIONS section -*** EXIT STATUS - Create this section -*** EXAMPLES - Create this section -*** FILES - Describe briefly that the server gets global settings from - mandos.conf and clients from clients.conf, but refer to their man - pages for more details. -*** DIAGNOSTICS - Create this section -*** SECURITY - Create this section -*** NOTES - Create this section (if needed) -*** BUGS - Create this section -*** SEE ALSO - Refer to the client man page +* mandos (server) ** [#A] Config file man page: man5/mandos.conf (mandos.conf) ** [#A] Config file man page: man5/mandos-clients.conf (clients.conf) ** [#A] /etc/init.d/mandos-server :teddy: -** Log level +** [#B] Log level :bugs: ** /etc/mandos/clients.d/*.conf Watch this directory and add/remove/update clients? ** config for TXT record -** Run-time communication with server +** [#B] Run-time communication with server :bugs: Probably using D-Bus See also [[*Mandos-tools]] -** Implement --foreground +** Implement --foreground :bugs: [[info:standards:Option%20Table][Table of Long Options]] ** Implement --socket [[info:standards:Option%20Table][Table of Long Options]] -** Date+time on console log messages +** Date+time on console log messages :bugs: Is this the default? * Mandos-tools/utilities @@ -135,26 +107,24 @@ ** Enable client * Installer -** Client -*** DONE [#A] Change initrd.img file to not be publically readable - /usr/share/initramfs-tools/conf-hooks.d/mandos - UMASK=027 +** Client-side *** Update initrd.img after installation -** Server + This seems to use some kind of "trigger" system +*** Keydir move: /etc/mandos -> /etc/keys/mandos + Must create in preinst if not pre-depending on cryptsetup +*** mandos-keygen +**** [#A] Output cut-and-paste ready snippet for clients.conf. +** Server-side *** [#A] Create mandos user and group for server *** [#A] Create /var/run/mandos directory with perm and ownership -** mandos-keygen -*** [#A] Command man page: man8/mandos-keygen.8 -*** [#A] Output cut-and-paste ready snippet for clients.conf. - * [#A] Package ** /usr/share/initramfs-tools/hooks/mandos -*** Do not install in initrd.img if configured not to +*** Do not install in initrd.img if configured not to. Use "/etc/initramfs-tools/conf.d/mandos"? Definitely a debconf question. ** /etc/bash_completion.d/mandos -*** From xml sources directly? + From XML sources directly? ** unperish ** bzr-builddeb === modified file 'mandos-keygen' --- mandos-keygen 2008-08-12 23:13:41 +0000 +++ mandos-keygen 2008-08-18 05:24:20 +0000 @@ -70,7 +70,7 @@ -n|--name) KEYNAME="$2"; shift 2;; -e|--email) KEYEMAIL="$2"; shift 2;; -c|--comment) KEYCOMMENT="$2"; shift 2;; - -x|--expire) KEYCOMMENT="$2"; shift 2;; + -x|--expire) KEYEXPIRE="$2"; shift 2;; -f|--force) FORCE=yes; shift;; -v|--version) echo "$0 $VERSION"; exit;; -h|--help) help; exit;; @@ -188,12 +188,12 @@ # Export keys from key rings to key files gpg --no-random-seed-file --quiet --batch --no-tty --armor \ - --no-default-keyring --secret-keyring "$SECRING" \ + --no-default-keyring --no-options --secret-keyring "$SECRING" \ --keyring "$PUBRING" --export-options export-minimal \ --comment "$FILECOMMENT" --output "$SECKEYFILE" \ --export-secret-keys gpg --no-random-seed-file --quiet --batch --no-tty --armor \ - --no-default-keyring --secret-keyring "$SECRING" \ + --no-default-keyring --no-options --secret-keyring "$SECRING" \ --keyring "$PUBRING" --export-options export-minimal \ --comment "$FILECOMMENT" --output "$PUBKEYFILE" \ --export === added file 'mandos-keygen.xml' --- mandos-keygen.xml 1970-01-01 00:00:00 +0000 +++ mandos-keygen.xml 2008-08-18 05:24:20 +0000 @@ -0,0 +1,398 @@ + + + + +]> + + + + &COMMANDNAME; + + &COMMANDNAME; + &VERSION; + + + Björn + Påhlsson +
+ belorn@fukt.bsnet.se +
+
+ + Teddy + Hogeborn +
+ teddy@fukt.bsnet.se +
+
+
+ + 2008 + Teddy Hogeborn & Björn Påhlsson + + + + This manual page is free software: you can redistribute it + and/or modify it under the terms of the GNU General Public + License as published by the Free Software Foundation, + either version 3 of the License, or (at your option) any + later version. + + + + This manual page is distributed in the hope that it will + be useful, but WITHOUT ANY WARRANTY; without even the + implied warranty of MERCHANTABILITY or FITNESS FOR A + PARTICULAR PURPOSE. See the GNU General Public License + for more details. + + + + You should have received a copy of the GNU General Public + License along with this program; If not, see + . + + +
+ + + &COMMANDNAME; + 8 + + + + &COMMANDNAME; + + Generate keys for password-request + 8mandos + + + + + + &COMMANDNAME; + + + directory + + + + type + + + + bits + + + + NAME + + + + EMAIL + + + + COMMENT + + + + TIME + + + + + + + &COMMANDNAME; + + + directory + + + + type + + + + bits + + + + NAME + + + + EMAIL + + + + COMMENT + + + + TIME + + + + + + + &COMMANDNAME; + + + + + + + &COMMANDNAME; + + + + + + + + + DESCRIPTION + + &COMMANDNAME; is a program to generate the + OpenPGP keys used by + password-request + 8mandos. The keys are + normally written to /etc/mandos for later installation into the + initrd image, but this, like most things, can be changed with + command line options. + + + + + PURPOSE + + + The purpose of this is to enable remote and unattended + rebooting of client host computer with an + encrypted root file system. See for details. + + + + + + OPTIONS + + + + -h, --help + + + Show a help message and exit + + + + + + -d, --dir + directory + + + Target directory for key files. + + + + + + -t, --type + type + + + Key type. Default is DSA. + + + + + + -l, --length + bits + + + Key length in bits. Default is 1024. + + + + + + -e, --email + address + + + Email address of key. Default is empty. + + + + + + -c, --comment + comment + + + Comment field for key. The default value is + "Mandos client key". + + + + + + -x, --expire + time + + + Key expire time. Default is no expiration. See + gpg + 1 for syntax. + + + + + + -f, --force + + + Force overwriting old keys. + + + + + + + + OVERVIEW + &OVERVIEW; + + This program is a small program to generate new OpenPGP keys for + new Mandos clients. + + + + + EXIT STATUS + + The exit status will be 0 if new keys were successfully created, + otherwise not. + + + + + ENVIRONMENT + + + TMPDIR + + + If set, temporary files will be created here. See + mktemp + 1. + + + + + + + + FILES + + Use the option to change where + &COMMANDNAME; will write the key files. The + default file names are shown here. + + + + /etc/mandos/seckey.txt + + + OpenPGP secret key file which will be created or + overwritten. + + + + + /etc/mandos/pubkey.txt + + + OpenPGP public key file which will be created or + overwritten. + + + + + /tmp + + + Temporary files will be written here if + TMPDIR is not set. + + + + + + + + BUGS + + None are known at this time. + + + + + EXAMPLE + + + Normal invocation needs no options: + + + mandos-keygen + + + + + Create keys in another directory and of another type. Force + overwriting old key files: + + + + +mandos-keygen --dir ~/keydir --type RSA --force + + + + + + + SECURITY + + The and + options can be used to create keys of insufficient security. If + in doubt, leave them to the default values. + + + The key expire time is not guaranteed to be honored by + mandos + 8. + + + + + SEE ALSO + + password-request + 8mandos, + mandos + 8, and + gpg + 1 + + + +
=== modified file 'mandos.xml' --- mandos.xml 2008-08-16 20:31:21 +0000 +++ mandos.xml 2008-08-18 03:50:28 +0000 @@ -1,16 +1,15 @@ - - + + ]> &COMMANDNAME; - + &COMMANDNAME; &VERSION; @@ -31,7 +30,8 @@ 2008 - Teddy Hogeborn & Björn Påhlsson + Teddy Hogeborn + Björn Påhlsson @@ -66,45 +66,76 @@ &COMMANDNAME; - Sends encrypted passwords to authenticated mandos clients + Sends encrypted passwords to authenticated Mandos clients &COMMANDNAME; - --interfaceIF - --addressADDRESS - --portPORT - --priorityPRIORITY - --servicenameNAME - --configdirDIRECTORY - --debug - - - &COMMANDNAME; - --help - - - &COMMANDNAME; - --version - - - &COMMANDNAME; - --check - + --interfaceIF + --addressADDRESS + --portPORT + --priorityPRIORITY + --servicenameNAME + --configdirDIRECTORY + --debug + + + &COMMANDNAME; + -iIF + -aADDRESS + -pPORT + --priorityPRIORITY + --servicenameNAME + --configdirDIRECTORY + --debug + + + &COMMANDNAME; + + -h + --help + + + + &COMMANDNAME; + --version + + + &COMMANDNAME; + --check + DESCRIPTION - &COMMANDNAME; is a server daemon that handels - incomming passwords request for passwords. Mandos use avahi to - announce the service, and through gnutls authenticates - clients. Any authenticated client is then given its encrypted - password. - - + &COMMANDNAME; is a server daemon which + handles incoming request for passwords for a pre-defined list of + client host computers. The Mandos server uses Zeroconf to + announce itself on the local network, and uses TLS to + communicate securely with and to authenticate the clients. The + Mandos server uses IPv6 to allow Mandos clients to use IPv6 + link-local addresses, since the clients will probably not have + any other addresses configured (see ). + Any authenticated client is then given the stored pre-encrypted + password for that specific client. + + + + + + PURPOSE + + + The purpose of this is to enable remote and unattended + rebooting of client host computer with an + encrypted root file system. See for details. + + + OPTIONS @@ -114,7 +145,7 @@ -h, --help - show a help message and exit + Show a help message and exit @@ -124,45 +155,61 @@ IF - Bind to interface IF + Only announce the server and listen to requests on network + interface IF. Default is to + use all available interfaces. Note: + a failure to bind to the specified interface is not + considered critical, and the server does not exit. - + -a, --address ADDRESS - Address to listen for requests on + If this option is used, the server will only listen to a + specific address. This must currently be an IPv6 address; + an IPv4 address can be specified using the + ::FFFF:192.0.2.3 syntax. + Also, if a link-local address is specified, an interface + should be set, since a link-local address is only valid on + a single interface. By default, the server will listen to + all available addresses. - + -p, --port PORT - Port number to receive requests on + If this option is used, the server to bind to that + port. By default, the server will listen to an arbitrary + port given by the operating system. - + --check - Run self-test on the server + Run the server’s self-tests. This includes any unit + tests, etc. - + --debug - Debug mode + If the server is run in debug mode, it will run in the + foreground and print a lot of debugging information. The + default is not to run in debug mode. @@ -172,29 +219,48 @@ PRIORITY - GnuTLS priority string. See - gnutls_priority_init - 3 + GnuTLS priority string for the TLS handshake with the + clients. The default is + SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP. + See gnutls_priority_init + 3 + for the syntax. Warning: changing + this may make the TLS handshake fail, making communication + with clients impossible. - + --servicename NAME - Zeroconf service name + Zeroconf service name. The default is + Mandos. This only needs + to be changed this if it, for some reason, is necessary to + run more than one server on the same + host, which would not normally be + useful. If there are name collisions on the same + network, the newer server will + automatically rename itself to Mandos + #2, and so on; therefore, this option is + not needed in that case. - + --configdir DIR - Directory to search for configuration files + Directory to search for configuration files. Default is + /etc/mandos. See + mandos.conf + 5 and + mandos-clients.conf + 5. @@ -203,59 +269,419 @@ --version - Prints the program version + Prints the program version and exit. - + + + OVERVIEW + &OVERVIEW; + + This program is the server part. It is a normal server program + and will run in a normal system environment, not in an initial + RAM disk environment. + + + + + NETWORK PROTOCOL + + The Mandos server announces itself as a Zeroconf service of type + _mandos._tcp. The Mandos + client connects to the announced address and port, and sends a + line of text where the first whitespace-separated field is the + protocol version, which currently is + 1. The client and server then + start a TLS protocol handshake with a slight quirk: the Mandos + server program acts as a TLS client while the + connecting Mandos client acts as a TLS server. + The Mandos client must supply an OpenPGP certificate, and the + fingerprint of this certificate is used by the Mandos server to + look up (in a list read from clients.conf + at start time) which binary blob to give the client. No other + authentication or authorization is done by the server. + + + Mandos Protocol (Version 1) + + Mandos Client + Direction + Mandos Server + + + + Connect + -> + + + 1\r\en + -> + + + TLS handshake as TLS server + + <-> + TLS handshake as TLS client + + + + OpenPGP public key (part of TLS handshake) + -> + + + + <- + Binary blob (client will assume OpenPGP data) + + + + <- + Close + +
+
+ + + CHECKING + + The server will, by default, continually check that the clients + are still up. If a client has not been confirmed as being up + for some time, the client is assumed to be compromised and is no + longer eligible to receive the encrypted password. The timeout, + checker program, and interval between checks can be configured + both globally and per client; see + mandos.conf + 5 and + mandos-clients.conf + 5. + + + + + LOGGING + + The server will send log messaged with various severity levels + to /dev/log. With the + option, it will log even more messages, + and also show them on the console. + + + EXIT STATUS + The server will exit with a non-zero exit status only when a + critical error is encountered. + + ENVIRONMENT + + + PATH + + + To start the configured checker (see ), the server uses + /bin/sh, which in turn uses + PATH to search for matching commands if + an absolute path is not given. See + sh1 + + + + + + + FILES - - - - - NOTES - - + Use the option to change where + &COMMANDNAME; looks for its configurations + files. The default file names are listed here. + + + + /etc/mandos/mandos.conf + + + Server-global settings. See + mandos.conf + 5 for details. + + + + + /etc/mandos/clients.conf + + + List of clients and client-specific settings. See + mandos-clients.conf + 5 for details. + + + + + /var/run/mandos/mandos.pid + + + The file containing the process id of + &COMMANDNAME;. + + + + + /dev/log + + + The Unix domain socket to where local syslog messages are + sent. + + + + + /bin/sh + + + This is used to start the configured checker command for + each client. See + mandos-clients.conf + 5 for details. + + + + BUGS - - - - - EXAMPLES - - + This server might, on especially fatal errors, emit a Python + backtrace. This could be considered a feature. + + + Currently, if a client is declared invalid due to + having timed out, the server does not record this fact onto + permanent storage. This has some security implications, see + . + + + There is currently no way of querying the server of the current + status of clients, other than analyzing its syslog output. + + + There is no fine-grained control over logging and debug output. + + + Debug mode is conflated with running in the foreground. + + + The console log messages does not show a timestamp. + + + + + EXAMPLE + + + Normal invocation needs no options: + + + mandos + + + + + Run the server in debug mode, read configuration files from + the ~/mandos directory, and use the + Zeroconf service name Test to not collide with + any other official Mandos server on this host: + + + + +mandos --debug --configdir ~/mandos --servicename Test + + + + + + Run the server normally, but only listen to one interface and + only on the link-local address on that interface: + + + + +mandos --interface eth7 --address fe80::aede:48ff:fe71:f6f2 + + + SECURITY - - + + SERVER + + Running this &COMMANDNAME; server program + should not in itself present any security risk to the host + computer running it. The program does not need any special + privileges to run, and is designed to run as a non-root user. + + + + CLIENTS + + The server only gives out its stored data to clients which + does have the OpenPGP key of the stored fingerprint. This is + guaranteed by the fact that the client sends its OpenPGP + public key in the TLS handshake; this ensures it to be + genuine. The server computes the fingerprint of the key + itself and looks up the fingerprint in its list of + clients. The clients.conf file (see + mandos-clients.conf + 5) + must be made non-readable by anyone + except the user running the server. + + + As detailed in , the status of all + client computers will continually be checked and be assumed + compromised if they are gone for too long. + + + If a client is compromised, its downtime should be duly noted + by the server which would therefore declare the client + invalid. But if the server was ever restarted, it would + re-read its client list from its configuration file and again + regard all clients therein as valid, and hence eligible to + receive their passwords. Therefore, be careful when + restarting servers if it is suspected that a client has, in + fact, been compromised by parties who may now be running a + fake Mandos client with the keys from the non-encrypted + initial RAM image of the client host. What should be done in + that case (if restarting the server program really is + necessary) is to stop the server program, edit the + configuration file to omit any suspect clients, and restart + the server program. + + + For more details on client-side security, see + password-request + 8mandos. + + SEE ALSO - - plugin-runner - 8mandos, - password-request - 8mandos and - password-prompt - 8mandos - + + + + + password-request + 8mandos + + + + + This is the actual program which talks to this server. + Note that it is normally not invoked directly, and is only + run in the initial RAM disk environment, and not on a + fully started system. + + + + + + Zeroconf + + + + Zeroconf is the network protocol standard used by clients + for finding this Mandos server on the local network. + + + + + + Avahi + + + + Avahi is the library this server calls to implement + Zeroconf service announcements. + + + + + + GnuTLS + + + + GnuTLS is the library this server uses to implement TLS for + communicating securely with the client, and at the same time + confidently get the client’s public OpenPGP key. + + + + + + RFC 4291: IP Version 6 Addressing + Architecture, section 2.5.6, Link-Local IPv6 + Unicast Addresses + + + + The clients use IPv6 link-local addresses, which are + immediately usable since a link-local addresses is + automatically assigned to a network interfaces when it is + brought up. + + + + + + RFC 4346: The Transport Layer Security + (TLS) Protocol Version 1.1 + + + + TLS 1.1 is the protocol implemented by GnuTLS. + + + + + + RFC 4880: OpenPGP Message + Format + + + + The data sent to clients is binary encrypted OpenPGP data. + + + + + + RFC 5081: Using OpenPGP Keys for + Transport Layer Security + + + + This is implemented by GnuTLS and used by this server so + that OpenPGP keys can be used. + + + + -
=== removed file 'network-protocol.txt' --- network-protocol.txt 2008-08-07 22:30:45 +0000 +++ network-protocol.txt 1970-01-01 00:00:00 +0000 @@ -1,19 +0,0 @@ -The Mandos server announces itself as a Zeroconf service of type -"_mandos._tcp". The Mandos client sends a line of text where the first -whitespace-separated field is the protocol version, which currently is -"1". The client and server then start a TLS protocol handshake with a -slight quirk: the Mandos server program acts as a TLS "client" while -the connecting Mandos client acts as a TLS "server". The Mandos -client must supply an OpenPGP certificate, and the fingerprint of this -certificate is used by the Mandos server to look up (in a list read -from a file at start time) which binary blob to give the client. No -other authentication or authorization is done by the server. - -| Mandos Client | | Mandos Server | -|--------------------------------------------+-----+---------------| -| Connect | | | -| "1\r\n" | -> | | -| TLS handshake | <-> | TLS handshake | -| OpenPGP public key (part of TLS handshake) | -> | | -| | <- | Binary blob | -| | | Close | === added file 'overview.xml' --- overview.xml 1970-01-01 00:00:00 +0000 +++ overview.xml 2008-08-17 22:42:28 +0000 @@ -0,0 +1,13 @@ + + + This is part of the Mandos system for allowing host computers to + have encrypted root file systems and also be capable of remote and + unattended reboots. The host computers run a small client program + in the initial RAM disk environment which will communicate with a + server over a network. The clients are identified by the server + using a OpenPGP key; each client has one unique to it. The server + sends the clients an encrypted password. The encrypted password is + decrypted by the clients using the same OpenPGP key, and the + password is then used to unlock the root file system, whereupon the + host computers can continue booting normally. + === modified file 'plugins.d/password-prompt.xml' --- plugins.d/password-prompt.xml 2008-08-16 20:31:21 +0000 +++ plugins.d/password-prompt.xml 2008-08-18 05:24:20 +0000 @@ -165,8 +165,14 @@ - - NOTES + + ENVIRONMENT + + + + + + FILES @@ -177,8 +183,8 @@ - - EXAMPLES + + EXAMPLE === modified file 'plugins.d/password-request.c' --- plugins.d/password-request.c 2008-08-14 21:03:26 +0000 +++ plugins.d/password-request.c 2008-08-17 22:42:28 +0000 @@ -302,7 +302,7 @@ } static const char * safer_gnutls_strerror (int value) { - const char *ret = gnutls_strerror (value); + const char *ret = gnutls_strerror (value); /* Spurious warning */ if (ret == NULL) ret = "(unknown)"; return ret; @@ -341,7 +341,8 @@ /* OpenPGP credentials */ gnutls_certificate_allocate_credentials(&mc->cred); if (ret != GNUTLS_E_SUCCESS){ - fprintf (stderr, "GnuTLS memory error: %s\n", + fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious + warning */ safer_gnutls_strerror(ret)); gnutls_global_deinit (); return -1; @@ -475,7 +476,7 @@ fprintf(stderr, "Binding to interface %s\n", interface); } - memset(&to, 0, sizeof(to)); /* Spurious warning */ + memset(&to, 0, sizeof(to)); to.in6.sin6_family = AF_INET6; /* It would be nice to have a way to detect if we were passed an IPv4 address here. Now we assume an IPv6 address. */ @@ -661,7 +662,7 @@ flags, void* userdata) { mandos_context *mc = userdata; - assert(r); /* Spurious warning */ + assert(r); /* Called whenever a service has been resolved successfully or timed out */ @@ -703,7 +704,7 @@ flags, void* userdata) { mandos_context *mc = userdata; - assert(b); /* Spurious warning */ + assert(b); /* Called whenever a new services becomes available on the LAN or is removed from the LAN */ @@ -897,7 +898,7 @@ exitcode = EXIT_FAILURE; goto end; } - strcpy(network.ifr_name, interface); /* Spurious warning */ + strcpy(network.ifr_name, interface); ret = ioctl(sd, SIOCGIFFLAGS, &network); if(ret == -1){ perror("ioctl SIOCGIFFLAGS"); === modified file 'plugins.d/password-request.xml' --- plugins.d/password-request.xml 2008-08-16 20:31:21 +0000 +++ plugins.d/password-request.xml 2008-08-18 05:24:20 +0000 @@ -120,7 +120,7 @@ IP - Connect directly to a sepcified mandos server + Connect directly to a specified mandos server @@ -229,17 +229,17 @@ + + ENVIRONMENT + + + + FILES - - - NOTES - - - BUGS @@ -247,8 +247,8 @@ - - EXAMPLES + + EXAMPLE @@ -261,13 +261,57 @@ SEE ALSO - - mandos - 8, - plugin-runner - 8mandos and - password-prompt - 8mandos - - + + + mandos + 8 + + + + plugin-runner + 8mandos + + + + password-prompt + 8mandos + + + + Zeroconf + + + + Avahi + + + + GnuTLS + + + + + GPGME + + + + RFC 4880: OpenPGP Message + Format + + + + RFC 5081: Using OpenPGP Keys for + Transport Layer Security + + + + RFC 4291: IP Version 6 Addressing + Architecture, section 2.5.6, Link-Local IPv6 + Unicast Addresses + + + +