=== modified file 'README' --- README 2008-09-04 07:30:58 +0000 +++ README 2008-09-04 12:38:35 +0000 @@ -48,7 +48,7 @@ the root file, and continue booting. Now, of course the initial RAM disk image is not on the encrypted - root file system, so anyone who had physhical access could take the + root file system, so anyone who had physical access could take the server offline and read the disk with their own tools to get the authentication keys used by a client. *But*, by then the Mandos server should notice that the original server has been offline for @@ -125,7 +125,7 @@ just as well open your servers and read the file system keys right off the memory by running wires to the memory bus. - What this system is designed to protect against is *not* such - determined, focused, and competent attacks, but against the early - morning knock on your door and the sudden absence of all the servers - in your server room. Which it does nicely. + What Mandos is designed to protect against is *not* such determined, + focused, and competent attacks, but against the early morning knock + on your door and the sudden absence of all the servers in your + server room. Which it does nicely. === modified file 'initramfs-tools-hook' --- initramfs-tools-hook 2008-08-24 23:18:18 +0000 +++ initramfs-tools-hook 2008-09-04 12:38:35 +0000 @@ -74,7 +74,7 @@ for file in /etc/mandos/plugins.d/*; do base="`basename \"$file\"`" case "$base" in - *~|.*|*.dpkg-old|*.dpkg-new|*.dpkg-divert) : ;; + *~|.*|\#*\#|*.dpkg-old|*.dpkg-new|*.dpkg-divert) : ;; *) copy_exec "$file" "${PLUGINDIR}";; esac done @@ -85,20 +85,13 @@ copy_exec /usr/bin/gpg fi -# Key files +# Key files and config files for file in /etc/mandos/*; do if [ -d "$file" ]; then continue fi cp --archive --sparse=always "$file" "${DESTDIR}${CONFDIR}" done -# Create key ring files -gpg --no-random-seed-file --quiet --batch --no-tty --armor \ - --no-default-keyring --no-options --enable-dsa2 \ - --homedir "${DESTDIR}${CONFDIR}" --no-permission-warning \ - --trust-model always --import-options import-minimal \ - --import "${DESTDIR}${CONFDIR}/seckey.txt" -chown nobody "${DESTDIR}${CONFDIR}/secring.gpg" # /lib/mandos/plugin-runner will drop priviliges, but needs access to # its plugin directory and its config file. However, since almost all @@ -125,5 +118,6 @@ chmod a+rX "${DESTDIR}$dir" done for dir in /lib /usr/lib; do - chmod --recursive a+rX "${DESTDIR}$dir" + find "${DESTDIR}$dir" \! -perm /u+rw,g+r -prune -o -print0 \ + | xargs --null chmod a+rX done === modified file 'mandos-clients.conf.xml' --- mandos-clients.conf.xml 2008-09-03 19:37:07 +0000 +++ mandos-clients.conf.xml 2008-09-04 13:36:59 +0000 @@ -4,7 +4,7 @@ /etc/mandos/clients.conf"> - + ]> @@ -93,7 +93,7 @@ start time expansion, see . - Uknown options are ignored. The used options are as follows: + Unknown options are ignored. The used options are as follows: === modified file 'mandos.conf.xml' --- mandos.conf.xml 2008-08-31 15:06:39 +0000 +++ mandos.conf.xml 2008-09-04 13:36:59 +0000 @@ -4,7 +4,7 @@ /etc/mandos/mandos.conf"> - + ]> @@ -144,7 +144,7 @@ The [DEFAULT] is necessary because the Python built-in module ConfigParser - requres it. + requires it. === modified file 'mandos.xml' --- mandos.xml 2008-09-03 19:13:50 +0000 +++ mandos.xml 2008-09-04 13:36:59 +0000 @@ -3,7 +3,7 @@ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ - + ]> @@ -434,7 +434,7 @@ Debug mode is conflated with running in the foreground. - The console log messages does not show a timestamp. + The console log messages does not show a time stamp. This server does not check the expire time of clients’ OpenPGP === modified file 'plugin-runner.xml' --- plugin-runner.xml 2008-09-02 13:04:42 +0000 +++ plugin-runner.xml 2008-09-04 13:36:59 +0000 @@ -3,7 +3,7 @@ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ - + ]> @@ -45,7 +45,7 @@ &COMMANDNAME; - Run Mandos plugins. Pass data from first succesful one. + Run Mandos plugins, pass data from first to succeed. @@ -140,11 +140,11 @@ DESCRIPTION &COMMANDNAME; is a program which is meant to - be specified as keyscript in - crypttab - 5 for the root disk. The - aim of this program is therefore to output a password, which - then cryptsetup + be specified as a keyscript for the root disk in + crypttab + 5. The aim of this + program is therefore to output a password, which then + cryptsetup 8 will use to unlock the root disk. @@ -272,7 +272,7 @@ Re-enable the plugin named PLUGIN. This is only useful to undo a previous option, maybe - from the config file. + from the configuration file. @@ -428,8 +428,8 @@ The plugin must not use resources, like for instance reading - from the standard input, without knowing that no other plugins - are also using it. + from the standard input, without knowing that no other plugin + is also using it. It is useful, but not required, for the plugin to take the @@ -467,7 +467,7 @@ only passes on its environment to all the plugins. The environment passed to plugins can be modified using the and - optins. + options. @@ -562,15 +562,15 @@ - Run plugins from a different directory and add a special - option to the password-request 8mandos plugin: -&COMMANDNAME; --plugin-dir=plugins.d --options-for=password-request:--keydir=keydir +&COMMANDNAME; --plugin-dir=plugins.d --options-for=password-request:--pubkey=keydir/pubkey.txt,--seckey=keydir/seckey.txt @@ -591,9 +591,9 @@ If this program is used as a keyscript in crypttab5 - , there is a risk that if this program fails to - work, there might be no way to boot the system except for - booting from another media and editing the initial RAM disk + , there is a slight risk that if this program + fails to work, there might be no way to boot the system except + for booting from another media and editing the initial RAM disk image to not run this program. This is, however, unlikely, since the password-prompt8mandos === modified file 'plugins.d/password-prompt.xml' --- plugins.d/password-prompt.xml 2008-09-01 08:29:23 +0000 +++ plugins.d/password-prompt.xml 2008-09-04 13:36:59 +0000 @@ -3,7 +3,7 @@ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ - + ]> @@ -87,7 +87,7 @@ is not very useful on its own. This program is really meant to run as a plugin in the Mandos client-side system, where it is used as a fallback and - alternative to retriving passwords from a Mandos server. @@ -240,7 +240,7 @@ Show a prefix before the prompt; in this case, a host name. It might be useful to be reminded of which host needs a - password, in case of KVM switches, etc. + password, in case of KVM switches, etc. @@ -270,7 +270,7 @@ >plugin-runner8mandos , and will, when run standalone, outside, in a normal environment, immediately output on its standard output - any presumably secret password it just recieved. Therefore, + any presumably secret password it just received. Therefore, when running this program standalone (which should never normally be done), take care not to type in any real secret password by force of habit, since it would then immediately be === modified file 'plugins.d/password-request.xml' --- plugins.d/password-request.xml 2008-09-03 20:31:19 +0000 +++ plugins.d/password-request.xml 2008-09-04 13:36:59 +0000 @@ -3,7 +3,7 @@ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ - + ]> @@ -54,10 +54,10 @@ &COMMANDNAME; @@ -124,7 +124,7 @@ network connectivity, Zeroconf to find servers, and TLS with an OpenPGP key to ensure authenticity and confidentiality. It keeps running, trying all servers on the network, until it - receives a satisfactory reply or a TERM signal is recieved. + receives a satisfactory reply or a TERM signal is received. This program is not meant to be run directly; it is really meant @@ -314,7 +314,7 @@ at all. This is why a separate plugin ( password-prompt 8mandos) does that, which - will be run in parallell to this one by the plugin runner. + will be run in parallel to this one by the plugin runner.