NAME
mandos - Gives encrypted passwords to authenticated Mandos clients
SYNOPSIS
mandos [--interface NAME | -i NAME]
[--address ADDRESS | -a ADDRESS]
[--port PORT | -p PORT]
[--priority PRIORITY]
[--servicename NAME]
[--configdir DIRECTORY]
[--debug]
[--no-ipv6]
mandos {--help | -h}
mandos --version
mandos --check
DESCRIPTION
mandos is a server daemon which handles incoming request for passwords
for a pre-defined list of client host computers. The Mandos server uses
Zeroconf to announce itself on the local network, and uses TLS to
communicate securely with and to authenticate the clients. The Mandos
server uses IPv6 to allow Mandos clients to use IPv6 link-local
addresses, since the clients will probably not have any other addresses
configured (see the section called "OVERVIEW"). Any authenticated
client is then given the stored pre-encrypted password for that
specific client.
PURPOSE
The purpose of this is to enable remote and unattended rebooting of
client host computer with an encrypted root file system. See the
section called "OVERVIEW" for details.
OPTIONS
--help, -h
Show a help message and exit
--interface NAME, -i NAME
If this is specified, the server will only announce the service and
listen to requests on the specified network interface. Default is
to use all available interfaces. Note: a failure to bind to the
specified interface is not considered critical, and the server will
not exit, but instead continue normally.
--address ADDRESS, -a ADDRESS
If this option is used, the server will only listen to the
specified IPv6 address. If a link-local address is specified, an
interface should be set, since a link-local address is only valid
on a single interface. By default, the server will listen to all
available addresses. If set, this must normally be an IPv6 address;
an IPv4 address can only be specified using IPv4-mapped IPv6
address syntax: "::FFFF:192.0.2.3". (Only if IPv6 usage is disabled
(see below) must this be an IPv4 address.)
--port PORT, -p PORT
If this option is used, the server will bind to that port. By
default, the server will listen to an arbitrary port given by the
operating system.
--check
Run the server's self-tests. This includes any unit tests, etc.
--debug
If the server is run in debug mode, it will run in the foreground
and print a lot of debugging information. The default is to not run
in debug mode.
--priority PRIORITY
GnuTLS priority string for the TLS handshake. The default is
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP". See
gnutls_priority_init(3) for the syntax. Warning: changing this may
make the TLS handshake fail, making server-client communication
impossible.
--servicename NAME
Zeroconf service name. The default is "Mandos". This only needs to
be changed if for some reason is would be necessary to run more
than one server on the same host. This would not normally be
useful. If there are name collisions on the same network, the newer
server will automatically rename itself to "Mandos #2", and so on;
therefore, this option is not needed in that case.
--configdir DIRECTORY
Directory to search for configuration files. Default is
"/etc/mandos". See mandos.conf(5) and mandos-clients.conf(5).
--version
Prints the program version and exit.
--no-ipv6
This option controls whether the server will use IPv6 sockets and
addresses. The default is to use IPv6. This option should never
normally be turned off, even in IPv4-only environments. This is
because mandos-client(8mandos) will normally use IPv6 link-local
addresses, and will not be able to find or connect to the server if
this option is turned off. Only advanced users should consider
changing this option.
OVERVIEW
This is part of the Mandos system for allowing computers to have
encrypted root file systems and at the same time be capable of remote
and/or unattended reboots. The computers run a small client program in
the initial RAM disk environment which will communicate with a server
over a network. All network communication is encrypted using TLS. The
clients are identified by the server using an OpenPGP key; each client
has one unique to it. The server sends the clients an encrypted
password. The encrypted password is decrypted by the clients using the
same OpenPGP key, and the password is then used to unlock the root file
system, whereupon the computers can continue booting normally.
This program is the server part. It is a normal server program and will
run in a normal system environment, not in an initial RAM disk
environment.
NETWORK PROTOCOL
The Mandos server announces itself as a Zeroconf service of type
"_mandos._tcp". The Mandos client connects to the announced address and
port, and sends a line of text where the first whitespace-separated
field is the protocol version, which currently is "1". The client and
server then start a TLS protocol handshake with a slight quirk: the
Mandos server program acts as a TLS "client" while the connecting
Mandos client acts as a TLS "server". The Mandos client must supply an
OpenPGP certificate, and the fingerprint of this certificate is used by
the Mandos server to look up (in a list read from clients.conf at start
time) which binary blob to give the client. No other authentication or
authorization is done by the server.
Table 1. Mandos Protocol (Version 1)
+-------------------+-----------+---------------------+
|Mandos Client | Direction | Mandos Server |
+-------------------+-----------+---------------------+
|Connect | -> | |
+-------------------+-----------+---------------------+
|"1\r\n" | -> | |
+-------------------+-----------+---------------------+
|TLS handshake as | <-> | TLS handshake as |
|TLS "server" | | TLS "client" |
+-------------------+-----------+---------------------+
|OpenPGP public key | -> | |
|(part of TLS | | |
|handshake) | | |
+-------------------+-----------+---------------------+
| | <- | Binary blob (client |
| | | will assume OpenPGP |
| | | data) |
+-------------------+-----------+---------------------+
| | <- | Close |
+-------------------+-----------+---------------------+
CHECKING
The server will, by default, continually check that the clients are
still up. If a client has not been confirmed as being up for some time,
the client is assumed to be compromised and is no longer eligible to
receive the encrypted password. (Manual intervention is required to
re-enable a client.) The timeout, checker program, and interval between
checks can be configured both globally and per client; see mandos-
clients.conf(5). A client successfully receiving its password will also
be treated as a successful checker run.
LOGGING
The server will send log message with various severity levels to
/dev/log. With the --debug option, it will log even more messages, and
also show them on the console.
EXIT STATUS
The server will exit with a non-zero exit status only when a critical
error is encountered.
ENVIRONMENT
PATH
To start the configured checker (see the section called
"CHECKING"), the server uses /bin/sh, which in turn uses PATH to
search for matching commands if an absolute path is not given. See
sh(1).
FILES
Use the --configdir option to change where mandos looks for its
configurations files. The default file names are listed here.
/etc/mandos/mandos.conf
Server-global settings. See mandos.conf(5) for details.
/etc/mandos/clients.conf
List of clients and client-specific settings. See mandos-
clients.conf(5) for details.
/var/run/mandos.pid
The file containing the process id of mandos.
/dev/log
The Unix domain socket to where local syslog messages are sent.
/bin/sh
This is used to start the configured checker command for each
client. See mandos-clients.conf(5) for details.
BUGS
This server might, on especially fatal errors, emit a Python backtrace.
This could be considered a feature.
Currently, if a client is declared "invalid" due to having timed out,
the server does not record this fact onto permanent storage. This has
some security implications, see the section called "CLIENTS".
There is currently no way of querying the server of the current status
of clients, other than analyzing its syslog output.
There is no fine-grained control over logging and debug output.
Debug mode is conflated with running in the foreground.
The console log messages do not show a time stamp.
This server does not check the expire time of clients' OpenPGP keys.
EXAMPLE
Normal invocation needs no options:
mandos
Run the server in debug mode, read configuration files from the
~/mandos directory, and use the Zeroconf service name "Test" to not
collide with any other official Mandos server on this host:
mandos --debug --configdir ~/mandos --servicename Test
Run the server normally, but only listen to one interface and only on
the link-local address on that interface:
mandos --interface eth7 --address fe80::aede:48ff:fe71:f6f2
SECURITY
SERVER
Running this mandos server program should not in itself present any
security risk to the host computer running it. The program switches to
a non-root user soon after startup.
CLIENTS
The server only gives out its stored data to clients which does have
the OpenPGP key of the stored fingerprint. This is guaranteed by the
fact that the client sends its OpenPGP public key in the TLS handshake;
this ensures it to be genuine. The server computes the fingerprint of
the key itself and looks up the fingerprint in its list of clients. The
clients.conf file (see mandos-clients.conf(5)) must be made
non-readable by anyone except the user starting the server (usually
root).
As detailed in the section called "CHECKING", the status of all client
computers will continually be checked and be assumed compromised if
they are gone for too long.
If a client is compromised, its downtime should be duly noted by the
server which would therefore declare the client invalid. But if the
server was ever restarted, it would re-read its client list from its
configuration file and again regard all clients therein as valid, and
hence eligible to receive their passwords. Therefore, be careful when
restarting servers if it is suspected that a client has, in fact, been
compromised by parties who may now be running a fake Mandos client with
the keys from the non-encrypted initial RAM image of the client host.
What should be done in that case (if restarting the server program
really is necessary) is to stop the server program, edit the
configuration file to omit any suspect clients, and restart the server
program.
For more details on client-side security, see mandos-client(8mandos).
SEE ALSO
mandos-clients.conf(5), mandos.conf(5), mandos-client(8mandos), sh(1)
Zeroconf[1]
Zeroconf is the network protocol standard used by clients for
finding this Mandos server on the local network.
Avahi[2]
Avahi is the library this server calls to implement Zeroconf
service announcements.
GnuTLS[3]
GnuTLS is the library this server uses to implement TLS for
communicating securely with the client, and at the same time
confidently get the client's public OpenPGP key.
RFC 4291: IP Version 6 Addressing Architecture
Section 2.2: Text Representation of Addresses
Section 2.5.5.2: IPv4-Mapped IPv6 Address
Section 2.5.6, Link-Local IPv6 Unicast Addresses
The clients use IPv6 link-local addresses, which are
immediately usable since a link-local addresses is
automatically assigned to a network interfaces when it is
brought up.
RFC 4346: The Transport Layer Security (TLS) Protocol Version 1.1
TLS 1.1 is the protocol implemented by GnuTLS.
RFC 4880: OpenPGP Message Format
The data sent to clients is binary encrypted OpenPGP data.
RFC 5081: Using OpenPGP Keys for Transport Layer Security
This is implemented by GnuTLS and used by this server so that
OpenPGP keys can be used.
COPYRIGHT
Copyright (C) 2008-2009 Teddy Hogeborn, Bjorn Pahlsson
This manual page is free software: you can redistribute it and/or
modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This manual page is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program. If not, see http://www.gnu.org/licenses/.
NOTES
1. Zeroconf
http://www.zeroconf.org/
2. Avahi
http://www.avahi.org/
3. GnuTLS
http://www.gnu.org/software/gnutls/