[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Announcement: Mandos - do unattended reboots with encrypted root

Hash: SHA1

Dear debian-boot people; it was suggested to me that debian-boot might
be a proper forum to ask for interested sponsors for our software
package "Mandos", which we just released as version 1.0.3.

It builds these binary packages:
mandos     - a server giving encrypted passwords to Mandos clients
mandos-client - do unattended reboots with an encrypted root file system

The goal of the Mandos system is to enable server computers to have an
encrypted root file system and still be able to reboot automatically
without anyone having to be there and type in a password.

What happens is that we run a small Mandos client program at boot time
in the initial RAM disk environment (initrd), before even networking
is configured, using IPv6 link-local addresses.

The Mandos client connects to the Mandos server.  The Mandos clients
each have an OpenPGP key, which they use to handshake as TLS *servers*
to the Mandos server, which in turn handshakes as a TLS *client*.  The
Mandos server does not have a key, but computes the fingerprint of the
OpenPGP key received from the Mandos client and looks up that
fingerprint in an internal list, and, if the fingerprint is found,
sends the corresponding binary blob to the client.

The binary blob is an encrypted password, which is then decrypted by
the clients using the same OpenPGP key, and the password is then used
to unlock the root file system, whereupon the computers can continue
booting normally.

The server with the passwords continually checks that the client
computers are still up, and if the client is gone for more than a
configurable length of time, the server no longer gives out the
password for that client.

Please read the FAQ in the README file for more information on the
security model:

Oh yes, the project's home page:  http://www.fukt.bsnet.se/mandos

We use the Debian-specific features of the cryptsetup package for
installing into the initial RAM disk image.  We also replace and
supplant the functionality currently supplied by the "askpass"
program; we instead use a system of plugins started in parallel - see
the web site, README file, and the documentation for the plugin runner
program for more information:

The package appears to be lintian clean.

The upload would fix these bugs: 500727, 509398, 509653

The package can be found on mentors.debian.net:
- - URL: http://mentors.debian.net/debian/pool/main/m/mandos
- - Source repository: deb-src http://mentors.debian.net/debian unstable main contrib non-free
- - dget http://mentors.debian.net/debian/pool/main/m/mandos/mandos_1.0.3-1.dsc

I would be glad if someone uploaded this package for me.

Kind regards
 Teddy Hogeborn, Björn Påhlsson

- -- 
The Mandos Project
Version: GnuPG v1.4.6 (GNU/Linux)


Reply to: