NAME¶
pt-tls-client - Simple client using PT-TLS to collect integrity information
SYNOPSIS¶
pt-tls-client |
--connect hostname|address
[--port port] [--certid
hex|--cert file]+ [--keyid
hex|--key file] [--key-type
rsa|ecdsa] [--client
client-id] [--secret
password] [--mutual]
[--options filename]
[--quiet] [--debug
level] |
pt-tls-client |
-h | --help |
DESCRIPTION¶
pt-tls-client is a simple client using the PT-TLS (RFC 6876) transport
protocol to collect integrity measurements on the client platform. PT-TLS does
an initial TLS handshake with certificate-based server authentication and
optional certificate-based client authentication. Alternatively simple
password-based SASL client authentication protected by TLS can be used.
Attribute requests and integrity measurements are exchanged via
the PA-TNC (RFC 5792) message protocol between any number of Integrity
Measurement Verifiers (IMVs) residing on the remote PT-TLS server and
multiple Integrity Measurement Collectors (IMCs) loaded dynamically by the
PT-TLS client according to a list defined by /etc/tnc_config. PA-TNC
messages that contain one or several PA-TNC attributes are multiplexed into
PB-TNC (RFC 5793) client or server data batches which in turn are
transported via PT-TLS.
OPTIONS¶
- -h, --help
- Prints usage information and a short summary of the available
commands.
- -c, --connect hostname|address
- Set the hostname or IP address of the PT-TLS server.
- -p, --port port
- Set the port of the PT-TLS server, default: 271.
- -x, --cert file
- Set the path to an X.509 certificate file. This option can be repeated to
load multiple client and CA certificates.
- -X, --certid hex
- Set the handle of the certificate stored in a smartcard or a TPM 2.0
Trusted Platform Module.
- -k, --key file
- Set the path to the client's PKCS#1 or PKCS#8 private key file
- -t, --key-type type
- Define the type of the private key if stored in PKCS#1 format. Can be
omitted with PKCS#8 keys.
- -K, --keyid hex
- Set the keyid of the private key stored in a smartcard or a TPM 2.0
Trusted Platform Module.
- -i, --client client-id
- Set the username or client ID of the client required for password-based
SASL authentication.
- -s, --secret password
- Set the preshared secret or client password required for password-based
SASL authentication.
- -q, --mutual
- Enable mutual attestation between PT-TLS client and PT-TLS server.
- -v, --debug level
- Set debug level, default: 1.
- -q, --quiet
- Disable debug output to stderr.
- -+, --options file
- Read command line options from file.
EXAMPLES¶
Connect to a PT-TLS server using certificate-based authentication, storing the
private ECDSA key in a file:
pt-tls-client --connect pdp.example.com --cert ca.crt \
--cert client.crt --key client.key --key-type ecdsa
Connect to a PT-TLS server using certificate-based authentication,
storing the private key in a smartcard or a TPM 2.0 Trusted Platform
Module:
pt-tls-client --connect pdp.example.com --cert ca.crt \
--cert client.crt --keyid 0x81010002
Connect to a PT-TLS server listening on port 443, using SASL
password-based authentication:
pt-tls-client --connect pdp.example.com --port 443 --cert ca.crt \
--client jane --password p2Nl9trKlb
