<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY COMMANDNAME "mandos-client">
<!ENTITY TIMESTAMP "2012-01-01">
<!ENTITY % common SYSTEM "../common.ent">
%common;
]>
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
  <refentryinfo>
    <title>Mandos Manual</title>
    <!-- NWalsh’s docbook scripts use this to generate the footer: -->
    <productname>Mandos</productname>
    <productnumber>&version;</productnumber>
    <date>&TIMESTAMP;</date>
    <authorgroup>
      <author>
	<firstname>Björn</firstname>
	<surname>Påhlsson</surname>
	<address>
	  <email>belorn@recompile.se</email>
	</address>
      </author>
      <author>
	<firstname>Teddy</firstname>
	<surname>Hogeborn</surname>
	<address>
	  <email>teddy@recompile.se</email>
	</address>
      </author>
    </authorgroup>
    <copyright>
      <year>2008</year>
      <year>2009</year>
      <year>2012</year>
      <holder>Teddy Hogeborn</holder>
      <holder>Björn Påhlsson</holder>
    </copyright>
    <xi:include href="../legalnotice.xml"/>
  </refentryinfo>
  
  <refmeta>
    <refentrytitle>&COMMANDNAME;</refentrytitle>
    <manvolnum>8mandos</manvolnum>
  </refmeta>
  
  <refnamediv>
    <refname><command>&COMMANDNAME;</command></refname>
    <refpurpose>
      Client for <application>Mandos</application>
    </refpurpose>
  </refnamediv>
  
  <refsynopsisdiv>
    <cmdsynopsis>
      <command>&COMMANDNAME;</command>
      <group>
	<arg choice="plain"><option>--connect
	<replaceable>ADDRESS</replaceable><literal>:</literal
	><replaceable>PORT</replaceable></option></arg>
	<arg choice="plain"><option>-c
	<replaceable>ADDRESS</replaceable><literal>:</literal
	><replaceable>PORT</replaceable></option></arg>
      </group>
      <sbr/>
      <group>
	<arg choice="plain"><option>--interface
	<replaceable>NAME</replaceable></option></arg>
	<arg choice="plain"><option>-i
	<replaceable>NAME</replaceable></option></arg>
      </group>
      <sbr/>
      <group>
	<arg choice="plain"><option>--pubkey
	<replaceable>FILE</replaceable></option></arg>
	<arg choice="plain"><option>-p
	<replaceable>FILE</replaceable></option></arg>
      </group>
      <sbr/>
      <group>
	<arg choice="plain"><option>--seckey
	<replaceable>FILE</replaceable></option></arg>
	<arg choice="plain"><option>-s
	<replaceable>FILE</replaceable></option></arg>
      </group>
      <sbr/>
      <arg>
	<option>--priority <replaceable>STRING</replaceable></option>
      </arg>
      <sbr/>
      <arg>
	<option>--dh-bits <replaceable>BITS</replaceable></option>
      </arg>
      <sbr/>
      <arg>
	<option>--delay <replaceable>SECONDS</replaceable></option>
      </arg>
      <sbr/>
      <arg>
	<option>--retry <replaceable>SECONDS</replaceable></option>
      </arg>
      <sbr/>
      <arg>
	<option>--network-hook-dir
	<replaceable>DIR</replaceable></option>
      </arg>
      <sbr/>
      <arg>
	<option>--debug</option>
      </arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>&COMMANDNAME;</command>
      <group choice="req">
	<arg choice="plain"><option>--help</option></arg>
	<arg choice="plain"><option>-?</option></arg>
      </group>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>&COMMANDNAME;</command>
      <arg choice="plain"><option>--usage</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>&COMMANDNAME;</command>
      <group choice="req">
	<arg choice="plain"><option>--version</option></arg>
	<arg choice="plain"><option>-V</option></arg>
      </group>
    </cmdsynopsis>
  </refsynopsisdiv>
  
  <refsect1 id="description">
    <title>DESCRIPTION</title>
    <para>
      <command>&COMMANDNAME;</command> is a client program that
      communicates with <citerefentry><refentrytitle
      >mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>
      to get a password.  In slightly more detail, this client program
      brings up a network interface, uses the interface’s IPv6
      link-local address to get network connectivity, uses Zeroconf to
      find servers on the local network, and communicates with servers
      using TLS with an OpenPGP key to ensure authenticity and
      confidentiality.  This client program keeps running, trying all
      servers on the network, until it receives a satisfactory reply
      or a TERM signal.  After all servers have been tried, all
      servers are periodically retried.  If no servers are found it
      will wait indefinitely for new servers to appear.
    </para>
    <para>
      The network interface is selected like this: If an interface is
      specified using the <option>--interface</option> option, that
      interface is used.  Otherwise, <command>&COMMANDNAME;</command>
      will choose any interface that is up and running and is not a
      loopback interface, is not a point-to-point interface, is
      capable of broadcasting and does not have the NOARP flag (see
      <citerefentry><refentrytitle>netdevice</refentrytitle>
      <manvolnum>7</manvolnum></citerefentry>).  (If the
      <option>--connect</option> option is used, point-to-point
      interfaces and non-broadcast interfaces are accepted.)  If no
      acceptable interfaces are found, re-run the check but without
      the <quote>up and running</quote> requirement, and manually take
      the selected interface up (and later take it down on program
      exit).
    </para>
    <para>
      Before a network interface is selected, all <quote>network
      hooks</quote> are run; see <xref linkend="network-hooks"/>.
    </para>
    <para>
      This program is not meant to be run directly; it is really meant
      to run as a plugin of the <application>Mandos</application>
      <citerefentry><refentrytitle>plugin-runner</refentrytitle>
      <manvolnum>8mandos</manvolnum></citerefentry>, which runs in the
      initial <acronym>RAM</acronym> disk environment because it is
      specified as a <quote>keyscript</quote> in the <citerefentry>
      <refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>
      </citerefentry> file.
    </para>
  </refsect1>
  
  <refsect1 id="purpose">
    <title>PURPOSE</title>
    <para>
      The purpose of this is to enable <emphasis>remote and unattended
      rebooting</emphasis> of a client host computer with an
      <emphasis>encrypted root file system</emphasis>.  See <xref
      linkend="overview"/> for details.
    </para>
  </refsect1>
  
  <refsect1 id="options">
    <title>OPTIONS</title>
    <para>
      This program is commonly not invoked from the command line; it
      is normally started by the <application>Mandos</application>
      plugin runner, see <citerefentry><refentrytitle
      >plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>
      </citerefentry>.  Any command line options this program accepts
      are therefore normally provided by the plugin runner, and not
      directly.
    </para>
    
    <variablelist>
      <varlistentry>
	<term><option>--connect=<replaceable
	>ADDRESS</replaceable><literal>:</literal><replaceable
	>PORT</replaceable></option></term>
	<term><option>-c
	<replaceable>ADDRESS</replaceable><literal>:</literal
	><replaceable>PORT</replaceable></option></term>
	<listitem>
	  <para>
	    Do not use Zeroconf to locate servers.  Connect directly
	    to only one specified <application>Mandos</application>
	    server.  Note that an IPv6 address has colon characters in
	    it, so the <emphasis>last</emphasis> colon character is
	    assumed to separate the address from the port number.
	  </para>
	  <para>
	    This option is normally only useful for testing and
	    debugging.
	  </para>
	</listitem>
      </varlistentry>
      
      <varlistentry>
	<term><option>--interface=<replaceable
	>NAME</replaceable></option></term>
	<term><option>-i
	<replaceable>NAME</replaceable></option></term>
	<listitem>
	  <para>
	    Network interface that will be brought up and scanned for
	    Mandos servers to connect to.  The default is the empty
	    string, which will automatically choose an appropriate
	    interface.
	  </para>
	  <para>
	    If the <option>--connect</option> option is used, this
	    specifies the interface to use to connect to the address
	    given.
	  </para>
	  <para>
	    Note that since this program will normally run in the
	    initial RAM disk environment, the interface must be an
	    interface which exists at that stage.  Thus, the interface
	    can not be a pseudo-interface such as <quote>br0</quote>
	    or <quote>tun0</quote>; such interfaces will not exist
	    until much later in the boot process, and can not be used
	    by this program, unless created by a <quote>network
	    hook</quote> — see <xref linkend="network-hooks"/>.
	  </para>
	  <para>
	    <replaceable>NAME</replaceable> can be the string
	    <quote><literal>none</literal></quote>; this will not use
	    any specific interface, and will not bring up an interface
	    on startup.  This is not recommended, and only meant for
	    advanced users.
	  </para>
	</listitem>
      </varlistentry>
      
      <varlistentry>
	<term><option>--pubkey=<replaceable
	>FILE</replaceable></option></term>
	<term><option>-p
	<replaceable>FILE</replaceable></option></term>
	<listitem>
	  <para>
	    OpenPGP public key file name.  The default name is
	    <quote><filename>/conf/conf.d/mandos/pubkey.txt</filename
	    ></quote>.
	  </para>
	</listitem>
      </varlistentry>
      
      <varlistentry>
	<term><option>--seckey=<replaceable
	>FILE</replaceable></option></term>
	<term><option>-s
	<replaceable>FILE</replaceable></option></term>
	<listitem>
	  <para>
	    OpenPGP secret key file name.  The default name is
	    <quote><filename>/conf/conf.d/mandos/seckey.txt</filename
	    ></quote>.
	  </para>
	</listitem>
      </varlistentry>
      
      <varlistentry>
	<term><option>--priority=<replaceable
	>STRING</replaceable></option></term>
	<listitem>
	  <xi:include href="../mandos-options.xml"
		      xpointer="priority"/>
	</listitem>
      </varlistentry>
      
      <varlistentry>
	<term><option>--dh-bits=<replaceable
	>BITS</replaceable></option></term>
	<listitem>
	  <para>
	    Sets the number of bits to use for the prime number in the
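	    TLS Diffie-Hellman key exchange.  Default is 1024.  Note
	    that a 1024-bit prime is generally considered too small
	    for long-term security; a value of 2048 or more gives a
	    safer margin, at the cost of a slower key exchange.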
	  </para>
	</listitem>
      </varlistentry>
      <varlistentry>
	<term><option>--delay=<replaceable
	>SECONDS</replaceable></option></term>
	<listitem>
	  <para>
	    After bringing the network interface up, the program waits
	    for the interface to arrive in a <quote>running</quote>
	    state before proceeding.  During this time, the kernel log
	    level will be lowered to reduce clutter on the system
	    console, so as not to disturb any other plugins which might be
	    using the system console.  This option sets the upper
	    limit of seconds to wait.  The default is 2.5 seconds.
	  </para>
	</listitem>
      </varlistentry>
      <varlistentry>
	<term><option>--retry=<replaceable
	>SECONDS</replaceable></option></term>
	<listitem>
	  <para>
	    All Mandos servers are tried repeatedly until a password
	    is received.  This value specifies, in seconds, how long to wait
	    between each successive try <emphasis>for the same
	    server</emphasis>.  The default is 10 seconds.
	  </para>
	</listitem>
      </varlistentry>
      <varlistentry>
	<term><option>--network-hook-dir=<replaceable
	>DIR</replaceable></option></term>
	<listitem>
	  <para>
	    Network hook directory.  The default directory is
	    <quote><filename class="directory"
	    >/lib/mandos/network-hooks.d</filename></quote>.
	  </para>
	</listitem>
      </varlistentry>
      
      <varlistentry>
	<term><option>--debug</option></term>
	<listitem>
	  <para>
	    Enable debug mode.  This will enable a lot of output to
	    standard error about what the program is doing.  The
	    program will still perform all other functions normally.
	  </para>
	  <para>
	    It will also enable debug mode in the Avahi and GnuTLS
	    libraries, making them print large amounts of debugging
	    output.
	  </para>
	</listitem>
      </varlistentry>
      
      <varlistentry>
	<term><option>--help</option></term>
	<term><option>-?</option></term>
	<listitem>
	  <para>
	    Gives a help message about options and their meanings.
	  </para>
	</listitem>
      </varlistentry>
      
      <varlistentry>
	<term><option>--usage</option></term>
	<listitem>
	  <para>
	    Gives a short usage message.
	  </para>
	</listitem>
      </varlistentry>
      
      <varlistentry>
	<term><option>--version</option></term>
	<term><option>-V</option></term>
	<listitem>
	  <para>
	    Prints the program version.
	  </para>
	</listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  
  <refsect1 id="overview">
    <title>OVERVIEW</title>
    <xi:include href="../overview.xml"/>
    <para>
      This program is the client part.  It is a plugin started by
      <citerefentry><refentrytitle>plugin-runner</refentrytitle>
      <manvolnum>8mandos</manvolnum></citerefentry> which will run in
      an initial <acronym>RAM</acronym> disk environment.
    </para>
    <para>
      This program could, theoretically, be used as a keyscript in
      <filename>/etc/crypttab</filename>, but it would then be
      impossible to enter a password for the encrypted root disk at
      the console, since this program does not read from the console
      at all.  This is why a separate plugin runner (<citerefentry>
      <refentrytitle>plugin-runner</refentrytitle>
      <manvolnum>8mandos</manvolnum></citerefentry>) is used to run
      both this program and others in parallel,
      <emphasis>one</emphasis> of which (<citerefentry>
      <refentrytitle>password-prompt</refentrytitle>
      <manvolnum>8mandos</manvolnum></citerefentry>) will prompt for
      passwords on the system console.
    </para>
  </refsect1>
  
  <refsect1 id="exit_status">
    <title>EXIT STATUS</title>
    <para>
      This program will exit with a successful (zero) exit status if a
      server could be found and the password received from it could be
      successfully decrypted and output on standard output.  The
      program will exit with a non-zero exit status only if a critical
      error occurs.  Otherwise, it will forever connect to any
      discovered <application>Mandos</application> servers, trying to
      get a decryptable password and print it.
    </para>
  </refsect1>
  
  <refsect1 id="environment">
    <title>ENVIRONMENT</title>
    <para>
      This program does not use any environment variables, not even
      the ones provided by <citerefentry><refentrytitle
      >cryptsetup</refentrytitle><manvolnum>8</manvolnum>
    </citerefentry>.
    </para>
  </refsect1>
  
  <refsect1 id="network-hooks">
    <title>NETWORK HOOKS</title>
    <para>
      If a network interface like a bridge or tunnel is required to
      find a Mandos server, this requires the interface to be up and
      running before <command>&COMMANDNAME;</command> starts looking
      for Mandos servers.  This can be accomplished by creating a
      <quote>network hook</quote> program, and placing it in a special
      directory.
    </para>
    <para>
      Before the network is used (and again before program exit), any
      runnable programs found in the network hook directory are run
      with the argument <quote><literal>start</literal></quote> or
      <quote><literal>stop</literal></quote>.  This should bring up or
      down, respectively, any network interface which
      <command>&COMMANDNAME;</command> should use.
    </para>
    <refsect2 id="hook-requirements">
      <title>REQUIREMENTS</title>
      <para>
	A network hook must be an executable file, and its name must
	consist entirely of upper and lower case letters, digits,
	underscores, periods, and hyphens.
      </para>
      <para>
	A network hook will receive one argument, which can be one of
	the following:
      </para>
      <variablelist>
	<varlistentry>
	  <term><literal>start</literal></term>
	  <listitem>
	    <para>
	      This should make the network hook create (if necessary)
	      and bring up a network interface.
	    </para>
	  </listitem>
	</varlistentry>
	<varlistentry>
	  <term><literal>stop</literal></term>
	  <listitem>
	    <para>
	      This should make the network hook take down a network
	      interface, and delete it if it did not exist previously.
	    </para>
	  </listitem>
	</varlistentry>
	<varlistentry>
	  <term><literal>files</literal></term>
	  <listitem>
	    <para>
	      This should make the network hook print, <emphasis>one
	      file per line</emphasis>, all the files needed for it to
	      run.  (These files will be copied into the initial RAM
	      filesystem.)  Typical use is for a network hook which is
	      a shell script to print its needed binaries.
	    </para>
	    <para>
	      It is not necessary to print any non-executable files
	      already in the network hook directory; these will be
	      copied implicitly if they otherwise satisfy the name
	      requirement.
	    </para>
	  </listitem>
	</varlistentry>
	<varlistentry>
	  <term><literal>modules</literal></term>
	  <listitem>
	    <para>
	      This should make the network hook print, <emphasis>on
	      separate lines</emphasis>, all the kernel modules needed
	      for it to run.  (These modules will be copied into the
	      initial RAM filesystem.)  For instance, a tunnel
	      interface needs the
523
	      <quote><literal>tun</literal></quote> module.
524
	    </para>
525
	  </listitem>
526
	</varlistentry>
      </variablelist>
528
      <para>
529
	The network hook will be provided with a number of environment
530
	variables:
531
      </para>
532
      <variablelist>
533
	<varlistentry>
534
	  <term><envar>MANDOSNETHOOKDIR</envar></term>
535
	  <listitem>
536
	    <para>
537
	      The network hook directory, specified to
538
	      <command>&COMMANDNAME;</command> by the
539
	      <option>--network-hook-dir</option> option.  Note: this
540
	      should <emphasis>always</emphasis> be used by the
	      network hook to refer to itself or any files in the hook
542
	      directory it may require.
	    </para>
544
	  </listitem>
545
	</varlistentry>
546
	<varlistentry>
547
	  <term><envar>DEVICE</envar></term>
548
	  <listitem>
549
	    <para>
550
	      The network interface, as specified to
551
	      <command>&COMMANDNAME;</command> by the
552
	      <option>--interface</option> option.  If this is not the
553
	      interface a hook will bring up, there is no reason for a
554
	      hook to continue.
555
	    </para>
556
	  </listitem>
557
	</varlistentry>
558
	<varlistentry>
559
	  <term><envar>MODE</envar></term>
560
	  <listitem>
561
	    <para>
562
	      This will be the same as the first argument;
563
	      i.e. <quote><literal>start</literal></quote>,
	      <quote><literal>stop</literal></quote>,
565
	      <quote><literal>files</literal></quote>, or
566
	      <quote><literal>modules</literal></quote>.
	    </para>
568
	  </listitem>
569
	</varlistentry>
570
	<varlistentry>
571
	  <term><envar>VERBOSITY</envar></term>
572
	  <listitem>
573
	    <para>
574
	      This will be <quote><literal>1</literal></quote> if
	      the <option>--debug</option> option is passed to
	      <command>&COMMANDNAME;</command>, otherwise
	      <quote><literal>0</literal></quote>.
578
	    </para>
579
	  </listitem>
580
	</varlistentry>
581
	<varlistentry>
582
	  <term><envar>DELAY</envar></term>
583
	  <listitem>
584
	    <para>
585
	      This will be the same as the <option>--delay</option>
	      option passed to <command>&COMMANDNAME;</command>.  It
	      is only set if <envar>MODE</envar> is
	      <quote><literal>start</literal></quote> or
	      <quote><literal>stop</literal></quote>.
590
	    </para>
591
	  </listitem>
592
	</varlistentry>
593
	<varlistentry>
594
	  <term><envar>CONNECT</envar></term>
595
	  <listitem>
596
	    <para>
597
	      This will be the same as the <option>--connect</option>
598
	      option passed to <command>&COMMANDNAME;</command>.  It
	      is only set if <option>--connect</option> is passed and
	      <envar>MODE</envar> is
	      <quote><literal>start</literal></quote> or
	      <quote><literal>stop</literal></quote>.
	    </para>
604
	  </listitem>
605
	</varlistentry>
606
      </variablelist>
607
      <para>
608
	A hook must not read from standard input, and should be
	restrictive in printing to standard output or standard error
	unless <envar>VERBOSITY</envar> is
	<quote><literal>1</literal></quote>.
612
      </para>
613
    </refsect2>
614
  </refsect1>
615
  
  <refsect1 id="files">
    <title>FILES</title>
    <variablelist>
619
      <varlistentry>
620
	<term><filename>/conf/conf.d/mandos/pubkey.txt</filename
621
	></term>
622
	<term><filename>/conf/conf.d/mandos/seckey.txt</filename
623
	></term>
624
	<listitem>
625
	  <para>
626
	    OpenPGP public and private key files, in <quote>ASCII
	    Armor</quote> format.  These are the default file names;
	    they can be changed with the <option>--pubkey</option> and
	    <option>--seckey</option> options.
630
	  </para>
631
	</listitem>
632
      </varlistentry>
      <varlistentry>
634
	<term><filename
635
	class="directory">/lib/mandos/network-hooks.d</filename></term>
636
	<listitem>
637
	  <para>
638
	    Directory where network hooks are located.  Change this
639
	    with the <option>--network-hook-dir</option> option.  See
640
	    <xref linkend="network-hooks"/>.
641
	  </para>
642
	</listitem>
643
      </varlistentry>
    </variablelist>
  </refsect1>
  
<!--   <refsect1 id="bugs"> -->
648
<!--     <title>BUGS</title> -->
649
<!--     <para> -->
650
<!--     </para> -->
651
<!--   </refsect1> -->
  
  <refsect1 id="example">
654
    <title>EXAMPLE</title>
    <para>
      Note that normally, command line options will not be given
657
      directly, but via options for the Mandos <citerefentry
658
      ><refentrytitle>plugin-runner</refentrytitle>
659
      <manvolnum>8mandos</manvolnum></citerefentry>.
    </para>
    <informalexample>
662
      <para>
663
	Normal invocation needs no options, if the network interface
664
	is <quote>eth0</quote>:
665
      </para>
666
      <para>
667
	<userinput>&COMMANDNAME;</userinput>
668
      </para>
669
    </informalexample>
670
    <informalexample>
671
      <para>
	Search for Mandos servers (and connect to them) using another
673
	interface:
      </para>
675
      <para>
676
	<!-- do not wrap this line -->
677
	<userinput>&COMMANDNAME; --interface eth1</userinput>
678
      </para>
679
    </informalexample>
680
    <informalexample>
681
      <para>
	Run in debug mode, and use a custom key:
      </para>
684
      <para>
<!-- do not wrap this line -->
687
<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>
      </para>
690
    </informalexample>
691
    <informalexample>
692
      <para>
	Run in debug mode, with a custom key, and do not use Zeroconf
	to locate a server; connect directly to the IPv6 link-local
695
	address <quote><systemitem class="ipaddress"
696
	>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,
697
	using interface eth2:
      </para>
699
      <para>
700
701
<!-- do not wrap this line -->
<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>
      </para>
705
    </informalexample>
  </refsect1>
  
  <refsect1 id="security">
709
    <title>SECURITY</title>
710
    <para>
      This program is set-uid to root, but will switch back to the
      original (and presumably non-privileged) user and group after
713
      bringing up the network interface.
    </para>
715
    <para>
716
      To use this program for its intended purpose (see <xref
717
      linkend="purpose"/>), the password for the root file system will
718
      have to be given out to be stored in a server computer, after
719
      having been encrypted using an OpenPGP key.  This encrypted data
720
      which will be stored in a server can only be decrypted by the
721
      OpenPGP key, and the data will only be given out to those
722
      clients who can prove they actually have that key.  This key,
723
      however, is stored unencrypted on the client side in its initial
724
      <acronym>RAM</acronym> disk image file system.  The image file
      is normally readable by all, but this is normally fixed during
      installation of this program; file permissions are set so that
      no-one is able to read that file.
728
    </para>
729
    <para>
730
      The only remaining weak point is that someone with physical
731
      access to the client hard drive might turn off the client
732
      computer, read the OpenPGP keys directly from the hard drive,
      and communicate with the server.  To safeguard against this, the
734
      server is supposed to notice the client disappearing and stop
735
      giving out the encrypted data.  Therefore, it is important to
736
      set the timeout and checker interval values tightly on the
737
      server.  See <citerefentry><refentrytitle
      >mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
739
    </para>
740
    <para>
      It will also help if the checker program on the server is
742
      configured to request something from the client which can not be
743
      spoofed by someone else on the network, unlike unencrypted
744
      <acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.
745
    </para>
746
    <para>
747
      <emphasis>Note</emphasis>: Because the OpenPGP key is stored
      unencrypted in the initial <acronym>RAM</acronym> disk image, it
      is completely insecure to have
      <application>Mandos</application> clients which dual-boot to
      another operating system which is <emphasis>not</emphasis>
      trusted to keep the initial <acronym>RAM</acronym> disk image
      confidential.
    </para>
753
  </refsect1>
  
  <refsect1 id="see_also">
756
    <title>SEE ALSO</title>
    <para>
      <citerefentry><refentrytitle>intro</refentrytitle>
759
      <manvolnum>8mandos</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>cryptsetup</refentrytitle>
761
      <manvolnum>8</manvolnum></citerefentry>,
762
      <citerefentry><refentrytitle>crypttab</refentrytitle>
763
      <manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>mandos</refentrytitle>
765
      <manvolnum>8</manvolnum></citerefentry>,
766
      <citerefentry><refentrytitle>password-prompt</refentrytitle>
767
      <manvolnum>8mandos</manvolnum></citerefentry>,
768
      <citerefentry><refentrytitle>plugin-runner</refentrytitle>
769
      <manvolnum>8mandos</manvolnum></citerefentry>
770
    </para>
    <variablelist>
772
      <varlistentry>
773
	<term>
774
	  <ulink url="http://www.zeroconf.org/">Zeroconf</ulink>
775
	</term>
776
	<listitem>
777
	  <para>
778
	    Zeroconf is the network protocol standard used for finding
779
	    Mandos servers on the local network.
780
	  </para>
781
	</listitem>
782
      </varlistentry>
783
      <varlistentry>
784
	<term>
785
	  <ulink url="http://www.avahi.org/">Avahi</ulink>
786
	</term>
787
      <listitem>
788
	<para>
789
	  Avahi is the library this program calls to find Zeroconf
790
	  services.
791
	</para>
792
      </listitem>
793
      </varlistentry>
794
      <varlistentry>
795
	<term>
796
	  <ulink url="http://www.gnu.org/software/gnutls/"
797
	  >GnuTLS</ulink>
798
	</term>
799
      <listitem>
800
	<para>
801
	  GnuTLS is the library this client uses to implement TLS for
802
	  communicating securely with the server, and at the same time
803
	  send the public OpenPGP key to the server.
804
	</para>
805
      </listitem>
806
      </varlistentry>
807
      <varlistentry>
808
	<term>
809
	  <ulink url="http://www.gnupg.org/related_software/gpgme/"
810
		 >GPGME</ulink>
811
	</term>
812
	<listitem>
813
	  <para>
814
	    GPGME is the library used to decrypt the OpenPGP data sent
815
	    by the server.
816
	  </para>
817
	</listitem>
818
      </varlistentry>
819
      <varlistentry>
820
	<term>
821
	  RFC 4291: <citetitle>IP Version 6 Addressing
822
	  Architecture</citetitle>
823
	</term>
824
	<listitem>
825
	  <variablelist>
826
	    <varlistentry>
827
	      <term>Section 2.2: <citetitle>Text Representation of
828
	      Addresses</citetitle></term>
829
	      <listitem><para/></listitem>
830
	    </varlistentry>
831
	    <varlistentry>
832
	      <term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6
833
	      Address</citetitle></term>
834
	      <listitem><para/></listitem>
835
	    </varlistentry>
836
	    <varlistentry>
837
	    <term>Section 2.5.6: <citetitle>Link-Local IPv6 Unicast
	    Addresses</citetitle></term>
839
	    <listitem>
840
	      <para>
841
		This client uses IPv6 link-local addresses, which are
		immediately usable since a link-local address is
		automatically assigned to a network interface when it
		is brought up.
845
	      </para>
846
	    </listitem>
847
	    </varlistentry>
848
	  </variablelist>
849
	</listitem>
850
      </varlistentry>
851
      <varlistentry>
852
	<term>
853
	  RFC 4346: <citetitle>The Transport Layer Security (TLS)
854
	  Protocol Version 1.1</citetitle>
855
	</term>
856
      <listitem>
857
	<para>
858
	  TLS 1.1 is the protocol implemented by GnuTLS.
859
	</para>
860
      </listitem>
861
      </varlistentry>
862
      <varlistentry>
863
	<term>
864
	  RFC 4880: <citetitle>OpenPGP Message Format</citetitle>
865
	</term>
866
      <listitem>
867
	<para>
868
	  The data received from the server is binary encrypted
869
	  OpenPGP data.
870
	</para>
871
      </listitem>
872
      </varlistentry>
873
      <varlistentry>
874
	<term>
875
	  RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer
876
	  Security</citetitle>
877
	</term>
878
      <listitem>
879
	<para>
880
	  This is implemented by GnuTLS and used by this program so
881
	  that OpenPGP keys can be used.
882
	</para>
883
      </listitem>
884
      </varlistentry>
885
    </variablelist>
  </refsect1>
</refentry>
<!-- Local Variables: -->
890
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
891
<!-- time-stamp-end: "[\"']>" -->
892
<!-- time-stamp-format: "%:y-%02m-%02d" -->
893
<!-- End: -->