bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
|
84
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Use the local manpages/docbook.xsl file, do |
1 |
<?xml version="1.0" encoding="UTF-8"?>
|
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
2 |
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
|
84
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Use the local manpages/docbook.xsl file, do |
3 |
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
4 |
<!ENTITY COMMANDNAME "mandos">
|
|
237.7.867
by Teddy Hogeborn
Update copyright year |
5 |
<!ENTITY TIMESTAMP "2025-06-27">
|
|
217
by Teddy Hogeborn
* .bzrignore: Added "man" directory (created by "make install-html"). |
6 |
<!ENTITY % common SYSTEM "common.ent">
|
7 |
%common; |
|
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
8 |
]> |
9 |
||
|
90
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Added "--xinclude". |
10 |
<refentry xmlns:xi="http://www.w3.org/2001/XInclude"> |
|
217
by Teddy Hogeborn
* .bzrignore: Added "man" directory (created by "make install-html"). |
11 |
<refentryinfo> |
|
112
by Teddy Hogeborn
* mandos-clients.conf.xml (/refentry/refentryinfo/title): Changed to |
12 |
<title>Mandos Manual</title> |
|
84
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Use the local manpages/docbook.xsl file, do |
13 |
<!-- NWalsh’s docbook scripts use this to generate the footer: --> |
|
112
by Teddy Hogeborn
* mandos-clients.conf.xml (/refentry/refentryinfo/title): Changed to |
14 |
<productname>Mandos</productname> |
|
217
by Teddy Hogeborn
* .bzrignore: Added "man" directory (created by "make install-html"). |
15 |
<productnumber>&version;</productnumber> |
|
111
by Teddy Hogeborn
* mandos-clients.conf.xml (ENTITY TIMESTAMP): New. Automatically |
16 |
<date>&TIMESTAMP;</date> |
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
17 |
<authorgroup> |
18 |
<author> |
|
19 |
<firstname>Björn</firstname> |
|
20 |
<surname>Påhlsson</surname> |
|
21 |
<address> |
|
|
237.11.2
by Teddy Hogeborn
Change "fukt.bsnet.se" to "recompile.se" throughout. |
22 |
<email>belorn@recompile.se</email> |
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
23 |
</address> |
24 |
</author> |
|
25 |
<author> |
|
26 |
<firstname>Teddy</firstname> |
|
27 |
<surname>Hogeborn</surname> |
|
28 |
<address> |
|
|
237.11.2
by Teddy Hogeborn
Change "fukt.bsnet.se" to "recompile.se" throughout. |
29 |
<email>teddy@recompile.se</email> |
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
30 |
</address> |
31 |
</author> |
|
32 |
</authorgroup> |
|
33 |
<copyright> |
|
34 |
<year>2008</year> |
|
|
237.2.9
by Teddy Hogeborn
* README: Update copyright year; add "2009". |
35 |
<year>2009</year> |
|
237.2.207
by Teddy Hogeborn
Update copyright year to "2010" wherever appropriate. |
36 |
<year>2010</year> |
|
237.7.14
by Teddy Hogeborn
Update copyright year to "2011" wherever appropriate. |
37 |
<year>2011</year> |
|
237.7.92
by Teddy Hogeborn
Updated year in copyright notices. |
38 |
<year>2012</year> |
|
237.7.174
by Teddy Hogeborn
* Makefile (CFLAGS, LDFLAGS): Keep default flags from environment. |
39 |
<year>2013</year> |
|
237.7.326
by Teddy Hogeborn
Update copyright year. |
40 |
<year>2014</year> |
41 |
<year>2015</year> |
|
|
237.7.355
by Teddy Hogeborn
Update copyright year. |
42 |
<year>2016</year> |
|
237.7.447
by Teddy Hogeborn
Update copyright year to 2017 |
43 |
<year>2017</year> |
|
237.7.471
by Teddy Hogeborn
Update copyright year to 2018 |
44 |
<year>2018</year> |
|
237.7.517
by Teddy Hogeborn
Update copyright year to 2019 |
45 |
<year>2019</year> |
|
237.7.867
by Teddy Hogeborn
Update copyright year |
46 |
<year>2020</year> |
47 |
<year>2021</year> |
|
48 |
<year>2022</year> |
|
|
81
by Teddy Hogeborn
* Makefile (GNUTLS_CFLAGS, GNUTLS_LIBS, AVAHI_CFLAGS, AVAHI_LIBS, |
49 |
<holder>Teddy Hogeborn</holder> |
50 |
<holder>Björn Påhlsson</holder> |
|
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
51 |
</copyright> |
|
131
by Teddy Hogeborn
* Makefile: Make all DocBook rules include legalnotice.xml as a |
52 |
<xi:include href="legalnotice.xml"/> |
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
53 |
</refentryinfo> |
|
182
by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey". |
54 |
|
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
55 |
<refmeta> |
56 |
<refentrytitle>&COMMANDNAME;</refentrytitle> |
|
|
24.1.24
by Björn Påhlsson
minor edits |
57 |
<manvolnum>8</manvolnum> |
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
58 |
</refmeta> |
59 |
|
|
60 |
<refnamediv> |
|
61 |
<refname><command>&COMMANDNAME;</command></refname> |
|
62 |
<refpurpose> |
|
|
116
by Teddy Hogeborn
* mandos-options.xml (priority): Added <acronym> tags. |
63 |
Gives encrypted passwords to authenticated Mandos clients |
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
64 |
</refpurpose> |
65 |
</refnamediv> |
|
|
182
by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey". |
66 |
|
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
67 |
<refsynopsisdiv> |
68 |
<cmdsynopsis> |
|
69 |
<command>&COMMANDNAME;</command> |
|
|
120
by Teddy Hogeborn
* mandos.xml (SYNOPSIS): Use <option> and <replaceable> tags. Unify |
70 |
<group> |
71 |
<arg choice="plain"><option>--interface |
|
72 |
<replaceable>NAME</replaceable></option></arg> |
|
73 |
<arg choice="plain"><option>-i |
|
74 |
<replaceable>NAME</replaceable></option></arg> |
|
75 |
</group> |
|
76 |
<sbr/> |
|
77 |
<group> |
|
78 |
<arg choice="plain"><option>--address |
|
79 |
<replaceable>ADDRESS</replaceable></option></arg> |
|
80 |
<arg choice="plain"><option>-a |
|
81 |
<replaceable>ADDRESS</replaceable></option></arg> |
|
82 |
</group> |
|
83 |
<sbr/> |
|
84 |
<group> |
|
85 |
<arg choice="plain"><option>--port |
|
86 |
<replaceable>PORT</replaceable></option></arg> |
|
87 |
<arg choice="plain"><option>-p |
|
88 |
<replaceable>PORT</replaceable></option></arg> |
|
89 |
</group> |
|
90 |
<sbr/> |
|
91 |
<arg><option>--priority |
|
92 |
<replaceable>PRIORITY</replaceable></option></arg> |
|
93 |
<sbr/> |
|
94 |
<arg><option>--servicename |
|
95 |
<replaceable>NAME</replaceable></option></arg> |
|
96 |
<sbr/> |
|
97 |
<arg><option>--configdir |
|
98 |
<replaceable>DIRECTORY</replaceable></option></arg> |
|
99 |
<sbr/> |
|
100 |
<arg><option>--debug</option></arg> |
|
|
237.2.34
by Teddy Hogeborn
Merge from release branch. |
101 |
<sbr/> |
|
237.2.210
by teddy at bsnet
* mandos: Fixed "--help" output. |
102 |
<arg><option>--debuglevel |
103 |
<replaceable>LEVEL</replaceable></option></arg> |
|
104 |
<sbr/> |
|
|
237.2.87
by Teddy Hogeborn
Merge from release branch. |
105 |
<arg><option>--no-dbus</option></arg> |
106 |
<sbr/> |
|
|
237.2.77
by Teddy Hogeborn
Support not using IPv6 in server: |
107 |
<arg><option>--no-ipv6</option></arg> |
|
237.12.1
by Björn Påhlsson
Persistent state: New feature. Client state is now stored when mandos |
108 |
<sbr/> |
109 |
<arg><option>--no-restore</option></arg> |
|
|
237.14.2
by Teddy Hogeborn
Directory with persistent state can now be changed with the "statedir" |
110 |
<sbr/> |
111 |
<arg><option>--statedir |
|
112 |
<replaceable>DIRECTORY</replaceable></option></arg> |
|
|
237.21.1
by Teddy Hogeborn
* mandos: Implement "--socket" option. |
113 |
<sbr/> |
114 |
<arg><option>--socket |
|
115 |
<replaceable>FD</replaceable></option></arg> |
|
|
237.7.154
by Teddy Hogeborn
* mandos: New "--foreground" option. |
116 |
<sbr/> |
117 |
<arg><option>--foreground</option></arg> |
|
|
237.7.255
by Teddy Hogeborn
mandos: New "--no-zeroconf" option. Also make "--socket=0" work. |
118 |
<sbr/> |
119 |
<arg><option>--no-zeroconf</option></arg> |
|
|
85
by Teddy Hogeborn
* mandos.xml (SYNOPSIS): Removed unnecessary 'choice="opt"' from <arg> |
120 |
</cmdsynopsis> |
121 |
<cmdsynopsis> |
|
122 |
<command>&COMMANDNAME;</command> |
|
123 |
<group choice="req"> |
|
|
122
by Teddy Hogeborn
* mandos-keygen.xml (SYNOPSIS): Put long options before short. |
124 |
<arg choice="plain"><option>--help</option></arg> |
|
120
by Teddy Hogeborn
* mandos.xml (SYNOPSIS): Use <option> and <replaceable> tags. Unify |
125 |
<arg choice="plain"><option>-h</option></arg> |
|
85
by Teddy Hogeborn
* mandos.xml (SYNOPSIS): Removed unnecessary 'choice="opt"' from <arg> |
126 |
</group> |
|
84
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Use the local manpages/docbook.xsl file, do |
127 |
</cmdsynopsis> |
128 |
<cmdsynopsis> |
|
129 |
<command>&COMMANDNAME;</command> |
|
|
120
by Teddy Hogeborn
* mandos.xml (SYNOPSIS): Use <option> and <replaceable> tags. Unify |
130 |
<arg choice="plain"><option>--version</option></arg> |
|
84
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Use the local manpages/docbook.xsl file, do |
131 |
</cmdsynopsis> |
132 |
<cmdsynopsis> |
|
133 |
<command>&COMMANDNAME;</command> |
|
|
120
by Teddy Hogeborn
* mandos.xml (SYNOPSIS): Use <option> and <replaceable> tags. Unify |
134 |
<arg choice="plain"><option>--check</option></arg> |
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
135 |
</cmdsynopsis> |
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
136 |
</refsynopsisdiv> |
|
182
by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey". |
137 |
|
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
138 |
<refsect1 id="description"> |
139 |
<title>DESCRIPTION</title> |
|
140 |
<para> |
|
|
81
by Teddy Hogeborn
* Makefile (GNUTLS_CFLAGS, GNUTLS_LIBS, AVAHI_CFLAGS, AVAHI_LIBS, |
141 |
<command>&COMMANDNAME;</command> is a server daemon which |
|
237.7.797
by Teddy Hogeborn
Minor text adjustment in mandos(8) manual page |
142 |
handles incoming requests for passwords for a pre-defined list |
143 |
of client host computers. For an introduction, see |
|
|
24.1.179
by Björn Påhlsson
New feature: |
144 |
<citerefentry><refentrytitle>intro</refentrytitle> |
145 |
<manvolnum>8mandos</manvolnum></citerefentry>. The Mandos server |
|
146 |
uses Zeroconf to announce itself on the local network, and uses |
|
147 |
TLS to communicate securely with and to authenticate the |
|
148 |
clients. The Mandos server uses IPv6 to allow Mandos clients to |
|
149 |
use IPv6 link-local addresses, since the clients will probably |
|
150 |
not have any other addresses configured (see <xref |
|
151 |
linkend="overview"/>). Any authenticated client is then given |
|
152 |
the stored pre-encrypted password for that specific client. |
|
|
81
by Teddy Hogeborn
* Makefile (GNUTLS_CFLAGS, GNUTLS_LIBS, AVAHI_CFLAGS, AVAHI_LIBS, |
153 |
</para> |
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
154 |
</refsect1> |
|
81
by Teddy Hogeborn
* Makefile (GNUTLS_CFLAGS, GNUTLS_LIBS, AVAHI_CFLAGS, AVAHI_LIBS, |
155 |
|
156 |
<refsect1 id="purpose"> |
|
157 |
<title>PURPOSE</title> |
|
158 |
<para> |
|
159 |
The purpose of this is to enable <emphasis>remote and unattended |
|
|
84
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Use the local manpages/docbook.xsl file, do |
160 |
rebooting</emphasis> of client host computer with an |
161 |
<emphasis>encrypted root file system</emphasis>. See <xref |
|
162 |
linkend="overview"/> for details. |
|
|
81
by Teddy Hogeborn
* Makefile (GNUTLS_CFLAGS, GNUTLS_LIBS, AVAHI_CFLAGS, AVAHI_LIBS, |
163 |
</para> |
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
164 |
</refsect1> |
|
24.1.55
by Björn Påhlsson
updated some partial manual pages |
165 |
|
166 |
<refsect1 id="options"> |
|
167 |
<title>OPTIONS</title> |
|
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
168 |
<variablelist> |
169 |
<varlistentry> |
|
|
124
by Teddy Hogeborn
* mandos.xml (OPTIONS): Moved long options before short. Use <option> |
170 |
<term><option>--help</option></term> |
|
115
by Teddy Hogeborn
* mandos.xml (SYNOPSIS): Split <term> tags for the "--help" and |
171 |
<term><option>-h</option></term> |
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
172 |
<listitem> |
173 |
<para> |
|
|
81
by Teddy Hogeborn
* Makefile (GNUTLS_CFLAGS, GNUTLS_LIBS, AVAHI_CFLAGS, AVAHI_LIBS, |
174 |
Show a help message and exit |
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
175 |
</para> |
176 |
</listitem> |
|
177 |
</varlistentry> |
|
|
124
by Teddy Hogeborn
* mandos.xml (OPTIONS): Moved long options before short. Use <option> |
178 |
|
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
179 |
<varlistentry> |
|
124
by Teddy Hogeborn
* mandos.xml (OPTIONS): Moved long options before short. Use <option> |
180 |
<term><option>--interface</option> |
181 |
<replaceable>NAME</replaceable></term> |
|
|
115
by Teddy Hogeborn
* mandos.xml (SYNOPSIS): Split <term> tags for the "--help" and |
182 |
<term><option>-i</option> |
183 |
<replaceable>NAME</replaceable></term> |
|
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
184 |
<listitem> |
|
90
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Added "--xinclude". |
185 |
<xi:include href="mandos-options.xml" xpointer="interface"/> |
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
186 |
</listitem> |
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
187 |
</varlistentry> |
|
124
by Teddy Hogeborn
* mandos.xml (OPTIONS): Moved long options before short. Use <option> |
188 |
|
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
189 |
<varlistentry> |
|
124
by Teddy Hogeborn
* mandos.xml (OPTIONS): Moved long options before short. Use <option> |
190 |
<term><option>--address |
191 |
<replaceable>ADDRESS</replaceable></option></term> |
|
192 |
<term><option>-a |
|
193 |
<replaceable>ADDRESS</replaceable></option></term> |
|
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
194 |
<listitem> |
|
90
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Added "--xinclude". |
195 |
<xi:include href="mandos-options.xml" xpointer="address"/> |
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
196 |
</listitem> |
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
197 |
</varlistentry> |
|
124
by Teddy Hogeborn
* mandos.xml (OPTIONS): Moved long options before short. Use <option> |
198 |
|
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
199 |
<varlistentry> |
|
124
by Teddy Hogeborn
* mandos.xml (OPTIONS): Moved long options before short. Use <option> |
200 |
<term><option>--port |
201 |
<replaceable>PORT</replaceable></option></term> |
|
202 |
<term><option>-p |
|
203 |
<replaceable>PORT</replaceable></option></term> |
|
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
204 |
<listitem> |
|
90
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Added "--xinclude". |
205 |
<xi:include href="mandos-options.xml" xpointer="port"/> |
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
206 |
</listitem> |
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
207 |
</varlistentry> |
|
124
by Teddy Hogeborn
* mandos.xml (OPTIONS): Moved long options before short. Use <option> |
208 |
|
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
209 |
<varlistentry> |
|
124
by Teddy Hogeborn
* mandos.xml (OPTIONS): Moved long options before short. Use <option> |
210 |
<term><option>--check</option></term> |
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
211 |
<listitem> |
212 |
<para> |
|
|
84
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Use the local manpages/docbook.xsl file, do |
213 |
Run the server’s self-tests. This includes any unit |
|
81
by Teddy Hogeborn
* Makefile (GNUTLS_CFLAGS, GNUTLS_LIBS, AVAHI_CFLAGS, AVAHI_LIBS, |
214 |
tests, etc. |
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
215 |
</para> |
216 |
</listitem> |
|
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
217 |
</varlistentry> |
|
124
by Teddy Hogeborn
* mandos.xml (OPTIONS): Moved long options before short. Use <option> |
218 |
|
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
219 |
<varlistentry> |
|
124
by Teddy Hogeborn
* mandos.xml (OPTIONS): Moved long options before short. Use <option> |
220 |
<term><option>--debug</option></term> |
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
221 |
<listitem> |
|
90
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Added "--xinclude". |
222 |
<xi:include href="mandos-options.xml" xpointer="debug"/> |
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
223 |
</listitem> |
224 |
</varlistentry> |
|
|
182
by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey". |
225 |
|
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
226 |
<varlistentry> |
|
237.2.210
by teddy at bsnet
* mandos: Fixed "--help" output. |
227 |
<term><option>--debuglevel |
228 |
<replaceable>LEVEL</replaceable></option></term> |
|
229 |
<listitem> |
|
230 |
<para> |
|
231 |
Set the debugging log level. |
|
232 |
<replaceable>LEVEL</replaceable> is a string, one of |
|
233 |
<quote><literal>CRITICAL</literal></quote>, |
|
234 |
<quote><literal>ERROR</literal></quote>, |
|
235 |
<quote><literal>WARNING</literal></quote>, |
|
236 |
<quote><literal>INFO</literal></quote>, or |
|
237 |
<quote><literal>DEBUG</literal></quote>, in order of |
|
238 |
increasing verbosity. The default level is |
|
239 |
<quote><literal>WARNING</literal></quote>. |
|
240 |
</para> |
|
241 |
</listitem> |
|
242 |
</varlistentry> |
|
243 |
|
|
244 |
<varlistentry> |
|
|
124
by Teddy Hogeborn
* mandos.xml (OPTIONS): Moved long options before short. Use <option> |
245 |
<term><option>--priority <replaceable> |
246 |
PRIORITY</replaceable></option></term> |
|
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
247 |
<listitem> |
|
237.7.325
by Teddy Hogeborn
Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys. |
248 |
<xi:include href="mandos-options.xml" xpointer="priority"/> |
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
249 |
</listitem> |
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
250 |
</varlistentry> |
|
182
by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey". |
251 |
|
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
252 |
<varlistentry> |
|
124
by Teddy Hogeborn
* mandos.xml (OPTIONS): Moved long options before short. Use <option> |
253 |
<term><option>--servicename |
254 |
<replaceable>NAME</replaceable></option></term> |
|
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
255 |
<listitem> |
|
90
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Added "--xinclude". |
256 |
<xi:include href="mandos-options.xml" |
257 |
xpointer="servicename"/> |
|
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
258 |
</listitem> |
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
259 |
</varlistentry> |
|
182
by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey". |
260 |
|
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
261 |
<varlistentry> |
|
124
by Teddy Hogeborn
* mandos.xml (OPTIONS): Moved long options before short. Use <option> |
262 |
<term><option>--configdir |
263 |
<replaceable>DIRECTORY</replaceable></option></term> |
|
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
264 |
<listitem> |
265 |
<para> |
|
|
81
by Teddy Hogeborn
* Makefile (GNUTLS_CFLAGS, GNUTLS_LIBS, AVAHI_CFLAGS, AVAHI_LIBS, |
266 |
Directory to search for configuration files. Default is |
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
267 |
<quote><literal>/etc/mandos</literal></quote>. See |
268 |
<citerefentry><refentrytitle>mandos.conf</refentrytitle> |
|
|
81
by Teddy Hogeborn
* Makefile (GNUTLS_CFLAGS, GNUTLS_LIBS, AVAHI_CFLAGS, AVAHI_LIBS, |
269 |
<manvolnum>5</manvolnum></citerefentry> and <citerefentry> |
270 |
<refentrytitle>mandos-clients.conf</refentrytitle> |
|
271 |
<manvolnum>5</manvolnum></citerefentry>. |
|
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
272 |
</para> |
273 |
</listitem> |
|
274 |
</varlistentry> |
|
|
182
by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey". |
275 |
|
|
24.1.35
by Björn Påhlsson
version 1.0 |
276 |
<varlistentry> |
|
124
by Teddy Hogeborn
* mandos.xml (OPTIONS): Moved long options before short. Use <option> |
277 |
<term><option>--version</option></term> |
|
24.1.35
by Björn Påhlsson
version 1.0 |
278 |
<listitem> |
279 |
<para> |
|
|
81
by Teddy Hogeborn
* Makefile (GNUTLS_CFLAGS, GNUTLS_LIBS, AVAHI_CFLAGS, AVAHI_LIBS, |
280 |
Prints the program version and exit. |
|
24.1.35
by Björn Påhlsson
version 1.0 |
281 |
</para> |
282 |
</listitem> |
|
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
283 |
</varlistentry> |
|
237.2.34
by Teddy Hogeborn
Merge from release branch. |
284 |
|
285 |
<varlistentry> |
|
|
237.2.87
by Teddy Hogeborn
Merge from release branch. |
286 |
<term><option>--no-dbus</option></term> |
287 |
<listitem> |
|
288 |
<xi:include href="mandos-options.xml" xpointer="dbus"/> |
|
289 |
<para> |
|
290 |
See also <xref linkend="dbus_interface"/>. |
|
291 |
</para> |
|
292 |
</listitem> |
|
293 |
</varlistentry> |
|
294 |
|
|
295 |
<varlistentry> |
|
|
237.2.77
by Teddy Hogeborn
Support not using IPv6 in server: |
296 |
<term><option>--no-ipv6</option></term> |
297 |
<listitem> |
|
298 |
<xi:include href="mandos-options.xml" xpointer="ipv6"/> |
|
299 |
</listitem> |
|
300 |
</varlistentry> |
|
|
237.12.1
by Björn Påhlsson
Persistent state: New feature. Client state is now stored when mandos |
301 |
|
302 |
<varlistentry> |
|
303 |
<term><option>--no-restore</option></term> |
|
304 |
<listitem> |
|
305 |
<xi:include href="mandos-options.xml" xpointer="restore"/> |
|
|
237.7.94
by Teddy Hogeborn
* debian/rules (binary-common): Exclude network-hooks.d from |
306 |
<para> |
307 |
See also <xref linkend="persistent_state"/>. |
|
308 |
</para> |
|
|
237.12.1
by Björn Påhlsson
Persistent state: New feature. Client state is now stored when mandos |
309 |
</listitem> |
310 |
</varlistentry> |
|
|
237.14.2
by Teddy Hogeborn
Directory with persistent state can now be changed with the "statedir" |
311 |
|
312 |
<varlistentry> |
|
313 |
<term><option>--statedir |
|
314 |
<replaceable>DIRECTORY</replaceable></option></term> |
|
315 |
<listitem> |
|
316 |
<xi:include href="mandos-options.xml" xpointer="statedir"/> |
|
317 |
</listitem> |
|
318 |
</varlistentry> |
|
|
237.21.1
by Teddy Hogeborn
* mandos: Implement "--socket" option. |
319 |
|
320 |
<varlistentry> |
|
321 |
<term><option>--socket |
|
322 |
<replaceable>FD</replaceable></option></term> |
|
323 |
<listitem> |
|
324 |
<xi:include href="mandos-options.xml" xpointer="socket"/> |
|
325 |
</listitem> |
|
326 |
</varlistentry> |
|
327 |
|
|
|
237.7.154
by Teddy Hogeborn
* mandos: New "--foreground" option. |
328 |
<varlistentry> |
329 |
<term><option>--foreground</option></term> |
|
330 |
<listitem> |
|
331 |
<xi:include href="mandos-options.xml" |
|
332 |
xpointer="foreground"/> |
|
333 |
</listitem> |
|
334 |
</varlistentry> |
|
335 |
|
|
|
237.7.255
by Teddy Hogeborn
mandos: New "--no-zeroconf" option. Also make "--socket=0" work. |
336 |
<varlistentry> |
337 |
<term><option>--no-zeroconf</option></term> |
|
338 |
<listitem> |
|
339 |
<xi:include href="mandos-options.xml" xpointer="zeroconf"/> |
|
340 |
</listitem> |
|
341 |
</varlistentry> |
|
342 |
|
|
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
343 |
</variablelist> |
344 |
</refsect1> |
|
|
182
by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey". |
345 |
|
|
84
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Use the local manpages/docbook.xsl file, do |
346 |
<refsect1 id="overview"> |
347 |
<title>OVERVIEW</title> |
|
|
90
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Added "--xinclude". |
348 |
<xi:include href="overview.xml"/> |
|
84
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Use the local manpages/docbook.xsl file, do |
349 |
<para> |
350 |
This program is the server part. It is a normal server program |
|
351 |
and will run in a normal system environment, not in an initial |
|
|
134
by Teddy Hogeborn
* mandos.xml: Enclose "RAM" with <acronym>. |
352 |
<acronym>RAM</acronym> disk environment. |
|
84
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Use the local manpages/docbook.xsl file, do |
353 |
</para> |
354 |
</refsect1> |
|
|
182
by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey". |
355 |
|
|
81
by Teddy Hogeborn
* Makefile (GNUTLS_CFLAGS, GNUTLS_LIBS, AVAHI_CFLAGS, AVAHI_LIBS, |
356 |
<refsect1 id="protocol"> |
357 |
<title>NETWORK PROTOCOL</title> |
|
358 |
<para> |
|
359 |
The Mandos server announces itself as a Zeroconf service of type |
|
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
360 |
<quote><literal>_mandos._tcp</literal></quote>. The Mandos |
361 |
client connects to the announced address and port, and sends a |
|
362 |
line of text where the first whitespace-separated field is the |
|
363 |
protocol version, which currently is |
|
364 |
<quote><literal>1</literal></quote>. The client and server then |
|
365 |
start a TLS protocol handshake with a slight quirk: the Mandos |
|
366 |
server program acts as a TLS <quote>client</quote> while the |
|
367 |
connecting Mandos client acts as a TLS <quote>server</quote>. |
|
|
237.7.510
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
368 |
The Mandos client must supply a TLS public key, and the key ID |
369 |
of this public key is used by the Mandos server to look up (in a |
|
370 |
list read from <filename>clients.conf</filename> at start time) |
|
371 |
which binary blob to give the client. No other authentication |
|
372 |
or authorization is done by the server. |
|
|
81
by Teddy Hogeborn
* Makefile (GNUTLS_CFLAGS, GNUTLS_LIBS, AVAHI_CFLAGS, AVAHI_LIBS, |
373 |
</para> |
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
374 |
<table> |
375 |
<title>Mandos Protocol (Version 1)</title><tgroup cols="3"><thead> |
|
|
81
by Teddy Hogeborn
* Makefile (GNUTLS_CFLAGS, GNUTLS_LIBS, AVAHI_CFLAGS, AVAHI_LIBS, |
376 |
<row> |
377 |
<entry>Mandos Client</entry> |
|
378 |
<entry>Direction</entry> |
|
379 |
<entry>Mandos Server</entry> |
|
380 |
</row> |
|
381 |
</thead><tbody> |
|
382 |
<row> |
|
383 |
<entry>Connect</entry> |
|
384 |
<entry>-><!-- → --></entry> |
|
385 |
</row> |
|
386 |
<row> |
|
|
91
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Include all DocBook-to-manpage-related |
387 |
<entry><quote><literal>1\r\n</literal></quote></entry> |
|
81
by Teddy Hogeborn
* Makefile (GNUTLS_CFLAGS, GNUTLS_LIBS, AVAHI_CFLAGS, AVAHI_LIBS, |
388 |
<entry>-><!-- → --></entry> |
389 |
</row> |
|
390 |
<row> |
|
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
391 |
<entry>TLS handshake <emphasis>as TLS <quote>server</quote> |
392 |
</emphasis></entry> |
|
|
81
by Teddy Hogeborn
* Makefile (GNUTLS_CFLAGS, GNUTLS_LIBS, AVAHI_CFLAGS, AVAHI_LIBS, |
393 |
<entry><-><!-- ⟷ --></entry> |
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
394 |
<entry>TLS handshake <emphasis>as TLS <quote>client</quote> |
395 |
</emphasis></entry> |
|
|
81
by Teddy Hogeborn
* Makefile (GNUTLS_CFLAGS, GNUTLS_LIBS, AVAHI_CFLAGS, AVAHI_LIBS, |
396 |
</row> |
397 |
<row> |
|
|
237.7.510
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
398 |
<entry>Public key (part of TLS handshake)</entry> |
|
81
by Teddy Hogeborn
* Makefile (GNUTLS_CFLAGS, GNUTLS_LIBS, AVAHI_CFLAGS, AVAHI_LIBS, |
399 |
<entry>-><!-- → --></entry> |
400 |
</row> |
|
401 |
<row> |
|
402 |
<entry/> |
|
403 |
<entry><-<!-- ← --></entry> |
|
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
404 |
<entry>Binary blob (client will assume OpenPGP data)</entry> |
|
81
by Teddy Hogeborn
* Makefile (GNUTLS_CFLAGS, GNUTLS_LIBS, AVAHI_CFLAGS, AVAHI_LIBS, |
405 |
</row> |
406 |
<row> |
|
407 |
<entry/> |
|
408 |
<entry><-<!-- ← --></entry> |
|
409 |
<entry>Close</entry> |
|
410 |
</row> |
|
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
411 |
</tbody></tgroup></table> |
412 |
</refsect1> |
|
|
182
by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey". |
413 |
|
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
414 |
<refsect1 id="checking"> |
415 |
<title>CHECKING</title> |
|
416 |
<para> |
|
417 |
The server will, by default, continually check that the clients |
|
418 |
are still up. If a client has not been confirmed as being up |
|
419 |
for some time, the client is assumed to be compromised and is no |
|
|
237.2.130
by Teddy Hogeborn
* init.d-mandos: Bug fix: Correct the LSB header. |
420 |
longer eligible to receive the encrypted password. (Manual |
421 |
intervention is required to re-enable a client.) The timeout, |
|
|
24.1.179
by Björn Påhlsson
New feature: |
422 |
extended timeout, checker program, and interval between checks |
423 |
can be configured both globally and per client; see |
|
424 |
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle> |
|
|
237.7.106
by Teddy Hogeborn
* mandos.xml (CHECKING): Don't claim that a successful secret request |
425 |
<manvolnum>5</manvolnum></citerefentry>. |
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
426 |
</para> |
|
81
by Teddy Hogeborn
* Makefile (GNUTLS_CFLAGS, GNUTLS_LIBS, AVAHI_CFLAGS, AVAHI_LIBS, |
427 |
</refsect1> |
|
182
by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey". |
428 |
|
|
237.2.203
by Teddy Hogeborn
* mandos.xml (APPROVAL): New section. |
429 |
<refsect1 id="approval"> |
430 |
<title>APPROVAL</title> |
|
431 |
<para> |
|
432 |
The server can be configured to require manual approval for a |
|
433 |
client before it is sent its secret. The delay to wait for such |
|
434 |
approval and the default action (approve or deny) can be |
|
435 |
configured both globally and per client; see <citerefentry> |
|
436 |
<refentrytitle>mandos-clients.conf</refentrytitle> |
|
437 |
<manvolnum>5</manvolnum></citerefentry>. By default all clients |
|
438 |
will be approved immediately without delay. |
|
439 |
</para> |
|
440 |
<para> |
|
441 |
This can be used to deny a client its secret if not manually |
|
442 |
approved within a specified time. It can also be used to make |
|
443 |
the server delay before giving a client its secret, allowing |
|
444 |
optional manual denying of this specific client. |
|
445 |
</para> |
|
446 |
|
|
447 |
</refsect1> |
|
448 |
|
|
|
81
by Teddy Hogeborn
* Makefile (GNUTLS_CFLAGS, GNUTLS_LIBS, AVAHI_CFLAGS, AVAHI_LIBS, |
449 |
<refsect1 id="logging"> |
450 |
<title>LOGGING</title> |
|
451 |
<para> |
|
|
91
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Include all DocBook-to-manpage-related |
452 |
The server will send log message with various severity levels to |
|
237.13.1
by teddy at bsnet
* plugins.d/mandos-client.c (SYNOPSIS, OPTIONS): Document |
453 |
<filename class="devicefile">/dev/log</filename>. With the |
|
81
by Teddy Hogeborn
* Makefile (GNUTLS_CFLAGS, GNUTLS_LIBS, AVAHI_CFLAGS, AVAHI_LIBS, |
454 |
<option>--debug</option> option, it will log even more messages, |
455 |
and also show them on the console. |
|
456 |
</para> |
|
457 |
</refsect1> |
|
|
182
by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey". |
458 |
|
|
237.7.94
by Teddy Hogeborn
* debian/rules (binary-common): Exclude network-hooks.d from |
459 |
<refsect1 id="persistent_state"> |
460 |
<title>PERSISTENT STATE</title> |
|
461 |
<para> |
|
462 |
Client settings, initially read from |
|
463 |
<filename>clients.conf</filename>, are persistent across |
|
464 |
restarts, and run-time changes will override settings in |
|
465 |
<filename>clients.conf</filename>. However, if a setting is |
|
466 |
<emphasis>changed</emphasis> (or a client added, or removed) in |
|
467 |
<filename>clients.conf</filename>, this will take precedence. |
|
468 |
</para> |
|
469 |
</refsect1> |
|
470 |
|
|
|
237.2.87
by Teddy Hogeborn
Merge from release branch. |
471 |
<refsect1 id="dbus_interface"> |
472 |
<title>D-BUS INTERFACE</title> |
|
473 |
<para> |
|
474 |
The server will by default provide a D-Bus system bus interface. |
|
475 |
This interface will only be accessible by the root user or a |
|
|
237.2.186
by Teddy Hogeborn
Documentation changes: |
476 |
Mandos-specific user, if such a user exists. For documentation |
477 |
of the D-Bus API, see the file <filename>DBUS-API</filename>. |
|
|
237.2.87
by Teddy Hogeborn
Merge from release branch. |
478 |
</para> |
479 |
</refsect1> |
|
480 |
|
|
|
24.1.55
by Björn Påhlsson
updated some partial manual pages |
481 |
<refsect1 id="exit_status"> |
482 |
<title>EXIT STATUS</title> |
|
483 |
<para> |
|
|
81
by Teddy Hogeborn
* Makefile (GNUTLS_CFLAGS, GNUTLS_LIBS, AVAHI_CFLAGS, AVAHI_LIBS, |
484 |
The server will exit with a non-zero exit status only when a |
485 |
critical error is encountered. |
|
|
24.1.55
by Björn Påhlsson
updated some partial manual pages |
486 |
</para> |
487 |
</refsect1> |
|
|
182
by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey". |
488 |
|
|
85
by Teddy Hogeborn
* mandos.xml (SYNOPSIS): Removed unnecessary 'choice="opt"' from <arg> |
489 |
<refsect1 id="environment"> |
490 |
<title>ENVIRONMENT</title> |
|
491 |
<variablelist> |
|
492 |
<varlistentry> |
|
|
117
by Teddy Hogeborn
* mandos-keygen.xml (ENVIRONMENT): Replaced <varname> with <envar>. |
493 |
<term><envar>PATH</envar></term> |
|
85
by Teddy Hogeborn
* mandos.xml (SYNOPSIS): Removed unnecessary 'choice="opt"' from <arg> |
494 |
<listitem> |
495 |
<para> |
|
496 |
To start the configured checker (see <xref |
|
497 |
linkend="checking"/>), the server uses |
|
498 |
<filename>/bin/sh</filename>, which in turn uses |
|
499 |
<varname>PATH</varname> to search for matching commands if |
|
500 |
an absolute path is not given. See <citerefentry> |
|
501 |
<refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum> |
|
|
91
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Include all DocBook-to-manpage-related |
502 |
</citerefentry>. |
|
85
by Teddy Hogeborn
* mandos.xml (SYNOPSIS): Removed unnecessary 'choice="opt"' from <arg> |
503 |
</para> |
504 |
</listitem> |
|
505 |
</varlistentry> |
|
506 |
</variablelist> |
|
507 |
</refsect1> |
|
|
182
by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey". |
508 |
|
|
224
by Teddy Hogeborn
* mandos-keygen.xml (FILES): Fixed id to be "files", not "file". |
509 |
<refsect1 id="files"> |
|
24.1.55
by Björn Påhlsson
updated some partial manual pages |
510 |
<title>FILES</title> |
511 |
<para> |
|
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
512 |
Use the <option>--configdir</option> option to change where |
513 |
<command>&COMMANDNAME;</command> looks for its configurations |
|
514 |
files. The default file names are listed here. |
|
|
24.1.55
by Björn Påhlsson
updated some partial manual pages |
515 |
</para> |
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
516 |
<variablelist> |
517 |
<varlistentry> |
|
518 |
<term><filename>/etc/mandos/mandos.conf</filename></term> |
|
519 |
<listitem> |
|
520 |
<para> |
|
521 |
Server-global settings. See |
|
522 |
<citerefentry><refentrytitle>mandos.conf</refentrytitle> |
|
523 |
<manvolnum>5</manvolnum></citerefentry> for details. |
|
524 |
</para> |
|
525 |
</listitem> |
|
526 |
</varlistentry> |
|
527 |
<varlistentry> |
|
528 |
<term><filename>/etc/mandos/clients.conf</filename></term> |
|
529 |
<listitem> |
|
530 |
<para> |
|
531 |
List of clients and client-specific settings. See |
|
532 |
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle> |
|
533 |
<manvolnum>5</manvolnum></citerefentry> for details. |
|
534 |
</para> |
|
535 |
</listitem> |
|
536 |
</varlistentry> |
|
537 |
<varlistentry> |
|
|
237.7.174
by Teddy Hogeborn
* Makefile (CFLAGS, LDFLAGS): Keep default flags from environment. |
538 |
<term><filename>/run/mandos.pid</filename></term> |
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
539 |
<listitem> |
540 |
<para> |
|
|
237.2.202
by Teddy Hogeborn
* mandos: Do not write pid file if --debug is passed. |
541 |
The file containing the process id of the |
542 |
<command>&COMMANDNAME;</command> process started last. |
|
|
237.7.184
by Teddy Hogeborn
Fall back to /var/run for pidfile if /run is not a directory. |
543 |
<emphasis >Note:</emphasis> If the <filename |
544 |
class="directory">/run</filename> directory does not |
|
545 |
exist, <filename>/var/run/mandos.pid</filename> will be |
|
546 |
used instead. |
|
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
547 |
</para> |
548 |
</listitem> |
|
549 |
</varlistentry> |
|
550 |
<varlistentry> |
|
|
237.14.2
by Teddy Hogeborn
Directory with persistent state can now be changed with the "statedir" |
551 |
<term><filename |
552 |
class="directory">/var/lib/mandos</filename></term> |
|
553 |
<listitem> |
|
554 |
<para> |
|
555 |
Directory where persistent state will be saved. Change |
|
556 |
this with the <option>--statedir</option> option. See |
|
557 |
also the <option>--no-restore</option> option. |
|
558 |
</para> |
|
559 |
</listitem> |
|
560 |
</varlistentry> |
|
561 |
<varlistentry> |
|
|
237.7.343
by Teddy Hogeborn
* mandos.xml (FILES): Removed duplicate entry for “/dev/log”. |
562 |
<term><filename class="devicefile">/dev/log</filename></term> |
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
563 |
<listitem> |
564 |
<para> |
|
565 |
The Unix domain socket to where local syslog messages are |
|
566 |
sent.
|
|
567 |
</para> |
|
568 |
</listitem> |
|
569 |
</varlistentry> |
|
|
85
by Teddy Hogeborn
* mandos.xml (SYNOPSIS): Removed unnecessary 'choice="opt"' from <arg> |
570 |
<varlistentry> |
571 |
<term><filename>/bin/sh</filename></term> |
|
572 |
<listitem> |
|
573 |
<para> |
|
574 |
This is used to start the configured checker command for |
|
575 |
each client. See <citerefentry> |
|
576 |
<refentrytitle>mandos-clients.conf</refentrytitle> |
|
577 |
<manvolnum>5</manvolnum></citerefentry> for details. |
|
578 |
</para> |
|
579 |
</listitem> |
|
580 |
</varlistentry> |
|
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
581 |
</variablelist> |
582 |
</refsect1> |
|
|
85
by Teddy Hogeborn
* mandos.xml (SYNOPSIS): Removed unnecessary 'choice="opt"' from <arg> |
583 |
|
|
24.1.55
by Björn Påhlsson
updated some partial manual pages |
584 |
<refsect1 id="bugs"> |
585 |
<title>BUGS</title> |
|
586 |
<para> |
|
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
587 |
This server might, on especially fatal errors, emit a Python |
588 |
backtrace. This could be considered a feature. |
|
|
24.1.55
by Björn Påhlsson
updated some partial manual pages |
589 |
</para> |
|
85
by Teddy Hogeborn
* mandos.xml (SYNOPSIS): Removed unnecessary 'choice="opt"' from <arg> |
590 |
<para> |
591 |
There is no fine-grained control over logging and debug output. |
|
592 |
</para> |
|
|
237.7.369
by Teddy Hogeborn
Add bug reporting information to manual pages |
593 |
<xi:include href="bugs.xml"/> |
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
594 |
</refsect1> |
|
85
by Teddy Hogeborn
* mandos.xml (SYNOPSIS): Removed unnecessary 'choice="opt"' from <arg> |
595 |
|
596 |
<refsect1 id="example"> |
|
597 |
<title>EXAMPLE</title> |
|
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
598 |
<informalexample> |
599 |
<para> |
|
600 |
Normal invocation needs no options: |
|
601 |
</para> |
|
602 |
<para> |
|
|
110
by Teddy Hogeborn
* mandos.xml (EXAMPLE): Replaced all occurences of command name with |
603 |
<userinput>&COMMANDNAME;</userinput> |
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
604 |
</para> |
605 |
</informalexample> |
|
606 |
<informalexample> |
|
607 |
<para> |
|
|
84
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Use the local manpages/docbook.xsl file, do |
608 |
Run the server in debug mode, read configuration files from |
|
237.14.2
by Teddy Hogeborn
Directory with persistent state can now be changed with the "statedir" |
609 |
the <filename class="directory">~/mandos</filename> directory, |
610 |
and use the Zeroconf service name <quote>Test</quote> to not |
|
611 |
collide with any other official Mandos server on this host: |
|
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
612 |
</para> |
613 |
<para> |
|
614 |
||
615 |
<!-- do not wrap this line -->
|
|
|
110
by Teddy Hogeborn
* mandos.xml (EXAMPLE): Replaced all occurences of command name with |
616 |
<userinput>&COMMANDNAME; --debug --configdir ~/mandos --servicename Test</userinput> |
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
617 |
|
618 |
</para> |
|
619 |
</informalexample> |
|
620 |
<informalexample> |
|
621 |
<para> |
|
622 |
Run the server normally, but only listen to one interface and |
|
623 |
only on the link-local address on that interface: |
|
624 |
</para> |
|
625 |
<para> |
|
626 |
||
627 |
<!-- do not wrap this line -->
|
|
|
110
by Teddy Hogeborn
* mandos.xml (EXAMPLE): Replaced all occurences of command name with |
628 |
<userinput>&COMMANDNAME; --interface eth7 --address fe80::aede:48ff:fe71:f6f2</userinput> |
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
629 |
|
630 |
</para> |
|
631 |
</informalexample> |
|
|
24.1.55
by Björn Påhlsson
updated some partial manual pages |
632 |
</refsect1> |
|
182
by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey". |
633 |
|
|
24.1.55
by Björn Påhlsson
updated some partial manual pages |
634 |
<refsect1 id="security"> |
635 |
<title>SECURITY</title> |
|
|
224
by Teddy Hogeborn
* mandos-keygen.xml (FILES): Fixed id to be "files", not "file". |
636 |
<refsect2 id="server"> |
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
637 |
<title>SERVER</title> |
638 |
<para> |
|
|
85
by Teddy Hogeborn
* mandos.xml (SYNOPSIS): Removed unnecessary 'choice="opt"' from <arg> |
639 |
Running this <command>&COMMANDNAME;</command> server program |
640 |
should not in itself present any security risk to the host |
|
|
163
by Teddy Hogeborn
* Makefile (PIDDIR, USER, GROUP): Removed. |
641 |
computer running it. The program switches to a non-root user |
642 |
soon after startup. |
|
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
643 |
</para> |
644 |
</refsect2> |
|
|
224
by Teddy Hogeborn
* mandos-keygen.xml (FILES): Fixed id to be "files", not "file". |
645 |
<refsect2 id="clients"> |
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
646 |
<title>CLIENTS</title> |
647 |
<para> |
|
648 |
The server only gives out its stored data to clients which |
|
|
237.7.510
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
649 |
does have the correct key ID of the stored key ID. This is |
650 |
guaranteed by the fact that the client sends its public key in |
|
651 |
the TLS handshake; this ensures it to be genuine. The server |
|
652 |
computes the key ID of the key itself and looks up the key ID |
|
653 |
in its list of clients. The <filename>clients.conf</filename> |
|
654 |
file (see |
|
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
655 |
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle> |
|
84
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Use the local manpages/docbook.xsl file, do |
656 |
<manvolnum>5</manvolnum></citerefentry>) |
657 |
<emphasis>must</emphasis> be made non-readable by anyone |
|
|
201
by Teddy Hogeborn
* mandos.xml (SECURITY): Minor wording improvement. |
658 |
except the user starting the server (usually root). |
|
84
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Use the local manpages/docbook.xsl file, do |
659 |
</para> |
660 |
<para> |
|
661 |
As detailed in <xref linkend="checking"/>, the status of all |
|
662 |
client computers will continually be checked and be assumed |
|
663 |
compromised if they are gone for too long. |
|
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
664 |
</para> |
665 |
<para> |
|
666 |
For more details on client-side security, see |
|
|
171
by Teddy Hogeborn
Renamed "password-request" to "mandos-client". |
667 |
<citerefentry><refentrytitle>mandos-client</refentrytitle> |
|
83
by Teddy Hogeborn
* Makefile (MANPOST): Bug fix: do not replace *all* "een" with "en". |
668 |
<manvolnum>8mandos</manvolnum></citerefentry>. |
669 |
</para> |
|
670 |
</refsect2> |
|
|
24.1.55
by Björn Påhlsson
updated some partial manual pages |
671 |
</refsect1> |
|
182
by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey". |
672 |
|
|
24.1.55
by Björn Påhlsson
updated some partial manual pages |
673 |
<refsect1 id="see_also"> |
674 |
<title>SEE ALSO</title> |
|
|
92
by Teddy Hogeborn
* mandos-keygen.xml (SEE ALSO): Remove "and". |
675 |
<para> |
|
237.7.41
by Teddy Hogeborn
* Makefile (DOCS): Added "intro.8mandos". |
676 |
<citerefentry><refentrytitle>intro</refentrytitle> |
677 |
<manvolnum>8mandos</manvolnum></citerefentry>, |
|
678 |
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle> |
|
679 |
<manvolnum>5</manvolnum></citerefentry>, |
|
680 |
<citerefentry><refentrytitle>mandos.conf</refentrytitle> |
|
681 |
<manvolnum>5</manvolnum></citerefentry>, |
|
682 |
<citerefentry><refentrytitle>mandos-client</refentrytitle> |
|
683 |
<manvolnum>8mandos</manvolnum></citerefentry>, |
|
684 |
<citerefentry><refentrytitle>sh</refentrytitle> |
|
685 |
<manvolnum>1</manvolnum></citerefentry> |
|
|
92
by Teddy Hogeborn
* mandos-keygen.xml (SEE ALSO): Remove "and". |
686 |
</para> |
|
84
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Use the local manpages/docbook.xsl file, do |
687 |
<variablelist> |
688 |
<varlistentry> |
|
689 |
<term> |
|
690 |
<ulink url="http://www.zeroconf.org/">Zeroconf</ulink> |
|
691 |
</term> |
|
692 |
<listitem> |
|
693 |
<para> |
|
694 |
Zeroconf is the network protocol standard used by clients |
|
695 |
for finding this Mandos server on the local network. |
|
696 |
</para> |
|
697 |
</listitem> |
|
698 |
</varlistentry> |
|
699 |
<varlistentry> |
|
700 |
<term> |
|
|
237.7.669
by Teddy Hogeborn
Change URL for Avahi to use HTTPS |
701 |
<ulink url="https://www.avahi.org/">Avahi</ulink> |
|
84
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Use the local manpages/docbook.xsl file, do |
702 |
</term> |
703 |
<listitem> |
|
704 |
<para> |
|
705 |
Avahi is the library this server calls to implement |
|
706 |
Zeroconf service announcements. |
|
707 |
</para> |
|
708 |
</listitem> |
|
709 |
</varlistentry> |
|
710 |
<varlistentry> |
|
711 |
<term> |
|
|
237.7.416
by Teddy Hogeborn
Change all http:// URLs to https:// wherever possible. |
712 |
<ulink url="https://gnutls.org/">GnuTLS</ulink> |
|
84
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Use the local manpages/docbook.xsl file, do |
713 |
</term> |
714 |
<listitem> |
|
715 |
<para> |
|
716 |
GnuTLS is the library this server uses to implement TLS for |
|
717 |
communicating securely with the client, and at the same time |
|
|
237.7.510
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
718 |
confidently get the client’s public key. |
|
84
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Use the local manpages/docbook.xsl file, do |
719 |
</para> |
720 |
</listitem> |
|
721 |
</varlistentry> |
|
722 |
<varlistentry> |
|
723 |
<term> |
|
|
108
by Teddy Hogeborn
* mandos-options.xml (address): Refer to IPv4-mapped IPv6 address |
724 |
RFC 4291: <citetitle>IP Version 6 Addressing |
725 |
Architecture</citetitle> |
|
|
84
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Use the local manpages/docbook.xsl file, do |
726 |
</term> |
727 |
<listitem> |
|
|
108
by Teddy Hogeborn
* mandos-options.xml (address): Refer to IPv4-mapped IPv6 address |
728 |
<variablelist> |
729 |
<varlistentry> |
|
730 |
<term>Section 2.2: <citetitle>Text Representation of |
|
731 |
Addresses</citetitle></term> |
|
732 |
<listitem><para/></listitem> |
|
733 |
</varlistentry> |
|
734 |
<varlistentry> |
|
735 |
<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6 |
|
736 |
Address</citetitle></term> |
|
737 |
<listitem><para/></listitem> |
|
738 |
</varlistentry> |
|
739 |
<varlistentry> |
|
740 |
<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast |
|
741 |
Addresses</citetitle></term> |
|
742 |
<listitem> |
|
743 |
<para> |
|
744 |
The clients use IPv6 link-local addresses, which are |
|
|
237.7.797
by Teddy Hogeborn
Minor text adjustment in mandos(8) manual page |
745 |
immediately usable since a link-local address is |
|
108
by Teddy Hogeborn
* mandos-options.xml (address): Refer to IPv4-mapped IPv6 address |
746 |
automatically assigned to a network interfaces when it |
747 |
is brought up. |
|
748 |
</para> |
|
749 |
</listitem> |
|
750 |
</varlistentry> |
|
751 |
</variablelist> |
|
|
84
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Use the local manpages/docbook.xsl file, do |
752 |
</listitem> |
753 |
</varlistentry> |
|
754 |
<varlistentry> |
|
755 |
<term> |
|
|
237.7.289
by Teddy Hogeborn
mandos.xml (SEE ALSO): Update links. |
756 |
RFC 5246: <citetitle>The Transport Layer Security (TLS) |
757 |
Protocol Version 1.2</citetitle> |
|
|
84
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Use the local manpages/docbook.xsl file, do |
758 |
</term> |
759 |
<listitem> |
|
760 |
<para> |
|
|
237.7.289
by Teddy Hogeborn
mandos.xml (SEE ALSO): Update links. |
761 |
TLS 1.2 is the protocol implemented by GnuTLS. |
|
84
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Use the local manpages/docbook.xsl file, do |
762 |
</para> |
763 |
</listitem> |
|
764 |
</varlistentry> |
|
765 |
<varlistentry> |
|
766 |
<term> |
|
|
108
by Teddy Hogeborn
* mandos-options.xml (address): Refer to IPv4-mapped IPv6 address |
767 |
RFC 4880: <citetitle>OpenPGP Message Format</citetitle> |
|
84
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Use the local manpages/docbook.xsl file, do |
768 |
</term> |
769 |
<listitem> |
|
770 |
<para> |
|
771 |
The data sent to clients is binary encrypted OpenPGP data. |
|
772 |
</para> |
|
773 |
</listitem> |
|
774 |
</varlistentry> |
|
775 |
<varlistentry> |
|
776 |
<term> |
|
|
237.7.510
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
777 |
RFC 7250: <citetitle>Using Raw Public Keys in Transport |
778 |
Layer Security (TLS) and Datagram Transport Layer Security |
|
779 |
(DTLS)</citetitle> |
|
780 |
</term> |
|
781 |
<listitem> |
|
782 |
<para> |
|
783 |
This is implemented by GnuTLS version 3.6.6 and is, if |
|
784 |
present, used by this server so that raw public keys can be |
|
785 |
used.
|
|
786 |
</para> |
|
787 |
</listitem> |
|
788 |
</varlistentry> |
|
789 |
<varlistentry> |
|
790 |
<term> |
|
|
237.7.289
by Teddy Hogeborn
mandos.xml (SEE ALSO): Update links. |
791 |
RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer |
792 |
Security (TLS) Authentication</citetitle> |
|
|
84
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Use the local manpages/docbook.xsl file, do |
793 |
</term> |
794 |
<listitem> |
|
795 |
<para> |
|
|
237.7.510
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
796 |
This is implemented by GnuTLS before version 3.6.0 and is, |
797 |
if present, used by this server so that OpenPGP keys can be |
|
798 |
used.
|
|
|
84
by Teddy Hogeborn
* Makefile (DOCBOOKTOMAN): Use the local manpages/docbook.xsl file, do |
799 |
</para> |
800 |
</listitem> |
|
801 |
</varlistentry> |
|
802 |
</variablelist> |
|
|
24.1.55
by Björn Påhlsson
updated some partial manual pages |
803 |
</refsect1> |
|
24.1.23
by Björn Påhlsson
Added manual pages for: |
804 |
</refentry>
|
|
111
by Teddy Hogeborn
* mandos-clients.conf.xml (ENTITY TIMESTAMP): New. Automatically |
805 |
<!-- Local Variables: -->
|
806 |
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
|
|
807 |
<!-- time-stamp-end: "[\"']>" -->
|
|
808 |
<!-- time-stamp-format: "%:y-%02m-%02d" -->
|
|
809 |
<!-- End: -->
|