3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY VERSION "1.0">
5
5
<!ENTITY COMMANDNAME "mandos">
6
<!ENTITY TIMESTAMP "2008-09-05">
9
8
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
11
<title>Mandos Manual</title>
10
<title>&COMMANDNAME;</title>
12
11
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
13
<productname>Mandos</productname>
12
<productname>&COMMANDNAME;</productname>
14
13
<productnumber>&VERSION;</productnumber>
15
<date>&TIMESTAMP;</date>
18
16
<firstname>Björn</firstname>
34
32
<holder>Teddy Hogeborn</holder>
35
33
<holder>Björn Påhlsson</holder>
37
<xi:include href="legalnotice.xml"/>
37
This manual page is free software: you can redistribute it
38
and/or modify it under the terms of the GNU General Public
39
License as published by the Free Software Foundation,
40
either version 3 of the License, or (at your option) any
45
This manual page is distributed in the hope that it will
46
be useful, but WITHOUT ANY WARRANTY; without even the
47
implied warranty of MERCHANTABILITY or FITNESS FOR A
48
PARTICULAR PURPOSE. See the GNU General Public License
53
You should have received a copy of the GNU General Public
54
License along with this program; If not, see
55
<ulink url="http://www.gnu.org/licenses/"/>.
46
66
<refname><command>&COMMANDNAME;</command></refname>
48
Gives encrypted passwords to authenticated Mandos clients
68
Sends encrypted passwords to authenticated Mandos clients
54
74
<command>&COMMANDNAME;</command>
56
<arg choice="plain"><option>--interface
57
<replaceable>NAME</replaceable></option></arg>
58
<arg choice="plain"><option>-i
59
<replaceable>NAME</replaceable></option></arg>
63
<arg choice="plain"><option>--address
64
<replaceable>ADDRESS</replaceable></option></arg>
65
<arg choice="plain"><option>-a
66
<replaceable>ADDRESS</replaceable></option></arg>
70
<arg choice="plain"><option>--port
71
<replaceable>PORT</replaceable></option></arg>
72
<arg choice="plain"><option>-p
73
<replaceable>PORT</replaceable></option></arg>
76
<arg><option>--priority
77
<replaceable>PRIORITY</replaceable></option></arg>
79
<arg><option>--servicename
80
<replaceable>NAME</replaceable></option></arg>
82
<arg><option>--configdir
83
<replaceable>DIRECTORY</replaceable></option></arg>
85
<arg><option>--debug</option></arg>
75
<arg>--interface<arg choice="plain">NAME</arg></arg>
76
<arg>--address<arg choice="plain">ADDRESS</arg></arg>
77
<arg>--port<arg choice="plain">PORT</arg></arg>
78
<arg>--priority<arg choice="plain">PRIORITY</arg></arg>
79
<arg>--servicename<arg choice="plain">NAME</arg></arg>
80
<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>
84
<command>&COMMANDNAME;</command>
85
<arg>-i<arg choice="plain">NAME</arg></arg>
86
<arg>-a<arg choice="plain">ADDRESS</arg></arg>
87
<arg>-p<arg choice="plain">PORT</arg></arg>
88
<arg>--priority<arg choice="plain">PRIORITY</arg></arg>
89
<arg>--servicename<arg choice="plain">NAME</arg></arg>
90
<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>
88
94
<command>&COMMANDNAME;</command>
89
95
<group choice="req">
90
<arg choice="plain"><option>--help</option></arg>
91
<arg choice="plain"><option>-h</option></arg>
96
<arg choice="plain">-h</arg>
97
<arg choice="plain">--help</arg>
95
101
<command>&COMMANDNAME;</command>
96
<arg choice="plain"><option>--version</option></arg>
102
<arg choice="plain">--version</arg>
99
105
<command>&COMMANDNAME;</command>
100
<arg choice="plain"><option>--check</option></arg>
106
<arg choice="plain">--check</arg>
102
108
</refsynopsisdiv>
115
121
Any authenticated client is then given the stored pre-encrypted
116
122
password for that specific client.
120
127
<refsect1 id="purpose">
121
128
<title>PURPOSE</title>
123
131
The purpose of this is to enable <emphasis>remote and unattended
124
132
rebooting</emphasis> of client host computer with an
125
133
<emphasis>encrypted root file system</emphasis>. See <xref
126
134
linkend="overview"/> for details.
130
139
<refsect1 id="options">
131
140
<title>OPTIONS</title>
134
<term><option>--help</option></term>
135
<term><option>-h</option></term>
144
<term><literal>-h</literal>, <literal>--help</literal></term>
138
147
Show a help message and exit
144
<term><option>--interface</option>
145
<replaceable>NAME</replaceable></term>
146
<term><option>-i</option>
147
<replaceable>NAME</replaceable></term>
153
<term><literal>-i</literal>, <literal>--interface <replaceable
154
>NAME</replaceable></literal></term>
149
156
<xi:include href="mandos-options.xml" xpointer="interface"/>
154
<term><option>--address
155
<replaceable>ADDRESS</replaceable></option></term>
157
<replaceable>ADDRESS</replaceable></option></term>
161
<term><literal>-a</literal>, <literal>--address <replaceable>
162
ADDRESS</replaceable></literal></term>
159
164
<xi:include href="mandos-options.xml" xpointer="address"/>
165
<replaceable>PORT</replaceable></option></term>
167
<replaceable>PORT</replaceable></option></term>
169
<term><literal>-p</literal>, <literal>--port <replaceable>
170
PORT</replaceable></literal></term>
169
172
<xi:include href="mandos-options.xml" xpointer="port"/>
174
<term><option>--check</option></term>
177
<term><literal>--check</literal></term>
177
180
Run the server’s self-tests. This includes any unit
184
<term><option>--debug</option></term>
187
<term><literal>--debug</literal></term>
186
189
<xi:include href="mandos-options.xml" xpointer="debug"/>
191
<term><option>--priority <replaceable>
192
PRIORITY</replaceable></option></term>
194
<term><literal>--priority <replaceable>
195
PRIORITY</replaceable></literal></term>
194
197
<xi:include href="mandos-options.xml" xpointer="priority"/>
199
<term><option>--servicename
200
<replaceable>NAME</replaceable></option></term>
202
<term><literal>--servicename <replaceable>NAME</replaceable>
202
205
<xi:include href="mandos-options.xml"
203
206
xpointer="servicename"/>
488
487
Running this <command>&COMMANDNAME;</command> server program
489
488
should not in itself present any security risk to the host
490
computer running it. The program switches to a non-root user
489
computer running it. The program does not need any special
490
privileges to run, and is designed to run as a non-root user.
494
493
<refsect2 id="CLIENTS">
521
520
restarting servers if it is suspected that a client has, in
522
521
fact, been compromised by parties who may now be running a
523
522
fake Mandos client with the keys from the non-encrypted
524
initial <acronym>RAM</acronym> image of the client host. What
525
should be done in that case (if restarting the server program
526
really is necessary) is to stop the server program, edit the
523
initial RAM image of the client host. What should be done in
524
that case (if restarting the server program really is
525
necessary) is to stop the server program, edit the
527
526
configuration file to omit any suspect clients, and restart
528
527
the server program.
539
538
<title>SEE ALSO</title>
541
<refentrytitle>mandos.conf</refentrytitle>
542
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
542
543
<refentrytitle>mandos-clients.conf</refentrytitle>
543
544
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
544
<refentrytitle>mandos.conf</refentrytitle>
545
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
546
545
<refentrytitle>password-request</refentrytitle>
547
546
<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>
548
547
<refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
589
RFC 4291: <citetitle>IP Version 6 Addressing
590
Architecture</citetitle>
588
<citation>RFC 4291: <citetitle>IP Version 6 Addressing
589
Architecture</citetitle>, section 2.5.6, Link-Local IPv6
590
Unicast Addresses</citation>
595
<term>Section 2.2: <citetitle>Text Representation of
596
Addresses</citetitle></term>
597
<listitem><para/></listitem>
600
<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6
601
Address</citetitle></term>
602
<listitem><para/></listitem>
605
<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast
606
Addresses</citetitle></term>
609
The clients use IPv6 link-local addresses, which are
610
immediately usable since a link-local addresses is
611
automatically assigned to a network interfaces when it
594
The clients use IPv6 link-local addresses, which are
595
immediately usable since a link-local addresses is
596
automatically assigned to a network interfaces when it is
621
RFC 4346: <citetitle>The Transport Layer Security (TLS)
622
Protocol Version 1.1</citetitle>
603
<citation>RFC 4346: <citetitle>The Transport Layer Security
604
(TLS) Protocol Version 1.1</citetitle></citation>