/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos.xml

  • Committer: Teddy Hogeborn
  • Date: 2008-08-29 07:09:04 UTC
  • Revision ID: teddy@fukt.bsnet.se-20080829070904-i6u8xb0aueytvfii
* mandos-clients.conf.xml (/refentry/refentryinfo/title): Changed to
                                                          "Mandos
                                                          Manual".

  (/refentry/refentryinfo/productname): Changed to "Mandos".
* mandos-keygen.xml: - '' -
* mandos.conf.xml: - '' -
* mandos.xml: - '' -
* plugin-runner.xml: - '' -
* plugins.d/password-request.xml: - '' -

Show diffs side-by-side

added added

removed removed

Lines of Context:
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY VERSION "1.0">
5
5
<!ENTITY COMMANDNAME "mandos">
6
 
<!ENTITY TIMESTAMP "2008-09-21">
 
6
<!ENTITY TIMESTAMP "2008-08-29">
7
7
]>
8
8
 
9
9
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
34
34
      <holder>Teddy Hogeborn</holder>
35
35
      <holder>Björn Påhlsson</holder>
36
36
    </copyright>
37
 
    <xi:include href="legalnotice.xml"/>
 
37
    <legalnotice>
 
38
      <para>
 
39
        This manual page is free software: you can redistribute it
 
40
        and/or modify it under the terms of the GNU General Public
 
41
        License as published by the Free Software Foundation,
 
42
        either version 3 of the License, or (at your option) any
 
43
        later version.
 
44
      </para>
 
45
 
 
46
      <para>
 
47
        This manual page is distributed in the hope that it will
 
48
        be useful, but WITHOUT ANY WARRANTY; without even the
 
49
        implied warranty of MERCHANTABILITY or FITNESS FOR A
 
50
        PARTICULAR PURPOSE.  See the GNU General Public License
 
51
        for more details.
 
52
      </para>
 
53
 
 
54
      <para>
 
55
        You should have received a copy of the GNU General Public
 
56
        License along with this program; If not, see
 
57
        <ulink url="http://www.gnu.org/licenses/"/>.
 
58
      </para>
 
59
    </legalnotice>
38
60
  </refentryinfo>
39
 
  
 
61
 
40
62
  <refmeta>
41
63
    <refentrytitle>&COMMANDNAME;</refentrytitle>
42
64
    <manvolnum>8</manvolnum>
45
67
  <refnamediv>
46
68
    <refname><command>&COMMANDNAME;</command></refname>
47
69
    <refpurpose>
48
 
      Gives encrypted passwords to authenticated Mandos clients
 
70
      Sends encrypted passwords to authenticated Mandos clients
49
71
    </refpurpose>
50
72
  </refnamediv>
51
 
  
 
73
 
52
74
  <refsynopsisdiv>
53
75
    <cmdsynopsis>
54
76
      <command>&COMMANDNAME;</command>
55
 
      <group>
56
 
        <arg choice="plain"><option>--interface
57
 
        <replaceable>NAME</replaceable></option></arg>
58
 
        <arg choice="plain"><option>-i
59
 
        <replaceable>NAME</replaceable></option></arg>
60
 
      </group>
61
 
      <sbr/>
62
 
      <group>
63
 
        <arg choice="plain"><option>--address
64
 
        <replaceable>ADDRESS</replaceable></option></arg>
65
 
        <arg choice="plain"><option>-a
66
 
        <replaceable>ADDRESS</replaceable></option></arg>
67
 
      </group>
68
 
      <sbr/>
69
 
      <group>
70
 
        <arg choice="plain"><option>--port
71
 
        <replaceable>PORT</replaceable></option></arg>
72
 
        <arg choice="plain"><option>-p
73
 
        <replaceable>PORT</replaceable></option></arg>
74
 
      </group>
75
 
      <sbr/>
76
 
      <arg><option>--priority
77
 
      <replaceable>PRIORITY</replaceable></option></arg>
78
 
      <sbr/>
79
 
      <arg><option>--servicename
80
 
      <replaceable>NAME</replaceable></option></arg>
81
 
      <sbr/>
82
 
      <arg><option>--configdir
83
 
      <replaceable>DIRECTORY</replaceable></option></arg>
84
 
      <sbr/>
85
 
      <arg><option>--debug</option></arg>
 
77
      <arg>--interface<arg choice="plain">NAME</arg></arg>
 
78
      <arg>--address<arg choice="plain">ADDRESS</arg></arg>
 
79
      <arg>--port<arg choice="plain">PORT</arg></arg>
 
80
      <arg>--priority<arg choice="plain">PRIORITY</arg></arg>
 
81
      <arg>--servicename<arg choice="plain">NAME</arg></arg>
 
82
      <arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>
 
83
      <arg>--debug</arg>
 
84
    </cmdsynopsis>
 
85
    <cmdsynopsis>
 
86
      <command>&COMMANDNAME;</command>
 
87
      <arg>-i<arg choice="plain">NAME</arg></arg>
 
88
      <arg>-a<arg choice="plain">ADDRESS</arg></arg>
 
89
      <arg>-p<arg choice="plain">PORT</arg></arg>
 
90
      <arg>--priority<arg choice="plain">PRIORITY</arg></arg>
 
91
      <arg>--servicename<arg choice="plain">NAME</arg></arg>
 
92
      <arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>
 
93
      <arg>--debug</arg>
86
94
    </cmdsynopsis>
87
95
    <cmdsynopsis>
88
96
      <command>&COMMANDNAME;</command>
89
97
      <group choice="req">
90
 
        <arg choice="plain"><option>--help</option></arg>
91
 
        <arg choice="plain"><option>-h</option></arg>
 
98
        <arg choice="plain">-h</arg>
 
99
        <arg choice="plain">--help</arg>
92
100
      </group>
93
101
    </cmdsynopsis>
94
102
    <cmdsynopsis>
95
103
      <command>&COMMANDNAME;</command>
96
 
      <arg choice="plain"><option>--version</option></arg>
 
104
      <arg choice="plain">--version</arg>
97
105
    </cmdsynopsis>
98
106
    <cmdsynopsis>
99
107
      <command>&COMMANDNAME;</command>
100
 
      <arg choice="plain"><option>--check</option></arg>
 
108
      <arg choice="plain">--check</arg>
101
109
    </cmdsynopsis>
102
110
  </refsynopsisdiv>
103
 
  
 
111
 
104
112
  <refsect1 id="description">
105
113
    <title>DESCRIPTION</title>
106
114
    <para>
115
123
      Any authenticated client is then given the stored pre-encrypted
116
124
      password for that specific client.
117
125
    </para>
 
126
 
118
127
  </refsect1>
119
128
  
120
129
  <refsect1 id="purpose">
121
130
    <title>PURPOSE</title>
 
131
 
122
132
    <para>
123
133
      The purpose of this is to enable <emphasis>remote and unattended
124
134
      rebooting</emphasis> of client host computer with an
125
135
      <emphasis>encrypted root file system</emphasis>.  See <xref
126
136
      linkend="overview"/> for details.
127
137
    </para>
 
138
 
128
139
  </refsect1>
129
140
  
130
141
  <refsect1 id="options">
131
142
    <title>OPTIONS</title>
 
143
 
132
144
    <variablelist>
133
145
      <varlistentry>
134
 
        <term><option>--help</option></term>
135
 
        <term><option>-h</option></term>
 
146
        <term><literal>-h</literal>, <literal>--help</literal></term>
136
147
        <listitem>
137
148
          <para>
138
149
            Show a help message and exit
139
150
          </para>
140
151
        </listitem>
141
152
      </varlistentry>
142
 
      
 
153
 
143
154
      <varlistentry>
144
 
        <term><option>--interface</option>
145
 
        <replaceable>NAME</replaceable></term>
146
 
        <term><option>-i</option>
147
 
        <replaceable>NAME</replaceable></term>
 
155
        <term><literal>-i</literal>, <literal>--interface <replaceable
 
156
        >NAME</replaceable></literal></term>
148
157
        <listitem>
149
158
          <xi:include href="mandos-options.xml" xpointer="interface"/>
150
159
        </listitem>
151
160
      </varlistentry>
152
 
      
 
161
 
153
162
      <varlistentry>
154
 
        <term><option>--address
155
 
        <replaceable>ADDRESS</replaceable></option></term>
156
 
        <term><option>-a
157
 
        <replaceable>ADDRESS</replaceable></option></term>
 
163
        <term><literal>-a</literal>, <literal>--address <replaceable>
 
164
        ADDRESS</replaceable></literal></term>
158
165
        <listitem>
159
166
          <xi:include href="mandos-options.xml" xpointer="address"/>
160
167
        </listitem>
161
168
      </varlistentry>
162
 
      
 
169
 
163
170
      <varlistentry>
164
 
        <term><option>--port
165
 
        <replaceable>PORT</replaceable></option></term>
166
 
        <term><option>-p
167
 
        <replaceable>PORT</replaceable></option></term>
 
171
        <term><literal>-p</literal>, <literal>--port <replaceable>
 
172
        PORT</replaceable></literal></term>
168
173
        <listitem>
169
174
          <xi:include href="mandos-options.xml" xpointer="port"/>
170
175
        </listitem>
171
176
      </varlistentry>
172
 
      
 
177
 
173
178
      <varlistentry>
174
 
        <term><option>--check</option></term>
 
179
        <term><literal>--check</literal></term>
175
180
        <listitem>
176
181
          <para>
177
182
            Run the server’s self-tests.  This includes any unit
179
184
          </para>
180
185
        </listitem>
181
186
      </varlistentry>
182
 
      
 
187
 
183
188
      <varlistentry>
184
 
        <term><option>--debug</option></term>
 
189
        <term><literal>--debug</literal></term>
185
190
        <listitem>
186
191
          <xi:include href="mandos-options.xml" xpointer="debug"/>
187
192
        </listitem>
188
193
      </varlistentry>
189
 
      
 
194
 
190
195
      <varlistentry>
191
 
        <term><option>--priority <replaceable>
192
 
        PRIORITY</replaceable></option></term>
 
196
        <term><literal>--priority <replaceable>
 
197
        PRIORITY</replaceable></literal></term>
193
198
        <listitem>
194
199
          <xi:include href="mandos-options.xml" xpointer="priority"/>
195
200
        </listitem>
196
201
      </varlistentry>
197
 
      
 
202
 
198
203
      <varlistentry>
199
 
        <term><option>--servicename
200
 
        <replaceable>NAME</replaceable></option></term>
 
204
        <term><literal>--servicename <replaceable>NAME</replaceable>
 
205
        </literal></term>
201
206
        <listitem>
202
207
          <xi:include href="mandos-options.xml"
203
208
                      xpointer="servicename"/>
204
209
        </listitem>
205
210
      </varlistentry>
206
 
      
 
211
 
207
212
      <varlistentry>
208
 
        <term><option>--configdir
209
 
        <replaceable>DIRECTORY</replaceable></option></term>
 
213
        <term><literal>--configdir <replaceable>DIR</replaceable>
 
214
        </literal></term>
210
215
        <listitem>
211
216
          <para>
212
217
            Directory to search for configuration files.  Default is
218
223
          </para>
219
224
        </listitem>
220
225
      </varlistentry>
221
 
      
 
226
 
222
227
      <varlistentry>
223
 
        <term><option>--version</option></term>
 
228
        <term><literal>--version</literal></term>
224
229
        <listitem>
225
230
          <para>
226
231
            Prints the program version and exit.
229
234
      </varlistentry>
230
235
    </variablelist>
231
236
  </refsect1>
232
 
  
 
237
 
233
238
  <refsect1 id="overview">
234
239
    <title>OVERVIEW</title>
235
240
    <xi:include href="overview.xml"/>
236
241
    <para>
237
242
      This program is the server part.  It is a normal server program
238
243
      and will run in a normal system environment, not in an initial
239
 
      <acronym>RAM</acronym> disk environment.
 
244
      RAM disk environment.
240
245
    </para>
241
246
  </refsect1>
242
 
  
 
247
 
243
248
  <refsect1 id="protocol">
244
249
    <title>NETWORK PROTOCOL</title>
245
250
    <para>
297
302
      </row>
298
303
    </tbody></tgroup></table>
299
304
  </refsect1>
300
 
  
 
305
 
301
306
  <refsect1 id="checking">
302
307
    <title>CHECKING</title>
303
308
    <para>
311
316
      <manvolnum>5</manvolnum></citerefentry>.
312
317
    </para>
313
318
  </refsect1>
314
 
  
 
319
 
315
320
  <refsect1 id="logging">
316
321
    <title>LOGGING</title>
317
322
    <para>
321
326
      and also show them on the console.
322
327
    </para>
323
328
  </refsect1>
324
 
  
 
329
 
325
330
  <refsect1 id="exit_status">
326
331
    <title>EXIT STATUS</title>
327
332
    <para>
329
334
      critical error is encountered.
330
335
    </para>
331
336
  </refsect1>
332
 
  
 
337
 
333
338
  <refsect1 id="environment">
334
339
    <title>ENVIRONMENT</title>
335
340
    <variablelist>
336
341
      <varlistentry>
337
 
        <term><envar>PATH</envar></term>
 
342
        <term><varname>PATH</varname></term>
338
343
        <listitem>
339
344
          <para>
340
345
            To start the configured checker (see <xref
349
354
      </varlistentry>
350
355
    </variablelist>
351
356
  </refsect1>
352
 
  
 
357
 
353
358
  <refsect1 id="file">
354
359
    <title>FILES</title>
355
360
    <para>
379
384
        </listitem>
380
385
      </varlistentry>
381
386
      <varlistentry>
382
 
        <term><filename>/var/run/mandos.pid</filename></term>
 
387
        <term><filename>/var/run/mandos/mandos.pid</filename></term>
383
388
        <listitem>
384
389
          <para>
385
390
            The file containing the process id of
434
439
      Debug mode is conflated with running in the foreground.
435
440
    </para>
436
441
    <para>
437
 
      The console log messages does not show a time stamp.
438
 
    </para>
439
 
    <para>
440
 
      This server does not check the expire time of clients’ OpenPGP
441
 
      keys.
 
442
      The console log messages does not show a timestamp.
442
443
    </para>
443
444
  </refsect1>
444
445
  
479
480
      </para>
480
481
    </informalexample>
481
482
  </refsect1>
482
 
  
 
483
 
483
484
  <refsect1 id="security">
484
485
    <title>SECURITY</title>
485
486
    <refsect2 id="SERVER">
487
488
      <para>
488
489
        Running this <command>&COMMANDNAME;</command> server program
489
490
        should not in itself present any security risk to the host
490
 
        computer running it.  The program switches to a non-root user
491
 
        soon after startup.
 
491
        computer running it.  The program does not need any special
 
492
        privileges to run, and is designed to run as a non-root user.
492
493
      </para>
493
494
    </refsect2>
494
495
    <refsect2 id="CLIENTS">
504
505
        <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
505
506
        <manvolnum>5</manvolnum></citerefentry>)
506
507
        <emphasis>must</emphasis> be made non-readable by anyone
507
 
        except the user starting the server (usually root).
 
508
        except the user running the server.
508
509
      </para>
509
510
      <para>
510
511
        As detailed in <xref linkend="checking"/>, the status of all
521
522
        restarting servers if it is suspected that a client has, in
522
523
        fact, been compromised by parties who may now be running a
523
524
        fake Mandos client with the keys from the non-encrypted
524
 
        initial <acronym>RAM</acronym> image of the client host.  What
525
 
        should be done in that case (if restarting the server program
526
 
        really is necessary) is to stop the server program, edit the
 
525
        initial RAM image of the client host.  What should be done in
 
526
        that case (if restarting the server program really is
 
527
        necessary) is to stop the server program, edit the
527
528
        configuration file to omit any suspect clients, and restart
528
529
        the server program.
529
530
      </para>
530
531
      <para>
531
532
        For more details on client-side security, see
532
 
        <citerefentry><refentrytitle>mandos-client</refentrytitle>
 
533
        <citerefentry><refentrytitle>password-request</refentrytitle>
533
534
        <manvolnum>8mandos</manvolnum></citerefentry>.
534
535
      </para>
535
536
    </refsect2>
536
537
  </refsect1>
537
 
  
 
538
 
538
539
  <refsect1 id="see_also">
539
540
    <title>SEE ALSO</title>
540
541
    <para>
541
542
      <citerefentry>
 
543
        <refentrytitle>mandos.conf</refentrytitle>
 
544
        <manvolnum>5</manvolnum></citerefentry>, <citerefentry>
542
545
        <refentrytitle>mandos-clients.conf</refentrytitle>
543
546
        <manvolnum>5</manvolnum></citerefentry>, <citerefentry>
544
 
        <refentrytitle>mandos.conf</refentrytitle>
545
 
        <manvolnum>5</manvolnum></citerefentry>, <citerefentry>
546
 
        <refentrytitle>mandos-client</refentrytitle>
 
547
        <refentrytitle>password-request</refentrytitle>
547
548
        <manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>
548
549
        <refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
549
550
      </citerefentry>