/mandos/release : revision 140

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos-clients.conf.xml

Committer: Teddy Hogeborn
Date: 2008-09-02 13:04:42 UTC
Revision ID: teddy@fukt.bsnet.se-20080902130442-ytnjsmllaph18e20

* plugin-runner.xml (PLUGINS/WRITING PLUGINS): New section.
  (BUGS): Commented out.  There are no bugs.
  (EXAMPLE): Added lots of examples.
  (SECURITY): Added text.
  (SEE ALSO): Added "crypttab(5)" and "execve(2)".

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

INSTALL

README

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/rules

default-mandos

etc-plugins.d-README

init.d-mandos

plugin-runner.conf

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-clients.conf.xml

<!ENTITY VERSION "1.0">

<!ENTITY CONFNAME "mandos-clients.conf">

<!ENTITY CONFPATH "<filename>/etc/mandos/clients.conf</filename>">

<!ENTITY TIMESTAMP "2008-09-12">

<!ENTITY TIMESTAMP "2008-08-31">

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&CONFNAME;</refentrytitle>

Configuration file for the Mandos server

</refpurpose>

</refnamediv>

<synopsis>&CONFPATH;</synopsis>

</refsynopsisdiv>

<title>DESCRIPTION</title>

<para>

start time expansion, see <xref linkend="expansion"/>.

</para>

<para>

Unknown options are ignored. The used options are as follows:

Uknown options are ignored. The used options are as follows:

</para>

100

101

102

<term><option>timeout<literal> = </literal><replaceable

103

>TIME</replaceable></option></term>

104

105

<para>

106

This option is <emphasis>optional</emphasis>.

107

</para>

108

<para>

109

106

The timeout is how long the server will wait for a

110

107

successful checker run until a client is considered

111

108

invalid - that is, ineligible to get the data this server

126

123

</para>

127

124

</listitem>

128

125

</varlistentry>

129

126

130

127

131

128

<term><option>interval<literal> = </literal><replaceable

132

129

>TIME</replaceable></option></term>

133

130

134

131

<para>

135

This option is <emphasis>optional</emphasis>.

136

</para>

137

<para>

138

132

How often to run the checker to confirm that a client is

139

133

still up. <emphasis>Note:</emphasis> a new checker will

140

134

not be started if an old one is still running. The server

149

143

</para>

150

144

</listitem>

151

145

</varlistentry>

152

146

153

147

154

148

<term><option>checker<literal> = </literal><replaceable

155

149

>COMMAND</replaceable></option></term>

156

150

157

151

<para>

158

This option is <emphasis>optional</emphasis>.

159

</para>

160

<para>

161

152

This option allows you to override the default shell

162

153

command that the server will use to check if the client is

163

154

still up. Any output of the command will be ignored, only

183

174

><replaceable>HEXSTRING</replaceable></option></term>

184

175

185

176

<para>

186

This option is <emphasis>required</emphasis>.

187

</para>

188

<para>

189

177

This option sets the OpenPGP fingerprint that identifies

190

178

the public key that clients authenticate themselves with

191

179

through TLS. The string needs to be in hexidecimal form,

199

187

>BASE64_ENCODED_DATA</replaceable></option></term>

200

188

201

189

<para>

202

If this option is not specified, the <option

203

>secfile</option> option is <emphasis>required</emphasis>

204

to be present.

205

</para>

206

<para>

207

190

If present, this option must be set to a string of

208

191

base64-encoded binary data. It will be decoded and sent

209

192

to the client matching the above

221

204

lines is that a line beginning with white space adds to

222

205

the value of the previous line, RFC 822-style.

223

206

</para>

207

<para>

208

If this option is not specified, the <option

209

>secfile</option> option is used instead, but one of them

210

<emphasis>must</emphasis> be present.

211

</para>

224

212

</listitem>

225

213

</varlistentry>

226

214

227

215

228

216

<term><option>secfile<literal> = </literal><replaceable

229

217

>FILENAME</replaceable></option></term>

230

218

231

219

<para>

232

This option is only used if <option>secret</option> is not

233

specified, in which case this option is

234

<emphasis>required</emphasis>.

235

</para>

236

<para>

237

220

Similar to the <option>secret</option>, except the secret

238

221

data is in an external file. The contents of the file

239

222

should <emphasis>not</emphasis> be base64-encoded, but

240

223

will be sent to clients verbatim.

241

224

</para>

225

<para>

226

This option is only used, and <emphasis>must</emphasis> be

227

present, if <option>secret</option> is not specified.

228

</para>

242

229

</listitem>

243

230

</varlistentry>

244

231

245

232

246

233

<term><option><literal>host = </literal><replaceable

247

234

>STRING</replaceable></option></term>

248

235

249

236

<para>

250

This option is <emphasis>optional</emphasis>, but highly

251

<emphasis>recommended</emphasis> unless the

252

<option>checker</option> option is modified to a

253

non-standard value without <quote>%(host)s</quote> in it.

254

</para>

255

<para>

256

237

Host name for this client. This is not used by the server

257

238

directly, but can be, and is by default, used by the

258

239

checker. See the <option>checker</option> option.

313

294

mode is needed to expose an error of this kind.

314

295

</para>

315

296

</refsect2>

316

297

317

298

</refsect1>

318

299

319

300

373

354

fingerprint = 3e393aeaefb84c7e89e2f547b3a107558fca3a27

374

355

secfile = /etc/mandos/bar-secret

375

356

timeout = 15m

357

376

358

</programlisting>

377

359

</informalexample>

378

360

</refsect1>

Older »