/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

  • Committer: Teddy Hogeborn
  • Date: 2014-06-22 02:19:30 UTC
  • mto: (237.7.272 trunk)
  • mto: This revision was merged to the branch mainline in revision 317.
  • Revision ID: teddy@recompile.se-20140622021930-icl7h4cm97blhjml
mandos-keygen: Generate "checker" option to use SSH fingerprints.

To turn this off, use a new "--no-ssh" option to mandos-keygen.

* INSTALL (Mandos Server, Mandos Client): Document new suggested
                                          installation of SSH.
* Makefile (confdir/clients.conf): Use new "--no-ssh" option to
                                   "mandos-keygen".
* debian/control (mandos/Depends): Changed to "fping | ssh-client".
  (mandos-client/Recommends): New; set to "ssh".
* intro.xml (FREQUENTLY ASKED QUESTIONS): Rename and rewrite section
                                          called "Faking ping
                                          replies?" to address new
                                          default behavior.
* mandos-clients.conf.xml (OPTIONS/checker): Briefly discuss new
                                             behavior of
                                             mandos-keygen.
* mandos-keygen: Bug fix: Suppress failure output of "shred" to remove
                 "sec*", since no such files may exist.
 (password mode): Scan for SSH key fingerprints and output as new
                  "checker" and "ssh_fingerprint" options, unless new
                  "--no-ssh" option is given.
* mandos-keygen.xml (SYNOPSIS/--force): Bug fix: Document short form.
  (OPTIONS/--no-ssh): New.
  (SEE ALSO): Add reference "ssh-keyscan(1)".
* plugins.d/mandos-client.xml (SECURITY): Briefly mention the
                                          possibility of using SSH key
                                          fingerprints for checking.

Show diffs side-by-side

added added

removed removed

Lines of Context:
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos-client">
5
 
<!ENTITY TIMESTAMP "2012-06-13">
 
5
<!ENTITY TIMESTAMP "2014-06-22">
6
6
<!ENTITY % common SYSTEM "../common.ent">
7
7
%common;
8
8
]>
34
34
      <year>2008</year>
35
35
      <year>2009</year>
36
36
      <year>2012</year>
 
37
      <year>2013</year>
 
38
      <year>2014</year>
37
39
      <holder>Teddy Hogeborn</holder>
38
40
      <holder>Björn Påhlsson</holder>
39
41
    </copyright>
218
220
            assumed to separate the address from the port number.
219
221
          </para>
220
222
          <para>
221
 
            This option is normally only useful for testing and
222
 
            debugging.
 
223
            Normally, Zeroconf would be used to locate Mandos servers,
 
224
            in which case this option would only be used when testing
 
225
            and debugging.
223
226
          </para>
224
227
        </listitem>
225
228
      </varlistentry>
226
229
      
227
230
      <varlistentry>
228
231
        <term><option>--interface=<replaceable
229
 
        >NAME</replaceable></option></term>
 
232
        >NAME</replaceable><arg rep='repeat'>,<replaceable
 
233
        >NAME</replaceable></arg></option></term>
230
234
        <term><option>-i
231
 
        <replaceable>NAME</replaceable></option></term>
 
235
        <replaceable>NAME</replaceable><arg rep='repeat'>,<replaceable
 
236
        >NAME</replaceable></arg></option></term>
232
237
        <listitem>
233
238
          <para>
234
239
            Comma separated list of network interfaces that will be
237
242
            use all appropriate interfaces.
238
243
          </para>
239
244
          <para>
240
 
            If the <option>--connect</option> option is used, this
241
 
            specifies the interface to use to connect to the address
242
 
            given.
 
245
            If the <option>--connect</option> option is used, and
 
246
            exactly one interface name is specified (except
 
247
            <quote><literal>none</literal></quote>), this specifies
 
248
            the interface to use to connect to the address given.
243
249
          </para>
244
250
          <para>
245
251
            Note that since this program will normally run in the
254
260
          </para>
255
261
          <para>
256
262
            <replaceable>NAME</replaceable> can be the string
257
 
            <quote><literal>none</literal></quote>; this will not use
258
 
            any specific interface, and will not bring up an interface
259
 
            on startup.  This is not recommended, and only meant for
260
 
            advanced users.
 
263
            <quote><literal>none</literal></quote>; this will make
 
264
            <command>&COMMANDNAME;</command> only bring up interfaces
 
265
            specified <emphasis>before</emphasis> this string.  This
 
266
            is not recommended, and only meant for advanced users.
261
267
          </para>
262
268
        </listitem>
263
269
      </varlistentry>
508
514
              It is not necessary to print any non-executable files
509
515
              already in the network hook directory, these will be
510
516
              copied implicitly if they otherwise satisfy the name
511
 
              requirement.
 
517
              requirements.
512
518
            </para>
513
519
          </listitem>
514
520
        </varlistentry>
662
668
    </para>
663
669
    <informalexample>
664
670
      <para>
665
 
        Normal invocation needs no options, if the network interface
 
671
        Normal invocation needs no options, if the network interfaces
666
672
        can be automatically determined:
667
673
      </para>
668
674
      <para>
671
677
    </informalexample>
672
678
    <informalexample>
673
679
      <para>
674
 
        Search for Mandos servers (and connect to them) using another
675
 
        interface:
 
680
        Search for Mandos servers (and connect to them) using one
 
681
        specific interface:
676
682
      </para>
677
683
      <para>
678
684
        <!-- do not wrap this line -->
742
748
    <para>
743
749
      It will also help if the checker program on the server is
744
750
      configured to request something from the client which can not be
745
 
      spoofed by someone else on the network, unlike unencrypted
746
 
      <acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.
 
751
      spoofed by someone else on the network, like SSH server key
 
752
      fingerprints, and unlike unencrypted <acronym>ICMP</acronym>
 
753
      echo (<quote>ping</quote>) replies.
747
754
    </para>
748
755
    <para>
749
756
      <emphasis>Note</emphasis>: This makes it completely insecure to
842
849
              <para>
843
850
                This client uses IPv6 link-local addresses, which are
844
851
                immediately usable since a link-local addresses is
845
 
                automatically assigned to a network interfaces when it
 
852
                automatically assigned to a network interface when it
846
853
                is brought up.
847
854
              </para>
848
855
            </listitem>