/mandos/release : revision 237.7.325

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos.conf.xml

Committer: Teddy Hogeborn
Date: 2015-07-20 03:03:33 UTC
mto: (237.7.594 trunk)
mto: This revision was merged to the branch mainline in revision 325.
Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte

Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.

The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string.  This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:

SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256

* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
  (/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
                                      instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.conf.xml

<?xml version='1.0' encoding='UTF-8'?>

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY CONFNAME "mandos.conf">

<!ENTITY CONFPATH "<filename>/etc/mandos/mandos.conf</filename>">

<!ENTITY OVERVIEW SYSTEM "overview.xml">

<!ENTITY TIMESTAMP "2015-07-20">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>&CONFNAME;</title>

<title>Mandos Manual</title>

<productname>&CONFNAME;</productname>

<productnumber>&VERSION;</productnumber>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&CONFNAME;</refentrytitle>

Configuration file for the Mandos server

</refpurpose>

</refnamediv>

&CONFPATH;

</synopsis>

<synopsis>&CONFPATH;</synopsis>

</refsynopsisdiv>

<title>DESCRIPTION</title>

<para>

The file &CONFPATH; is a simple configuration file for

<citerefentry><refentrytitle>mandos</refentrytitle>

<manvolnum>8</manvolnum></citerefentry>, and is read by it at

startup. The configuration file starts with

<quote><literal>[DEFAULT]</literal></quote> on a line by itself,

followed by any number of

<quote><varname><replaceable>option</replaceable></varname>=<replaceable>value</replaceable></quote>

entries, with continuations in the style of RFC 822.

<quote><varname><replaceable>option</replaceable></varname>:

<replaceable>value</replaceable></quote> is also accepted. Note

that leading whitespace is removed from values. Lines beginning

with <quote>#</quote> or <quote>;</quote> are ignored and may be

used to provide comments.

startup. The configuration file starts with <quote><literal

>[DEFAULT]</literal></quote> on a line by itself, followed by

any number of <quote><varname><replaceable>option</replaceable

></varname>=<replaceable>value</replaceable></quote> entries,

with continuations in the style of RFC 822. <quote><varname

><replaceable>option</replaceable></varname>: <replaceable

>value</replaceable></quote> is also accepted. Note that

leading whitespace is removed from values. Lines beginning with

<quote>#</quote> or <quote>;</quote> are ignored and may be used

to provide comments.

</para>

</refsect1>

100

<title>OPTIONS</title>

101

102

103

104

<term><varname>interface</varname></term>

<term><option>interface<literal> = </literal><replaceable

>NAME</replaceable></option></term>

105

106

<synopsis><literal>interface = </literal><arg

107

choice="plain"><replaceable>IF</replaceable></arg>

108

</synopsis>

109

<xi:include href="mandos-options.xml" xpointer="interface"/>

110

</listitem>

111

</varlistentry>

112

113

114

<term><varname>address</varname></term>

<term><option>address<literal> = </literal><replaceable

>ADDRESS</replaceable></option></term>

115

116

<synopsis><literal>address = </literal><arg

117

choice="plain"><replaceable>ADDRESS</replaceable></arg>

118

</synopsis>

119

<xi:include href="mandos-options.xml" xpointer="address"/>

120

</listitem>

121

</varlistentry>

122

100

123

101

124

102

<term><option>port<literal> = </literal><replaceable

103

>NUMBER</replaceable></option></term>

125

104

126

<synopsis><literal>port = </literal><arg

127

choice="plain"><replaceable>PORT</replaceable></arg>

128

</synopsis>

129

105

<xi:include href="mandos-options.xml" xpointer="port"/>

130

106

</listitem>

131

107

</varlistentry>

132

108

133

109

134

<term><varname>debug</varname></term>

110

<term><option>debug<literal> = </literal>{ <literal

111

>1</literal> | <literal>yes</literal> | <literal

112

>true</literal> | <literal>on</literal> | <literal

113

>0</literal> | <literal>no</literal> | <literal

114

>false</literal> | <literal>off</literal> }</option></term>

135

115

136

<synopsis><literal>debug =</literal><group choice="req">

137

138

139

140

141

142

143

<arg choice="plain">false</arg>

144

145

</group>

146

</synopsis>

147

116

<xi:include href="mandos-options.xml" xpointer="debug"/>

148

117

</listitem>

149

118

</varlistentry>

150

119

151

120

152

<term><varname>priority</varname></term>

121

<term><option>priority<literal> = </literal><replaceable

122

>STRING</replaceable></option></term>

153

123

154

<synopsis><literal>priority = </literal><arg

155

choice="plain"><replaceable>PRIORITY</replaceable></arg>

156

</synopsis>

157

124

<xi:include href="mandos-options.xml" xpointer="priority"/>

158

125

</listitem>

159

126

</varlistentry>

160

127

161

128

162

<term><varname>servicename</varname></term>

163

<synopsis><literal>servicename = </literal><arg

164

choice="plain"><replaceable>NAME</replaceable></arg>

165

</synopsis>

129

<term><option>servicename<literal> = </literal

130

><replaceable>NAME</replaceable></option></term>

166

131

167

132

<xi:include href="mandos-options.xml"

168

133

xpointer="servicename"/>

169

134

</listitem>

170

135

</varlistentry>

171

136

137

138

<term><option>use_dbus<literal> = </literal>{ <literal

139

>1</literal> | <literal>yes</literal> | <literal

140

>true</literal> | <literal>on</literal> | <literal

141

>0</literal> | <literal>no</literal> | <literal

142

>false</literal> | <literal>off</literal> }</option></term>

143

144

<xi:include href="mandos-options.xml" xpointer="dbus"/>

145

</listitem>

146

</varlistentry>

147

148

149

<term><option>use_ipv6<literal> = </literal>{ <literal

150

>1</literal> | <literal>yes</literal> | <literal

151

>true</literal> | <literal>on</literal> | <literal

152

>0</literal> | <literal>no</literal> | <literal

153

>false</literal> | <literal>off</literal> }</option></term>

154

155

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

156

</listitem>

157

</varlistentry>

158

159

160

<term><option>restore<literal> = </literal>{ <literal

161

>1</literal> | <literal>yes</literal> | <literal

162

>true</literal> | <literal>on</literal> | <literal

163

>0</literal> | <literal>no</literal> | <literal

164

>false</literal> | <literal>off</literal> }</option></term>

165

166

<xi:include href="mandos-options.xml" xpointer="restore"/>

167

</listitem>

168

</varlistentry>

169

170

171

<term><option>statedir<literal> = </literal><replaceable

172

>DIRECTORY</replaceable></option></term>

173

174

<xi:include href="mandos-options.xml" xpointer="statedir"/>

175

</listitem>

176

</varlistentry>

177

178

179

<term><option>socket<literal> = </literal><replaceable

180

>NUMBER</replaceable></option></term>

181

182

<xi:include href="mandos-options.xml" xpointer="socket"/>

183

</listitem>

184

</varlistentry>

185

172

186

</variablelist>

173

187

</refsect1>

174

188

183

197

184

198

<para>

185

199

The <literal>[DEFAULT]</literal> is necessary because the Python

186

module <systemitem class="library">ConfigParser</systemitem>

187

requres it.

200

built-in module <systemitem class="library">ConfigParser</systemitem>

201

requires it.

188

202

</para>

189

203

</refsect1>

190

204

191

205

192

206

<title>EXAMPLE</title>

193

207

208

<para>

209

No options are actually required:

210

</para>

211

212

[DEFAULT]

213

</programlisting>

214

</informalexample>

215

216

<para>

217

An example using all the options:

218

</para>

194

219

195

220

[DEFAULT]

196

221

# A configuration example

197

222

interface = eth0

198

address = 2001:db8:f983:bd0b:30de:ae4a:71f2:f672

223

address = fe80::aede:48ff:fe71:f6f2

199

224

port = 1025

200

debug = true

201

priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP

202

servicename = Mandos

225

debug = True

226

priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA

227

servicename = Daena

228

use_dbus = False

229

use_ipv6 = True

230

restore = True

231

statedir = /var/lib/mandos

203

232

</programlisting>

204

233

</informalexample>

205

234

</refsect1>

235

236

237

238

<para>

239

<citerefentry><refentrytitle>intro</refentrytitle>

240

<manvolnum>8mandos</manvolnum></citerefentry>,

241

<citerefentry><refentrytitle>gnutls_priority_init</refentrytitle

242

><manvolnum>3</manvolnum></citerefentry>,

243

<citerefentry><refentrytitle>mandos</refentrytitle>

244

<manvolnum>8</manvolnum></citerefentry>,

245

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

246

247

</para>

248

249

250

251

<term>

252

RFC 4291: <citetitle>IP Version 6 Addressing

253

Architecture</citetitle>

254

</term>

255

256

257

258

<term>Section 2.2: <citetitle>Text Representation of

259

Addresses</citetitle></term>

260

261

</varlistentry>

262

263

<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6

264

Address</citetitle></term>

265

266

</varlistentry>

267

268

<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast

269

Addresses</citetitle></term>

270

271

<para>

272

The clients use IPv6 link-local addresses, which are

273

immediately usable since a link-local addresses is

274

automatically assigned to a network interface when it

275

is brought up.

276

</para>

277

</listitem>

278

</varlistentry>

279

</variablelist>

280

</listitem>

281

</varlistentry>

282

283

<term>

284

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

285

</term>

286

287

<para>

288

Zeroconf is the network protocol standard used by clients

289

for finding the Mandos server on the local network.

290

</para>

291

</listitem>

292

</varlistentry>

293

</variablelist>

294

</refsect1>

206

295

</refentry>

296

297

298

299

300

Older »