/mandos/release : revision 237.7.437

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos-ctl.xml

Committer: Teddy Hogeborn
Date: 2016-11-26 23:21:16 UTC
mto: (237.7.594 trunk)
mto: This revision was merged to the branch mainline in revision 356.
Revision ID: teddy@recompile.se-20161126232116-nhqk9x1qij09b7cx

Add comment in documentation source with clarifying text.

* intro.xml (INTRODUCTION): Add comment with clarification.

files added:
DBUS-API

bugs.xml

dbus-mandos.conf

debian/mandos-client.examples

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

initramfs-unpack

intro.xml

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugins.d/plymouth.c

plugins.d/plymouth.xml

tmpfiles.d-mandos.conf

files modified:
.bzrignore

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-ctl.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-ctl">

<!ENTITY TIMESTAMP "2016-06-27">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

</refmeta>

<refname><command>&COMMANDNAME;</command></refname>

Control or query the operation of the Mandos server

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--enable</option></arg>

<sbr/>

<arg choice="plain"><option>--disable</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--bump-timeout</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--start-checker</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--stop-checker</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--remove</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--checker

<replaceable>COMMAND</replaceable></option></arg>

<arg choice="plain"><option>-c

<replaceable>COMMAND</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--timeout

<arg choice="plain"><option>-t

100

101

</group>

102

<sbr/>

103

<group>

104

<arg choice="plain"><option>--extended-timeout

105

106

</group>

107

<sbr/>

108

<group>

109

<arg choice="plain"><option>--interval

110

111

<arg choice="plain"><option>-i

112

113

</group>

114

<sbr/>

115

<group>

116

<arg choice="plain"><option>--approve-by-default</option

117

></arg>

118

<sbr/>

119

<arg choice="plain"><option>--deny-by-default</option></arg>

120

</group>

121

<sbr/>

122

<group>

123

<arg choice="plain"><option>--approval-delay

124

125

</group>

126

<sbr/>

127

<group>

128

<arg choice="plain"><option>--approval-duration

129

130

</group>

131

<sbr/>

132

<group>

133

<arg choice="plain"><option>--interval

134

135

<arg choice="plain"><option>-i

136

137

</group>

138

<sbr/>

139

<group>

140

<arg choice="plain"><option>--host

141

<replaceable>STRING</replaceable></option></arg>

142

<arg choice="plain"><option>-H

143

<replaceable>STRING</replaceable></option></arg>

144

</group>

145

<sbr/>

146

<group>

147

<arg choice="plain"><option>--secret

148

<replaceable>FILENAME</replaceable></option></arg>

149

<arg choice="plain"><option>-s

150

<replaceable>FILENAME</replaceable></option></arg>

151

</group>

152

<sbr/>

153

<group>

154

<arg choice="plain"><option>--approve</option></arg>

155

156

<sbr/>

157

158

159

</group>

160

</group>

161

<sbr/>

162

163

164

165

166

<replaceable>CLIENT</replaceable>

167

</arg>

168

</group>

169

</cmdsynopsis>

170

171

<command>&COMMANDNAME;</command>

172

<group>

173

<arg choice="plain"><option>--verbose</option></arg>

174

175

<sbr/>

176

177

178

</group>

179

<group>

180

181

<replaceable>CLIENT</replaceable>

182

</arg>

183

</group>

184

</cmdsynopsis>

185

186

<command>&COMMANDNAME;</command>

187

188

<arg choice="plain"><option>--is-enabled</option></arg>

189

190

</group>

191

<arg choice='plain'><replaceable>CLIENT</replaceable></arg>

192

</cmdsynopsis>

193

194

<command>&COMMANDNAME;</command>

195

196

197

198

</group>

199

</cmdsynopsis>

200

201

<command>&COMMANDNAME;</command>

202

203

<arg choice="plain"><option>--version</option></arg>

204

205

</group>

206

</cmdsynopsis>

207

208

<command>&COMMANDNAME;</command>

209

<arg choice="plain"><option>--check</option></arg>

210

</cmdsynopsis>

211

</refsynopsisdiv>

212

213

214

<title>DESCRIPTION</title>

215

<para>

216

<command>&COMMANDNAME;</command> is a program to control or

217

query the operation of the Mandos server

218

<citerefentry><refentrytitle>mandos</refentrytitle><manvolnum

219

>8</manvolnum></citerefentry>.

220

</para>

221

<para>

222

This program can be used to change client settings, approve or

223

deny client requests, and to remove clients from the server.

224

</para>

225

</refsect1>

226

227

228

<title>PURPOSE</title>

229

<para>

230

The purpose of this is to enable <emphasis>remote and unattended

231

rebooting</emphasis> of client host computer with an

232

<emphasis>encrypted root file system</emphasis>. See <xref

233

linkend="overview"/> for details.

234

</para>

235

</refsect1>

236

237

238

<title>OPTIONS</title>

239

240

241

242

243

244

245

<para>

246

Show a help message and exit

247

</para>

248

</listitem>

249

</varlistentry>

250

251

252

<term><option>--enable</option></term>

253

254

255

<para>

256

Enable client(s). An enabled client will be eligble to

257

receive its secret.

258

</para>

259

</listitem>

260

</varlistentry>

261

262

263

<term><option>--disable</option></term>

264

265

266

<para>

267

Disable client(s). A disabled client will not be eligble

268

to receive its secret, and no checkers will be started for

269

it.

270

</para>

271

</listitem>

272

</varlistentry>

273

274

275

<term><option>--bump-timeout</option></term>

276

277

<para>

278

Bump the timeout of the specified client(s), just as if a

279

checker had completed successfully for it/them.

280

</para>

281

</listitem>

282

</varlistentry>

283

284

285

<term><option>--start-checker</option></term>

286

287

<para>

288

Start a new checker now for the specified client(s).

289

</para>

290

</listitem>

291

</varlistentry>

292

293

294

<term><option>--stop-checker</option></term>

295

296

<para>

297

Stop any running checker for the specified client(s).

298

</para>

299

</listitem>

300

</varlistentry>

301

302

303

<term><option>--remove</option></term>

304

305

306

<para>

307

Remove the specified client(s) from the server.

308

</para>

309

</listitem>

310

</varlistentry>

311

312

313

<term><option>--checker

314

<replaceable>COMMAND</replaceable></option></term>

315

<term><option>-c

316

<replaceable>COMMAND</replaceable></option></term>

317

318

<para>

319

Set the <varname>checker</varname> option of the specified

320

client(s); see <citerefentry><refentrytitle

321

>mandos-clients.conf</refentrytitle><manvolnum

322

>5</manvolnum></citerefentry>.

323

</para>

324

</listitem>

325

</varlistentry>

326

327

328

<term><option>--timeout

329

330

<term><option>-t

331

332

333

<para>

334

Set the <varname>timeout</varname> option of the specified

335

client(s); see <citerefentry><refentrytitle

336

>mandos-clients.conf</refentrytitle><manvolnum

337

>5</manvolnum></citerefentry>.

338

</para>

339

</listitem>

340

</varlistentry>

341

342

343

<term><option>--extended-timeout

344

345

346

<para>

347

Set the <varname>extended_timeout</varname> option of the

348

specified client(s); see <citerefentry><refentrytitle

349

>mandos-clients.conf</refentrytitle><manvolnum

350

>5</manvolnum></citerefentry>.

351

</para>

352

</listitem>

353

</varlistentry>

354

355

356

<term><option>--interval

357

358

<term><option>-i

359

360

361

<para>

362

Set the <varname>interval</varname> option of the

363

specified client(s); see <citerefentry><refentrytitle

364

>mandos-clients.conf</refentrytitle><manvolnum

365

>5</manvolnum></citerefentry>.

366

</para>

367

</listitem>

368

</varlistentry>

369

370

371

<term><option>--approve-by-default</option></term>

372

<term><option>--deny-by-default</option></term>

373

374

<para>

375

Set the <varname>approved_by_default</varname> option of

376

the specified client(s) to <literal>True</literal> or

377

<literal>False</literal>, respectively; see

378

<citerefentry><refentrytitle

379

>mandos-clients.conf</refentrytitle><manvolnum

380

>5</manvolnum></citerefentry>.

381

</para>

382

</listitem>

383

</varlistentry>

384

385

386

<term><option>--approval-delay

387

388

389

<para>

390

Set the <varname>approval_delay</varname> option of the

391

specified client(s); see <citerefentry><refentrytitle

392

>mandos-clients.conf</refentrytitle><manvolnum

393

>5</manvolnum></citerefentry>.

394

</para>

395

</listitem>

396

</varlistentry>

397

398

399

<term><option>--approval-duration

400

401

402

<para>

403

Set the <varname>approval_duration</varname> option of the

404

specified client(s); see <citerefentry><refentrytitle

405

>mandos-clients.conf</refentrytitle><manvolnum

406

>5</manvolnum></citerefentry>.

407

</para>

408

</listitem>

409

</varlistentry>

410

411

412

<term><option>--host

413

<replaceable>STRING</replaceable></option></term>

414

<term><option>-H

415

<replaceable>STRING</replaceable></option></term>

416

417

<para>

418

Set the <varname>host</varname> option of the specified

419

client(s); see <citerefentry><refentrytitle

420

>mandos-clients.conf</refentrytitle><manvolnum

421

>5</manvolnum></citerefentry>.

422

</para>

423

</listitem>

424

</varlistentry>

425

426

427

<term><option>--secret

428

<replaceable>FILENAME</replaceable></option></term>

429

<term><option>-s

430

<replaceable>FILENAME</replaceable></option></term>

431

432

<para>

433

Set the <varname>secfile</varname> option of the specified

434

client(s); see <citerefentry><refentrytitle

435

>mandos-clients.conf</refentrytitle><manvolnum

436

>5</manvolnum></citerefentry>.

437

</para>

438

</listitem>

439

</varlistentry>

440

441

442

<term><option>--approve</option></term>

443

444

445

<para>

446

Approve client(s) if currently waiting for approval.

447

</para>

448

</listitem>

449

</varlistentry>

450

451

452

453

454

455

<para>

456

Deny client(s) if currently waiting for approval.

457

</para>

458

</listitem>

459

</varlistentry>

460

461

462

463

464

465

<para>

466

Make the client-modifying options modify <emphasis

467

>all</emphasis> clients.

468

</para>

469

</listitem>

470

</varlistentry>

471

472

473

<term><option>--verbose</option></term>

474

475

476

<para>

477

Show all client settings, not just a subset.

478

</para>

479

</listitem>

480

</varlistentry>

481

482

483

484

485

486

<para>

487

Dump client settings as JSON to standard output.

488

</para>

489

</listitem>

490

</varlistentry>

491

492

493

<term><option>--is-enabled</option></term>

494

495

496

<para>

497

Check if a single client is enabled or not, and exit with

498

a successful exit status only if the client is enabled.

499

</para>

500

</listitem>

501

</varlistentry>

502

503

504

<term><option>--check</option></term>

505

506

<para>

507

Run self-tests. This includes any unit tests, etc.

508

</para>

509

</listitem>

510

</varlistentry>

511

512

</variablelist>

513

</refsect1>

514

515

516

<title>OVERVIEW</title>

517

<xi:include href="overview.xml"/>

518

<para>

519

This program is a small utility to generate new OpenPGP keys for

520

new Mandos clients, and to generate sections for inclusion in

521

<filename>clients.conf</filename> on the server.

522

</para>

523

</refsect1>

524

525

526

<title>EXIT STATUS</title>

527

<para>

528

If the <option>--is-enabled</option> option is used, the exit

529

status will be 0 only if the specified client is enabled.

530

</para>

531

</refsect1>

532

533

534

535

<xi:include href="bugs.xml"/>

536

</refsect1>

537

538

539

<title>EXAMPLE</title>

540

541

<para>

542

To list all clients:

543

</para>

544

<para>

545

<userinput>&COMMANDNAME;</userinput>

546

</para>

547

</informalexample>

548

549

550

<para>

551

To list <emphasis>all</emphasis> settings for the clients

552

named <quote>foo1.example.org</quote> and <quote

553

>foo2.example.org</quote>:

554

</para>

555

<para>

556

557

558

<userinput>&COMMANDNAME; --verbose foo1.example.org foo2.example.org</userinput>

559

560

</para>

561

</informalexample>

562

563

564

<para>

565

To enable all clients:

566

</para>

567

<para>

568

<userinput>&COMMANDNAME; --enable --all</userinput>

569

</para>

570

</informalexample>

571

572

573

<para>

574

To change timeout and interval value for the clients

575

named <quote>foo1.example.org</quote> and <quote

576

>foo2.example.org</quote>:

577

</para>

578

<para>

579

580

581

<userinput>&COMMANDNAME; --timeout="5m" --interval="1m" foo1.example.org foo2.example.org</userinput>

582

583

</para>

584

</informalexample>

585

586

587

<para>

588

To approve all clients currently waiting for it:

589

</para>

590

<para>

591

<userinput>&COMMANDNAME; --approve --all</userinput>

592

</para>

593

</informalexample>

594

</refsect1>

595

596

597

<title>SECURITY</title>

598

<para>

599

This program must be permitted to access the Mandos server via

600

the D-Bus interface. This normally requires the root user, but

601

could be configured otherwise by reconfiguring the D-Bus server.

602

</para>

603

</refsect1>

604

605

606

607

<para>

608

<citerefentry><refentrytitle>intro</refentrytitle>

609

<manvolnum>8mandos</manvolnum></citerefentry>,

610

<citerefentry><refentrytitle>mandos</refentrytitle>

611

<manvolnum>8</manvolnum></citerefentry>,

612

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

613

<manvolnum>5</manvolnum></citerefentry>,

614

<citerefentry><refentrytitle>mandos-monitor</refentrytitle>

615

616

</para>

617

</refsect1>

618

619

</refentry>

620

621

622

623

624

Older »