/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos-clients.conf.xml

  • Committer: Teddy Hogeborn
  • Date: 2018-08-19 01:35:11 UTC
  • mto: (237.7.594 trunk)
  • mto: This revision was merged to the branch mainline in revision 368.
  • Revision ID: teddy@recompile.se-20180819013511-cku25q9yeub3dnr0
Adapt to changes in cryptsetup; use "cryptroot-unlock" program

* Makefile (install-client-nokey): Also install new script files
  "mandos-to-cryptroot-unlock" and "initramfs-tools-script-stop".
* debian/mandos-client.dirs: Add
  "usr/share/initramfs-tools/scripts/local-premount".
* initramfs-tools-hook: Also copy "mandos-to-cryptroot-unlock".
* initramfs-tools-script: Only modify keyscript setting in cryptroot
  file if the file exists, otherwise start
  "mandos-to-cryptroot-unlock" in background.
* initramfs-tools-script-stop: New script to make sure plugin-runner
  has stopped before continuing.
* mandos-to-cryptroot-unlock: New script to run plugin-runner and feed
  any password it gets into the "cryptroot-unlock" program.

Show diffs side-by-side

added added

removed removed

Lines of Context:
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY CONFNAME "mandos-clients.conf">
5
5
<!ENTITY CONFPATH "<filename>/etc/mandos/clients.conf</filename>">
6
 
<!ENTITY TIMESTAMP "2012-05-12">
 
6
<!ENTITY TIMESTAMP "2018-02-08">
7
7
<!ENTITY % common SYSTEM "common.ent">
8
8
%common;
9
9
]>
37
37
      <year>2010</year>
38
38
      <year>2011</year>
39
39
      <year>2012</year>
 
40
      <year>2013</year>
 
41
      <year>2014</year>
 
42
      <year>2015</year>
 
43
      <year>2016</year>
 
44
      <year>2017</year>
 
45
      <year>2018</year>
40
46
      <holder>Teddy Hogeborn</holder>
41
47
      <holder>Björn Påhlsson</holder>
42
48
    </copyright>
117
123
          <para>
118
124
            How long to wait for external approval before resorting to
119
125
            use the <option>approved_by_default</option> value.  The
120
 
            default is <quote>0s</quote>, i.e. not to wait.
 
126
            default is <quote>PT0S</quote>, i.e. not to wait.
121
127
          </para>
122
128
          <para>
123
129
            The format of <replaceable>TIME</replaceable> is the same
167
173
            This option is <emphasis>optional</emphasis>.
168
174
          </para>
169
175
          <para>
170
 
            This option allows you to override the default shell
171
 
            command that the server will use to check if the client is
172
 
            still up.  Any output of the command will be ignored, only
173
 
            the exit code is checked:  If the exit code of the command
174
 
            is zero, the client is considered up.  The command will be
175
 
            run using <quote><command><filename>/bin/sh</filename>
 
176
            This option overrides the default shell command that the
 
177
            server will use to check if the client is still up.  Any
 
178
            output of the command will be ignored, only the exit code
 
179
            is checked:  If the exit code of the command is zero, the
 
180
            client is considered up.  The command will be run using
 
181
            <quote><command><filename>/bin/sh</filename>
176
182
            <option>-c</option></command></quote>, so
177
183
            <varname>PATH</varname> will be searched.  The default
178
184
            value for the checker command is <quote><literal
179
185
            ><command>fping</command> <option>-q</option> <option
180
 
            >--</option> %%(host)s</literal></quote>.
 
186
            >--</option> %%(host)s</literal></quote>.  Note that
 
187
            <command>mandos-keygen</command>, when generating output
 
188
            to be inserted into this file, normally looks for an SSH
 
189
            server on the Mandos client, and, if it find one, outputs
 
190
            a <option>checker</option> option to check for the
 
191
            client’s key fingerprint – this is more secure against
 
192
            spoofing.
181
193
          </para>
182
194
          <para>
183
195
            In addition to normal start time expansion, this option
220
232
          <para>
221
233
            This option sets the OpenPGP fingerprint that identifies
222
234
            the public key that clients authenticate themselves with
223
 
            through TLS.  The string needs to be in hexidecimal form,
 
235
            through TLS.  The string needs to be in hexadecimal form,
224
236
            but spaces or upper/lower case are not significant.
225
237
          </para>
226
238
        </listitem>
335
347
            <option>extended_timeout</option> option.
336
348
          </para>
337
349
          <para>
338
 
            The <replaceable>TIME</replaceable> is specified as a
339
 
            space-separated number of values, each of which is a
340
 
            number and a one-character suffix.  The suffix must be one
341
 
            of <quote>d</quote>, <quote>s</quote>, <quote>m</quote>,
342
 
            <quote>h</quote>, and <quote>w</quote> for days, seconds,
343
 
            minutes, hours, and weeks, respectively.  The values are
344
 
            added together to give the total time value, so all of
345
 
            <quote><literal>330s</literal></quote>,
346
 
            <quote><literal>110s 110s 110s</literal></quote>, and
347
 
            <quote><literal>5m 30s</literal></quote> will give a value
348
 
            of five minutes and thirty seconds.
 
350
            The <replaceable>TIME</replaceable> is specified as an RFC
 
351
            3339 duration; for example
 
352
            <quote><literal>P1Y2M3DT4H5M6S</literal></quote> meaning
 
353
            one year, two months, three days, four hours, five
 
354
            minutes, and six seconds.  Some values can be omitted, see
 
355
            RFC 3339 Appendix A for details.
349
356
          </para>
350
357
        </listitem>
351
358
      </varlistentry>
458
465
      <literal>%(<replaceable>foo</replaceable>)s</literal> is
459
466
      obscure.
460
467
    </para>
 
468
    <xi:include href="bugs.xml"/>
461
469
  </refsect1>
462
470
  
463
471
  <refsect1 id="example">
465
473
    <informalexample>
466
474
      <programlisting>
467
475
[DEFAULT]
468
 
timeout = 5m
469
 
interval = 2m
 
476
timeout = PT5M
 
477
interval = PT2M
470
478
checker = fping -q -- %%(host)s
471
479
 
472
480
# Client "foo"
489
497
        4T2zw4dxS5NswXWU0sVEXxjs6PYxuIiCTL7vdpx8QjBkrPWDrAbcMyBr2O
490
498
        QlnHIvPzEArRQLo=
491
499
host = foo.example.org
492
 
interval = 1m
 
500
interval = PT1M
493
501
 
494
502
# Client "bar"
495
503
[bar]
496
504
fingerprint = 3e393aeaefb84c7e89e2f547b3a107558fca3a27
497
505
secfile = /etc/mandos/bar-secret
498
 
timeout = 15m
 
506
timeout = PT15M
499
507
approved_by_default = False
500
 
approval_delay = 30s
 
508
approval_delay = PT30S
501
509
      </programlisting>
502
510
    </informalexample>
503
511
  </refsect1>
512
520
      <citerefentry><refentrytitle>mandos.conf</refentrytitle>
513
521
      <manvolnum>5</manvolnum></citerefentry>,
514
522
      <citerefentry><refentrytitle>mandos</refentrytitle>
 
523
      <manvolnum>8</manvolnum></citerefentry>,
 
524
      <citerefentry><refentrytitle>fping</refentrytitle>
515
525
      <manvolnum>8</manvolnum></citerefentry>
516
526
    </para>
 
527
    <variablelist>
 
528
      <varlistentry>
 
529
        <term>
 
530
          RFC 3339: <citetitle>Date and Time on the Internet:
 
531
          Timestamps</citetitle>
 
532
        </term>
 
533
      <listitem>
 
534
        <para>
 
535
          The time intervals are in the "duration" format, as
 
536
          specified in ABNF in Appendix A of RFC 3339.
 
537
        </para>
 
538
      </listitem>
 
539
      </varlistentry>
 
540
    </variablelist>
517
541
  </refsect1>
518
542
</refentry>
519
543
<!-- Local Variables: -->