/mandos/release : revision 237.7.583

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos-ctl.xml

Committer: Teddy Hogeborn
Date: 2019-03-07 20:28:17 UTC
mto: (237.7.594 trunk)
mto: This revision was merged to the branch mainline in revision 382.
Revision ID: teddy@recompile.se-20190307202817-avhha20s3pl14j6y

mandos-ctl: Refactor; move parsing of intervals into argument parsing

* mandos-ctl (MillisecondsValueArgumentMixIn.value_to_set): Assume
  that an incoming value is datetime.timedelta(), not a string.
  (add_command_line_options): Add "type=string_to_delta" to --timeout,
  --extended-timeout, --interval, --approval-delay, and
  --approval-duration.
  (TestSetTimeoutCmd, TestSetExtendedTimeoutCmd, TestSetIntervalCmd,
  TestSetApprovalDelayCmd, TestSetApprovalDurationCmd): Change
  values_to_set to be datetime.timedelta() values, and change to more
  appropriate values to test.  Also adjust values_to_get accordingly.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-tools-conf

initramfs-tools-hook

initramfs-tools-script

initramfs-tools-script-stop

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

overview.xml

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files removed:
network-protocol.txt

files renamed:
mandos-client.c => plugin-runner.c

mandos-client.xml => plugin-runner.xml

plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
Makefile

TODO

clients.conf

mandos

mandos-clients.conf.xml

mandos.conf

mandos.conf.xml

mandos.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-ctl.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-ctl">

<!ENTITY TIMESTAMP "2019-03-06">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

</refmeta>

<refname><command>&COMMANDNAME;</command></refname>

Control or query the operation of the Mandos server

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--enable</option></arg>

<sbr/>

<arg choice="plain"><option>--disable</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--bump-timeout</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--start-checker</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--stop-checker</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--remove</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--checker

<replaceable>COMMAND</replaceable></option></arg>

<arg choice="plain"><option>-c

<replaceable>COMMAND</replaceable></option></arg>

</group>

<sbr/>

<group>

100

<arg choice="plain"><option>--timeout

101

102

<arg choice="plain"><option>-t

103

104

</group>

105

<sbr/>

106

<group>

107

<arg choice="plain"><option>--extended-timeout

108

109

</group>

110

<sbr/>

111

<group>

112

<arg choice="plain"><option>--interval

113

114

<arg choice="plain"><option>-i

115

116

</group>

117

<sbr/>

118

<group>

119

<arg choice="plain"><option>--approve-by-default</option

120

></arg>

121

<sbr/>

122

<arg choice="plain"><option>--deny-by-default</option></arg>

123

</group>

124

<sbr/>

125

<group>

126

<arg choice="plain"><option>--approval-delay

127

128

</group>

129

<sbr/>

130

<group>

131

<arg choice="plain"><option>--approval-duration

132

133

</group>

134

<sbr/>

135

<group>

136

<arg choice="plain"><option>--host

137

<replaceable>STRING</replaceable></option></arg>

138

<arg choice="plain"><option>-H

139

<replaceable>STRING</replaceable></option></arg>

140

</group>

141

<sbr/>

142

<group>

143

<arg choice="plain"><option>--secret

144

<replaceable>FILENAME</replaceable></option></arg>

145

<arg choice="plain"><option>-s

146

<replaceable>FILENAME</replaceable></option></arg>

147

</group>

148

<sbr/>

149

<group>

150

<arg choice="plain"><option>--approve</option></arg>

151

152

<sbr/>

153

154

155

</group>

156

</group>

157

<sbr/>

158

159

160

161

162

<replaceable>CLIENT</replaceable>

163

</arg>

164

</group>

165

</cmdsynopsis>

166

167

<command>&COMMANDNAME;</command>

168

<group>

169

<arg choice="plain"><option>--verbose</option></arg>

170

171

<sbr/>

172

173

174

</group>

175

<group>

176

177

<replaceable>CLIENT</replaceable>

178

</arg>

179

</group>

180

</cmdsynopsis>

181

182

<command>&COMMANDNAME;</command>

183

184

<arg choice="plain"><option>--is-enabled</option></arg>

185

186

</group>

187

<arg choice='plain'><replaceable>CLIENT</replaceable></arg>

188

</cmdsynopsis>

189

190

<command>&COMMANDNAME;</command>

191

192

193

194

</group>

195

</cmdsynopsis>

196

197

<command>&COMMANDNAME;</command>

198

199

<arg choice="plain"><option>--version</option></arg>

200

201

</group>

202

</cmdsynopsis>

203

204

<command>&COMMANDNAME;</command>

205

<arg choice="plain"><option>--check</option></arg>

206

</cmdsynopsis>

207

</refsynopsisdiv>

208

209

210

<title>DESCRIPTION</title>

211

<para>

212

<command>&COMMANDNAME;</command> is a program to control or

213

query the operation of the Mandos server

214

<citerefentry><refentrytitle>mandos</refentrytitle><manvolnum

215

>8</manvolnum></citerefentry>.

216

</para>

217

<para>

218

This program can be used to change client settings, approve or

219

deny client requests, and to remove clients from the server.

220

</para>

221

</refsect1>

222

223

224

<title>PURPOSE</title>

225

<para>

226

The purpose of this is to enable <emphasis>remote and unattended

227

rebooting</emphasis> of client host computer with an

228

<emphasis>encrypted root file system</emphasis>. See <xref

229

linkend="overview"/> for details.

230

</para>

231

</refsect1>

232

233

234

<title>OPTIONS</title>

235

236

237

238

239

240

241

<para>

242

Show a help message and exit

243

</para>

244

</listitem>

245

</varlistentry>

246

247

248

<term><option>--enable</option></term>

249

250

251

<para>

252

Enable client(s). An enabled client will be eligble to

253

receive its secret.

254

</para>

255

</listitem>

256

</varlistentry>

257

258

259

<term><option>--disable</option></term>

260

261

262

<para>

263

Disable client(s). A disabled client will not be eligble

264

to receive its secret, and no checkers will be started for

265

it.

266

</para>

267

</listitem>

268

</varlistentry>

269

270

271

<term><option>--bump-timeout</option></term>

272

273

<para>

274

Bump the timeout of the specified client(s), just as if a

275

checker had completed successfully for it/them.

276

</para>

277

</listitem>

278

</varlistentry>

279

280

281

<term><option>--start-checker</option></term>

282

283

<para>

284

Start a new checker now for the specified client(s).

285

</para>

286

</listitem>

287

</varlistentry>

288

289

290

<term><option>--stop-checker</option></term>

291

292

<para>

293

Stop any running checker for the specified client(s).

294

</para>

295

</listitem>

296

</varlistentry>

297

298

299

<term><option>--remove</option></term>

300

301

302

<para>

303

Remove the specified client(s) from the server.

304

</para>

305

</listitem>

306

</varlistentry>

307

308

309

<term><option>--checker

310

<replaceable>COMMAND</replaceable></option></term>

311

<term><option>-c

312

<replaceable>COMMAND</replaceable></option></term>

313

314

<para>

315

Set the <varname>checker</varname> option of the specified

316

client(s); see <citerefentry><refentrytitle

317

>mandos-clients.conf</refentrytitle><manvolnum

318

>5</manvolnum></citerefentry>.

319

</para>

320

</listitem>

321

</varlistentry>

322

323

324

<term><option>--timeout

325

326

<term><option>-t

327

328

329

<para>

330

Set the <varname>timeout</varname> option of the specified

331

client(s); see <citerefentry><refentrytitle

332

>mandos-clients.conf</refentrytitle><manvolnum

333

>5</manvolnum></citerefentry>.

334

</para>

335

</listitem>

336

</varlistentry>

337

338

339

<term><option>--extended-timeout

340

341

342

<para>

343

Set the <varname>extended_timeout</varname> option of the

344

specified client(s); see <citerefentry><refentrytitle

345

>mandos-clients.conf</refentrytitle><manvolnum

346

>5</manvolnum></citerefentry>.

347

</para>

348

</listitem>

349

</varlistentry>

350

351

352

<term><option>--interval

353

354

<term><option>-i

355

356

357

<para>

358

Set the <varname>interval</varname> option of the

359

specified client(s); see <citerefentry><refentrytitle

360

>mandos-clients.conf</refentrytitle><manvolnum

361

>5</manvolnum></citerefentry>.

362

</para>

363

</listitem>

364

</varlistentry>

365

366

367

<term><option>--approve-by-default</option></term>

368

<term><option>--deny-by-default</option></term>

369

370

<para>

371

Set the <varname>approved_by_default</varname> option of

372

the specified client(s) to <literal>True</literal> or

373

<literal>False</literal>, respectively; see

374

<citerefentry><refentrytitle

375

>mandos-clients.conf</refentrytitle><manvolnum

376

>5</manvolnum></citerefentry>.

377

</para>

378

</listitem>

379

</varlistentry>

380

381

382

<term><option>--approval-delay

383

384

385

<para>

386

Set the <varname>approval_delay</varname> option of the

387

specified client(s); see <citerefentry><refentrytitle

388

>mandos-clients.conf</refentrytitle><manvolnum

389

>5</manvolnum></citerefentry>.

390

</para>

391

</listitem>

392

</varlistentry>

393

394

395

<term><option>--approval-duration

396

397

398

<para>

399

Set the <varname>approval_duration</varname> option of the

400

specified client(s); see <citerefentry><refentrytitle

401

>mandos-clients.conf</refentrytitle><manvolnum

402

>5</manvolnum></citerefentry>.

403

</para>

404

</listitem>

405

</varlistentry>

406

407

408

<term><option>--host

409

<replaceable>STRING</replaceable></option></term>

410

<term><option>-H

411

<replaceable>STRING</replaceable></option></term>

412

413

<para>

414

Set the <varname>host</varname> option of the specified

415

client(s); see <citerefentry><refentrytitle

416

>mandos-clients.conf</refentrytitle><manvolnum

417

>5</manvolnum></citerefentry>.

418

</para>

419

</listitem>

420

</varlistentry>

421

422

423

<term><option>--secret

424

<replaceable>FILENAME</replaceable></option></term>

425

<term><option>-s

426

<replaceable>FILENAME</replaceable></option></term>

427

428

<para>

429

Set the <varname>secfile</varname> option of the specified

430

client(s); see <citerefentry><refentrytitle

431

>mandos-clients.conf</refentrytitle><manvolnum

432

>5</manvolnum></citerefentry>.

433

</para>

434

</listitem>

435

</varlistentry>

436

437

438

<term><option>--approve</option></term>

439

440

441

<para>

442

Approve client(s) if currently waiting for approval.

443

</para>

444

</listitem>

445

</varlistentry>

446

447

448

449

450

451

<para>

452

Deny client(s) if currently waiting for approval.

453

</para>

454

</listitem>

455

</varlistentry>

456

457

458

459

460

461

<para>

462

Make the client-modifying options modify <emphasis

463

>all</emphasis> clients.

464

</para>

465

</listitem>

466

</varlistentry>

467

468

469

<term><option>--verbose</option></term>

470

471

472

<para>

473

Show all client settings, not just a subset.

474

</para>

475

</listitem>

476

</varlistentry>

477

478

479

480

481

482

<para>

483

Dump client settings as JSON to standard output.

484

</para>

485

</listitem>

486

</varlistentry>

487

488

489

<term><option>--is-enabled</option></term>

490

491

492

<para>

493

Check if a single client is enabled or not, and exit with

494

a successful exit status only if the client is enabled.

495

</para>

496

</listitem>

497

</varlistentry>

498

499

500

<term><option>--check</option></term>

501

502

<para>

503

Run self-tests. This includes any unit tests, etc.

504

</para>

505

</listitem>

506

</varlistentry>

507

508

</variablelist>

509

</refsect1>

510

511

512

<title>OVERVIEW</title>

513

<xi:include href="overview.xml"/>

514

<para>

515

This program is a small utility to generate new OpenPGP keys for

516

new Mandos clients, and to generate sections for inclusion in

517

<filename>clients.conf</filename> on the server.

518

</para>

519

</refsect1>

520

521

522

<title>EXIT STATUS</title>

523

<para>

524

If the <option>--is-enabled</option> option is used, the exit

525

status will be 0 only if the specified client is enabled.

526

</para>

527

</refsect1>

528

529

530

531

<xi:include href="bugs.xml"/>

532

</refsect1>

533

534

535

<title>EXAMPLE</title>

536

537

<para>

538

To list all clients:

539

</para>

540

<para>

541

<userinput>&COMMANDNAME;</userinput>

542

</para>

543

</informalexample>

544

545

546

<para>

547

To list <emphasis>all</emphasis> settings for the clients

548

named <quote>foo1.example.org</quote> and <quote

549

>foo2.example.org</quote>:

550

</para>

551

<para>

552

553

554

<userinput>&COMMANDNAME; --verbose foo1.example.org foo2.example.org</userinput>

555

556

</para>

557

</informalexample>

558

559

560

<para>

561

To enable all clients:

562

</para>

563

<para>

564

<userinput>&COMMANDNAME; --enable --all</userinput>

565

</para>

566

</informalexample>

567

568

569

<para>

570

To change timeout and interval value for the clients

571

named <quote>foo1.example.org</quote> and <quote

572

>foo2.example.org</quote>:

573

</para>

574

<para>

575

576

577

<userinput>&COMMANDNAME; --timeout="5m" --interval="1m" foo1.example.org foo2.example.org</userinput>

578

579

</para>

580

</informalexample>

581

582

583

<para>

584

To approve all clients currently waiting for it:

585

</para>

586

<para>

587

<userinput>&COMMANDNAME; --approve --all</userinput>

588

</para>

589

</informalexample>

590

</refsect1>

591

592

593

<title>SECURITY</title>

594

<para>

595

This program must be permitted to access the Mandos server via

596

the D-Bus interface. This normally requires the root user, but

597

could be configured otherwise by reconfiguring the D-Bus server.

598

</para>

599

</refsect1>

600

601

602

603

<para>

604

<citerefentry><refentrytitle>intro</refentrytitle>

605

<manvolnum>8mandos</manvolnum></citerefentry>,

606

<citerefentry><refentrytitle>mandos</refentrytitle>

607

<manvolnum>8</manvolnum></citerefentry>,

608

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

609

<manvolnum>5</manvolnum></citerefentry>,

610

<citerefentry><refentrytitle>mandos-monitor</refentrytitle>

611

612

</para>

613

</refsect1>

614

615

</refentry>

616

617

618

619

620

Older »