3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY CONFNAME "mandos-clients.conf">
5
5
<!ENTITY CONFPATH "<filename>/etc/mandos/clients.conf</filename>">
6
<!ENTITY TIMESTAMP "2012-06-23">
6
<!ENTITY TIMESTAMP "2019-02-10">
7
7
<!ENTITY % common SYSTEM "common.ent">
118
125
How long to wait for external approval before resorting to
119
126
use the <option>approved_by_default</option> value. The
120
default is <quote>0s</quote>, i.e. not to wait.
127
default is <quote>PT0S</quote>, i.e. not to wait.
123
130
The format of <replaceable>TIME</replaceable> is the same
177
184
<varname>PATH</varname> will be searched. The default
178
185
value for the checker command is <quote><literal
179
186
><command>fping</command> <option>-q</option> <option
180
>--</option> %%(host)s</literal></quote>.
187
>--</option> %%(host)s</literal></quote>. Note that
188
<command>mandos-keygen</command>, when generating output
189
to be inserted into this file, normally looks for an SSH
190
server on the Mandos client, and, if it finds one, outputs
191
a <option>checker</option> option to check for the
192
client’s SSH key fingerprint – this is more secure against
183
196
In addition to normal start time expansion, this option
215
228
><replaceable>HEXSTRING</replaceable></option></term>
218
This option is <emphasis>required</emphasis>.
221
This option sets the OpenPGP fingerprint that identifies
222
the public key that clients authenticate themselves with
223
through TLS. The string needs to be in hexidecimal form,
224
but spaces or upper/lower case are not significant.
231
This option is <emphasis>required</emphasis> if the
232
<option>key_id</option> is not set, and
233
<emphasis>optional</emphasis> otherwise.
236
This option sets the OpenPGP fingerprint that (before
237
GnuTLS 3.6.0) identified the public key that clients
238
authenticate themselves with through TLS. The string
239
needs to be in hexadecimal form, but spaces or upper/lower
240
case are not significant.
246
<term><option>key_id<literal> = </literal
247
><replaceable>HEXSTRING</replaceable></option></term>
250
This option is <emphasis>required</emphasis> if the
251
<option>fingerprint</option> is not set, and
252
<emphasis>optional</emphasis> otherwise.
255
This option sets the certificate key ID that (with GnuTLS
256
3.6.6 or later) identifies the public key that clients
257
authenticate themselves with through TLS. The string
258
needs to be in hexadecimal form, but spaces or upper/lower
259
case are not significant.
303
338
If present, this option must be set to a string of
304
339
base64-encoded binary data. It will be decoded and sent
305
to the client matching the above
306
<option>fingerprint</option>. This should, of course, be
307
OpenPGP encrypted data, decryptable only by the client.
340
to the client matching the above <option>key_id</option>
341
or <option>fingerprint</option>. This should, of course,
342
be OpenPGP encrypted data, decryptable only by the client.
308
343
The program <citerefentry><refentrytitle><command
309
344
>mandos-keygen</command></refentrytitle><manvolnum
310
345
>8</manvolnum></citerefentry> can, using its
405
440
<quote><literal>created</literal></quote>,
406
441
<quote><literal>enabled</literal></quote>,
407
442
<quote><literal>expires</literal></quote>,
443
<quote><literal>key_id</literal></quote>,
408
444
<quote><literal>fingerprint</literal></quote>,
409
445
<quote><literal>host</literal></quote>,
410
446
<quote><literal>interval</literal></quote>,
added
removed
mandos-clients.conf.xml
