To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos-clients.conf.xml
- browse files at revision 237.7.92
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.92
- Committer: Teddy Hogeborn
- Date: 2011-12-31 23:05:34 UTC
- mto: (237.7.109 trunk) (299.1.1 release) (300.1.1 release) (301.1.1 release)
- mto: This revision was merged to the branch mainline in revision 290.
- Revision ID: teddy@recompile.se-20111231230534-o5w0uhwx30gwhmk7
Updated year in copyright notices.
- files added:
- .bzr-builddeb
- debian
- debian/po
- debian/source
- network-hooks.d
- files removed:
- plugins.d/usplash
- files renamed:
- plugins.d/password-request.c => plugins.d/mandos-client.c
- plugins.d/password-request.xml => plugins.d/mandos-client.xml
- files modified:
- Makefile
added
removed
mandos-clients.conf.xml
1
<?xml version='1.0' encoding='UTF-8'?>
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
<!ENTITY VERSION "1.0">
5
4
<!ENTITY CONFNAME "mandos-clients.conf">
6
5
<!ENTITY CONFPATH "<filename>/etc/mandos/clients.conf</filename>">
6
<!ENTITY TIMESTAMP "2012-01-01">
7
<!ENTITY % common SYSTEM "common.ent">
8
%common;
7
9
]>
8
10
9
<refentry>
11
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
10
12
<refentryinfo>
11
<title>&CONFNAME;</title>
13
<title>Mandos Manual</title>
12
14
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
13
<productname>&CONFNAME;</productname>
14
<productnumber>&VERSION;</productnumber>
15
<productname>Mandos</productname>
16
<productnumber>&version;</productnumber>
17
<date>&TIMESTAMP;</date>
15
18
<authorgroup>
16
19
<author>
17
20
<firstname>Björn</firstname>
18
21
<surname>Påhlsson</surname>
19
22
<address>
20
<email>belorn@fukt.bsnet.se</email>
23
<email>belorn@recompile.se</email>
21
24
</address>
22
25
</author>
23
26
<author>
24
27
<firstname>Teddy</firstname>
25
28
<surname>Hogeborn</surname>
26
29
<address>
27
<email>teddy@fukt.bsnet.se</email>
30
<email>teddy@recompile.se</email>
28
31
</address>
29
32
</author>
30
33
</authorgroup>
31
34
<copyright>
32
35
<year>2008</year>
36
<year>2009</year>
37
<year>2010</year>
38
<year>2011</year>
39
<year>2012</year>
33
40
<holder>Teddy Hogeborn</holder>
34
41
<holder>Björn Påhlsson</holder>
35
42
</copyright>
36
<legalnotice>
37
<para>
38
This manual page is free software: you can redistribute it
39
and/or modify it under the terms of the GNU General Public
40
License as published by the Free Software Foundation,
41
either version 3 of the License, or (at your option) any
42
later version.
43
</para>
44
45
<para>
46
This manual page is distributed in the hope that it will
47
be useful, but WITHOUT ANY WARRANTY; without even the
48
implied warranty of MERCHANTABILITY or FITNESS FOR A
49
PARTICULAR PURPOSE. See the GNU General Public License
50
for more details.
51
</para>
52
53
<para>
54
You should have received a copy of the GNU General Public
55
License along with this program; If not, see
56
<ulink url="http://www.gnu.org/licenses/"/>.
57
</para>
58
</legalnotice>
43
<xi:include href="legalnotice.xml"/>
59
44
</refentryinfo>
60
45
61
46
<refmeta>
62
47
<refentrytitle>&CONFNAME;</refentrytitle>
63
48
<manvolnum>5</manvolnum>
69
54
Configuration file for the Mandos server
70
55
</refpurpose>
71
56
</refnamediv>
72
57
73
58
<refsynopsisdiv>
74
<synopsis>
75
&CONFPATH;
76
</synopsis>
59
<synopsis>&CONFPATH;</synopsis>
77
60
</refsynopsisdiv>
78
61
79
62
<refsect1 id="description">
80
63
<title>DESCRIPTION</title>
81
64
<para>
82
The file &CONFPATH; is the configuration file for <citerefentry
65
The file &CONFPATH; is a configuration file for <citerefentry
83
66
><refentrytitle>mandos</refentrytitle>
84
<manvolnum>8</manvolnum></citerefentry>, read by it at startup,
85
where each client that will be able to use the service needs to
86
be listed. All clients listed will be regarded as valid, even
87
if a client was declared invalid in a previous run of the
88
server.
67
<manvolnum>8</manvolnum></citerefentry>, read by it at startup.
68
The file needs to list all clients that should be able to use
69
the service. All clients listed will be regarded as enabled,
70
even if a client was disabled in a previous run of the server.
89
71
</para>
90
72
<para>
91
73
The format starts with a <literal>[<replaceable>section
111
93
<refsect1 id="options">
112
94
<title>OPTIONS</title>
113
95
<para>
114
The possible options are:
115
</para>
116
96
<emphasis>Note:</emphasis> all option values are subject to
97
start time expansion, see <xref linkend="expansion"/>.
98
</para>
99
<para>
100
Unknown options are ignored. The used options are as follows:
101
</para>
102
117
103
<variablelist>
118
119
<varlistentry>
120
<term><literal><varname>timeout</varname></literal></term>
121
<listitem>
122
<synopsis><literal>timeout = </literal><replaceable
123
>TIME</replaceable>
124
</synopsis>
125
<para>
126
The timeout is how long the server will wait for a
127
successful checker run until a client is considered
128
invalid - that is, ineligible to get the data this server
129
holds. By default Mandos will use 1 hour.
130
</para>
131
<para>
132
The <replaceable>TIME</replaceable> is specified as a
133
space-separated number of values, each of which is a
134
number and a one-character suffix. The suffix must be one
135
of <quote>d</quote>, <quote>s</quote>, <quote>m</quote>,
136
<quote>h</quote>, and <quote>w</quote> for days, seconds,
137
minutes, hours, and weeks, respectively. The values are
138
added together to give the total time value, so all of
139
<quote><literal>330s</literal></quote>,
140
<quote><literal>110s 110s 110s</literal></quote>, and
141
<quote><literal>5m 30s</literal></quote> will give a value
142
of five minutes and thirty seconds.
143
</para>
144
</listitem>
145
</varlistentry>
146
147
<varlistentry>
148
<term><literal><varname>interval</varname></literal></term>
149
<listitem>
150
<synopsis><literal>interval = </literal><replaceable
151
>TIME</replaceable>
152
</synopsis>
153
<para>
154
How often to run the checker to confirm that a client is
155
still up. <emphasis>Note:</emphasis> a new checker will
156
not be started if an old one is still running. The server
157
will wait for a checker to complete until the above
158
<quote><varname>timeout</varname></quote> occurs, at which
159
time the client will be marked invalid, and any running
160
checker killed. The default interval is 5 minutes.
161
</para>
162
<para>
163
The format of <replaceable>TIME</replaceable> is the same
164
as for <varname>timeout</varname> above.
165
</para>
166
</listitem>
167
</varlistentry>
168
169
<varlistentry>
170
<term><literal>checker</literal></term>
171
<listitem>
172
<synopsis><literal>checker = </literal><replaceable
173
>COMMAND</replaceable>
174
</synopsis>
104
105
<varlistentry>
106
<term><option>approval_delay<literal> = </literal><replaceable
107
>TIME</replaceable></option></term>
108
<listitem>
109
<para>
110
This option is <emphasis>optional</emphasis>.
111
</para>
112
<para>
113
How long to wait for external approval before resorting to
114
use the <option>approved_by_default</option> value. The
115
default is <quote>0s</quote>, i.e. not to wait.
116
</para>
117
<para>
118
The format of <replaceable>TIME</replaceable> is the same
119
as for <varname>timeout</varname> below.
120
</para>
121
</listitem>
122
</varlistentry>
123
124
<varlistentry>
125
<term><option>approval_duration<literal> = </literal
126
><replaceable>TIME</replaceable></option></term>
127
<listitem>
128
<para>
129
This option is <emphasis>optional</emphasis>.
130
</para>
131
<para>
132
How long an external approval lasts. The default is 1
133
second.
134
</para>
135
<para>
136
The format of <replaceable>TIME</replaceable> is the same
137
as for <varname>timeout</varname> below.
138
</para>
139
</listitem>
140
</varlistentry>
141
142
<varlistentry>
143
<term><option>approved_by_default<literal> = </literal
144
>{ <literal >1</literal> | <literal>yes</literal> | <literal
145
>true</literal> | <literal>on</literal> | <literal
146
>0</literal> | <literal>no</literal> | <literal
147
>false</literal> | <literal>off</literal> }</option></term>
148
<listitem>
149
<para>
150
Whether to approve a client by default after
151
the <option>approval_delay</option>. The default
152
is <quote>True</quote>.
153
</para>
154
</listitem>
155
</varlistentry>
156
157
<varlistentry>
158
<term><option>checker<literal> = </literal><replaceable
159
>COMMAND</replaceable></option></term>
160
<listitem>
161
<para>
162
This option is <emphasis>optional</emphasis>.
163
</para>
175
164
<para>
176
165
This option allows you to override the default shell
177
166
command that the server will use to check if the client is
178
still up. The output of the command will be ignored, only
179
the exit code is checked. The command will be run using
180
<quote><command><filename>/bin/sh</filename>
181
<option>-c</option></command></quote>. The default
182
command is <quote><literal><command>fping</command>
183
<option>-q</option> <option>--</option>
184
%(host)s</literal></quote>.
167
still up. Any output of the command will be ignored, only
168
the exit code is checked: If the exit code of the command
169
is zero, the client is considered up. The command will be
170
run using <quote><command><filename>/bin/sh</filename>
171
<option>-c</option></command></quote>, so
172
<varname>PATH</varname> will be searched. The default
173
value for the checker command is <quote><literal
174
><command>fping</command> <option>-q</option> <option
175
>--</option> %%(host)s</literal></quote>.
185
176
</para>
186
177
<para>
187
178
In addition to normal start time expansion, this option
192
183
</varlistentry>
193
184
194
185
<varlistentry>
195
<term><literal>fingerprint</literal></term>
196
<listitem>
197
<synopsis><literal>fingerprint = </literal><replaceable
198
>HEXSTRING</replaceable>
199
</synopsis>
186
<term><option>extended_timeout<literal> = </literal><replaceable
187
>TIME</replaceable></option></term>
188
<listitem>
189
<para>
190
This option is <emphasis>optional</emphasis>.
191
</para>
192
<para>
193
Extended timeout is an added timeout that is given once
194
after a password has been sent successfully to a client.
195
The timeout is by default longer than the normal timeout,
196
and is used for handling the extra long downtime while a
197
machine is booting up. Time to take into consideration
198
when changing this value is file system checks and quota
199
checks. The default value is 15 minutes.
200
</para>
201
<para>
202
The format of <replaceable>TIME</replaceable> is the same
203
as for <varname>timeout</varname> below.
204
</para>
205
</listitem>
206
</varlistentry>
207
208
<varlistentry>
209
<term><option>fingerprint<literal> = </literal
210
><replaceable>HEXSTRING</replaceable></option></term>
211
<listitem>
212
<para>
213
This option is <emphasis>required</emphasis>.
214
</para>
200
215
<para>
201
216
This option sets the OpenPGP fingerprint that identifies
202
217
the public key that clients authenticate themselves with
207
222
</varlistentry>
208
223
209
224
<varlistentry>
210
<term><literal>secret</literal></term>
211
<listitem>
212
<synopsis><literal>secret = </literal><replaceable
213
>BASE64_ENCODED_DATA</replaceable>
214
</synopsis>
225
<term><option><literal>host = </literal><replaceable
226
>STRING</replaceable></option></term>
227
<listitem>
228
<para>
229
This option is <emphasis>optional</emphasis>, but highly
230
<emphasis>recommended</emphasis> unless the
231
<option>checker</option> option is modified to a
232
non-standard value without <quote>%%(host)s</quote> in it.
233
</para>
234
<para>
235
Host name for this client. This is not used by the server
236
directly, but can be, and is by default, used by the
237
checker. See the <option>checker</option> option.
238
</para>
239
</listitem>
240
</varlistentry>
241
242
<varlistentry>
243
<term><option>interval<literal> = </literal><replaceable
244
>TIME</replaceable></option></term>
245
<listitem>
246
<para>
247
This option is <emphasis>optional</emphasis>.
248
</para>
249
<para>
250
How often to run the checker to confirm that a client is
251
still up. <emphasis>Note:</emphasis> a new checker will
252
not be started if an old one is still running. The server
253
will wait for a checker to complete until the below
254
<quote><varname>timeout</varname></quote> occurs, at which
255
time the client will be disabled, and any running checker
256
killed. The default interval is 2 minutes.
257
</para>
258
<para>
259
The format of <replaceable>TIME</replaceable> is the same
260
as for <varname>timeout</varname> below.
261
</para>
262
</listitem>
263
</varlistentry>
264
265
<varlistentry>
266
<term><option>secfile<literal> = </literal><replaceable
267
>FILENAME</replaceable></option></term>
268
<listitem>
269
<para>
270
This option is only used if <option>secret</option> is not
271
specified, in which case this option is
272
<emphasis>required</emphasis>.
273
</para>
274
<para>
275
Similar to the <option>secret</option>, except the secret
276
data is in an external file. The contents of the file
277
should <emphasis>not</emphasis> be base64-encoded, but
278
will be sent to clients verbatim.
279
</para>
280
<para>
281
File names of the form <filename>~user/foo/bar</filename>
282
and <filename>$<envar>ENVVAR</envar>/foo/bar</filename>
283
are supported.
284
</para>
285
</listitem>
286
</varlistentry>
287
288
<varlistentry>
289
<term><option>secret<literal> = </literal><replaceable
290
>BASE64_ENCODED_DATA</replaceable></option></term>
291
<listitem>
292
<para>
293
If this option is not specified, the <option
294
>secfile</option> option is <emphasis>required</emphasis>
295
to be present.
296
</para>
215
297
<para>
216
298
If present, this option must be set to a string of
217
299
base64-encoded binary data. It will be decoded and sent
218
300
to the client matching the above
219
301
<option>fingerprint</option>. This should, of course, be
220
302
OpenPGP encrypted data, decryptable only by the client.
221
<!-- The program <citerefentry><refentrytitle><command -->
222
<!-- >mandos-keygen</command></refentrytitle><manvolnum -->
223
<!-- >8</manvolnum></citerefentry> can be used to generate it, -->
224
<!-- if desired. -->
225
</para>
226
<para>
227
Note: this value of this option will probably run over
228
many lines, and will then have to use the fact that a line
229
beginning with white space adds to the value of the
230
previous line, RFC 822-style.
231
</para>
232
</listitem>
233
</varlistentry>
234
235
<varlistentry>
236
<term><literal>secfile</literal></term>
237
<listitem>
238
<para>
239
Base 64 encoded OpenPGP encrypted password encrypted by
240
the clients openpgp certificate as a binary file.
241
</para>
242
</listitem>
243
</varlistentry>
244
245
<varlistentry>
246
<term><literal>host</literal></term>
247
<listitem>
248
<para>
249
Host name that can be used in for checking that the client is up.
250
</para>
251
</listitem>
252
</varlistentry>
253
254
<varlistentry>
255
<term><literal>checker</literal></term>
256
<listitem>
257
<para>
258
Shell command that the server will use to check up if a
259
client is still up.
260
</para>
261
</listitem>
262
</varlistentry>
263
264
<varlistentry>
265
<term><literal>timeout</literal></term>
266
<listitem>
267
<para>
268
Duration that a client can be down whitout be removed from
269
the client list.
270
</para>
271
</listitem>
272
</varlistentry>
303
The program <citerefentry><refentrytitle><command
304
>mandos-keygen</command></refentrytitle><manvolnum
305
>8</manvolnum></citerefentry> can, using its
306
<option>--password</option> option, be used to generate
307
this, if desired.
308
</para>
309
<para>
310
Note: this value of this option will probably be very
311
long. A useful feature to avoid having unreadably-long
312
lines is that a line beginning with white space adds to
313
the value of the previous line, RFC 822-style.
314
</para>
315
</listitem>
316
</varlistentry>
317
318
<varlistentry>
319
<term><option>timeout<literal> = </literal><replaceable
320
>TIME</replaceable></option></term>
321
<listitem>
322
<para>
323
This option is <emphasis>optional</emphasis>.
324
</para>
325
<para>
326
The timeout is how long the server will wait, after a
327
successful checker run, until a client is disabled and not
328
allowed to get the data this server holds. By default
329
Mandos will use 5 minutes. See also the
330
<option>extended_timeout</option> option.
331
</para>
332
<para>
333
The <replaceable>TIME</replaceable> is specified as a
334
space-separated number of values, each of which is a
335
number and a one-character suffix. The suffix must be one
336
of <quote>d</quote>, <quote>s</quote>, <quote>m</quote>,
337
<quote>h</quote>, and <quote>w</quote> for days, seconds,
338
minutes, hours, and weeks, respectively. The values are
339
added together to give the total time value, so all of
340
<quote><literal>330s</literal></quote>,
341
<quote><literal>110s 110s 110s</literal></quote>, and
342
<quote><literal>5m 30s</literal></quote> will give a value
343
of five minutes and thirty seconds.
344
</para>
345
</listitem>
346
</varlistentry>
347
348
<varlistentry>
349
<term><option>enabled<literal> = </literal>{ <literal
350
>1</literal> | <literal>yes</literal> | <literal>true</literal
351
> | <literal >on</literal> | <literal>0</literal> | <literal
352
>no</literal> | <literal>false</literal> | <literal
353
>off</literal> }</option></term>
354
<listitem>
355
<para>
356
Whether this client should be enabled by default. The
357
default is <quote>true</quote>.
358
</para>
359
</listitem>
360
</varlistentry>
273
361
274
362
</variablelist>
275
</refsect1>
363
</refsect1>
276
364
277
365
<refsect1 id="expansion">
278
366
<title>EXPANSION</title>
309
397
<quote><literal>%%(<replaceable>foo</replaceable>)s</literal
310
398
></quote> will be replaced by the value of the attribute
311
399
<varname>foo</varname> of the internal
312
<quote><classname>Client</classname></quote> object. See the
313
source code for details, and let the authors know of any
314
attributes that are useful so they may be preserved to any new
315
versions of this software.
400
<quote><classname>Client</classname></quote> object in the
401
Mandos server. The currently allowed values for
402
<replaceable>foo</replaceable> are:
403
<quote><literal>approval_delay</literal></quote>,
404
<quote><literal>approval_duration</literal></quote>,
405
<quote><literal>created</literal></quote>,
406
<quote><literal>enabled</literal></quote>,
407
<quote><literal>fingerprint</literal></quote>,
408
<quote><literal>host</literal></quote>,
409
<quote><literal>interval</literal></quote>,
410
<quote><literal>last_approval_request</literal></quote>,
411
<quote><literal>last_checked_ok</literal></quote>,
412
<quote><literal>last_enabled</literal></quote>,
413
<quote><literal>name</literal></quote>,
414
<quote><literal>timeout</literal></quote>, and, if using
415
D-Bus, <quote><literal>dbus_object_path</literal></quote>.
416
See the source code for details. <emphasis role="strong"
417
>Currently, <emphasis>none</emphasis> of these attributes
418
except <quote><literal>host</literal></quote> are guaranteed
419
to be valid in future versions.</emphasis> Therefore, please
420
let the authors know of any attributes that are useful so they
421
may be preserved to any new versions of this software.
316
422
</para>
317
423
<para>
318
424
Note that this means that, in order to include an actual
319
425
percent character (<quote>%</quote>) in a
320
<varname>checker</varname> options, <emphasis>four</emphasis>
426
<varname>checker</varname> option, <emphasis>four</emphasis>
321
427
percent characters in a row (<quote>%%%%</quote>) must be
322
428
entered. Also, a bad format here will lead to an immediate
323
429
but <emphasis>silent</emphasis> run-time fatal exit; debug
324
mode is needed to track down an error of this kind.
430
mode is needed to expose an error of this kind.
325
431
</para>
326
432
</refsect2>
327
328
</refsect1>
433
434
</refsect1>
329
435
330
436
<refsect1 id="files">
331
437
<title>FILES</title>
353
459
<informalexample>
354
460
<programlisting>
355
461
[DEFAULT]
356
timeout = 1h
357
interval = 5m
358
checker = fping -q -- %(host)s
462
timeout = 5m
463
interval = 2m
464
checker = fping -q -- %%(host)s
359
465
360
466
# Client "foo"
361
467
[foo]
376
482
5MHdW9AYsNJZAQSOpirE4Xi31CSlWAi9KV+cUCmWF5zOFy1x23P6PjdaRm
377
483
4T2zw4dxS5NswXWU0sVEXxjs6PYxuIiCTL7vdpx8QjBkrPWDrAbcMyBr2O
378
484
QlnHIvPzEArRQLo=
379
=iHhv
380
485
host = foo.example.org
381
interval = 5m
486
interval = 1m
382
487
383
488
# Client "bar"
384
489
[bar]
385
490
fingerprint = 3e393aeaefb84c7e89e2f547b3a107558fca3a27
386
secfile = /etc/mandos/bar-secret.txt.asc
387
491
secfile = /etc/mandos/bar-secret
492
timeout = 15m
493
approved_by_default = False
494
approval_delay = 30s
388
495
</programlisting>
389
496
</informalexample>
390
</refsect1>
391
497
</refsect1>
498
499
<refsect1 id="see_also">
500
<title>SEE ALSO</title>
501
<para>
502
<citerefentry><refentrytitle>intro</refentrytitle>
503
<manvolnum>8mandos</manvolnum></citerefentry>,
504
<citerefentry><refentrytitle>mandos-keygen</refentrytitle>
505
<manvolnum>8</manvolnum></citerefentry>,
506
<citerefentry><refentrytitle>mandos.conf</refentrytitle>
507
<manvolnum>5</manvolnum></citerefentry>,
508
<citerefentry><refentrytitle>mandos</refentrytitle>
509
<manvolnum>8</manvolnum></citerefentry>
510
</para>
511
</refsect1>
392
512
</refentry>
513
<!-- Local Variables: -->
514
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
515
<!-- time-stamp-end: "[\"']>" -->
516
<!-- time-stamp-format: "%:y-%02m-%02d" -->
517
<!-- End: -->
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0