/mandos/release : revision 24.1.146

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Björn Påhlsson
Date: 2010-03-27 18:39:02 UTC
mfrom: (237.2.177 mandos)
mto: (237.7.1 mandos) (24.1.154 mandos)
mto: This revision was merged to the branch mainline in revision 270.
Revision ID: belorn@braxen-20100327183902-24g6cra7xqq31g8t

Merge from Teddy:

* New upstream release.
* debian/rules: Build with BROKEN_PIE set on mips and mipsel
architectures - fixes FTBFS there.
* New upstream release.
* Do not copy unnecessary files to initrd (Closes: #551907)

files removed:
DBUS-API

debian/source

debian/source/format

debian/source/local-options

intro.xml

mandos-ctl.xml

mandos-monitor.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

files modified:
.bzrignore

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

dbus-mandos.conf

debian/changelog

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.postinst

debian/mandos.prerm

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos.conf.xml

mandos.lsm

mandos.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2011-10-03">

<!ENTITY TIMESTAMP "2009-12-09">

<!ENTITY % common SYSTEM "common.ent">

%common;

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<sbr/>

<arg><option>--debug</option></arg>

<sbr/>

<arg><option>--debuglevel

<replaceable>LEVEL</replaceable></option></arg>

<sbr/>

<sbr/>

117

112

<para>

118

113

<command>&COMMANDNAME;</command> is a server daemon which

119

114

handles incoming request for passwords for a pre-defined list of

120

client host computers. For an introduction, see

121

<citerefentry><refentrytitle>intro</refentrytitle>

122

<manvolnum>8mandos</manvolnum></citerefentry>. The Mandos server

123

uses Zeroconf to announce itself on the local network, and uses

124

TLS to communicate securely with and to authenticate the

125

clients. The Mandos server uses IPv6 to allow Mandos clients to

126

use IPv6 link-local addresses, since the clients will probably

127

not have any other addresses configured (see <xref

128

linkend="overview"/>). Any authenticated client is then given

129

the stored pre-encrypted password for that specific client.

115

client host computers. The Mandos server uses Zeroconf to

116

announce itself on the local network, and uses TLS to

117

communicate securely with and to authenticate the clients. The

118

Mandos server uses IPv6 to allow Mandos clients to use IPv6

119

link-local addresses, since the clients will probably not have

120

any other addresses configured (see <xref linkend="overview"/>).

121

Any authenticated client is then given the stored pre-encrypted

122

password for that specific client.

130

123

</para>

131

124

</refsect1>

132

125

201

194

</varlistentry>

202

195

203

196

204

<term><option>--debuglevel

205

<replaceable>LEVEL</replaceable></option></term>

206

207

<para>

208

Set the debugging log level.

209

<replaceable>LEVEL</replaceable> is a string, one of

210

<quote><literal>CRITICAL</literal></quote>,

211

<quote><literal>ERROR</literal></quote>,

212

<quote><literal>WARNING</literal></quote>,

213

<quote><literal>INFO</literal></quote>, or

214

<quote><literal>DEBUG</literal></quote>, in order of

215

increasing verbosity. The default level is

216

<quote><literal>WARNING</literal></quote>.

217

</para>

218

</listitem>

219

</varlistentry>

220

221

222

197

<term><option>--priority <replaceable>

223

198

PRIORITY</replaceable></option></term>

224

199

354

329

for some time, the client is assumed to be compromised and is no

355

330

longer eligible to receive the encrypted password. (Manual

356

331

intervention is required to re-enable a client.) The timeout,

357

extended timeout, checker program, and interval between checks

358

can be configured both globally and per client; see

359

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

332

checker program, and interval between checks can be configured

333

both globally and per client; see <citerefentry>

334

<refentrytitle>mandos-clients.conf</refentrytitle>

360

335

<manvolnum>5</manvolnum></citerefentry>. A client successfully

361

336

receiving its password will also be treated as a successful

362

337

checker run.

363

338

</para>

364

339

</refsect1>

365

340

366

367

<title>APPROVAL</title>

368

<para>

369

The server can be configured to require manual approval for a

370

client before it is sent its secret. The delay to wait for such

371

approval and the default action (approve or deny) can be

372

configured both globally and per client; see <citerefentry>

373

<refentrytitle>mandos-clients.conf</refentrytitle>

374

<manvolnum>5</manvolnum></citerefentry>. By default all clients

375

will be approved immediately without delay.

376

</para>

377

<para>

378

This can be used to deny a client its secret if not manually

379

approved within a specified time. It can also be used to make

380

the server delay before giving a client its secret, allowing

381

optional manual denying of this specific client.

382

</para>

383

384

</refsect1>

385

386

341

387

342

<title>LOGGING</title>

388

343

<para>

398

353

<para>

399

354

The server will by default provide a D-Bus system bus interface.

400

355

This interface will only be accessible by the root user or a

401

Mandos-specific user, if such a user exists. For documentation

402

of the D-Bus API, see the file <filename>DBUS-API</filename>.

356

Mandos-specific user, if such a user exists.

357

403

358

</para>

404

359

</refsect1>

405

360

463

418

<term><filename>/var/run/mandos.pid</filename></term>

464

419

465

420

<para>

466

The file containing the process id of the

467

<command>&COMMANDNAME;</command> process started last.

421

The file containing the process id of

422

<command>&COMMANDNAME;</command>.

468

423

</para>

469

424

</listitem>

470

425

</varlistentry>

503

458

has some security implications, see <xref linkend="clients"/>.

504

459

</para>

505

460

<para>

461

There is currently no way of querying the server of the current

462

status of clients, other than analyzing its <systemitem

463

class="service">syslog</systemitem> output.

464

</para>

465

<para>

506

466

There is no fine-grained control over logging and debug output.

507

467

</para>

508

468

<para>

612

572

613

573

614

574

<para>

615

<citerefentry><refentrytitle>intro</refentrytitle>

616

<manvolnum>8mandos</manvolnum></citerefentry>,

617

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

618

<manvolnum>5</manvolnum></citerefentry>,

619

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

620

<manvolnum>5</manvolnum></citerefentry>,

621

<citerefentry><refentrytitle>mandos-client</refentrytitle>

622

<manvolnum>8mandos</manvolnum></citerefentry>,

623

624

575

576

<refentrytitle>mandos-clients.conf</refentrytitle>

577

578

<refentrytitle>mandos.conf</refentrytitle>

579

580

<refentrytitle>mandos-client</refentrytitle>

581

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

582

583

</citerefentry>

625

584

</para>

626

585

627

586

Older »