/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos.xml

merge

Show diffs side-by-side

added added

removed removed

Lines of Context:
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY VERSION "1.0">
5
5
<!ENTITY COMMANDNAME "mandos">
6
 
<!ENTITY TIMESTAMP "2008-09-06">
 
6
<!ENTITY TIMESTAMP "2008-08-29">
7
7
]>
8
8
 
9
9
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
34
34
      <holder>Teddy Hogeborn</holder>
35
35
      <holder>Björn Påhlsson</holder>
36
36
    </copyright>
37
 
    <xi:include href="legalnotice.xml"/>
 
37
    <legalnotice>
 
38
      <para>
 
39
        This manual page is free software: you can redistribute it
 
40
        and/or modify it under the terms of the GNU General Public
 
41
        License as published by the Free Software Foundation,
 
42
        either version 3 of the License, or (at your option) any
 
43
        later version.
 
44
      </para>
 
45
 
 
46
      <para>
 
47
        This manual page is distributed in the hope that it will
 
48
        be useful, but WITHOUT ANY WARRANTY; without even the
 
49
        implied warranty of MERCHANTABILITY or FITNESS FOR A
 
50
        PARTICULAR PURPOSE.  See the GNU General Public License
 
51
        for more details.
 
52
      </para>
 
53
 
 
54
      <para>
 
55
        You should have received a copy of the GNU General Public
 
56
        License along with this program; If not, see
 
57
        <ulink url="http://www.gnu.org/licenses/"/>.
 
58
      </para>
 
59
    </legalnotice>
38
60
  </refentryinfo>
39
61
 
40
62
  <refmeta>
45
67
  <refnamediv>
46
68
    <refname><command>&COMMANDNAME;</command></refname>
47
69
    <refpurpose>
48
 
      Gives encrypted passwords to authenticated Mandos clients
 
70
      Sends encrypted passwords to authenticated Mandos clients
49
71
    </refpurpose>
50
72
  </refnamediv>
51
73
 
52
74
  <refsynopsisdiv>
53
75
    <cmdsynopsis>
54
76
      <command>&COMMANDNAME;</command>
55
 
      <group>
56
 
        <arg choice="plain"><option>--interface
57
 
        <replaceable>NAME</replaceable></option></arg>
58
 
        <arg choice="plain"><option>-i
59
 
        <replaceable>NAME</replaceable></option></arg>
60
 
      </group>
61
 
      <sbr/>
62
 
      <group>
63
 
        <arg choice="plain"><option>--address
64
 
        <replaceable>ADDRESS</replaceable></option></arg>
65
 
        <arg choice="plain"><option>-a
66
 
        <replaceable>ADDRESS</replaceable></option></arg>
67
 
      </group>
68
 
      <sbr/>
69
 
      <group>
70
 
        <arg choice="plain"><option>--port
71
 
        <replaceable>PORT</replaceable></option></arg>
72
 
        <arg choice="plain"><option>-p
73
 
        <replaceable>PORT</replaceable></option></arg>
74
 
      </group>
75
 
      <sbr/>
76
 
      <arg><option>--priority
77
 
      <replaceable>PRIORITY</replaceable></option></arg>
78
 
      <sbr/>
79
 
      <arg><option>--servicename
80
 
      <replaceable>NAME</replaceable></option></arg>
81
 
      <sbr/>
82
 
      <arg><option>--configdir
83
 
      <replaceable>DIRECTORY</replaceable></option></arg>
84
 
      <sbr/>
85
 
      <arg><option>--debug</option></arg>
 
77
      <arg>--interface<arg choice="plain">NAME</arg></arg>
 
78
      <arg>--address<arg choice="plain">ADDRESS</arg></arg>
 
79
      <arg>--port<arg choice="plain">PORT</arg></arg>
 
80
      <arg>--priority<arg choice="plain">PRIORITY</arg></arg>
 
81
      <arg>--servicename<arg choice="plain">NAME</arg></arg>
 
82
      <arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>
 
83
      <arg>--debug</arg>
 
84
    </cmdsynopsis>
 
85
    <cmdsynopsis>
 
86
      <command>&COMMANDNAME;</command>
 
87
      <arg>-i<arg choice="plain">NAME</arg></arg>
 
88
      <arg>-a<arg choice="plain">ADDRESS</arg></arg>
 
89
      <arg>-p<arg choice="plain">PORT</arg></arg>
 
90
      <arg>--priority<arg choice="plain">PRIORITY</arg></arg>
 
91
      <arg>--servicename<arg choice="plain">NAME</arg></arg>
 
92
      <arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>
 
93
      <arg>--debug</arg>
86
94
    </cmdsynopsis>
87
95
    <cmdsynopsis>
88
96
      <command>&COMMANDNAME;</command>
89
97
      <group choice="req">
90
 
        <arg choice="plain"><option>--help</option></arg>
91
 
        <arg choice="plain"><option>-h</option></arg>
 
98
        <arg choice="plain">-h</arg>
 
99
        <arg choice="plain">--help</arg>
92
100
      </group>
93
101
    </cmdsynopsis>
94
102
    <cmdsynopsis>
95
103
      <command>&COMMANDNAME;</command>
96
 
      <arg choice="plain"><option>--version</option></arg>
 
104
      <arg choice="plain">--version</arg>
97
105
    </cmdsynopsis>
98
106
    <cmdsynopsis>
99
107
      <command>&COMMANDNAME;</command>
100
 
      <arg choice="plain"><option>--check</option></arg>
 
108
      <arg choice="plain">--check</arg>
101
109
    </cmdsynopsis>
102
110
  </refsynopsisdiv>
103
111
 
115
123
      Any authenticated client is then given the stored pre-encrypted
116
124
      password for that specific client.
117
125
    </para>
 
126
 
118
127
  </refsect1>
119
128
  
120
129
  <refsect1 id="purpose">
121
130
    <title>PURPOSE</title>
 
131
 
122
132
    <para>
123
133
      The purpose of this is to enable <emphasis>remote and unattended
124
134
      rebooting</emphasis> of client host computer with an
125
135
      <emphasis>encrypted root file system</emphasis>.  See <xref
126
136
      linkend="overview"/> for details.
127
137
    </para>
 
138
 
128
139
  </refsect1>
129
140
  
130
141
  <refsect1 id="options">
131
142
    <title>OPTIONS</title>
 
143
 
132
144
    <variablelist>
133
145
      <varlistentry>
134
 
        <term><option>--help</option></term>
135
 
        <term><option>-h</option></term>
 
146
        <term><literal>-h</literal>, <literal>--help</literal></term>
136
147
        <listitem>
137
148
          <para>
138
149
            Show a help message and exit
139
150
          </para>
140
151
        </listitem>
141
152
      </varlistentry>
142
 
      
 
153
 
143
154
      <varlistentry>
144
 
        <term><option>--interface</option>
145
 
        <replaceable>NAME</replaceable></term>
146
 
        <term><option>-i</option>
147
 
        <replaceable>NAME</replaceable></term>
 
155
        <term><literal>-i</literal>, <literal>--interface <replaceable
 
156
        >NAME</replaceable></literal></term>
148
157
        <listitem>
149
158
          <xi:include href="mandos-options.xml" xpointer="interface"/>
150
159
        </listitem>
151
160
      </varlistentry>
152
 
      
 
161
 
153
162
      <varlistentry>
154
 
        <term><option>--address
155
 
        <replaceable>ADDRESS</replaceable></option></term>
156
 
        <term><option>-a
157
 
        <replaceable>ADDRESS</replaceable></option></term>
 
163
        <term><literal>-a</literal>, <literal>--address <replaceable>
 
164
        ADDRESS</replaceable></literal></term>
158
165
        <listitem>
159
166
          <xi:include href="mandos-options.xml" xpointer="address"/>
160
167
        </listitem>
161
168
      </varlistentry>
162
 
      
 
169
 
163
170
      <varlistentry>
164
 
        <term><option>--port
165
 
        <replaceable>PORT</replaceable></option></term>
166
 
        <term><option>-p
167
 
        <replaceable>PORT</replaceable></option></term>
 
171
        <term><literal>-p</literal>, <literal>--port <replaceable>
 
172
        PORT</replaceable></literal></term>
168
173
        <listitem>
169
174
          <xi:include href="mandos-options.xml" xpointer="port"/>
170
175
        </listitem>
171
176
      </varlistentry>
172
 
      
 
177
 
173
178
      <varlistentry>
174
 
        <term><option>--check</option></term>
 
179
        <term><literal>--check</literal></term>
175
180
        <listitem>
176
181
          <para>
177
182
            Run the server’s self-tests.  This includes any unit
179
184
          </para>
180
185
        </listitem>
181
186
      </varlistentry>
182
 
      
 
187
 
183
188
      <varlistentry>
184
 
        <term><option>--debug</option></term>
 
189
        <term><literal>--debug</literal></term>
185
190
        <listitem>
186
191
          <xi:include href="mandos-options.xml" xpointer="debug"/>
187
192
        </listitem>
188
193
      </varlistentry>
189
194
 
190
195
      <varlistentry>
191
 
        <term><option>--priority <replaceable>
192
 
        PRIORITY</replaceable></option></term>
 
196
        <term><literal>--priority <replaceable>
 
197
        PRIORITY</replaceable></literal></term>
193
198
        <listitem>
194
199
          <xi:include href="mandos-options.xml" xpointer="priority"/>
195
200
        </listitem>
196
201
      </varlistentry>
197
202
 
198
203
      <varlistentry>
199
 
        <term><option>--servicename
200
 
        <replaceable>NAME</replaceable></option></term>
 
204
        <term><literal>--servicename <replaceable>NAME</replaceable>
 
205
        </literal></term>
201
206
        <listitem>
202
207
          <xi:include href="mandos-options.xml"
203
208
                      xpointer="servicename"/>
205
210
      </varlistentry>
206
211
 
207
212
      <varlistentry>
208
 
        <term><option>--configdir
209
 
        <replaceable>DIRECTORY</replaceable></option></term>
 
213
        <term><literal>--configdir <replaceable>DIR</replaceable>
 
214
        </literal></term>
210
215
        <listitem>
211
216
          <para>
212
217
            Directory to search for configuration files.  Default is
220
225
      </varlistentry>
221
226
 
222
227
      <varlistentry>
223
 
        <term><option>--version</option></term>
 
228
        <term><literal>--version</literal></term>
224
229
        <listitem>
225
230
          <para>
226
231
            Prints the program version and exit.
236
241
    <para>
237
242
      This program is the server part.  It is a normal server program
238
243
      and will run in a normal system environment, not in an initial
239
 
      <acronym>RAM</acronym> disk environment.
 
244
      RAM disk environment.
240
245
    </para>
241
246
  </refsect1>
242
247
 
334
339
    <title>ENVIRONMENT</title>
335
340
    <variablelist>
336
341
      <varlistentry>
337
 
        <term><envar>PATH</envar></term>
 
342
        <term><varname>PATH</varname></term>
338
343
        <listitem>
339
344
          <para>
340
345
            To start the configured checker (see <xref
379
384
        </listitem>
380
385
      </varlistentry>
381
386
      <varlistentry>
382
 
        <term><filename>/var/run/mandos.pid</filename></term>
 
387
        <term><filename>/var/run/mandos/mandos.pid</filename></term>
383
388
        <listitem>
384
389
          <para>
385
390
            The file containing the process id of
434
439
      Debug mode is conflated with running in the foreground.
435
440
    </para>
436
441
    <para>
437
 
      The console log messages does not show a time stamp.
438
 
    </para>
439
 
    <para>
440
 
      This server does not check the expire time of clients’ OpenPGP
441
 
      keys.
 
442
      The console log messages does not show a timestamp.
442
443
    </para>
443
444
  </refsect1>
444
445
  
487
488
      <para>
488
489
        Running this <command>&COMMANDNAME;</command> server program
489
490
        should not in itself present any security risk to the host
490
 
        computer running it.  The program switches to a non-root user
491
 
        soon after startup.
 
491
        computer running it.  The program does not need any special
 
492
        privileges to run, and is designed to run as a non-root user.
492
493
      </para>
493
494
    </refsect2>
494
495
    <refsect2 id="CLIENTS">
521
522
        restarting servers if it is suspected that a client has, in
522
523
        fact, been compromised by parties who may now be running a
523
524
        fake Mandos client with the keys from the non-encrypted
524
 
        initial <acronym>RAM</acronym> image of the client host.  What
525
 
        should be done in that case (if restarting the server program
526
 
        really is necessary) is to stop the server program, edit the
 
525
        initial RAM image of the client host.  What should be done in
 
526
        that case (if restarting the server program really is
 
527
        necessary) is to stop the server program, edit the
527
528
        configuration file to omit any suspect clients, and restart
528
529
        the server program.
529
530
      </para>
530
531
      <para>
531
532
        For more details on client-side security, see
532
 
        <citerefentry><refentrytitle>mandos-client</refentrytitle>
 
533
        <citerefentry><refentrytitle>password-request</refentrytitle>
533
534
        <manvolnum>8mandos</manvolnum></citerefentry>.
534
535
      </para>
535
536
    </refsect2>
543
544
        <manvolnum>5</manvolnum></citerefentry>, <citerefentry>
544
545
        <refentrytitle>mandos.conf</refentrytitle>
545
546
        <manvolnum>5</manvolnum></citerefentry>, <citerefentry>
546
 
        <refentrytitle>mandos-client</refentrytitle>
 
547
        <refentrytitle>password-request</refentrytitle>
547
548
        <manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>
548
549
        <refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
549
550
      </citerefentry>