/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos.xml

  • Committer: Björn Påhlsson
  • Date: 2008-09-03 18:47:50 UTC
  • mto: (237.7.1 mandos) (24.1.154 mandos)
  • mto: This revision was merged to the branch mainline in revision 149.
  • Revision ID: belorn@braxen-20080903184750-s0k0jrrq0lxiamwh
removed keyring pre-requirement for starting password-request.
        Keys will now be imported in run-time to a run-time created keyring

Changed seckey and pubkey to be paths to private and public keys of the pgp encrypted password and gnutls authentication credentials.

Show diffs side-by-side

added added

removed removed

Lines of Context:
1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
 
4
<!ENTITY VERSION "1.0">
4
5
<!ENTITY COMMANDNAME "mandos">
5
 
<!ENTITY TIMESTAMP "2009-02-13">
6
 
<!ENTITY % common SYSTEM "common.ent">
7
 
%common;
 
6
<!ENTITY TIMESTAMP "2008-09-01">
8
7
]>
9
8
 
10
9
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
11
 
   <refentryinfo>
 
10
  <refentryinfo>
12
11
    <title>Mandos Manual</title>
13
12
    <!-- NWalsh’s docbook scripts use this to generate the footer: -->
14
13
    <productname>Mandos</productname>
15
 
    <productnumber>&version;</productnumber>
 
14
    <productnumber>&VERSION;</productnumber>
16
15
    <date>&TIMESTAMP;</date>
17
16
    <authorgroup>
18
17
      <author>
32
31
    </authorgroup>
33
32
    <copyright>
34
33
      <year>2008</year>
35
 
      <year>2009</year>
36
34
      <holder>Teddy Hogeborn</holder>
37
35
      <holder>Björn Påhlsson</holder>
38
36
    </copyright>
39
37
    <xi:include href="legalnotice.xml"/>
40
38
  </refentryinfo>
41
 
  
 
39
 
42
40
  <refmeta>
43
41
    <refentrytitle>&COMMANDNAME;</refentrytitle>
44
42
    <manvolnum>8</manvolnum>
50
48
      Gives encrypted passwords to authenticated Mandos clients
51
49
    </refpurpose>
52
50
  </refnamediv>
53
 
  
 
51
 
54
52
  <refsynopsisdiv>
55
53
    <cmdsynopsis>
56
54
      <command>&COMMANDNAME;</command>
85
83
      <replaceable>DIRECTORY</replaceable></option></arg>
86
84
      <sbr/>
87
85
      <arg><option>--debug</option></arg>
88
 
      <sbr/>
89
 
      <arg><option>--no-ipv6</option></arg>
90
86
    </cmdsynopsis>
91
87
    <cmdsynopsis>
92
88
      <command>&COMMANDNAME;</command>
104
100
      <arg choice="plain"><option>--check</option></arg>
105
101
    </cmdsynopsis>
106
102
  </refsynopsisdiv>
107
 
  
 
103
 
108
104
  <refsect1 id="description">
109
105
    <title>DESCRIPTION</title>
110
106
    <para>
119
115
      Any authenticated client is then given the stored pre-encrypted
120
116
      password for that specific client.
121
117
    </para>
 
118
 
122
119
  </refsect1>
123
120
  
124
121
  <refsect1 id="purpose">
125
122
    <title>PURPOSE</title>
 
123
 
126
124
    <para>
127
125
      The purpose of this is to enable <emphasis>remote and unattended
128
126
      rebooting</emphasis> of client host computer with an
129
127
      <emphasis>encrypted root file system</emphasis>.  See <xref
130
128
      linkend="overview"/> for details.
131
129
    </para>
 
130
    
132
131
  </refsect1>
133
132
  
134
133
  <refsect1 id="options">
135
134
    <title>OPTIONS</title>
 
135
    
136
136
    <variablelist>
137
137
      <varlistentry>
138
138
        <term><option>--help</option></term>
190
190
          <xi:include href="mandos-options.xml" xpointer="debug"/>
191
191
        </listitem>
192
192
      </varlistentry>
193
 
      
 
193
 
194
194
      <varlistentry>
195
195
        <term><option>--priority <replaceable>
196
196
        PRIORITY</replaceable></option></term>
198
198
          <xi:include href="mandos-options.xml" xpointer="priority"/>
199
199
        </listitem>
200
200
      </varlistentry>
201
 
      
 
201
 
202
202
      <varlistentry>
203
203
        <term><option>--servicename
204
204
        <replaceable>NAME</replaceable></option></term>
207
207
                      xpointer="servicename"/>
208
208
        </listitem>
209
209
      </varlistentry>
210
 
      
 
210
 
211
211
      <varlistentry>
212
212
        <term><option>--configdir
213
213
        <replaceable>DIRECTORY</replaceable></option></term>
222
222
          </para>
223
223
        </listitem>
224
224
      </varlistentry>
225
 
      
 
225
 
226
226
      <varlistentry>
227
227
        <term><option>--version</option></term>
228
228
        <listitem>
231
231
          </para>
232
232
        </listitem>
233
233
      </varlistentry>
234
 
      
235
 
      <varlistentry>
236
 
        <term><option>--no-ipv6</option></term>
237
 
        <listitem>
238
 
          <xi:include href="mandos-options.xml" xpointer="ipv6"/>
239
 
        </listitem>
240
 
      </varlistentry>
241
234
    </variablelist>
242
235
  </refsect1>
243
 
  
 
236
 
244
237
  <refsect1 id="overview">
245
238
    <title>OVERVIEW</title>
246
239
    <xi:include href="overview.xml"/>
250
243
      <acronym>RAM</acronym> disk environment.
251
244
    </para>
252
245
  </refsect1>
253
 
  
 
246
 
254
247
  <refsect1 id="protocol">
255
248
    <title>NETWORK PROTOCOL</title>
256
249
    <para>
308
301
      </row>
309
302
    </tbody></tgroup></table>
310
303
  </refsect1>
311
 
  
 
304
 
312
305
  <refsect1 id="checking">
313
306
    <title>CHECKING</title>
314
307
    <para>
322
315
      <manvolnum>5</manvolnum></citerefentry>.
323
316
    </para>
324
317
  </refsect1>
325
 
  
 
318
 
326
319
  <refsect1 id="logging">
327
320
    <title>LOGGING</title>
328
321
    <para>
332
325
      and also show them on the console.
333
326
    </para>
334
327
  </refsect1>
335
 
  
 
328
 
336
329
  <refsect1 id="exit_status">
337
330
    <title>EXIT STATUS</title>
338
331
    <para>
340
333
      critical error is encountered.
341
334
    </para>
342
335
  </refsect1>
343
 
  
 
336
 
344
337
  <refsect1 id="environment">
345
338
    <title>ENVIRONMENT</title>
346
339
    <variablelist>
360
353
      </varlistentry>
361
354
    </variablelist>
362
355
  </refsect1>
363
 
  
364
 
  <refsect1 id="files">
 
356
 
 
357
  <refsect1 id="file">
365
358
    <title>FILES</title>
366
359
    <para>
367
360
      Use the <option>--configdir</option> option to change where
390
383
        </listitem>
391
384
      </varlistentry>
392
385
      <varlistentry>
393
 
        <term><filename>/var/run/mandos.pid</filename></term>
 
386
        <term><filename>/var/run/mandos/mandos.pid</filename></term>
394
387
        <listitem>
395
388
          <para>
396
389
            The file containing the process id of
431
424
      Currently, if a client is declared <quote>invalid</quote> due to
432
425
      having timed out, the server does not record this fact onto
433
426
      permanent storage.  This has some security implications, see
434
 
      <xref linkend="clients"/>.
 
427
      <xref linkend="CLIENTS"/>.
435
428
    </para>
436
429
    <para>
437
430
      There is currently no way of querying the server of the current
445
438
      Debug mode is conflated with running in the foreground.
446
439
    </para>
447
440
    <para>
448
 
      The console log messages does not show a time stamp.
449
 
    </para>
450
 
    <para>
451
 
      This server does not check the expire time of clients’ OpenPGP
452
 
      keys.
 
441
      The console log messages does not show a timestamp.
453
442
    </para>
454
443
  </refsect1>
455
444
  
490
479
      </para>
491
480
    </informalexample>
492
481
  </refsect1>
493
 
  
 
482
 
494
483
  <refsect1 id="security">
495
484
    <title>SECURITY</title>
496
 
    <refsect2 id="server">
 
485
    <refsect2 id="SERVER">
497
486
      <title>SERVER</title>
498
487
      <para>
499
488
        Running this <command>&COMMANDNAME;</command> server program
500
489
        should not in itself present any security risk to the host
501
 
        computer running it.  The program switches to a non-root user
502
 
        soon after startup.
 
490
        computer running it.  The program does not need any special
 
491
        privileges to run, and is designed to run as a non-root user.
503
492
      </para>
504
493
    </refsect2>
505
 
    <refsect2 id="clients">
 
494
    <refsect2 id="CLIENTS">
506
495
      <title>CLIENTS</title>
507
496
      <para>
508
497
        The server only gives out its stored data to clients which
515
504
        <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
516
505
        <manvolnum>5</manvolnum></citerefentry>)
517
506
        <emphasis>must</emphasis> be made non-readable by anyone
518
 
        except the user starting the server (usually root).
 
507
        except the user running the server.
519
508
      </para>
520
509
      <para>
521
510
        As detailed in <xref linkend="checking"/>, the status of all
540
529
      </para>
541
530
      <para>
542
531
        For more details on client-side security, see
543
 
        <citerefentry><refentrytitle>mandos-client</refentrytitle>
 
532
        <citerefentry><refentrytitle>password-request</refentrytitle>
544
533
        <manvolnum>8mandos</manvolnum></citerefentry>.
545
534
      </para>
546
535
    </refsect2>
547
536
  </refsect1>
548
 
  
 
537
 
549
538
  <refsect1 id="see_also">
550
539
    <title>SEE ALSO</title>
551
540
    <para>
554
543
        <manvolnum>5</manvolnum></citerefentry>, <citerefentry>
555
544
        <refentrytitle>mandos.conf</refentrytitle>
556
545
        <manvolnum>5</manvolnum></citerefentry>, <citerefentry>
557
 
        <refentrytitle>mandos-client</refentrytitle>
 
546
        <refentrytitle>password-request</refentrytitle>
558
547
        <manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>
559
548
        <refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
560
549
      </citerefentry>