3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY CONFNAME "mandos-clients.conf">
5
5
<!ENTITY CONFPATH "<filename>/etc/mandos/clients.conf</filename>">
6
<!ENTITY TIMESTAMP "2017-02-23">
6
<!ENTITY TIMESTAMP "2011-02-27">
7
7
<!ENTITY % common SYSTEM "common.ent">
20
20
<firstname>Björn</firstname>
21
21
<surname>Påhlsson</surname>
23
<email>belorn@recompile.se</email>
23
<email>belorn@fukt.bsnet.se</email>
27
27
<firstname>Teddy</firstname>
28
28
<surname>Hogeborn</surname>
30
<email>teddy@recompile.se</email>
30
<email>teddy@fukt.bsnet.se</email>
71
65
><refentrytitle>mandos</refentrytitle>
72
66
<manvolnum>8</manvolnum></citerefentry>, read by it at startup.
73
67
The file needs to list all clients that should be able to use
74
the service. The settings in this file can be overridden by
75
runtime changes to the server, which it saves across restarts.
76
(See the section called <quote>PERSISTENT STATE</quote> in
77
<citerefentry><refentrytitle>mandos</refentrytitle><manvolnum
78
>8</manvolnum></citerefentry>.) However, any <emphasis
79
>changes</emphasis> to this file (including adding and removing
80
clients) will, at startup, override changes done during runtime.
68
the service. All clients listed will be regarded as enabled,
69
even if a client was disabled in a previous run of the server.
83
72
The format starts with a <literal>[<replaceable>section
123
112
How long to wait for external approval before resorting to
124
113
use the <option>approved_by_default</option> value. The
125
default is <quote>PT0S</quote>, i.e. not to wait.
114
default is <quote>0s</quote>, i.e. not to wait.
128
117
The format of <replaceable>TIME</replaceable> is the same
172
161
This option is <emphasis>optional</emphasis>.
175
This option overrides the default shell command that the
176
server will use to check if the client is still up. Any
177
output of the command will be ignored, only the exit code
178
is checked: If the exit code of the command is zero, the
179
client is considered up. The command will be run using
180
<quote><command><filename>/bin/sh</filename>
164
This option allows you to override the default shell
165
command that the server will use to check if the client is
166
still up. Any output of the command will be ignored, only
167
the exit code is checked: If the exit code of the command
168
is zero, the client is considered up. The command will be
169
run using <quote><command><filename>/bin/sh</filename>
181
170
<option>-c</option></command></quote>, so
182
171
<varname>PATH</varname> will be searched. The default
183
172
value for the checker command is <quote><literal
184
173
><command>fping</command> <option>-q</option> <option
185
>--</option> %%(host)s</literal></quote>. Note that
186
<command>mandos-keygen</command>, when generating output
187
to be inserted into this file, normally looks for an SSH
188
server on the Mandos client, and, if it find one, outputs
189
a <option>checker</option> option to check for the
190
client’s key fingerprint – this is more secure against
174
>--</option> %%(host)s</literal></quote>.
194
177
In addition to normal start time expansion, this option
202
<term><option>extended_timeout<literal> = </literal><replaceable
203
>TIME</replaceable></option></term>
206
This option is <emphasis>optional</emphasis>.
209
Extended timeout is an added timeout that is given once
210
after a password has been sent successfully to a client.
211
The timeout is by default longer than the normal timeout,
212
and is used for handling the extra long downtime while a
213
machine is booting up. Time to take into consideration
214
when changing this value is file system checks and quota
215
checks. The default value is 15 minutes.
218
The format of <replaceable>TIME</replaceable> is the same
219
as for <varname>timeout</varname> below.
225
185
<term><option>fingerprint<literal> = </literal
226
186
><replaceable>HEXSTRING</replaceable></option></term>
232
192
This option sets the OpenPGP fingerprint that identifies
233
193
the public key that clients authenticate themselves with
234
through TLS. The string needs to be in hexadecimal form,
194
through TLS. The string needs to be in hexidecimal form,
235
195
but spaces or upper/lower case are not significant.
269
229
will wait for a checker to complete until the below
270
230
<quote><varname>timeout</varname></quote> occurs, at which
271
231
time the client will be disabled, and any running checker
272
killed. The default interval is 2 minutes.
232
killed. The default interval is 5 minutes.
275
235
The format of <replaceable>TIME</replaceable> is the same
339
299
This option is <emphasis>optional</emphasis>.
342
The timeout is how long the server will wait, after a
343
successful checker run, until a client is disabled and not
344
allowed to get the data this server holds. By default
345
Mandos will use 5 minutes. See also the
346
<option>extended_timeout</option> option.
349
The <replaceable>TIME</replaceable> is specified as an RFC
350
3339 duration; for example
351
<quote><literal>P1Y2M3DT4H5M6S</literal></quote> meaning
352
one year, two months, three days, four hours, five
353
minutes, and six seconds. Some values can be omitted, see
354
RFC 3339 Appendix A for details.
360
<term><option>enabled<literal> = </literal>{ <literal
361
>1</literal> | <literal>yes</literal> | <literal>true</literal
362
> | <literal >on</literal> | <literal>0</literal> | <literal
363
>no</literal> | <literal>false</literal> | <literal
364
>off</literal> }</option></term>
367
Whether this client should be enabled by default. The
368
default is <quote>true</quote>.
302
The timeout is how long the server will wait (for either a
303
successful checker run or a client receiving its secret)
304
until a client is disabled and not allowed to get the data
305
this server holds. By default Mandos will use 1 hour.
308
The <replaceable>TIME</replaceable> is specified as a
309
space-separated number of values, each of which is a
310
number and a one-character suffix. The suffix must be one
311
of <quote>d</quote>, <quote>s</quote>, <quote>m</quote>,
312
<quote>h</quote>, and <quote>w</quote> for days, seconds,
313
minutes, hours, and weeks, respectively. The values are
314
added together to give the total time value, so all of
315
<quote><literal>330s</literal></quote>,
316
<quote><literal>110s 110s 110s</literal></quote>, and
317
<quote><literal>5m 30s</literal></quote> will give a value
318
of five minutes and thirty seconds.
415
365
<quote><literal>approval_duration</literal></quote>,
416
366
<quote><literal>created</literal></quote>,
417
367
<quote><literal>enabled</literal></quote>,
418
<quote><literal>expires</literal></quote>,
419
368
<quote><literal>fingerprint</literal></quote>,
420
369
<quote><literal>host</literal></quote>,
421
370
<quote><literal>interval</literal></quote>,
512
460
<refsect1 id="see_also">
513
461
<title>SEE ALSO</title>
515
<citerefentry><refentrytitle>intro</refentrytitle>
516
<manvolnum>8mandos</manvolnum></citerefentry>,
517
463
<citerefentry><refentrytitle>mandos-keygen</refentrytitle>
518
464
<manvolnum>8</manvolnum></citerefentry>,
519
465
<citerefentry><refentrytitle>mandos.conf</refentrytitle>
520
466
<manvolnum>5</manvolnum></citerefentry>,
521
467
<citerefentry><refentrytitle>mandos</refentrytitle>
522
<manvolnum>8</manvolnum></citerefentry>,
523
<citerefentry><refentrytitle>fping</refentrytitle>
524
468
<manvolnum>8</manvolnum></citerefentry>
529
RFC 3339: <citetitle>Date and Time on the Internet:
530
Timestamps</citetitle>
534
The time intervals are in the "duration" format, as
535
specified in ABNF in Appendix A of RFC 3339.
542
472
<!-- Local Variables: -->
added
removed
mandos-clients.conf.xml
