/mandos/release : revision 370

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos-clients.conf.xml

Committer: Teddy Hogeborn
Date: 2019-02-10 04:21:31 UTC
mfrom: (237.7.517 trunk)
Revision ID: teddy@recompile.se-20190210042131-5t7gplpmxqplq9r6

Merge from trunk

files added:
bugs.xml

debian/mandos-client.examples

debian/mandos-client.templates

debian/mandos.templates

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

initramfs-tools-conf

initramfs-tools-script-stop

initramfs-unpack

intro.xml

mandos-to-cryptroot-unlock

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

dbus-mandos.conf

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-clients.conf.xml

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY CONFNAME "mandos-clients.conf">

<!ENTITY CONFPATH "<filename>/etc/mandos/clients.conf</filename>">

<!ENTITY TIMESTAMP "2011-02-27">

<!ENTITY TIMESTAMP "2019-02-10">

<!ENTITY % common SYSTEM "common.ent">

%common;

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

><refentrytitle>mandos</refentrytitle>

<manvolnum>8</manvolnum></citerefentry>, read by it at startup.

The file needs to list all clients that should be able to use

the service. All clients listed will be regarded as enabled,

even if a client was disabled in a previous run of the server.

the service. The settings in this file can be overridden by

runtime changes to the server, which it saves across restarts.

(See the section called <quote>PERSISTENT STATE</quote> in

<citerefentry><refentrytitle>mandos</refentrytitle><manvolnum

>8</manvolnum></citerefentry>.) However, any <emphasis

>changes</emphasis> to this file (including adding and removing

clients) will, at startup, override changes done during runtime.

</para>

<para>

The format starts with a <literal>[<replaceable>section

111

124

<para>

112

125

How long to wait for external approval before resorting to

113

126

use the <option>approved_by_default</option> value. The

114

default is <quote>0s</quote>, i.e. not to wait.

127

default is <quote>PT0S</quote>, i.e. not to wait.

115

128

</para>

116

129

<para>

117

130

The format of <replaceable>TIME</replaceable> is the same

161

174

This option is <emphasis>optional</emphasis>.

162

175

</para>

163

176

<para>

164

This option allows you to override the default shell

165

command that the server will use to check if the client is

166

still up. Any output of the command will be ignored, only

167

the exit code is checked: If the exit code of the command

168

is zero, the client is considered up. The command will be

169

run using <quote><command><filename>/bin/sh</filename>

177

This option overrides the default shell command that the

178

server will use to check if the client is still up. Any

179

output of the command will be ignored, only the exit code

180

is checked: If the exit code of the command is zero, the

181

client is considered up. The command will be run using

182

170

183

<option>-c</option></command></quote>, so

171

184

<varname>PATH</varname> will be searched. The default

172

185

value for the checker command is <quote><literal

173

186

><command>fping</command> <option>-q</option> <option

174

>--</option> %%(host)s</literal></quote>.

187

>--</option> %%(host)s</literal></quote>. Note that

188

<command>mandos-keygen</command>, when generating output

189

to be inserted into this file, normally looks for an SSH

190

server on the Mandos client, and, if it finds one, outputs

191

a <option>checker</option> option to check for the

192

client’s SSH key fingerprint – this is more secure against

193

spoofing.

175

194

</para>

176

195

<para>

177

196

In addition to normal start time expansion, this option

182

201

</varlistentry>

183

202

184

203

204

<term><option>extended_timeout<literal> = </literal><replaceable

205

>TIME</replaceable></option></term>

206

207

<para>

208

This option is <emphasis>optional</emphasis>.

209

</para>

210

<para>

211

Extended timeout is an added timeout that is given once

212

after a password has been sent successfully to a client.

213

The timeout is by default longer than the normal timeout,

214

and is used for handling the extra long downtime while a

215

machine is booting up. Time to take into consideration

216

when changing this value is file system checks and quota

217

checks. The default value is 15 minutes.

218

</para>

219

<para>

220

The format of <replaceable>TIME</replaceable> is the same

221

as for <varname>timeout</varname> below.

222

</para>

223

</listitem>

224

</varlistentry>

225

226

185

227

<term><option>fingerprint<literal> = </literal

186

228

><replaceable>HEXSTRING</replaceable></option></term>

187

229

191

233

<para>

192

234

This option sets the OpenPGP fingerprint that identifies

193

235

the public key that clients authenticate themselves with

194

through TLS. The string needs to be in hexidecimal form,

236

through TLS. The string needs to be in hexadecimal form,

237

but spaces or upper/lower case are not significant.

238

</para>

239

</listitem>

240

</varlistentry>

241

242

243

<term><option>key_id<literal> = </literal

244

><replaceable>HEXSTRING</replaceable></option></term>

245

246

<para>

247

This option is <emphasis>optional</emphasis>.

248

</para>

249

<para>

250

This option sets the certificate key ID that identifies

251

the public key that clients authenticate themselves with

252

through TLS. The string needs to be in hexadecimal form,

195

253

but spaces or upper/lower case are not significant.

196

254

</para>

197

255

</listitem>

229

287

will wait for a checker to complete until the below

230

288

<quote><varname>timeout</varname></quote> occurs, at which

231

289

time the client will be disabled, and any running checker

232

killed. The default interval is 5 minutes.

290

killed. The default interval is 2 minutes.

233

291

</para>

234

292

<para>

235

293

The format of <replaceable>TIME</replaceable> is the same

273

331

<para>

274

332

If present, this option must be set to a string of

275

333

base64-encoded binary data. It will be decoded and sent

276

to the client matching the above

277

<option>fingerprint</option>. This should, of course, be

278

OpenPGP encrypted data, decryptable only by the client.

334

to the client matching the above <option>key_id</option>

335

or <option>fingerprint</option>. This should, of course,

336

be OpenPGP encrypted data, decryptable only by the client.

279

337

The program <citerefentry><refentrytitle><command

280

338

>mandos-keygen</command></refentrytitle><manvolnum

281

339

>8</manvolnum></citerefentry> can, using its

299

357

This option is <emphasis>optional</emphasis>.

300

358

</para>

301

359

<para>

302

The timeout is how long the server will wait (for either a

303

successful checker run or a client receiving its secret)

304

until a client is disabled and not allowed to get the data

305

this server holds. By default Mandos will use 1 hour.

306

</para>

307

<para>

308

The <replaceable>TIME</replaceable> is specified as a

309

space-separated number of values, each of which is a

310

number and a one-character suffix. The suffix must be one

311

of <quote>d</quote>, <quote>s</quote>, <quote>m</quote>,

312

<quote>h</quote>, and <quote>w</quote> for days, seconds,

313

minutes, hours, and weeks, respectively. The values are

314

added together to give the total time value, so all of

315

<quote><literal>330s</literal></quote>,

316

<quote><literal>110s 110s 110s</literal></quote>, and

317

<quote><literal>5m 30s</literal></quote> will give a value

318

of five minutes and thirty seconds.

360

The timeout is how long the server will wait, after a

361

successful checker run, until a client is disabled and not

362

allowed to get the data this server holds. By default

363

Mandos will use 5 minutes. See also the

364

<option>extended_timeout</option> option.

365

</para>

366

<para>

367

The <replaceable>TIME</replaceable> is specified as an RFC

368

3339 duration; for example

369

<quote><literal>P1Y2M3DT4H5M6S</literal></quote> meaning

370

one year, two months, three days, four hours, five

371

minutes, and six seconds. Some values can be omitted, see

372

RFC 3339 Appendix A for details.

373

</para>

374

</listitem>

375

</varlistentry>

376

377

378

<term><option>enabled<literal> = </literal>{ <literal

379

>1</literal> | <literal>yes</literal> | <literal>true</literal

380

> | <literal >on</literal> | <literal>0</literal> | <literal

381

>no</literal> | <literal>false</literal> | <literal

382

>off</literal> }</option></term>

383

384

<para>

385

Whether this client should be enabled by default. The

386

default is <quote>true</quote>.

319

387

</para>

320

388

</listitem>

321

389

</varlistentry>

365

433

<quote><literal>approval_duration</literal></quote>,

366

434

<quote><literal>created</literal></quote>,

367

435

<quote><literal>enabled</literal></quote>,

436

<quote><literal>expires</literal></quote>,

437

<quote><literal>key_id</literal></quote>,

368

438

<quote><literal>fingerprint</literal></quote>,

369

439

<quote><literal>host</literal></quote>,

370

440

<quote><literal>interval</literal></quote>,

413

483

<literal>%(<replaceable>foo</replaceable>)s</literal> is

414

484

obscure.

415

485

</para>

486

<xi:include href="bugs.xml"/>

416

487

</refsect1>

417

488

418

489

420

491

421

492

422

493

[DEFAULT]

423

timeout = 1h

424

interval = 5m

494

timeout = PT5M

495

interval = PT2M

425

496

checker = fping -q -- %%(host)s

426

497

427

498

# Client "foo"

428

499

[foo]

500

key_id = 788cd77115cd0bb7b2d5e0ae8496f6b48149d5e712c652076b1fd2d957ef7c1f

429

501

fingerprint = 7788 2722 5BA7 DE53 9C5A 7CFA 59CF F7CD BD9A 5920

430

502

secret =

431

503

hQIOA6QdEjBs2L/HEAf/TCyrDe5Xnm9esa+Pb/vWF9CUqfn4srzVgSu234

444

516

4T2zw4dxS5NswXWU0sVEXxjs6PYxuIiCTL7vdpx8QjBkrPWDrAbcMyBr2O

445

517

QlnHIvPzEArRQLo=

446

518

host = foo.example.org

447

interval = 1m

519

interval = PT1M

448

520

449

521

# Client "bar"

450

522

[bar]

523

key_id = F90C7A81D72D1EA69A51031A91FF8885F36C8B46D155C8C58709A4C99AE9E361

451

524

fingerprint = 3e393aeaefb84c7e89e2f547b3a107558fca3a27

452

525

secfile = /etc/mandos/bar-secret

453

timeout = 15m

526

timeout = PT15M

454

527

approved_by_default = False

455

approval_delay = 30s

528

approval_delay = PT30S

456

529

</programlisting>

457

530

</informalexample>

458

531

</refsect1>

460

533

461

534

462

535

<para>

536

<citerefentry><refentrytitle>intro</refentrytitle>

537

<manvolnum>8mandos</manvolnum></citerefentry>,

463

538

<citerefentry><refentrytitle>mandos-keygen</refentrytitle>

464

539

<manvolnum>8</manvolnum></citerefentry>,

465

540

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

466

541

<manvolnum>5</manvolnum></citerefentry>,

467

542

<citerefentry><refentrytitle>mandos</refentrytitle>

543

<manvolnum>8</manvolnum></citerefentry>,

544

<citerefentry><refentrytitle>fping</refentrytitle>

468

545

469

546

</para>

547

548

549

<term>

550

RFC 3339: <citetitle>Date and Time on the Internet:

551

Timestamps</citetitle>

552

</term>

553

554

<para>

555

The time intervals are in the "duration" format, as

556

specified in ABNF in Appendix A of RFC 3339.

557

</para>

558

</listitem>

559

</varlistentry>

560

</variablelist>

470

561

</refsect1>

471

562

</refentry>

472

563

Older »