/mandos/release : revision 87

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2008-08-18 05:24:20 UTC
Revision ID: teddy@fukt.bsnet.se-20080818052420-ab5eurrioz8n2qy6

* Makefile: Bug fix: fixed creation of man pages in "plugins.d".

* mandos-keygen Bug fix: make the --expire option modify
                KEYEXPIRE, not KEYCOMMENT.  Use the "--no-options"
                option to gpg when exporting keys from the temporary
                key ring files.

* mandos-keygen.xml (EXIT STATUS): Filled in.
  (ENVIRONMENT): New section, documenting use of TMPDIR.
  (FILES): Document use of key files and /tmp.
  (BUGS): Filled in.
  (EXAMPLE): Added two examples.
  (SECURITY): Added some text.

* plugins.d/password-prompt.xml (NOTES): Removed, since this is
                                         created automatically for
                                         footnotes.
  (ENVIRONMENT, FILES): Added empty sections.
  (EXAMPLES): Renamed to "EXAMPLE", as per man-pages(7).

* plugins.d/password-request.xml: Reordered sections.
  (ENVIRONMENT): New empty section.
  (EXAMPLES): Renamed to "EXAMPLE", as per man-pages(7).

Show diffs side-by-side

added added

removed removed

mandos.xml

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2008-08-31">

<!ENTITY OVERVIEW SYSTEM "overview.xml">

<title>Mandos Manual</title>

<title>&COMMANDNAME;</title>

<productname>Mandos</productname>

<productname>&COMMANDNAME;</productname>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<refname><command>&COMMANDNAME;</command></refname>

Gives encrypted passwords to authenticated Mandos clients

Sends encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

</group>

<sbr/>

<group>

<arg choice="plain"><option>--address

<replaceable>ADDRESS</replaceable></option></arg>

<arg choice="plain"><option>-a

<replaceable>ADDRESS</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--port

<arg choice="plain"><option>-p

</group>

<sbr/>

<arg><option>--priority

<replaceable>PRIORITY</replaceable></option></arg>

100

<sbr/>

101

<arg><option>--servicename

102

103

<sbr/>

104

<arg><option>--configdir

105

<replaceable>DIRECTORY</replaceable></option></arg>

106

<sbr/>

107

<arg><option>--debug</option></arg>

<arg>--interface<arg choice="plain">IF</arg></arg>

<arg>--address<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg>-a<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

108

</cmdsynopsis>

109

110

<command>&COMMANDNAME;</command>

111

112

113

114

</group>

115

100

</cmdsynopsis>

116

101

117

102

<command>&COMMANDNAME;</command>

118

<arg choice="plain"><option>--version</option></arg>

103

<arg choice="plain">--version</arg>

119

104

</cmdsynopsis>

120

105

121

106

<command>&COMMANDNAME;</command>

122

<arg choice="plain"><option>--check</option></arg>

107

<arg choice="plain">--check</arg>

123

108

</cmdsynopsis>

124

109

</refsynopsisdiv>

125

110

149

134

<emphasis>encrypted root file system</emphasis>. See <xref

150

135

linkend="overview"/> for details.

151

136

</para>

152

137

153

138

</refsect1>

154

139

155

140

156

141

<title>OPTIONS</title>

157

142

158

143

159

144

160

161

145

162

146

163

147

<para>

164

148

Show a help message and exit

165

149

</para>

166

150

</listitem>

167

151

</varlistentry>

168

169

170

<term><option>--interface</option>

171

172

173

174

175

<xi:include href="mandos-options.xml" xpointer="interface"/>

176

</listitem>

177

</varlistentry>

178

179

180

<term><option>--address

181

<replaceable>ADDRESS</replaceable></option></term>

182

<term><option>-a

183

<replaceable>ADDRESS</replaceable></option></term>

184

185

<xi:include href="mandos-options.xml" xpointer="address"/>

186

</listitem>

187

</varlistentry>

188

189

190

<term><option>--port

191

192

<term><option>-p

193

194

195

<xi:include href="mandos-options.xml" xpointer="port"/>

196

</listitem>

197

</varlistentry>

198

199

200

<term><option>--check</option></term>

152

153

154

<term><literal>-i</literal>, <literal>--interface <replaceable>

155

IF</replaceable></literal></term>

156

157

<para>

158

Only announce the server and listen to requests on network

159

interface <replaceable>IF</replaceable>. Default is to

160

use all available interfaces. <emphasis>Note:</emphasis>

161

a failure to bind to the specified interface is not

162

considered critical, and the server does not exit.

163

</para>

164

</listitem>

165

</varlistentry>

166

167

168

<term><literal>-a</literal>, <literal>--address <replaceable>

169

ADDRESS</replaceable></literal></term>

170

171

<para>

172

If this option is used, the server will only listen to a

173

specific address. This must currently be an IPv6 address;

174

an IPv4 address can be specified using the

175

<quote><literal>::FFFF:192.0.2.3</literal></quote> syntax.

176

Also, if a link-local address is specified, an interface

177

should be set, since a link-local address is only valid on

178

a single interface. By default, the server will listen to

179

all available addresses.

180

</para>

181

</listitem>

182

</varlistentry>

183

184

185

186

PORT</replaceable></literal></term>

187

188

<para>

189

If this option is used, the server to bind to that

190

port. By default, the server will listen to an arbitrary

191

port given by the operating system.

192

</para>

193

</listitem>

194

</varlistentry>

195

196

197

<term><literal>--check</literal></term>

201

198

202

199

<para>

203

200

Run the server’s self-tests. This includes any unit

205

202

</para>

206

203

</listitem>

207

204

</varlistentry>

208

209

210

<term><option>--debug</option></term>

211

212

<xi:include href="mandos-options.xml" xpointer="debug"/>

213

</listitem>

214

</varlistentry>

215

216

217

<term><option>--priority <replaceable>

218

PRIORITY</replaceable></option></term>

219

220

<xi:include href="mandos-options.xml" xpointer="priority"/>

221

</listitem>

222

</varlistentry>

223

224

225

<term><option>--servicename

226

227

228

<xi:include href="mandos-options.xml"

229

xpointer="servicename"/>

230

</listitem>

231

</varlistentry>

232

233

234

<term><option>--configdir

235

<replaceable>DIRECTORY</replaceable></option></term>

205

206

207

<term><literal>--debug</literal></term>

208

209

<para>

210

If the server is run in debug mode, it will run in the

211

foreground and print a lot of debugging information. The

212

default is <emphasis>not</emphasis> to run in debug mode.

213

</para>

214

</listitem>

215

</varlistentry>

216

217

218

<term><literal>--priority <replaceable>

219

PRIORITY</replaceable></literal></term>

220

221

<para>

222

GnuTLS priority string for the TLS handshake with the

223

clients. The default is

224

<quote><literal>SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP</literal></quote>.

225

See <citerefentry><refentrytitle>gnutls_priority_init

226

</refentrytitle><manvolnum>3</manvolnum></citerefentry>

227

for the syntax. <emphasis>Warning</emphasis>: changing

228

this may make the TLS handshake fail, making communication

229

with clients impossible.

230

</para>

231

</listitem>

232

</varlistentry>

233

234

235

<term><literal>--servicename <replaceable>NAME</replaceable>

236

</literal></term>

237

238

<para>

239

Zeroconf service name. The default is

240

<quote><literal>Mandos</literal></quote>. This only needs

241

to be changed this if it, for some reason, is necessary to

242

run more than one server on the same

243

<emphasis>host</emphasis>, which would not normally be

244

useful. If there are name collisions on the same

245

<emphasis>network</emphasis>, the newer server will

246

automatically rename itself to <quote><literal>Mandos

247

#2</literal></quote>, and so on; therefore, this option is

248

not needed in that case.

249

</para>

250

</listitem>

251

</varlistentry>

252

253

254

<term><literal>--configdir <replaceable>DIR</replaceable>

255

</literal></term>

236

256

237

257

<para>

238

258

Directory to search for configuration files. Default is

246

266

</varlistentry>

247

267

248

268

249

<term><option>--version</option></term>

269

<term><literal>--version</literal></term>

250

270

251

271

<para>

252

272

Prints the program version and exit.

258

278

259

279

260

280

<title>OVERVIEW</title>

261

<xi:include href="overview.xml"/>

281

&OVERVIEW;

262

282

<para>

263

283

This program is the server part. It is a normal server program

264

284

and will run in a normal system environment, not in an initial

297

317

298

318

</row>

299

319

<row>

300

320

301

321

302

322

</row>

303

323

<row>

333

353

longer eligible to receive the encrypted password. The timeout,

334

354

checker program, and interval between checks can be configured

335

355

both globally and per client; see <citerefentry>

356

<refentrytitle>mandos.conf</refentrytitle>

357

336

358

<refentrytitle>mandos-clients.conf</refentrytitle>

337

359

<manvolnum>5</manvolnum></citerefentry>.

338

360

</para>

341

363

342

364

<title>LOGGING</title>

343

365

<para>

344

The server will send log message with various severity levels to

345

<filename>/dev/log</filename>. With the

366

The server will send log messaged with various severity levels

367

to <filename>/dev/log</filename>. With the

346

368

<option>--debug</option> option, it will log even more messages,

347

369

and also show them on the console.

348

370

</para>

360

382

<title>ENVIRONMENT</title>

361

383

362

384

363

385

364

386

365

387

<para>

366

388

To start the configured checker (see <xref

369

391

<varname>PATH</varname> to search for matching commands if

370

392

an absolute path is not given. See <citerefentry>

371

393

372

</citerefentry>.

394

</citerefentry>

373

395

</para>

374

396

</listitem>

375

397

</varlistentry>

471

493

Normal invocation needs no options:

472

494

</para>

473

495

<para>

474

<userinput>&COMMANDNAME;</userinput>

496

<userinput>mandos</userinput>

475

497

</para>

476

498

</informalexample>

477

499

484

506

<para>

485

507

486

508

487

<userinput>&COMMANDNAME; --debug --configdir ~/mandos --servicename Test</userinput>

509

<userinput>mandos --debug --configdir ~/mandos --servicename Test</userinput>

488

510

489

511

</para>

490

512

</informalexample>

496

518

<para>

497

519

498

520

499

<userinput>&COMMANDNAME; --interface eth7 --address fe80::aede:48ff:fe71:f6f2</userinput>

521

<userinput>mandos --interface eth7 --address fe80::aede:48ff:fe71:f6f2</userinput>

500

522

501

523

</para>

502

524

</informalexample>

559

581

560

582

561

583

562

<para>

563

564

<refentrytitle>mandos-clients.conf</refentrytitle>

565

566

<refentrytitle>mandos.conf</refentrytitle>

567

568

<refentrytitle>password-request</refentrytitle>

569

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

570

571

</citerefentry>

572

</para>

573

584

574

585

575

586

<term>

587

588

<refentrytitle>password-request</refentrytitle>

589

<manvolnum>8mandos</manvolnum>

590

</citerefentry>

591

</term>

592

593

<para>

594

This is the actual program which talks to this server.

595

Note that it is normally not invoked directly, and is only

596

run in the initial RAM disk environment, and not on a

597

fully started system.

598

</para>

599

</listitem>

600

</varlistentry>

601

602

<term>

576

603

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

577

604

</term>

578

605

595

622

</varlistentry>

596

623

597

624

<term>

598

<ulink url="http://www.gnu.org/software/gnutls/"

599

>GnuTLS</ulink>

625

<ulink

626

url="http://www.gnu.org/software/gnutls/">GnuTLS</ulink>

600

627

</term>

601

628

602

629

<para>

608

635

</varlistentry>

609

636

610

637

<term>

611

RFC 4291: <citetitle>IP Version 6 Addressing

612

Architecture</citetitle>

638

<citation>RFC 4291: <citetitle>IP Version 6 Addressing

639

Architecture</citetitle>, section 2.5.6, Link-Local IPv6

640

Unicast Addresses</citation>

613

641

</term>

614

642

615

616

617

<term>Section 2.2: <citetitle>Text Representation of

618

Addresses</citetitle></term>

619

620

</varlistentry>

621

622

<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6

623

Address</citetitle></term>

624

625

</varlistentry>

626

627

<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast

628

Addresses</citetitle></term>

629

630

<para>

631

The clients use IPv6 link-local addresses, which are

632

immediately usable since a link-local addresses is

633

automatically assigned to a network interfaces when it

634

is brought up.

635

</para>

636

</listitem>

637

</varlistentry>

638

</variablelist>

643

<para>

644

The clients use IPv6 link-local addresses, which are

645

immediately usable since a link-local addresses is

646

automatically assigned to a network interfaces when it is

647

brought up.

648

</para>

639

649

</listitem>

640

650

</varlistentry>

641

651

642

652

<term>

643

RFC 4346: <citetitle>The Transport Layer Security (TLS)

644

Protocol Version 1.1</citetitle>

653

<citation>RFC 4346: <citetitle>The Transport Layer Security

654

(TLS) Protocol Version 1.1</citetitle></citation>

645

655

</term>

646

656

647

657

<para>

651

661

</varlistentry>

652

662

653

663

<term>

654

RFC 4880: <citetitle>OpenPGP Message Format</citetitle>

664

<citation>RFC 4880: <citetitle>OpenPGP Message

665

Format</citetitle></citation>

655

666

</term>

656

667

657

668

<para>

661

672

</varlistentry>

662

673

663

674

<term>

664

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

665

Security</citetitle>

675

<citation>RFC 5081: <citetitle>Using OpenPGP Keys for

676

Transport Layer Security</citetitle></citation>

666

677

</term>

667

678

668

679

<para>

674

685

</variablelist>

675

686

</refsect1>

676

687

</refentry>

677

678

679

680

681

Older »