/mandos/release : revision 91

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2008-08-19 23:44:17 UTC
Revision ID: teddy@fukt.bsnet.se-20080819234417-8dz5prw19ihrklx6

* Makefile (DOCBOOKTOMAN): Include all DocBook-to-manpage-related
                           commands here, and use it everywhere.
  (mandos.8, mandos.conf.5): New; also depend on "mandos-options.xml".

* mandos-keygen.xml: Removed OVERVIEW entity.  Add XInclude namespace.
  (OVERVIEW): Changed to do <xi:include/>.

* mandos-options.xml (<simplesect>): Changed to a <section>.
  ([@id="address"]): Reordered sentences.

* mandos.conf.xml (OPTIONS): Removed illegal <arg> tags.
  (EXAMPLE): Added empty example.

* mandos.xml (NETWORK PROTOCOL): Bug fix: Changed "1\r\en" back to
                                 "1\r\n".
  (CHECKING): Do not refer to the non-relevant mandos.conf(5) manual.

files added:
mandos-options.xml

files modified:
Makefile

TODO

mandos

mandos-keygen

mandos-keygen.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugins.d/password-prompt.xml

plugins.d/password-request.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY OVERVIEW SYSTEM "overview.xml">

<title>&COMMANDNAME;</title>

154

153

<term><literal>-i</literal>, <literal>--interface <replaceable>

155

154

IF</replaceable></literal></term>

156

155

157

<para>

158

Only announce the server and listen to requests on network

159

interface <replaceable>IF</replaceable>. Default is to

160

use all available interfaces. <emphasis>Note:</emphasis>

161

a failure to bind to the specified interface is not

162

considered critical, and the server does not exit.

163

</para>

156

<xi:include href="mandos-options.xml" xpointer="interface"/>

164

157

</listitem>

165

158

</varlistentry>

166

159

168

161

<term><literal>-a</literal>, <literal>--address <replaceable>

169

162

ADDRESS</replaceable></literal></term>

170

163

171

<para>

172

If this option is used, the server will only listen to a

173

specific address. This must currently be an IPv6 address;

174

an IPv4 address can be specified using the

175

<quote><literal>::FFFF:192.0.2.3</literal></quote> syntax.

176

Also, if a link-local address is specified, an interface

177

should be set, since a link-local address is only valid on

178

a single interface. By default, the server will listen to

179

all available addresses.

180

</para>

164

<xi:include href="mandos-options.xml" xpointer="address"/>

181

165

</listitem>

182

166

</varlistentry>

183

167

185

169

186

170

PORT</replaceable></literal></term>

187

171

188

<para>

189

If this option is used, the server to bind to that

190

port. By default, the server will listen to an arbitrary

191

port given by the operating system.

192

</para>

172

<xi:include href="mandos-options.xml" xpointer="port"/>

193

173

</listitem>

194

174

</varlistentry>

195

175

206

186

207

187

<term><literal>--debug</literal></term>

208

188

209

<para>

210

If the server is run in debug mode, it will run in the

211

foreground and print a lot of debugging information. The

212

default is <emphasis>not</emphasis> to run in debug mode.

213

</para>

189

<xi:include href="mandos-options.xml" xpointer="debug"/>

214

190

</listitem>

215

191

</varlistentry>

216

192

218

194

<term><literal>--priority <replaceable>

219

195

PRIORITY</replaceable></literal></term>

220

196

221

<para>

222

GnuTLS priority string for the TLS handshake with the

223

clients. The default is

224

<quote><literal>SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP</literal></quote>.

225

See <citerefentry><refentrytitle>gnutls_priority_init

226

</refentrytitle><manvolnum>3</manvolnum></citerefentry>

227

for the syntax. <emphasis>Warning</emphasis>: changing

228

this may make the TLS handshake fail, making communication

229

with clients impossible.

230

</para>

197

<xi:include href="mandos-options.xml" xpointer="priority"/>

231

198

</listitem>

232

199

</varlistentry>

233

200

235

202

<term><literal>--servicename <replaceable>NAME</replaceable>

236

203

</literal></term>

237

204

238

<para>

239

Zeroconf service name. The default is

240

<quote><literal>Mandos</literal></quote>. You only need

241

to change this if you for some reason want to run more

242

than one server on the same <emphasis>host</emphasis>,

243

which would not normally be useful. If there are name

244

collisions on the same <emphasis>network</emphasis>, the

245

newer server will automatically rename itself to

246

<quote><literal>Mandos #2</literal></quote>, and so on;

247

therefore, this option is not needed in that case.

248

</para>

205

<xi:include href="mandos-options.xml"

206

xpointer="servicename"/>

249

207

</listitem>

250

208

</varlistentry>

251

209

277

235

278

236

279

237

<title>OVERVIEW</title>

280

&OVERVIEW;

238

<xi:include href="overview.xml"/>

281

239

<para>

282

240

This program is the server part. It is a normal server program

283

241

and will run in a normal system environment, not in an initial

316

274

317

275

</row>

318

276

<row>

319

277

320

278

321

279

</row>

322

280

<row>

352

310

longer eligible to receive the encrypted password. The timeout,

353

311

checker program, and interval between checks can be configured

354

312

both globally and per client; see <citerefentry>

355

<refentrytitle>mandos.conf</refentrytitle>

356

357

313

<refentrytitle>mandos-clients.conf</refentrytitle>

358

314

<manvolnum>5</manvolnum></citerefentry>.

359

315

</para>

362

318

363

319

<title>LOGGING</title>

364

320

<para>

365

The server will send log messaged with various severity levels

366

to <filename>/dev/log</filename>. With the

321

The server will send log message with various severity levels to

322

<filename>/dev/log</filename>. With the

367

323

<option>--debug</option> option, it will log even more messages,

368

324

and also show them on the console.

369

325

</para>

390

346

<varname>PATH</varname> to search for matching commands if

391

347

an absolute path is not given. See <citerefentry>

392

348

393

</citerefentry>

349

</citerefentry>.

394

350

</para>

395

351

</listitem>

396

352

</varlistentry>

561

517

re-read its client list from its configuration file and again

562

518

regard all clients therein as valid, and hence eligible to

563

519

receive their passwords. Therefore, be careful when

564

restarting servers if you suspect that a client has, in fact,

565

been compromised by parties who may now be running a fake

566

Mandos client with the keys from the non-encrypted initial RAM

567

image of the client host. What should be done in that case

568

(if restarting the server program really is necessary) is to

569

stop the server program, edit the configuration file to omit

570

any suspect clients, and restart the server program.

520

restarting servers if it is suspected that a client has, in

521

fact, been compromised by parties who may now be running a

522

fake Mandos client with the keys from the non-encrypted

523

initial RAM image of the client host. What should be done in

524

that case (if restarting the server program really is

525

necessary) is to stop the server program, edit the

526

configuration file to omit any suspect clients, and restart

527

the server program.

571

528

</para>

572

529

<para>

573

530

For more details on client-side security, see

Older »