/mandos/trunk

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY CONFNAME "mandos-clients.conf">

<!ENTITY CONFPATH "<filename>/etc/mandos/clients.conf</filename>">

<!ENTITY TIMESTAMP "2009-02-15">

<!ENTITY % common SYSTEM "common.ent">

%common;

]>

<refentry xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>

    <title>Mandos Manual</title>

    <!-- NWalsh’s docbook scripts use this to generate the footer: -->

    <productname>Mandos</productname>

    <productnumber>&version;</productnumber>

    <date>&TIMESTAMP;</date>

    <authorgroup>

      <author>

	<firstname>Björn</firstname>

	<surname>Påhlsson</surname>

	<address>

	  <email>belorn@fukt.bsnet.se</email>

	</address>

      </author>

      <author>

	<firstname>Teddy</firstname>

	<surname>Hogeborn</surname>

	<address>

	  <email>teddy@fukt.bsnet.se</email>

	</address>

      </author>

    </authorgroup>

    <copyright>

      <year>2008</year>

      <year>2009</year>

      <holder>Teddy Hogeborn</holder>

      <holder>Björn Påhlsson</holder>

    </copyright>

    <xi:include href="legalnotice.xml"/>

  </refentryinfo>

  <refmeta>

    <refentrytitle>&CONFNAME;</refentrytitle>

    <manvolnum>5</manvolnum>

  </refmeta>

  <refnamediv>

    <refname><filename>&CONFNAME;</filename></refname>

    <refpurpose>

      Configuration file for the Mandos server

    </refpurpose>

  </refnamediv>

  <refsynopsisdiv>

    <synopsis>&CONFPATH;</synopsis>

  </refsynopsisdiv>

  <refsect1 id="description">

    <title>DESCRIPTION</title>

    <para>

      The file &CONFPATH; is a configuration file for <citerefentry

      ><refentrytitle>mandos</refentrytitle>

      <manvolnum>8</manvolnum></citerefentry>, read by it at startup.

      The file needs to list all clients that should be able to use

      the service.  All clients listed will be regarded as valid, even

      if a client was declared invalid in a previous run of the

      server.

    </para>

    <para>

      The format starts with a <literal>[<replaceable>section

      header</replaceable>]</literal> which is either

      <literal>[DEFAULT]</literal> or <literal>[<replaceable>client

      name</replaceable>]</literal>.  The <replaceable>client

      name</replaceable> can be anything, and is not tied to a host

      name.  Following the section header is any number of

      <quote><varname><replaceable>option</replaceable

      ></varname>=<replaceable>value</replaceable></quote> entries,

      with continuations in the style of RFC 822.  <quote><varname

      ><replaceable>option</replaceable></varname>: <replaceable

      >value</replaceable></quote> is also accepted.  Note that

      leading whitespace is removed from values.  Values can contain

      format strings which refer to other values in the same section,

      or values in the <quote>DEFAULT</quote> section (see <xref

      linkend="expansion"/>).  Lines beginning with <quote>#</quote>

      or <quote>;</quote> are ignored and may be used to provide

      comments.

    </para>

  </refsect1>

  <refsect1 id="options">

    <title>OPTIONS</title>

    <para>

      <emphasis>Note:</emphasis> all option values are subject to

      start time expansion, see <xref linkend="expansion"/>.

    </para>

    <para>

      Unknown options are ignored.  The used options are as follows:

    </para>

    <variablelist>

      <varlistentry>

	<term><option>timeout<literal> = </literal><replaceable

	>TIME</replaceable></option></term>

	<listitem>

	  <para>

	    This option is <emphasis>optional</emphasis>.

	  </para>

	  <para>

	    The timeout is how long the server will wait for a

	    successful checker run until a client is considered

	    invalid - that is, ineligible to get the data this server

	    holds.  By default Mandos will use 1 hour.

	  </para>

	  <para>

	    The <replaceable>TIME</replaceable> is specified as a

	    space-separated number of values, each of which is a

	    number and a one-character suffix.  The suffix must be one

	    of <quote>d</quote>, <quote>s</quote>, <quote>m</quote>,

	    <quote>h</quote>, and <quote>w</quote> for days, seconds,

	    minutes, hours, and weeks, respectively.  The values are

	    added together to give the total time value, so all of

	    <quote><literal>330s</literal></quote>,

	    <quote><literal>110s 110s 110s</literal></quote>, and

	    <quote><literal>5m 30s</literal></quote> will give a value

	    of five minutes and thirty seconds.

	  </para>

	</listitem>

      </varlistentry>

      <varlistentry>

	<term><option>interval<literal> = </literal><replaceable

	>TIME</replaceable></option></term>

	<listitem>

	  <para>

	    This option is <emphasis>optional</emphasis>.

	  </para>

	  <para>

	    How often to run the checker to confirm that a client is

	    still up.  <emphasis>Note:</emphasis> a new checker will

	    not be started if an old one is still running.  The server

	    will wait for a checker to complete until the above

	    <quote><varname>timeout</varname></quote> occurs, at which

	    time the client will be marked invalid, and any running

	    checker killed.  The default interval is 5 minutes.

	  </para>

	  <para>

	    The format of <replaceable>TIME</replaceable> is the same

	    as for <varname>timeout</varname> above.

	  </para>

	</listitem>

      </varlistentry>

      <varlistentry>

	<term><option>checker<literal> = </literal><replaceable

	>COMMAND</replaceable></option></term>

	<listitem>

	  <para>

	    This option is <emphasis>optional</emphasis>.

	  </para>

	  <para>

	    This option allows you to override the default shell

	    command that the server will use to check if the client is

	    still up.  Any output of the command will be ignored, only

	    the exit code is checked:  If the exit code of the command

	    is zero, the client is considered up.  The command will be

	    run using <quote><command><filename>/bin/sh</filename>

	    <option>-c</option></command></quote>, so

	    <varname>PATH</varname> will be searched.  The default

	    value for the checker command is <quote><literal

	    ><command>fping</command> <option>-q</option> <option

	    >--</option> %%(host)s</literal></quote>.

	  </para>

	  <para>

	    In addition to normal start time expansion, this option

	    will also be subject to runtime expansion; see <xref

	    linkend="expansion"/>.

	  </para>

	</listitem>

      </varlistentry>

      <varlistentry>

	<term><option>fingerprint<literal> = </literal

	><replaceable>HEXSTRING</replaceable></option></term>

	<listitem>

	  <para>

	    This option is <emphasis>required</emphasis>.

	  </para>

	  <para>

	    This option sets the OpenPGP fingerprint that identifies

	    the public key that clients authenticate themselves with

	    through TLS.  The string needs to be in hexidecimal form,

	    but spaces or upper/lower case are not significant.

	  </para>

	</listitem>

      </varlistentry>

      <varlistentry>

	<term><option>secret<literal> = </literal><replaceable

	>BASE64_ENCODED_DATA</replaceable></option></term>

	<listitem>

	  <para>

	    If this option is not specified, the <option

	    >secfile</option> option is <emphasis>required</emphasis>

	    to be present.

	  </para>

	  <para>

	    If present, this option must be set to a string of

	    base64-encoded binary data.  It will be decoded and sent

	    to the client matching the above

	    <option>fingerprint</option>.  This should, of course, be

	    OpenPGP encrypted data, decryptable only by the client.

	    The program <citerefentry><refentrytitle><command

	    >mandos-keygen</command></refentrytitle><manvolnum

	    >8</manvolnum></citerefentry> can, using its

	    <option>--password</option> option, be used to generate

	    this, if desired.

	  </para>

	  <para>

	    Note: this value of this option will probably be very

	    long.  A useful feature to avoid having unreadably-long

	    lines is that a line beginning with white space adds to

	    the value of the previous line, RFC 822-style.

	  </para>

	</listitem>

      </varlistentry>

      <varlistentry>

	<term><option>secfile<literal> = </literal><replaceable

	>FILENAME</replaceable></option></term>

	<listitem>

	  <para>

	    This option is only used if <option>secret</option> is not

	    specified, in which case this option is

	    <emphasis>required</emphasis>.

	  </para>

	  <para>

	    Similar to the <option>secret</option>, except the secret

	    data is in an external file.  The contents of the file

	    should <emphasis>not</emphasis> be base64-encoded, but

	    will be sent to clients verbatim.

	  </para>

	  <para>

	    File names of the form <filename>~user/foo/bar</filename>

	    and <filename>$<envar>ENVVAR</envar>/foo/bar</filename>

	    are supported.

	  </para>

	</listitem>

      </varlistentry>

      <varlistentry>

	<term><option><literal>host = </literal><replaceable

	>STRING</replaceable></option></term>

	<listitem>

	  <para>

	    This option is <emphasis>optional</emphasis>, but highly

	    <emphasis>recommended</emphasis> unless the

	    <option>checker</option> option is modified to a

	    non-standard value without <quote>%%(host)s</quote> in it.

	  </para>

	  <para>

	    Host name for this client.  This is not used by the server

	    directly, but can be, and is by default, used by the

	    checker.  See the <option>checker</option> option.

	  </para>

	</listitem>

      </varlistentry>

    </variablelist>

  </refsect1>

  <refsect1 id="expansion">

    <title>EXPANSION</title>

    <para>

      There are two forms of expansion: Start time expansion and

      runtime expansion.

    </para>

    <refsect2 id="start_time_expansion">

      <title>START TIME EXPANSION</title>

      <para>

	Any string in an option value of the form

	<quote><literal>%(<replaceable>foo</replaceable>)s</literal

	></quote> will be replaced by the value of the option

	<varname>foo</varname> either in the same section, or, if it

	does not exist there, the <literal>[DEFAULT]</literal>

	section.  This is done at start time, when the configuration

	file is read.

      </para>

      <para>

	Note that this means that, in order to include an actual

	percent character (<quote>%</quote>) in an option value, two

	percent characters in a row (<quote>%%</quote>) must be

	entered.

      </para>

    </refsect2>

    <refsect2 id="runtime_expansion">

      <title>RUNTIME EXPANSION</title>

      <para>

	This is currently only done for the <varname>checker</varname>

	option.

      </para>

      <para>

	Any string in an option value of the form

	<quote><literal>%%(<replaceable>foo</replaceable>)s</literal

	></quote> will be replaced by the value of the attribute

	<varname>foo</varname> of the internal

	<quote><classname>Client</classname></quote> object.  See the

	source code for details, and let the authors know of any

	attributes that are useful so they may be preserved to any new

	versions of this software.

      </para>

      <para>

	Note that this means that, in order to include an actual

	percent character (<quote>%</quote>) in a

	<varname>checker</varname> option, <emphasis>four</emphasis>

	percent characters in a row (<quote>%%%%</quote>) must be

	entered.  Also, a bad format here will lead to an immediate

	but <emphasis>silent</emphasis> run-time fatal exit; debug

	mode is needed to expose an error of this kind.

      </para>

    </refsect2>

  </refsect1>

  <refsect1 id="files">

    <title>FILES</title>

    <para>

      The file described here is &CONFPATH;

    </para>

  </refsect1>

  <refsect1 id="bugs">

    <title>BUGS</title>

    <para>

      The format for specifying times for <varname>timeout</varname>

      and <varname>interval</varname> is not very good.

    </para>

    <para>

      The difference between

      <literal>%%(<replaceable>foo</replaceable>)s</literal> and

      <literal>%(<replaceable>foo</replaceable>)s</literal> is

      obscure.

    </para>

  </refsect1>

  <refsect1 id="example">

    <title>EXAMPLE</title>

    <informalexample>

      <programlisting>

[DEFAULT]

timeout = 1h

interval = 5m

checker = fping -q -- %%(host)s

# Client "foo"

[foo]

fingerprint =  7788 2722 5BA7 DE53 9C5A  7CFA 59CF F7CD BD9A 5920

secret =

        hQIOA6QdEjBs2L/HEAf/TCyrDe5Xnm9esa+Pb/vWF9CUqfn4srzVgSu234

        REJMVv7lBSrPE2132Lmd2gqF1HeLKDJRSVxJpt6xoWOChGHg+TMyXDxK+N

        Xl89vGvdU1XfhKkVm9MDLOgT5ECDPysDGHFPDhqHOSu3Kaw2DWMV/iH9vz

        3Z20erVNbdcvyBnuojcoWO/6yfB5EQO0BXp7kcyy00USA3CjD5FGZdoQGI

        Tb8A/ar0tVA5crSQmaSotm6KmNLhrFnZ5BxX+TiE+eTUTqSloWRY6VAvqW

        QHC7OASxK5E6RXPBuFH5IohUA2Qbk5AHt99pYvsIPX88j2rWauOokoiKZo

        t/9leJ8VxO5l3wf/U64IH8bkPIoWmWZfd/nqh4uwGNbCgKMyT+AnvH7kMJ

        3i7DivfWl2mKLV0PyPHUNva0VQxX6yYjcOhj1R6fCr/at8/NSLe2OhLchz

        dC+Ls9h+kvJXgF8Sisv+Wk/1RadPLFmraRlqvJwt6Ww21LpiXqXHV2mIgq

        WnR98YgSvUi3TJHrUQiNc9YyBzuRo0AjgG2C9qiE3FM+Y28+iQ/sR3+bFs

        zYuZKVTObqiIslwXu7imO0cvvFRgJF/6u3HNFQ4LUTGhiM3FQmC6NNlF3/

        vJM2hwRDMcJqDd54Twx90Wh+tYz0z7QMsK4ANXWHHWHR0JchnLWmenzbtW

        5MHdW9AYsNJZAQSOpirE4Xi31CSlWAi9KV+cUCmWF5zOFy1x23P6PjdaRm

        4T2zw4dxS5NswXWU0sVEXxjs6PYxuIiCTL7vdpx8QjBkrPWDrAbcMyBr2O

        QlnHIvPzEArRQLo=

host = foo.example.org

interval = 1m

# Client "bar"

[bar]

fingerprint = 3e393aeaefb84c7e89e2f547b3a107558fca3a27

secfile = /etc/mandos/bar-secret

timeout = 15m

      </programlisting>

    </informalexample>

  </refsect1>

  <refsect1 id="see_also">

    <title>SEE ALSO</title>

    <para>

      <citerefentry><refentrytitle>mandos-keygen</refentrytitle>

      <manvolnum>8</manvolnum></citerefentry>,

      <citerefentry><refentrytitle>mandos.conf</refentrytitle>

      <manvolnum>5</manvolnum></citerefentry>,

      <citerefentry><refentrytitle>mandos</refentrytitle>

      <manvolnum>8</manvolnum></citerefentry>

    </para>

  </refsect1>

</refentry>

<!-- Local Variables: -->

<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->

<!-- time-stamp-end: "[\"']>" -->

<!-- time-stamp-format: "%:y-%02m-%02d" -->

<!-- End: -->