129 by Teddy Hogeborn
* mandos-clients.conf.xml: Changed all single quotes to double quotes
1
<?xml version="1.0" encoding="UTF-8"?>
24.1.23 by Björn Påhlsson
Added manual pages for:
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
171 by Teddy Hogeborn
Renamed "password-request" to "mandos-client".
4
<!ENTITY COMMANDNAME "mandos-client">
505.3.13 by Teddy Hogeborn
* debian/mandos-client.README.Debian: Document network hook facility.
5
<!ENTITY TIMESTAMP "2011-11-27">
217 by Teddy Hogeborn
* .bzrignore: Added "man" directory (created by "make install-html").
6
<!ENTITY % common SYSTEM "../common.ent">
7
%common;
24.1.23 by Björn Påhlsson
Added manual pages for:
8
]>
9
131 by Teddy Hogeborn
* Makefile: Make all DocBook rules include legalnotice.xml as a
10
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
24.1.23 by Björn Påhlsson
Added manual pages for:
11
  <refentryinfo>
112 by Teddy Hogeborn
* mandos-clients.conf.xml (/refentry/refentryinfo/title): Changed to
12
    <title>Mandos Manual</title>
217 by Teddy Hogeborn
* .bzrignore: Added "man" directory (created by "make install-html").
13
    <!-- NWalsh’s docbook scripts use this to generate the footer: -->
112 by Teddy Hogeborn
* mandos-clients.conf.xml (/refentry/refentryinfo/title): Changed to
14
    <productname>Mandos</productname>
217 by Teddy Hogeborn
* .bzrignore: Added "man" directory (created by "make install-html").
15
    <productnumber>&version;</productnumber>
111 by Teddy Hogeborn
* mandos-clients.conf.xml (ENTITY TIMESTAMP): New. Automatically
16
    <date>&TIMESTAMP;</date>
24.1.23 by Björn Påhlsson
Added manual pages for:
17
    <authorgroup>
18
      <author>
19
	<firstname>Björn</firstname>
20
	<surname>Påhlsson</surname>
21
	<address>
505.1.2 by Teddy Hogeborn
Change "fukt.bsnet.se" to "recompile.se" throughout.
22
	  <email>belorn@recompile.se</email>
24.1.23 by Björn Påhlsson
Added manual pages for:
23
	</address>
24
      </author>
25
      <author>
26
	<firstname>Teddy</firstname>
27
	<surname>Hogeborn</surname>
28
	<address>
505.1.2 by Teddy Hogeborn
Change "fukt.bsnet.se" to "recompile.se" throughout.
29
	  <email>teddy@recompile.se</email>
24.1.23 by Björn Påhlsson
Added manual pages for:
30
	</address>
31
      </author>
32
    </authorgroup>
33
    <copyright>
34
      <year>2008</year>
246 by Teddy Hogeborn
* README: Update copyright year; add "2009".
35
      <year>2009</year>
493 by Teddy Hogeborn
* Makefile (DOCS): Added "intro.8mandos".
36
      <year>2011</year>
128 by Teddy Hogeborn
* plugin-runner.xml (/refentry/refentryinfo/copyright): Split
37
      <holder>Teddy Hogeborn</holder>
38
      <holder>Björn Påhlsson</holder>
24.1.23 by Björn Påhlsson
Added manual pages for:
39
    </copyright>
131 by Teddy Hogeborn
* Makefile: Make all DocBook rules include legalnotice.xml as a
40
    <xi:include href="../legalnotice.xml"/>
24.1.23 by Björn Påhlsson
Added manual pages for:
41
  </refentryinfo>
182 by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey".
42
  
24.1.23 by Björn Påhlsson
Added manual pages for:
43
  <refmeta>
44
    <refentrytitle>&COMMANDNAME;</refentrytitle>
45
    <manvolnum>8mandos</manvolnum>
46
  </refmeta>
47
  
48
  <refnamediv>
49
    <refname><command>&COMMANDNAME;</command></refname>
50
    <refpurpose>
172 by Teddy Hogeborn
* plugins.d/mandos-client.xml (NAME, OVERVIEW, EXIT STATUS): Improved
51
      Client for <application>Mandos</application>
24.1.23 by Björn Påhlsson
Added manual pages for:
52
    </refpurpose>
53
  </refnamediv>
182 by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey".
54
  
24.1.23 by Björn Påhlsson
Added manual pages for:
55
  <refsynopsisdiv>
56
    <cmdsynopsis>
57
      <command>&COMMANDNAME;</command>
118 by Teddy Hogeborn
* mandos-keygen.xml (SYNOPSIS): Fixed tags. Unify short and long
58
      <group>
59
	<arg choice="plain"><option>--connect
156 by Teddy Hogeborn
* mandos-clients.conf.xml (OPTIONS): Improved spelling.
60
	<replaceable>ADDRESS</replaceable><literal>:</literal
118 by Teddy Hogeborn
* mandos-keygen.xml (SYNOPSIS): Fixed tags. Unify short and long
61
	><replaceable>PORT</replaceable></option></arg>
62
	<arg choice="plain"><option>-c
156 by Teddy Hogeborn
* mandos-clients.conf.xml (OPTIONS): Improved spelling.
63
	<replaceable>ADDRESS</replaceable><literal>:</literal
118 by Teddy Hogeborn
* mandos-keygen.xml (SYNOPSIS): Fixed tags. Unify short and long
64
	><replaceable>PORT</replaceable></option></arg>
65
      </group>
66
      <sbr/>
67
      <group>
68
	<arg choice="plain"><option>--interface
69
	<replaceable>NAME</replaceable></option></arg>
70
	<arg choice="plain"><option>-i
71
	<replaceable>NAME</replaceable></option></arg>
72
      </group>
73
      <sbr/>
74
      <group>
75
	<arg choice="plain"><option>--pubkey
76
	<replaceable>FILE</replaceable></option></arg>
77
	<arg choice="plain"><option>-p
78
	<replaceable>FILE</replaceable></option></arg>
79
      </group>
80
      <sbr/>
81
      <group>
82
	<arg choice="plain"><option>--seckey
83
	<replaceable>FILE</replaceable></option></arg>
84
	<arg choice="plain"><option>-s
85
	<replaceable>FILE</replaceable></option></arg>
86
      </group>
87
      <sbr/>
88
      <arg>
89
	<option>--priority <replaceable>STRING</replaceable></option>
90
      </arg>
91
      <sbr/>
92
      <arg>
93
	<option>--dh-bits <replaceable>BITS</replaceable></option>
94
      </arg>
95
      <sbr/>
96
      <arg>
24.1.124 by Björn Påhlsson
Added lower kernel loglevel to reduce clutter on system console.
97
	<option>--delay <replaceable>SECONDS</replaceable></option>
98
      </arg>
99
      <sbr/>
100
      <arg>
24.1.174 by Björn Påhlsson
* Makefile (CFLAGS): Added "-lrt" to include real time library.
101
	<option>--retry <replaceable>SECONDS</replaceable></option>
102
      </arg>
103
      <sbr/>
104
      <arg>
505.3.13 by Teddy Hogeborn
* debian/mandos-client.README.Debian: Document network hook facility.
105
	<option>--network-hook-dir
106
	<replaceable>DIR</replaceable></option>
505.3.5 by teddy at bsnet
* plugins.d/mandos-client.c (SYNOPSIS, OPTIONS): Document
107
      </arg>
108
      <sbr/>
109
      <arg>
118 by Teddy Hogeborn
* mandos-keygen.xml (SYNOPSIS): Fixed tags. Unify short and long
110
	<option>--debug</option>
111
      </arg>
112
    </cmdsynopsis>
113
    <cmdsynopsis>
114
      <command>&COMMANDNAME;</command>
115
      <group choice="req">
129 by Teddy Hogeborn
* mandos-clients.conf.xml: Changed all single quotes to double quotes
116
	<arg choice="plain"><option>--help</option></arg>
117
	<arg choice="plain"><option>-?</option></arg>
118 by Teddy Hogeborn
* mandos-keygen.xml (SYNOPSIS): Fixed tags. Unify short and long
118
      </group>
119
    </cmdsynopsis>
120
    <cmdsynopsis>
121
      <command>&COMMANDNAME;</command>
129 by Teddy Hogeborn
* mandos-clients.conf.xml: Changed all single quotes to double quotes
122
      <arg choice="plain"><option>--usage</option></arg>
118 by Teddy Hogeborn
* mandos-keygen.xml (SYNOPSIS): Fixed tags. Unify short and long
123
    </cmdsynopsis>
124
    <cmdsynopsis>
125
      <command>&COMMANDNAME;</command>
126
      <group choice="req">
129 by Teddy Hogeborn
* mandos-clients.conf.xml: Changed all single quotes to double quotes
127
	<arg choice="plain"><option>--version</option></arg>
128
	<arg choice="plain"><option>-V</option></arg>
118 by Teddy Hogeborn
* mandos-keygen.xml (SYNOPSIS): Fixed tags. Unify short and long
129
      </group>
130
    </cmdsynopsis>
24.1.23 by Björn Påhlsson
Added manual pages for:
131
  </refsynopsisdiv>
182 by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey".
132
  
24.1.23 by Björn Påhlsson
Added manual pages for:
133
  <refsect1 id="description">
134
    <title>DESCRIPTION</title>
135
    <para>
142 by Teddy Hogeborn
* plugins.d/password-request.c (main): Change default GnuTLS priority
136
      <command>&COMMANDNAME;</command> is a client program that
137
      communicates with <citerefentry><refentrytitle
138
      >mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>
285 by Teddy Hogeborn
* plugins.d/mandos-client.c (main): Use remove() instead of unlink(),
139
      to get a password.  In slightly more detail, this client program
140
      brings up a network interface, uses the interface’s IPv6
141
      link-local address to get network connectivity, uses Zeroconf to
142
      find servers on the local network, and communicates with servers
143
      using TLS with an OpenPGP key to ensure authenticity and
144
      confidentiality.  This client program keeps running, trying all
145
      servers on the network, until it receives a satisfactory reply
491 by teddy at bsnet
* plugins.d/mandos-client.c (avahi_loop_with_timeout): Fix warning.
146
      or a TERM signal.  After all servers have been tried, all
147
      servers are periodically retried.  If no servers are found it
148
      will wait indefinitely for new servers to appear.
142 by Teddy Hogeborn
* plugins.d/password-request.c (main): Change default GnuTLS priority
149
    </para>
150
    <para>
505.3.13 by Teddy Hogeborn
* debian/mandos-client.README.Debian: Document network hook facility.
151
      The network interface is selected like this: If an interface is
152
      specified using the <option>--interface</option> option, that
153
      interface is used.  Otherwise, <command>&COMMANDNAME;</command>
154
      will choose any interface that is up and running and is not a
155
      loopback interface, is not a point-to-point interface, is
156
      capable of broadcasting and does not have the NOARP flag (see
157
      <citerefentry><refentrytitle>netdevice</refentrytitle>
158
      <manvolnum>7</manvolnum></citerefentry>).  (If the
159
      <option>--connect</option> option is used, point-to-point
160
      interfaces and non-broadcast interfaces are accepted.)  If no
161
      acceptable interfaces are found, re-run the check but without
162
      the <quote>up and running</quote> requirement, and manually take
163
      the selected interface up (and later take it down on program
164
      exit).
165
    </para>
166
    <para>
167
      Before a network interface is selected, all <quote>network
168
      hooks</quote> are run; see <xref linkend="network-hooks"/>.
169
    </para>
170
    <para>
142 by Teddy Hogeborn
* plugins.d/password-request.c (main): Change default GnuTLS priority
171
      This program is not meant to be run directly; it is really meant
172
      to run as a plugin of the <application>Mandos</application>
173
      <citerefentry><refentrytitle>plugin-runner</refentrytitle>
143 by Teddy Hogeborn
* Makefile (mandos.8): Add dependency on "overview.xml" and
174
      <manvolnum>8mandos</manvolnum></citerefentry>, which runs in the
175
      initial <acronym>RAM</acronym> disk environment because it is
176
      specified as a <quote>keyscript</quote> in the <citerefentry>
177
      <refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>
178
      </citerefentry> file.
142 by Teddy Hogeborn
* plugins.d/password-request.c (main): Change default GnuTLS priority
179
    </para>
180
  </refsect1>
181
  
182
  <refsect1 id="purpose">
183
    <title>PURPOSE</title>
184
    <para>
185
      The purpose of this is to enable <emphasis>remote and unattended
186
      rebooting</emphasis> of a client host computer with an
187
      <emphasis>encrypted root file system</emphasis>.  See <xref
188
      linkend="overview"/> for details.
189
    </para>
190
  </refsect1>
191
  
24.1.55 by Björn Påhlsson
updated some partial manual pages
192
  <refsect1 id="options">
193
    <title>OPTIONS</title>
194
    <para>
142 by Teddy Hogeborn
* plugins.d/password-request.c (main): Change default GnuTLS priority
195
      This program is commonly not invoked from the command line; it
196
      is normally started by the <application>Mandos</application>
197
      plugin runner, see <citerefentry><refentrytitle
198
      >plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>
199
      </citerefentry>.  Any command line options this program accepts
200
      are therefore normally provided by the plugin runner, and not
201
      directly.
24.1.55 by Björn Påhlsson
updated some partial manual pages
202
    </para>
142 by Teddy Hogeborn
* plugins.d/password-request.c (main): Change default GnuTLS priority
203
    
24.1.23 by Björn Påhlsson
Added manual pages for:
204
    <variablelist>
205
      <varlistentry>
127 by Teddy Hogeborn
* plugins.d/password-request.xml (OPTIONS): Make replaceables match
206
	<term><option>--connect=<replaceable
143 by Teddy Hogeborn
* Makefile (mandos.8): Add dependency on "overview.xml" and
207
	>ADDRESS</replaceable><literal>:</literal><replaceable
127 by Teddy Hogeborn
* plugins.d/password-request.xml (OPTIONS): Make replaceables match
208
	>PORT</replaceable></option></term>
209
	<term><option>-c
143 by Teddy Hogeborn
* Makefile (mandos.8): Add dependency on "overview.xml" and
210
	<replaceable>ADDRESS</replaceable><literal>:</literal
127 by Teddy Hogeborn
* plugins.d/password-request.xml (OPTIONS): Make replaceables match
211
	><replaceable>PORT</replaceable></option></term>
24.1.23 by Björn Påhlsson
Added manual pages for:
212
	<listitem>
213
	  <para>
142 by Teddy Hogeborn
* plugins.d/password-request.c (main): Change default GnuTLS priority
214
	    Do not use Zeroconf to locate servers.  Connect directly
215
	    to only one specified <application>Mandos</application>
216
	    server.  Note that an IPv6 address has colon characters in
217
	    it, so the <emphasis>last</emphasis> colon character is
218
	    assumed to separate the address from the port number.
219
	  </para>
220
	  <para>
143 by Teddy Hogeborn
* Makefile (mandos.8): Add dependency on "overview.xml" and
221
	    This option is normally only useful for testing and
222
	    debugging.
24.1.23 by Björn Påhlsson
Added manual pages for:
223
	  </para>
224
	</listitem>
225
      </varlistentry>
142 by Teddy Hogeborn
* plugins.d/password-request.c (main): Change default GnuTLS priority
226
      
24.1.23 by Björn Påhlsson
Added manual pages for:
227
      <varlistentry>
304 by Teddy Hogeborn
Four new interrelated features:
228
	<term><option>--interface=<replaceable
229
	>NAME</replaceable></option></term>
127 by Teddy Hogeborn
* plugins.d/password-request.xml (OPTIONS): Make replaceables match
230
	<term><option>-i
231
	<replaceable>NAME</replaceable></option></term>
24.1.23 by Björn Påhlsson
Added manual pages for:
232
	<listitem>
233
	  <para>
142 by Teddy Hogeborn
* plugins.d/password-request.c (main): Change default GnuTLS priority
234
	    Network interface that will be brought up and scanned for
237.2.33 by teddy at bsnet
* plugins.d/mandos-client.c: An empty interface name now means to
235
	    Mandos servers to connect to.  The default is the empty
236
	    string, which will automatically choose an appropriate
237
	    interface.
24.1.23 by Björn Påhlsson
Added manual pages for:
238
	  </para>
146 by Teddy Hogeborn
* plugins.d/password-request.xml (OPTIONS): Improved wording.
239
	  <para>
240
	    If the <option>--connect</option> option is used, this
241
	    specifies the interface to use to connect to the address
242
	    given.
243
	  </para>
285 by Teddy Hogeborn
* plugins.d/mandos-client.c (main): Use remove() instead of unlink(),
244
	  <para>
245
	    Note that since this program will normally run in the
246
	    initial RAM disk environment, the interface must be an
247
	    interface which exists at that stage.  Thus, the interface
248
	    can not be a pseudo-interface such as <quote>br0</quote>
249
	    or <quote>tun0</quote>; such interfaces will not exist
250
	    until much later in the boot process, and can not be used
505.3.13 by Teddy Hogeborn
* debian/mandos-client.README.Debian: Document network hook facility.
251
	    by this program, unless created by a <quote>network
252
	    hook</quote>; see <xref linkend="network-hooks"/>.
285 by Teddy Hogeborn
* plugins.d/mandos-client.c (main): Use remove() instead of unlink(),
253
	  </para>
304 by Teddy Hogeborn
Four new interrelated features:
254
	  <para>
237.2.33 by teddy at bsnet
* plugins.d/mandos-client.c: An empty interface name now means to
255
	    <replaceable>NAME</replaceable> can be the string
256
	    <quote><literal>none</literal></quote>; this will not use
257
	    any specific interface, and will not bring up an interface
258
	    on startup.  This is not recommended, and only meant for
259
	    advanced users.
304 by Teddy Hogeborn
Four new interrelated features:
260
	  </para>
24.1.23 by Björn Påhlsson
Added manual pages for:
261
	</listitem>
118 by Teddy Hogeborn
* mandos-keygen.xml (SYNOPSIS): Fixed tags. Unify short and long
262
      </varlistentry>
142 by Teddy Hogeborn
* plugins.d/password-request.c (main): Change default GnuTLS priority
263
      
24.1.23 by Björn Påhlsson
Added manual pages for:
264
      <varlistentry>
127 by Teddy Hogeborn
* plugins.d/password-request.xml (OPTIONS): Make replaceables match
265
	<term><option>--pubkey=<replaceable
266
	>FILE</replaceable></option></term>
267
	<term><option>-p
268
	<replaceable>FILE</replaceable></option></term>
24.1.23 by Björn Påhlsson
Added manual pages for:
269
	<listitem>
270
	  <para>
151 by Teddy Hogeborn
* plugins.d/password-request.xml (SYNOPSYS): Removed "--keydir".
271
	    OpenPGP public key file name.  The default name is
272
	    <quote><filename>/conf/conf.d/mandos/pubkey.txt</filename
273
	    ></quote>.
24.1.23 by Björn Påhlsson
Added manual pages for:
274
	  </para>
275
	</listitem>
118 by Teddy Hogeborn
* mandos-keygen.xml (SYNOPSIS): Fixed tags. Unify short and long
276
      </varlistentry>
182 by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey".
277
      
24.1.23 by Björn Påhlsson
Added manual pages for:
278
      <varlistentry>
127 by Teddy Hogeborn
* plugins.d/password-request.xml (OPTIONS): Make replaceables match
279
	<term><option>--seckey=<replaceable
280
	>FILE</replaceable></option></term>
281
	<term><option>-s
282
	<replaceable>FILE</replaceable></option></term>
24.1.23 by Björn Påhlsson
Added manual pages for:
283
	<listitem>
284
	  <para>
151 by Teddy Hogeborn
* plugins.d/password-request.xml (SYNOPSYS): Removed "--keydir".
285
	    OpenPGP secret key file name.  The default name is
286
	    <quote><filename>/conf/conf.d/mandos/seckey.txt</filename
287
	    ></quote>.
24.1.23 by Björn Påhlsson
Added manual pages for:
288
	  </para>
289
	</listitem>
118 by Teddy Hogeborn
* mandos-keygen.xml (SYNOPSIS): Fixed tags. Unify short and long
290
      </varlistentry>
24.1.23 by Björn Påhlsson
Added manual pages for:
291
      
292
      <varlistentry>
127 by Teddy Hogeborn
* plugins.d/password-request.xml (OPTIONS): Make replaceables match
293
	<term><option>--priority=<replaceable
294
	>STRING</replaceable></option></term>
24.1.23 by Björn Påhlsson
Added manual pages for:
295
	<listitem>
143 by Teddy Hogeborn
* Makefile (mandos.8): Add dependency on "overview.xml" and
296
	  <xi:include href="../mandos-options.xml"
297
		      xpointer="priority"/>
24.1.23 by Björn Påhlsson
Added manual pages for:
298
	</listitem>
118 by Teddy Hogeborn
* mandos-keygen.xml (SYNOPSIS): Fixed tags. Unify short and long
299
      </varlistentry>
182 by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey".
300
      
24.1.23 by Björn Påhlsson
Added manual pages for:
301
      <varlistentry>
127 by Teddy Hogeborn
* plugins.d/password-request.xml (OPTIONS): Make replaceables match
302
	<term><option>--dh-bits=<replaceable
303
	>BITS</replaceable></option></term>
24.1.23 by Björn Påhlsson
Added manual pages for:
304
	<listitem>
305
	  <para>
142 by Teddy Hogeborn
* plugins.d/password-request.c (main): Change default GnuTLS priority
306
	    Sets the number of bits to use for the prime number in the
307
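	    TLS Diffie-Hellman key exchange.  Default is 1024.  Note
	    that a 1024-bit prime is below what is currently
	    recommended for Diffie-Hellman; consider specifying 2048
	    or more.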
24.1.23 by Björn Påhlsson
Added manual pages for:
308
	  </para>
309
	</listitem>
118 by Teddy Hogeborn
* mandos-keygen.xml (SYNOPSIS): Fixed tags. Unify short and long
310
      </varlistentry>
24.1.124 by Björn Påhlsson
Added lower kernel loglevel to reduce clutter on system console.
311
312
      <varlistentry>
313
	<term><option>--delay=<replaceable
314
	>SECONDS</replaceable></option></term>
315
	<listitem>
316
	  <para>
317
	    After bringing the network interface up, the program waits
318
	    for the interface to arrive in a <quote>running</quote>
319
	    state before proceeding.  During this time, the kernel log
320
	    level will be lowered to reduce clutter on the system
321
	    console, alleviating any other plugins which might be
322
	    using the system console.  This option sets the upper
323
	    limit of seconds to wait.  The default is 2.5 seconds.
324
	  </para>
325
	</listitem>
326
      </varlistentry>
24.1.174 by Björn Påhlsson
* Makefile (CFLAGS): Added "-lrt" to include real time library.
327
328
      <varlistentry>
329
	<term><option>--retry=<replaceable
330
	>SECONDS</replaceable></option></term>
331
	<listitem>
332
	  <para>
491 by teddy at bsnet
* plugins.d/mandos-client.c (avahi_loop_with_timeout): Fix warning.
333
	    All Mandos servers are tried repeatedly until a password
334
	    is received.  This value specifies, in seconds, how long to wait
335
	    between each successive try <emphasis>for the same
336
	    server</emphasis>.  The default is 10 seconds.
24.1.174 by Björn Påhlsson
* Makefile (CFLAGS): Added "-lrt" to include real time library.
337
	  </para>
338
	</listitem>
339
      </varlistentry>
505.3.5 by teddy at bsnet
* plugins.d/mandos-client.c (SYNOPSIS, OPTIONS): Document
340
341
      <varlistentry>
342
	<term><option>--network-hook-dir=<replaceable
343
	>DIR</replaceable></option></term>
344
	<listitem>
345
	  <para>
346
	    Network hook directory.  The default directory is
505.3.7 by teddy at bsnet
* initramfs-tools-hook: Install network hooks (and any required files)
347
	    <quote><filename class="directory"
348
	    >/lib/mandos/network-hooks.d</filename></quote>.
505.3.5 by teddy at bsnet
* plugins.d/mandos-client.c (SYNOPSIS, OPTIONS): Document
349
	  </para>
350
	</listitem>
351
      </varlistentry>
24.1.23 by Björn Påhlsson
Added manual pages for:
352
      
353
      <varlistentry>
127 by Teddy Hogeborn
* plugins.d/password-request.xml (OPTIONS): Make replaceables match
354
	<term><option>--debug</option></term>
24.1.23 by Björn Påhlsson
Added manual pages for:
355
	<listitem>
356
	  <para>
142 by Teddy Hogeborn
* plugins.d/password-request.c (main): Change default GnuTLS priority
357
	    Enable debug mode.  This will enable a lot of output to
358
	    standard error about what the program is doing.  The
359
	    program will still perform all other functions normally.
360
	  </para>
361
	  <para>
362
	    It will also enable debug mode in the Avahi and GnuTLS
363
	    libraries, making them print large amounts of debugging
364
	    output.
24.1.23 by Björn Påhlsson
Added manual pages for:
365
	  </para>
366
	</listitem>
367
      </varlistentry>
368
      
369
      <varlistentry>
127 by Teddy Hogeborn
* plugins.d/password-request.xml (OPTIONS): Make replaceables match
370
	<term><option>--help</option></term>
371
	<term><option>-?</option></term>
24.1.23 by Björn Påhlsson
Added manual pages for:
372
	<listitem>
373
	  <para>
142 by Teddy Hogeborn
* plugins.d/password-request.c (main): Change default GnuTLS priority
374
	    Gives a help message about options and their meanings.
24.1.23 by Björn Påhlsson
Added manual pages for:
375
	  </para>
376
	</listitem>
377
      </varlistentry>
378
      
379
      <varlistentry>
127 by Teddy Hogeborn
* plugins.d/password-request.xml (OPTIONS): Make replaceables match
380
	<term><option>--usage</option></term>
24.1.23 by Björn Påhlsson
Added manual pages for:
381
	<listitem>
382
	  <para>
142 by Teddy Hogeborn
* plugins.d/password-request.c (main): Change default GnuTLS priority
383
	    Gives a short usage message.
24.1.23 by Björn Påhlsson
Added manual pages for:
384
	  </para>
385
	</listitem>
386
      </varlistentry>
182 by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey".
387
      
24.1.23 by Björn Påhlsson
Added manual pages for:
388
      <varlistentry>
127 by Teddy Hogeborn
* plugins.d/password-request.xml (OPTIONS): Make replaceables match
389
	<term><option>--version</option></term>
390
	<term><option>-V</option></term>
24.1.23 by Björn Påhlsson
Added manual pages for:
391
	<listitem>
392
	  <para>
142 by Teddy Hogeborn
* plugins.d/password-request.c (main): Change default GnuTLS priority
393
	    Prints the program version.
24.1.23 by Björn Påhlsson
Added manual pages for:
394
	  </para>
395
	</listitem>
118 by Teddy Hogeborn
* mandos-keygen.xml (SYNOPSIS): Fixed tags. Unify short and long
396
      </varlistentry>
24.1.23 by Björn Påhlsson
Added manual pages for:
397
    </variablelist>
398
  </refsect1>
182 by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey".
399
  
143 by Teddy Hogeborn
* Makefile (mandos.8): Add dependency on "overview.xml" and
400
  <refsect1 id="overview">
401
    <title>OVERVIEW</title>
402
    <xi:include href="../overview.xml"/>
403
    <para>
404
      This program is the client part.  It is a plugin started by
405
      <citerefentry><refentrytitle>plugin-runner</refentrytitle>
406
      <manvolnum>8mandos</manvolnum></citerefentry> which will run in
407
      an initial <acronym>RAM</acronym> disk environment.
408
    </para>
409
    <para>
410
      This program could, theoretically, be used as a keyscript in
411
      <filename>/etc/crypttab</filename>, but it would then be
144 by Teddy Hogeborn
* plugins.d/password-request.xml (OVERVIEW): Improved wording.
412
      impossible to enter a password for the encrypted root disk at
413
      the console, since this program does not read from the console
172 by Teddy Hogeborn
* plugins.d/mandos-client.xml (NAME, OVERVIEW, EXIT STATUS): Improved
414
      at all.  This is why a separate plugin runner (<citerefentry>
415
      <refentrytitle>plugin-runner</refentrytitle>
416
      <manvolnum>8mandos</manvolnum></citerefentry>) is used to run
417
      both this program and others in parallel,
505.3.13 by Teddy Hogeborn
* debian/mandos-client.README.Debian: Document network hook facility.
418
      <emphasis>one</emphasis> of which (<citerefentry>
419
      <refentrytitle>password-prompt</refentrytitle>
420
      <manvolnum>8mandos</manvolnum></citerefentry>) will prompt for
421
      passwords on the system console.
143 by Teddy Hogeborn
* Makefile (mandos.8): Add dependency on "overview.xml" and
422
    </para>
423
  </refsect1>
424
  
24.1.55 by Björn Påhlsson
updated some partial manual pages
425
  <refsect1 id="exit_status">
426
    <title>EXIT STATUS</title>
427
    <para>
142 by Teddy Hogeborn
* plugins.d/password-request.c (main): Change default GnuTLS priority
428
      This program will exit with a successful (zero) exit status if a
429
      server could be found and the password received from it could be
430
      successfully decrypted and output on standard output.  The
431
      program will exit with a non-zero exit status only if a critical
491 by teddy at bsnet
* plugins.d/mandos-client.c (avahi_loop_with_timeout): Fix warning.
432
      error occurs.  Otherwise, it will forever connect to any
433
      discovered <application>Mandos</application> servers, trying to
434
      get a decryptable password and print it.
142 by Teddy Hogeborn
* plugins.d/password-request.c (main): Change default GnuTLS priority
435
    </para>
436
  </refsect1>
437
  
143 by Teddy Hogeborn
* Makefile (mandos.8): Add dependency on "overview.xml" and
438
  <refsect1 id="environment">
439
    <title>ENVIRONMENT</title>
440
    <para>
441
      This program does not use any environment variables, not even
442
      the ones provided by <citerefentry><refentrytitle
443
      >cryptsetup</refentrytitle><manvolnum>8</manvolnum>
444
    </citerefentry>.
445
    </para>
446
  </refsect1>
142 by Teddy Hogeborn
* plugins.d/password-request.c (main): Change default GnuTLS priority
447
  
505.3.13 by Teddy Hogeborn
* debian/mandos-client.README.Debian: Document network hook facility.
448
  <refsect1 id="network-hooks">
449
    <title>NETWORK HOOKS</title>
450
    <para>
451
      If a network interface like a bridge or tunnel is required to
452
      find a Mandos server, this requires the interface to be up and
453
      running before <command>&COMMANDNAME;</command> starts looking
454
      for Mandos servers.  This can be accomplished by creating a
455
      <quote>network hook</quote> program, and placing it in a special
456
      directory.
457
    </para>
458
    <para>
459
      Before the network is used (and again before program exit), any
460
      runnable programs found in the network hook directory are run
461
      with the argument <quote><literal>start</literal></quote> or
462
      <quote><literal>stop</literal></quote>.  This should bring up or
463
      down, respectively, any network interface which
464
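      <command>&COMMANDNAME;</command> should use.  Because every
      runnable program found in that directory is executed, the
      directory and its contents should be writable only by the
      system administrator.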
465
    </para>
466
    <refsect2 id="hook-requirements">
467
      <title>REQUIREMENTS</title>
468
      <para>
469
	A network hook must be an executable file, and its name must
470
	consist entirely of upper and lower case letters, digits,
471
	underscores, and hyphens.
472
      </para>
473
      <para>
474
	A network hook will receive one argument, which can be one of
475
	the following:
476
      </para>
477
      <variablelist>
478
	<varlistentry>
479
	  <term><literal>start</literal></term>
480
	  <listitem>
481
	    <para>
482
	      This should make the network hook create (if necessary)
483
	      and bring up a network interface.
484
	    </para>
485
	  </listitem>
486
	</varlistentry>
487
	<varlistentry>
488
	  <term><literal>stop</literal></term>
489
	  <listitem>
490
	    <para>
491
	      This should make the network hook take down a network
492
	      interface, and delete it if it did not exist previously.
493
	    </para>
494
	  </listitem>
495
	</varlistentry>
496
	<varlistentry>
497
	  <term><literal>files</literal></term>
498
	  <listitem>
499
	    <para>
500
	      This should make the network hook print, <emphasis>on
501
	      separate lines</emphasis>, all the files needed for it
502
	      to run.  (These files will be copied into the initial
503
	      RAM filesystem.)  Intended use is for a network hook
504
	      which is a shell script to print its needed binaries.
505
	    </para>
506
	    <para>
507
	      It is not necessary to print any non-executable files
508
	      already in the network hook directory; these will be
509
	      copied implicitly if they otherwise satisfy the name
510
	      requirement.
511
	    </para>
512
	  </listitem>
513
	</varlistentry>
514
      </variablelist>
515
      <para>
516
	The network hook will be provided with a number of environment
517
	variables:
518
      </para>
519
      <variablelist>
520
	<varlistentry>
521
	  <term><envar>MANDOSNETHOOKDIR</envar></term>
522
	  <listitem>
523
	    <para>
524
	      The network hook directory, specified to
525
	      <command>&COMMANDNAME;</command> by the
526
	      <option>--network-hook-dir</option> option.  Note: this
527
	      should <emphasis>always</emphasis> be used by the
528
	      network hook to refer to itself or any files it may
529
	      require.
530
	    </para>
531
	  </listitem>
532
	</varlistentry>
533
	<varlistentry>
534
	  <term><envar>DEVICE</envar></term>
535
	  <listitem>
536
	    <para>
537
	      The network interface, as specified to
538
	      <command>&COMMANDNAME;</command> by the
539
	      <option>--interface</option> option.  If this is not the
540
	      interface a hook will bring up, there is no reason for a
541
	      hook to continue.
542
	    </para>
543
	  </listitem>
544
	</varlistentry>
545
	<varlistentry>
546
	  <term><envar>MODE</envar></term>
547
	  <listitem>
548
	    <para>
549
	      This will be the same as the first argument;
550
	      i.e. <quote><literal>start</literal></quote>,
551
	      <quote><literal>stop</literal></quote>, or
552
	      <quote><literal>files</literal></quote>.
553
	    </para>
554
	  </listitem>
555
	</varlistentry>
556
	<varlistentry>
557
	  <term><envar>VERBOSITY</envar></term>
558
	  <listitem>
559
	    <para>
560
	      This will be <quote><literal>1</literal></quote> if
561
	      the <option>--debug</option> option is passed to
562
	      <command>&COMMANDNAME;</command>, otherwise
563
	      <quote><literal>0</literal></quote>.
564
	    </para>
565
	  </listitem>
566
	</varlistentry>
567
	<varlistentry>
568
	  <term><envar>DELAY</envar></term>
569
	  <listitem>
570
	    <para>
571
	      This will be the same as the <option>--delay</option>
572
	      option passed to <command>&COMMANDNAME;</command>.
573
	    </para>
574
	  </listitem>
575
	</varlistentry>
576
      </variablelist>
577
      <para>
578
	A hook may not read from standard input, and should be
579
	restrictive in printing to standard output or standard error
580
	unless <varname>VERBOSITY</varname> is
581
	<quote><literal>1</literal></quote>.
582
      </para>
583
    </refsect2>
584
  </refsect1>
585
  
224 by Teddy Hogeborn
* mandos-keygen.xml (FILES): Fixed id to be "files", not "file".
586
  <refsect1 id="files">
24.1.55 by Björn Påhlsson
updated some partial manual pages
587
    <title>FILES</title>
146 by Teddy Hogeborn
* plugins.d/password-request.xml (OPTIONS): Improved wording.
588
    <variablelist>
589
      <varlistentry>
590
	<term><filename>/conf/conf.d/mandos/pubkey.txt</filename
591
	></term>
592
	<term><filename>/conf/conf.d/mandos/seckey.txt</filename
593
	></term>
594
	<listitem>
595
	  <para>
596
	    OpenPGP public and private key files, in <quote>ASCII
597
	    Armor</quote> format.  These are the default file names;
598
	    they can be changed with the <option>--pubkey</option> and
599
	    <option>--seckey</option> options.
600
	  </para>
601
	</listitem>
602
      </varlistentry>
505.3.13 by Teddy Hogeborn
* debian/mandos-client.README.Debian: Document network hook facility.
603
      <varlistentry>
604
	<term><filename
605
	class="directory">/lib/mandos/network-hooks.d</filename></term>
606
	<listitem>
607
	  <para>
608
	    Directory where network hooks are located.  Change this
609
	    with the <option>--network-hook-dir</option> option.  See
610
	    <xref linkend="network-hooks"/>.
611
	  </para>
612
	</listitem>
613
      </varlistentry>
146 by Teddy Hogeborn
* plugins.d/password-request.xml (OPTIONS): Improved wording.
614
    </variablelist>
118 by Teddy Hogeborn
* mandos-keygen.xml (SYNOPSIS): Fixed tags. Unify short and long
615
  </refsect1>
24.1.55 by Björn Påhlsson
updated some partial manual pages
616
  
146 by Teddy Hogeborn
* plugins.d/password-request.xml (OPTIONS): Improved wording.
617
<!--   <refsect1 id="bugs"> -->
618
<!--     <title>BUGS</title> -->
619
<!--     <para> -->
620
<!--     </para> -->
621
<!--   </refsect1> -->
182 by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey".
622
  
87 by Teddy Hogeborn
* Makefile: Bug fix: fixed creation of man pages in "plugins.d".
623
  <refsect1 id="example">
624
    <title>EXAMPLE</title>
24.1.55 by Björn Påhlsson
updated some partial manual pages
625
    <para>
146 by Teddy Hogeborn
* plugins.d/password-request.xml (OPTIONS): Improved wording.
626
      Note that normally, command line options will not be given
627
      directly, but via options for the Mandos <citerefentry
628
      ><refentrytitle>plugin-runner</refentrytitle>
629
      <manvolnum>8mandos</manvolnum></citerefentry>.
24.1.55 by Björn Påhlsson
updated some partial manual pages
630
    </para>
146 by Teddy Hogeborn
* plugins.d/password-request.xml (OPTIONS): Improved wording.
631
    <informalexample>
632
      <para>
633
	Normal invocation needs no options, if the network interface
634
	is <quote>eth0</quote>:
635
      </para>
636
      <para>
637
	<userinput>&COMMANDNAME;</userinput>
638
      </para>
639
    </informalexample>
640
    <informalexample>
641
      <para>
158 by Teddy Hogeborn
* plugins.d/password-request.xml (EXAMPLE): Improved wording.
642
	Search for Mandos servers (and connect to them) using another
643
	interface:
146 by Teddy Hogeborn
* plugins.d/password-request.xml (OPTIONS): Improved wording.
644
      </para>
645
      <para>
646
	<!-- do not wrap this line -->
647
	<userinput>&COMMANDNAME; --interface eth1</userinput>
648
      </para>
649
    </informalexample>
650
    <informalexample>
651
      <para>
151 by Teddy Hogeborn
* plugins.d/password-request.xml (SYNOPSYS): Removed "--keydir".
652
	Run in debug mode, and use a custom key:
146 by Teddy Hogeborn
* plugins.d/password-request.xml (OPTIONS): Improved wording.
653
      </para>
654
      <para>
151 by Teddy Hogeborn
* plugins.d/password-request.xml (SYNOPSYS): Removed "--keydir".
655
656
<!-- do not wrap this line -->
657
<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>
658
146 by Teddy Hogeborn
* plugins.d/password-request.xml (OPTIONS): Improved wording.
659
      </para>
660
    </informalexample>
661
    <informalexample>
662
      <para>
151 by Teddy Hogeborn
* plugins.d/password-request.xml (SYNOPSYS): Removed "--keydir".
663
	Run in debug mode, with a custom key, and do not use Zeroconf
664
	to locate a server; connect directly to the IPv6 link-local
665
	address <quote><systemitem class="ipaddress"
666
	>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,
667
	using interface eth2:
146 by Teddy Hogeborn
* plugins.d/password-request.xml (OPTIONS): Improved wording.
668
      </para>
669
      <para>
670
671
<!-- do not wrap this line -->
304 by Teddy Hogeborn
Four new interrelated features:
672
<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>
146 by Teddy Hogeborn
* plugins.d/password-request.xml (OPTIONS): Improved wording.
673
674
      </para>
675
    </informalexample>
24.1.55 by Björn Påhlsson
updated some partial manual pages
676
  </refsect1>
182 by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey".
677
  
24.1.55 by Björn Påhlsson
updated some partial manual pages
678
  <refsect1 id="security">
679
    <title>SECURITY</title>
680
    <para>
147 by Teddy Hogeborn
* plugins.d/password-request.c (init_gnutls_global): Improved wording
681
      This program is set-uid to root, but will switch back to the
682
      original (and presumably non-privileged) user and group after
683
      bringing up the network interface.
147 by Teddy Hogeborn
* plugins.d/password-request.c (init_gnutls_global): Improved wording
684
    </para>
685
    <para>
686
      To use this program for its intended purpose (see <xref
687
      linkend="purpose"/>), the password for the root file system will
688
      have to be given out to be stored in a server computer, after
689
      having been encrypted using an OpenPGP key.  This encrypted data
690
      which will be stored in a server can only be decrypted by the
691
      OpenPGP key, and the data will only be given out to those
692
      clients who can prove they actually have that key.  This key,
693
      however, is stored unencrypted on the client side in its initial
694
      <acronym>RAM</acronym> disk image file system.  That image file is normally
695
      readable by all, but this is normally fixed during installation
696
      of this program; file permissions are set so that no-one is able
697
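      to read that file.  Since the key is only as confidential as
      that image file, its permissions are worth re-checking whenever
      the image is regenerated.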
698
    </para>
699
    <para>
700
      The only remaining weak point is that someone with physical
701
      access to the client hard drive might turn off the client
702
      computer, read the OpenPGP keys directly from the hard drive,
703
      and communicate with the server.  To safeguard against this, the
704
      server is supposed to notice the client disappearing and stop
705
      giving out the encrypted data.  Therefore, it is important to
706
      set the timeout and checker interval values tightly on the
707
      server.  See <citerefentry><refentrytitle
708
      >mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
709
    </para>
710
    <para>
148 by Teddy Hogeborn
* plugins.d/password-request.xml (OVERVIEW): Refer to
711
      It will also help if the checker program on the server is
712
      configured to request something from the client which can not be
713
      spoofed by someone else on the network, unlike unencrypted
714
      <acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.
715
    </para>
716
    <para>
717
      <emphasis>Note</emphasis>: Because the key is stored unencrypted in that image, it is completely insecure to
718
      have <application >Mandos</application> clients which dual-boot
719
      to another operating system which is <emphasis>not</emphasis>
720
      trusted to keep the initial <acronym>RAM</acronym> disk image
721
      confidential.
24.1.55 by Björn Påhlsson
updated some partial manual pages
722
    </para>
723
  </refsect1>
182 by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey".
724
  
24.1.55 by Björn Påhlsson
updated some partial manual pages
725
  <refsect1 id="see_also">
726
    <title>SEE ALSO</title>
114 by Teddy Hogeborn
* mandos-clients.conf.xml (SEE ALSO): Alphabetized, as per
727
    <para>
493 by Teddy Hogeborn
* Makefile (DOCS): Added "intro.8mandos".
728
      <citerefentry><refentrytitle>intro</refentrytitle>
729
      <manvolnum>8mandos</manvolnum></citerefentry>,
148 by Teddy Hogeborn
* plugins.d/password-request.xml (OVERVIEW): Refer to
730
      <citerefentry><refentrytitle>cryptsetup</refentrytitle>
731
      <manvolnum>8</manvolnum></citerefentry>,
732
      <citerefentry><refentrytitle>crypttab</refentrytitle>
733
      <manvolnum>5</manvolnum></citerefentry>,
114 by Teddy Hogeborn
* mandos-clients.conf.xml (SEE ALSO): Alphabetized, as per
734
      <citerefentry><refentrytitle>mandos</refentrytitle>
735
      <manvolnum>8</manvolnum></citerefentry>,
736
      <citerefentry><refentrytitle>password-prompt</refentrytitle>
737
      <manvolnum>8mandos</manvolnum></citerefentry>,
738
      <citerefentry><refentrytitle>plugin-runner</refentrytitle>
739
      <manvolnum>8mandos</manvolnum></citerefentry>
740
    </para>
148 by Teddy Hogeborn
* plugins.d/password-request.xml (OVERVIEW): Refer to
741
    <variablelist>
742
      <varlistentry>
743
	<term>
744
	  <ulink url="http://www.zeroconf.org/">Zeroconf</ulink>
745
	</term>
746
	<listitem>
747
	  <para>
748
	    Zeroconf is the network protocol standard used for finding
749
	    Mandos servers on the local network.
750
	  </para>
751
	</listitem>
752
      </varlistentry>
753
      <varlistentry>
754
	<term>
755
	  <ulink url="http://www.avahi.org/">Avahi</ulink>
756
	</term>
757
      <listitem>
758
	<para>
759
	  Avahi is the library this program calls to find Zeroconf
760
	  services.
761
	</para>
762
      </listitem>
763
      </varlistentry>
764
      <varlistentry>
765
	<term>
766
	  <ulink url="http://www.gnu.org/software/gnutls/"
767
	  >GnuTLS</ulink>
768
	</term>
769
      <listitem>
770
	<para>
771
	  GnuTLS is the library this client uses to implement TLS for
772
	  communicating securely with the server, and at the same time
773
	  send the public OpenPGP key to the server.
774
	</para>
775
      </listitem>
776
      </varlistentry>
777
      <varlistentry>
778
	<term>
779
	  <ulink url="http://www.gnupg.org/related_software/gpgme/"
780
		 >GPGME</ulink>
781
	</term>
782
	<listitem>
783
	  <para>
784
	    GPGME is the library used to decrypt the OpenPGP data sent
785
	    by the server.
786
	  </para>
787
	</listitem>
788
      </varlistentry>
789
      <varlistentry>
790
	<term>
791
	  RFC 4291: <citetitle>IP Version 6 Addressing
792
	  Architecture</citetitle>
793
	</term>
794
	<listitem>
795
	  <variablelist>
796
	    <varlistentry>
797
	      <term>Section 2.2: <citetitle>Text Representation of
798
	      Addresses</citetitle></term>
799
	      <listitem><para/></listitem>
800
	    </varlistentry>
801
	    <varlistentry>
802
	      <term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6
803
	      Address</citetitle></term>
804
	      <listitem><para/></listitem>
805
	    </varlistentry>
806
	    <varlistentry>
807
	    <term>Section 2.5.6: <citetitle>Link-Local IPv6 Unicast
808
	    Addresses</citetitle></term>
809
	    <listitem>
810
	      <para>
811
		This client uses IPv6 link-local addresses, which are
812
		immediately usable since a link-local address is
813
		automatically assigned to a network interface when it
814
		is brought up.
815
	      </para>
816
	    </listitem>
817
	    </varlistentry>
818
	  </variablelist>
819
	</listitem>
820
      </varlistentry>
821
      <varlistentry>
822
	<term>
823
	  RFC 4346: <citetitle>The Transport Layer Security (TLS)
824
	  Protocol Version 1.1</citetitle>
825
	</term>
826
      <listitem>
827
	<para>
828
	  TLS 1.1 is the protocol implemented by GnuTLS.
829
	</para>
830
      </listitem>
831
      </varlistentry>
832
      <varlistentry>
833
	<term>
834
	  RFC 4880: <citetitle>OpenPGP Message Format</citetitle>
835
	</term>
836
      <listitem>
837
	<para>
838
	  The data received from the server is binary encrypted
839
	  OpenPGP data.
840
	</para>
841
      </listitem>
842
      </varlistentry>
843
      <varlistentry>
844
	<term>
845
	  RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer
846
	  Security</citetitle>
847
	</term>
848
      <listitem>
849
	<para>
850
	  This is implemented by GnuTLS and used by this program so
851
	  that OpenPGP keys can be used.
852
	</para>
853
      </listitem>
854
      </varlistentry>
855
    </variablelist>
81 by Teddy Hogeborn
* Makefile (GNUTLS_CFLAGS, GNUTLS_LIBS, AVAHI_CFLAGS, AVAHI_LIBS,
856
  </refsect1>
24.1.23 by Björn Påhlsson
Added manual pages for:
857
</refentry>
182 by Teddy Hogeborn
* Makefile (install): Use "install-client-nokey".
858
111 by Teddy Hogeborn
* mandos-clients.conf.xml (ENTITY TIMESTAMP): New. Automatically
859
<!-- Local Variables: -->
860
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
861
<!-- time-stamp-end: "[\"']>" -->
862
<!-- time-stamp-format: "%:y-%02m-%02d" -->
863
<!-- End: -->