=== modified file 'TODO'
--- TODO	2008-08-18 05:57:11 +0000
+++ TODO	2008-08-20 03:22:45 +0000
@@ -83,7 +83,6 @@
    [[http://www.steve.org.uk/Reference/Unix/faq_4.html#SEC48][Unix Programming FAQ 3.1 How can I make my program not echo input?]]
 
 * mandos (server)
-** [#A] Config file man page: man5/mandos.conf (mandos.conf)
 ** [#A] Config file man page: man5/mandos-clients.conf (clients.conf)
 ** [#A] /etc/init.d/mandos-server		:teddy:
 ** [#B] Log level				:bugs:

=== modified file 'clients.conf'
--- clients.conf	2008-08-10 20:35:01 +0000
+++ clients.conf	2008-08-20 03:22:45 +0000
@@ -9,7 +9,7 @@
 # How often to run the checker to confirm that a client is still up.
 # Note: a new checker will not be started if an old one is still
 # running.  The server will wait for a checker to complete until the
-# "timeout" above occurs, at which time the client will be marked
+# above "timeout" occurs, at which time the client will be marked
 # invalid, and any running checker killed.
 ;interval = 5m
 

=== modified file 'mandos'
--- mandos	2008-08-18 23:55:28 +0000
+++ mandos	2008-08-20 03:22:45 +0000
@@ -563,25 +563,30 @@
     datetime.timedelta(1)
     >>> string_to_delta(u'1w')
     datetime.timedelta(7)
+    >>> string_to_delta('5m 30s')
+    datetime.timedelta(0, 330)
     """
-    try:
-        suffix=unicode(interval[-1])
-        value=int(interval[:-1])
-        if suffix == u"d":
-            delta = datetime.timedelta(value)
-        elif suffix == u"s":
-            delta = datetime.timedelta(0, value)
-        elif suffix == u"m":
-            delta = datetime.timedelta(0, 0, 0, 0, value)
-        elif suffix == u"h":
-            delta = datetime.timedelta(0, 0, 0, 0, 0, value)
-        elif suffix == u"w":
-            delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
-        else:
+    timevalue = datetime.timedelta(0)
+    for s in interval.split():
+        try:
+            suffix=unicode(s[-1])
+            value=int(s[:-1])
+            if suffix == u"d":
+                delta = datetime.timedelta(value)
+            elif suffix == u"s":
+                delta = datetime.timedelta(0, value)
+            elif suffix == u"m":
+                delta = datetime.timedelta(0, 0, 0, 0, value)
+            elif suffix == u"h":
+                delta = datetime.timedelta(0, 0, 0, 0, 0, value)
+            elif suffix == u"w":
+                delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
+            else:
+                raise ValueError
+        except (ValueError, IndexError):
             raise ValueError
-    except (ValueError, IndexError):
-        raise ValueError
-    return delta
+        timevalue += delta
+    return timevalue
 
 
 def server_state_changed(state):
@@ -733,6 +738,7 @@
     client_defaults = { "timeout": "1h",
                         "interval": "5m",
                         "checker": "fping -q -- %%(host)s",
+                        "host": "",
                         }
     client_config = ConfigParser.SafeConfigParser(client_defaults)
     client_config.read(os.path.join(server_settings["configdir"],

=== modified file 'mandos-clients.conf.xml'
--- mandos-clients.conf.xml	2008-08-09 01:39:09 +0000
+++ mandos-clients.conf.xml	2008-08-20 03:22:45 +0000
@@ -1,6 +1,4 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<?xml-stylesheet type="text/xsl"
-	href="http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
 	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
 <!ENTITY VERSION "1.0">
@@ -11,7 +9,7 @@
 <refentry>
   <refentryinfo>
     <title>&CONFNAME;</title>
-    <!-- NWalsh's docbook scripts use this to generate the footer: -->
+    <!-- NWalsh’s docbook scripts use this to generate the footer: -->
     <productname>&CONFNAME;</productname>
     <productnumber>&VERSION;</productnumber>
     <authorgroup>
@@ -32,7 +30,8 @@
     </authorgroup>
     <copyright>
       <year>2008</year>
-      <holder>Teddy Hogeborn &amp; Björn Påhlsson</holder>
+      <holder>Teddy Hogeborn</holder>
+      <holder>Björn Påhlsson</holder>
     </copyright>
     <legalnotice>
       <para>
@@ -67,7 +66,7 @@
   <refnamediv>
     <refname><filename>&CONFNAME;</filename></refname>
     <refpurpose>
-      Configuration file for Mandos clients
+      Configuration file for the Mandos server
     </refpurpose>
   </refnamediv>
 
@@ -80,42 +79,85 @@
   <refsect1 id="description">
     <title>DESCRIPTION</title>
     <para>
-      The file &CONFPATH; is the configuration file for mandos where
-      each client that will be abel to use the service need to be
-      specified. The configuration file is looked on at the startup of
-      the service, so to reenable timedout clients one need to only
-      restart the server. The format starts with a section under []
-      which is eather <literal>[DEFAULT]</literal> or a client
-      name. Values is set through the use of VAR = VALUE pair. Values
-      may not be empty.
+      The file &CONFPATH; is the configuration file for <citerefentry
+      ><refentrytitle>mandos</refentrytitle>
+      <manvolnum>8</manvolnum></citerefentry>, read by it at startup,
+      where each client that will be able to use the service needs to
+      be listed.  All clients listed will be regarded as valid, even
+      if a client was declared invalid in a previous run of the
+      server.
+    </para>
+    <para>
+      The format starts with a section under [] which is either
+      <literal>[DEFAULT]</literal> or <literal>[<replaceable>client
+      name</replaceable>]</literal>.  Following the section is any
+      number of <quote><varname><replaceable>option</replaceable
+      ></varname>=<replaceable>value</replaceable></quote> entries,
+      with continuations in the style of RFC 822.  <quote><varname
+      ><replaceable>option</replaceable></varname>: <replaceable
+      >value</replaceable></quote> is also accepted.  Note that
+      leading whitespace is removed from values.  Values can contain
+      format strings which refer to other values in the same section,
+      or values in the <quote>DEFAULT</quote> section.  Lines
+      beginning with <quote>#</quote> or <quote>;</quote> are ignored
+      and may be used to provide comments.
     </para>
   </refsect1>
-
-  <refsect1 id="default">
-    <title>DEFAULTS</title>
+  
+  <refsect1 id="options">
+    <title>OPTIONS</title>
     <para>
-      The paramters for <literal>[DEFAULT]</literal> are:
+      The possible options are:
     </para>
 
     <variablelist>
-      
+
       <varlistentry>
-	<term><literal>timeout</literal></term>
+	<term><literal><varname>timeout</varname></literal></term>
 	<listitem>
-	  <para>
-	    This option allows you to override the default timeout
-	    that clients will get. By default mandos will use 1hr.
+	  <synopsis><literal>timeout = </literal><replaceable
+	  >TIME</replaceable>
+	  </synopsis>
+	  <para>
+	    The timeout is how long the server will wait for a
+	    successful checker run until a client is considered
+	    invalid - that is, ineligible to get the data this server
+	    holds.  By default Mandos will use 1 hour.
+	  </para>
+	  <para>
+	    The <replaceable>TIME</replaceable> is specified as a
+	    space-separated number of values, each of which is a
+	    number and a one-character suffix.  The suffix must be one
+	    of <quote>d</quote>, <quote>s</quote>, <quote>m</quote>,
+	    <quote>h</quote>, and <quote>w</quote> for days, seconds,
+	    minutes, hours, and weeks, respectively.  The values are
+	    added together to give the total time value, so all of
+	    <quote><literal>330s</literal></quote>,
+	    <quote><literal>110s 110s 110s</literal></quote>, and
+	    <quote><literal>5m 30s</literal></quote> will give a value
+	    of five minutes and thirty seconds.
 	  </para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
-	<term><literal>interval</literal></term>
+	<term><literal><varname>interval</varname></literal></term>
 	<listitem>
-	  <para>
-	    This option allows you to override the default interval
-	    used between checkups for disconnected clients. By default
-	    mandos will use 5m.
+	  <synopsis><literal>interval = </literal><replaceable
+	  >TIME</replaceable>
+	  </synopsis>
+	  <para>
+	    How often to run the checker to confirm that a client is
+	    still up.  <emphasis>Note:</emphasis> a new checker will
+	    not be started if an old one is still running.  The server
+	    will wait for a checker to complete until the above
+	    <quote><varname>timeout</varname></quote> occurs, at which
+	    time the client will be marked invalid, and any running
+	    checker killed.  The default interval is 5 minutes.
+	  </para>
+	  <para>
+	    The format of <replaceable>TIME</replaceable> is the same
+	    as for <varname>timeout</varname> above.
 	  </para>
 	</listitem>
       </varlistentry>      
@@ -131,17 +173,6 @@
 	</listitem>
       </varlistentry>
       
-    </variablelist>
-  </refsect1>
-
-  <refsect1 id="clients">
-    <title>CLIENTS</title>
-    <para>
-      The paramters for clients are:
-    </para>
-
-    <variablelist>
-      
       <varlistentry>
 	<term><literal>fingerprint</literal></term>
 	<listitem>
@@ -204,9 +235,83 @@
       
     </variablelist>
   </refsect1>  
+  
+  <refsect1 id="expansion">
+    <title>EXPANSION</title>
+    <para>
+      There are two forms of expansion: Start time expansion and
+      runtime expansion.
+    </para>
+    <refsect2>
+      <title>START TIME EXPANSION</title>
+      <para>
+	Any string in an option value of the form
+	<quote><literal>%(<replaceable>foo</replaceable>)s</literal
+	></quote> will be replaced by the value of the option
+	<varname>foo</varname> either in the same section, or, if it
+	does not exist there, the <literal>[DEFAULT]</literal>
+	section.  This is done at start time, when the configuration
+	file is read.
+      </para>
+      <para>
+	Note that this means that, in order to include an actual
+	percent character (<quote>%</quote>) in an option value, two
+	percent characters in a row (<quote>%%</quote>) must be
+	entered.
+      </para>
+    </refsect2>
+    <refsect2>
+      <title>RUNTIME EXPANSION</title>
+      <para>
+	This is currently only done for the <varname>checker</varname>
+	option.
+      </para>
+      <para>
+	Any string in an option value of the form
+	<quote><literal>%%(<replaceable>foo</replaceable>)s</literal
+	></quote> will be replaced by the value of the attribute
+	<varname>foo</varname> of the internal
+	<quote><classname>Client</classname></quote> object.  See the
+	source code for details, and let the authors know of any
+	attributes that are useful so they may be preserved to any new
+	versions of this software.
+      </para>
+      <para>
+	Note that this means that, in order to include an actual
+	percent character (<quote>%</quote>) in a
+	<varname>checker</varname> options, <emphasis>four</emphasis>
+	percent characters in a row (<quote>%%%%</quote>) must be
+	entered.  Also, a bad format here will lead to an immediate
+	but <emphasis>silent</emphasis> run-time fatal exit; debug
+	mode is needed to track down an error of this kind.
+      </para>
+    </refsect2>
 
-  <refsect1 id="examples">
-    <title>EXAMPLES</title>
+  </refsect1>  
+  
+  <refsect1 id="files">
+    <title>FILES</title>
+    <para>
+      The file described here is &CONFPATH;
+    </para>
+  </refsect1>
+  
+  <refsect1 id="bugs">
+    <title>BUGS</title>
+    <para>
+      The format for specifying times for <varname>timeout</varname>
+      and <varname>interval</varname> is not very good.
+    </para>
+    <para>
+      The difference between
+      <literal>%%(<replaceable>foo</replaceable>)s</literal> and
+      <literal>%(<replaceable>foo</replaceable>)s</literal> is
+      obscure.
+    </para>
+  </refsect1>
+  
+  <refsect1 id="example">
+    <title>EXAMPLE</title>
     <informalexample>
       <programlisting>
 [DEFAULT]
@@ -214,9 +319,9 @@
 interval = 5m
 checker = fping -q -- %%(host)s
 
-[example_client]
+# Client "foo"
+[foo]
 fingerprint =  7788 2722 5BA7 DE53 9C5A  7CFA 59CF F7CD BD9A 5920
-
 secret =
         hQIOA6QdEjBs2L/HEAf/TCyrDe5Xnm9esa+Pb/vWF9CUqfn4srzVgSu234
         REJMVv7lBSrPE2132Lmd2gqF1HeLKDJRSVxJpt6xoWOChGHg+TMyXDxK+N
@@ -234,17 +339,16 @@
         4T2zw4dxS5NswXWU0sVEXxjs6PYxuIiCTL7vdpx8QjBkrPWDrAbcMyBr2O
         QlnHIvPzEArRQLo=
         =iHhv
-
-host = localhost
+host = foo.example.org
 interval = 5m
+
+# Client "bar"
+[bar]
+fingerprint = 3e393aeaefb84c7e89e2f547b3a107558fca3a27
+secfile = /etc/mandos/bar-secret.txt.asc
+
       </programlisting>
     </informalexample>
   </refsect1>  
-  
-  <refsect1 id="files">
-    <title>FILES</title>
-    <para>
-      The file described here is &CONFPATH;
-    </para>
-  </refsect1>
+
 </refentry>

=== modified file 'mandos.conf.xml'
--- mandos.conf.xml	2008-08-20 00:35:41 +0000
+++ mandos.conf.xml	2008-08-20 03:22:45 +0000
@@ -4,7 +4,6 @@
 <!ENTITY VERSION "1.0">
 <!ENTITY CONFNAME "mandos.conf">
 <!ENTITY CONFPATH "<filename>/etc/mandos/mandos.conf</filename>">
-<!ENTITY OVERVIEW SYSTEM "overview.xml">
 ]>
 
 <refentry xmlns:xi="http://www.w3.org/2001/XInclude">
@@ -83,16 +82,16 @@
       The file &CONFPATH; is a simple configuration file for
       <citerefentry><refentrytitle>mandos</refentrytitle>
       <manvolnum>8</manvolnum></citerefentry>, and is read by it at
-      startup.  The configuration file starts with
-      <quote><literal>[DEFAULT]</literal></quote> on a line by itself,
-      followed by any number of
-      <quote><varname><replaceable>option</replaceable></varname>=<replaceable>value</replaceable></quote>
-      entries, with continuations in the style of RFC 822.
-      <quote><varname><replaceable>option</replaceable></varname>:
-      <replaceable>value</replaceable></quote> is also accepted.  Note
-      that leading whitespace is removed from values.  Lines beginning
-      with <quote>#</quote> or <quote>;</quote> are ignored and may be
-      used to provide comments.
+      startup.  The configuration file starts with <quote><literal
+      >[DEFAULT]</literal></quote> on a line by itself, followed by
+      any number of <quote><varname><replaceable>option</replaceable
+      ></varname>=<replaceable>value</replaceable></quote> entries,
+      with continuations in the style of RFC 822.  <quote><varname
+      ><replaceable>option</replaceable></varname>: <replaceable
+      >value</replaceable></quote> is also accepted.  Note that
+      leading whitespace is removed from values.  Lines beginning with
+      <quote>#</quote> or <quote>;</quote> are ignored and may be used
+      to provide comments.
     </para>
 
   </refsect1>