=== modified file 'TODO'
--- TODO 2008-08-20 03:22:45 +0000
+++ TODO 2008-08-22 00:16:20 +0000
@@ -84,6 +84,7 @@
* mandos (server)
** [#A] Config file man page: man5/mandos-clients.conf (clients.conf)
+*** For option "secret", document which program can help generate it.
** [#A] /etc/init.d/mandos-server :teddy:
** [#B] Log level :bugs:
** /etc/mandos/clients.d/*.conf
=== modified file 'clients.conf'
--- clients.conf 2008-08-20 03:22:45 +0000
+++ clients.conf 2008-08-22 00:16:20 +0000
@@ -14,7 +14,7 @@
;interval = 5m
# What command to run as "the checker".
-;checker = fping -q -- %%(host)s
+;checker = fping -q -- %(host)s
;####
=== modified file 'mandos'
--- mandos 2008-08-20 03:22:45 +0000
+++ mandos 2008-08-22 00:16:20 +0000
@@ -337,13 +337,17 @@
try:
logger.info(u"Starting checker %r for %s",
command, self.name)
+ # We don't need to redirect stdout and stderr, since
+ # in normal mode, that is already done by daemon(),
+ # and in debug mode we don't want to. (Stdin is
+ # always replaced by /dev/null.)
self.checker = subprocess.Popen(command,
close_fds=True,
shell=True, cwd="/")
self.checker_callback_tag = gobject.child_watch_add\
(self.checker.pid,
self.checker_callback)
- except subprocess.OSError, error:
+ except OSError, error:
logger.error(u"Failed to start subprocess: %s",
error)
# Re-run this periodically if run by gobject.timeout_add
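Review bot: The `subprocess.Popen(command, close_fds=True, shell=True, cwd="/")` call hands the checker to `/bin/sh`, so anything substituted into it — the `%(host)s` runtime expansion this commit documents elsewhere — is parsed by the shell, and a `host` value containing metacharacters would be executed rather than pinged. Since clients.conf is written by the administrator this is hardening rather than an open injection hole, but the expansion site is outside this hunk, so I would at least add above the Popen call `# NOTE: runs via /bin/sh; substituted values such as %(host)s must be shell-safe (quote at the expansion site).` The new comment also states that stdin is always /dev/null, yet the Popen call sets no `stdin` itself and relies on fd 0 having been redirected by the daemon/debug setup elsewhere; passing `stdin=open(os.devnull)` here would make the checker independent of that. The enclosing method (apparently the checker starter, judging by the log message) begins before and ends after this hunk.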
@@ -737,7 +741,7 @@
# Parse config file with clients
client_defaults = { "timeout": "1h",
"interval": "5m",
- "checker": "fping -q -- %%(host)s",
+ "checker": "fping -q -- %(host)s",
"host": "",
}
client_config = ConfigParser.SafeConfigParser(client_defaults)
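Review bot: With the default checker now `fping -q -- %(host)s` and `"host": ""` in the same defaults dict, a client section that omits `host` gets its checker interpolated by SafeConfigParser at start time to `fping -q -- ` with no target, so the check result for that client is meaningless rather than an obvious configuration error. Unless validation happens outside this hunk, I would reject or warn on an empty `host` when the default checker is in use, e.g. `if not client_config.get(section, "host"): logger.warning(u"Client %s has no host; default checker will not work", section)` after the sections are read. The surrounding config-loading code continues past this hunk.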
@@ -778,8 +782,16 @@
logger.critical(u"No clients defined")
sys.exit(1)
- if not debug:
+ if debug:
+ # Redirect stdin so all checkers get /dev/null
+ null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
+ os.dup2(null, sys.stdin.fileno())
+ if null > 2:
+ os.close(null)
+ else:
+ # No console logging
logger.removeHandler(console)
+ # Close all input and output, do double fork, etc.
daemon()
pidfilename = "/var/run/mandos/mandos.pid"
=== modified file 'mandos-clients.conf.xml'
--- mandos-clients.conf.xml 2008-08-20 03:22:45 +0000
+++ mandos-clients.conf.xml 2008-08-22 00:16:20 +0000
@@ -88,19 +88,23 @@
server.
- The format starts with a section under [] which is either
+ The format starts with a [section
+ header] which is either
[DEFAULT] or [client
- name]. Following the section is any
- number of option]. The client
+ name can be anything, and is not tied to a host
+ name. Following the section header is any number of
+ option=value entries,
with continuations in the style of RFC 822. option: value is also accepted. Note that
leading whitespace is removed from values. Values can contain
format strings which refer to other values in the same section,
- or values in the DEFAULT section. Lines
- beginning with # or ; are ignored
- and may be used to provide comments.
+ or values in the DEFAULT section (see ). Lines beginning with #
+ or ; are ignored and may be used to provide
+ comments.
@@ -165,10 +169,24 @@
checker
+ checker = COMMAND
+
This option allows you to override the default shell
- command that the server will use to check up if the client
- is still up. By default mandos will "fping -q -- %%(host)s"
+ command that the server will use to check if the client is
+ still up. The output of the command will be ignored, only
+ the exit code is checked. The command will be run using
+ /bin/sh
+ . The default
+ command is fping
+
+ %(host)s.
+
+
+ In addition to normal start time expansion, this option
+ will also be subject to runtime expansion; see .
@@ -176,10 +194,14 @@
fingerprint
+ fingerprint = HEXSTRING
+
- This option sets the openpgp fingerprint that identifies
- the public certificate that clients authenticates themself
- through gnutls. The string need to be in hex-decimal form.
+ This option sets the OpenPGP fingerprint that identifies
+ the public key that clients authenticate themselves with
+ through TLS. The string needs to be in hexidecimal form,
+ but spaces or upper/lower case are not significant.
@@ -187,9 +209,25 @@
secret
-
- Base 64 encoded OpenPGP encrypted password encrypted by
- the clients openpgp certificate.
+ secret = BASE64_ENCODED_DATA
+
+
+ If present, this option must be set to a string of
+ base64-encoded binary data. It will be decoded and sent
+ to the client matching the above
+ . This should, of course, be
+ OpenPGP encrypted data, decryptable only by the client.
+
+
+
+
+
+
+ Note: this value of this option will probably run over
+ many lines, and will then have to use the fact that a line
+ beginning with white space adds to the value of the
+ previous line, RFC 822-style.
@@ -242,7 +280,7 @@
There are two forms of expansion: Start time expansion and
runtime expansion.
-
+ START TIME EXPANSION
Any string in an option value of the form
@@ -260,7 +298,7 @@
entered.
-
+ RUNTIME EXPANSION
This is currently only done for the checker
@@ -317,7 +355,7 @@
[DEFAULT]
timeout = 1h
interval = 5m
-checker = fping -q -- %%(host)s
+checker = fping -q -- %(host)s
# Client "foo"
[foo]
=== modified file 'mandos-keygen'
--- mandos-keygen 2008-08-18 05:24:20 +0000
+++ mandos-keygen 2008-08-22 00:16:20 +0000
@@ -142,7 +142,12 @@
PUBRING="`mktemp -t mandos-gpg-pubring.XXXXXXXXXX`"
# Remove temporary files on exit
-trap "rm --force $PUBRING $BATCHFILE; shred --remove $SECRING" EXIT
+trap "
+set +e
+rm --force $PUBRING $BATCHFILE;
+shred --remove $SECRING;
+stty echo
+" EXIT
# Create batch file for GnuPG
cat >"$BATCHFILE" <
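Review bot: The new trap body removes `$BATCHFILE` with `rm --force` while only `$SECRING` gets `shred --remove`; if the GnuPG batch file written just below carries a `Passphrase:` line (its contents are cut off at the end of this hunk, so I cannot confirm), it holds material as sensitive as the secret keyring and should be shredded the same way, `shred --remove "$BATCHFILE"`. The unconditional `stty echo` will print an "Inappropriate ioctl" error whenever the script runs without a terminal on stdin; `stty echo 2>/dev/null` (or a `[ -t 0 ]` guard) keeps the cleanup quiet, and `set +e` already ensures a failure there does not skip the remaining commands. Note too that the trap is installed only after `PUBRING` is created on the previous line, so an interrupt between `mktemp` and `trap` leaves that file behind, and that `shred` only reliably overwrites on filesystems that rewrite in place — a `# NOTE:` to that effect would help future readers.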