/mandos/trunk : revision 106

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-clients.conf.xml

Committer: Teddy Hogeborn
Date: 2008-08-25 07:52:35 UTC
Revision ID: teddy@fukt.bsnet.se-20080825075235-gq338t4ywhqhire8

* mandos-clients.conf.xml (DESCRIPTION): Do not imply that this is the
                                         only configuration file of
                                         mandos(8).
  (OPTIONS): Note that unknown options are ignored.  When describing
             "checker", be more specific about exit codes, and refer
             to PATH.  When describing "secret", refer to
             mandos-keygen(8), and note the relationship with
             "secfile".  Added synopsis to "secfile", and note
             relationship with "secret".  Added synopsis and more text
             to "host".
  (EXAMPLE): Remove Radix-64 checksum from "secret" option value.
  (SEE ALSO): New section, refer to mandos(8), mandos-keygen(8), and
              mandos.conf(5).

files modified:
TODO

mandos-clients.conf.xml

Show diffs side-by-side

added added

removed removed

mandos-clients.conf.xml

<title>DESCRIPTION</title>

<para>

The file &CONFPATH; is the configuration file for <citerefentry

The file &CONFPATH; is a configuration file for <citerefentry

><refentrytitle>mandos</refentrytitle>

<manvolnum>8</manvolnum></citerefentry>, read by it at startup,

where each client that will be able to use the service needs to

be listed. All clients listed will be regarded as valid, even

<manvolnum>8</manvolnum></citerefentry>, read by it at startup.

The file needs to list all clients that should be able to use

the service. All clients listed will be regarded as valid, even

if a client was declared invalid in a previous run of the

server.

</para>

111

112

<title>OPTIONS</title>

113

<para>

114

The possible options are:

114

<emphasis>Note:</emphasis> all option values are subject to

115

start time expansion, see <xref linkend="expansion"/>.

116

</para>

117

<para>

118

Uknown options are ignored. The used options are as follows:

115

119

</para>

116

120

117

121

175

179

<para>

176

180

This option allows you to override the default shell

177

181

command that the server will use to check if the client is

178

still up. The output of the command will be ignored, only

179

the exit code is checked. The command will be run using

180

181

<option>-c</option></command></quote>. The default

182

command is <quote><literal><command>fping</command>

183

184

%(host)s</literal></quote>.

182

still up. Any output of the command will be ignored, only

183

the exit code is checked: If the exit code of the command

184

is zero, the client is considered up. The command will be

185

run using <quote><command><filename>/bin/sh</filename>

186

<option>-c</option></command></quote>, so

187

<varname>PATH</varname> will be searched. The default

188

value for the checker command is <quote><literal

189

><command>fping</command> <option>-q</option> <option

190

>--</option> %(host)s</literal></quote>.

185

191

</para>

186

192

<para>

187

193

In addition to normal start time expansion, this option

218

224

to the client matching the above

219

225

<option>fingerprint</option>. This should, of course, be

220

226

OpenPGP encrypted data, decryptable only by the client.

221

222

223

224

225

</para>

226

<para>

227

Note: this value of this option will probably run over

228

many lines, and will then have to use the fact that a line

229

beginning with white space adds to the value of the

230

previous line, RFC 822-style.

227

The program <citerefentry><refentrytitle><command

228

>mandos-keygen</command></refentrytitle><manvolnum

229

>8</manvolnum></citerefentry> can, using its

230

<option>--password</option> option, be used to generate

231

this, if desired.

232

</para>

233

<para>

234

Note: this value of this option will probably be very

235

long. A useful feature to avoid having unreadably-long

236

lines is that a line beginning with white space adds to

237

the value of the previous line, RFC 822-style.

238

</para>

239

<para>

240

If this option is not specified, the <option

241

>secfile</option> option is used instead, but one of them

242

<emphasis>must</emphasis> be present.

231

243

</para>

232

244

</listitem>

233

245

</varlistentry>

235

247

236

248

<term><literal>secfile</literal></term>

237

249

238

<para>

239

Base 64 encoded OpenPGP encrypted password encrypted by

240

the clients openpgp certificate as a binary file.

250

<synopsis><literal>secfile = </literal><replaceable

251

>FILENAME</replaceable>

252

</synopsis>

253

<para>

254

The same as <option>secret</option>, but the secret data

255

is in an external file. The contents of the file should

256

<emphasis>not</emphasis> be base64-encoded, but will be

257

sent to clients verbatim.

258

</para>

259

<para>

260

This option is only used, and <emphasis>must</emphasis> be

261

present, if <option>secret</option> is not specified.

241

262

</para>

242

263

</listitem>

243

264

</varlistentry>

245

266

246

267

247

268

269

<synopsis><literal>host = </literal><replaceable

270

>STRING</replaceable>

271

</synopsis>

248

272

<para>

249

Host name that can be used in for checking that the client is up.

273

Host name for this client. This is not used by the server

274

directly, but can be, and is by default, used by the

275

checker. See the <option>checker</option> option.

250

276

</para>

251

277

</listitem>

252

278

</varlistentry>

253

254

255

<term><literal>checker</literal></term>

256

257

<para>

258

Shell command that the server will use to check up if a

259

client is still up.

260

</para>

261

</listitem>

262

</varlistentry>

263

264

265

<term><literal>timeout</literal></term>

266

267

<para>

268

Duration that a client can be down whitout be removed from

269

the client list.

270

</para>

271

</listitem>

272

</varlistentry>

273

279

274

280

</variablelist>

275

281

</refsect1>

317

323

<para>

318

324

Note that this means that, in order to include an actual

319

325

percent character (<quote>%</quote>) in a

320

<varname>checker</varname> options, <emphasis>four</emphasis>

326

<varname>checker</varname> option, <emphasis>four</emphasis>

321

327

percent characters in a row (<quote>%%%%</quote>) must be

322

328

entered. Also, a bad format here will lead to an immediate

323

329

but <emphasis>silent</emphasis> run-time fatal exit; debug

376

382

5MHdW9AYsNJZAQSOpirE4Xi31CSlWAi9KV+cUCmWF5zOFy1x23P6PjdaRm

377

383

4T2zw4dxS5NswXWU0sVEXxjs6PYxuIiCTL7vdpx8QjBkrPWDrAbcMyBr2O

378

384

QlnHIvPzEArRQLo=

379

=iHhv

380

385

host = foo.example.org

381

interval = 5m

386

interval = 1m

382

387

383

388

# Client "bar"

384

389

[bar]

385

390

fingerprint = 3e393aeaefb84c7e89e2f547b3a107558fca3a27

386

secfile = /etc/mandos/bar-secret.txt.asc

391

secfile = /etc/mandos/bar-secret

392

timeout = 15m

387

393

388

394

</programlisting>

389

395

</informalexample>

390

396

</refsect1>

391

397

398

399

400

<para>

401

402

<refentrytitle>mandos</refentrytitle>

403

404

<refentrytitle>mandos-keygen</refentrytitle>

405

406

<refentrytitle>mandos.conf</refentrytitle>

407

408

</para>

409

</refsect1>

392

410

</refentry>

Older »