/mandos/trunk : revision 109

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-clients.conf.xml

Committer: Teddy Hogeborn
Date: 2008-08-27 01:18:25 UTC
Revision ID: teddy@fukt.bsnet.se-20080827011825-ka3ni6xvy2ehi1y8

* .bzrignore: New.

* clients.conf ([foo]): Remove Radix-64 checksum.

* mandos (AvahiService.rename, server_state_changed,
          entry_group_state_changed): Make Avahi log messages more
                                      clear that they are about
                                      Zeroconf.
  (fingerprint): Use plain "0" instead of "ctypes.c_uint(0)".

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-clients.conf.xml

<?xml version="1.0" encoding="UTF-8"?>

<?xml version='1.0' encoding='UTF-8'?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY CONFNAME "mandos-clients.conf">

<!ENTITY CONFPATH "<filename>/etc/mandos/clients.conf</filename>">

<!ENTITY TIMESTAMP "2010-09-26">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<title>&CONFNAME;</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<productname>&CONFNAME;</productname>

<productnumber>&VERSION;</productnumber>

<firstname>Björn</firstname>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

</refentryinfo>

<refentrytitle>&CONFNAME;</refentrytitle>

Configuration file for the Mandos server

</refpurpose>

</refnamediv>

<synopsis>&CONFPATH;</synopsis>

&CONFPATH;

</synopsis>

</refsynopsisdiv>

<title>DESCRIPTION</title>

<para>

><refentrytitle>mandos</refentrytitle>

<manvolnum>8</manvolnum></citerefentry>, read by it at startup.

The file needs to list all clients that should be able to use

the service. All clients listed will be regarded as enabled,

even if a client was disabled in a previous run of the server.

the service. All clients listed will be regarded as valid, even

if a client was declared invalid in a previous run of the

server.

</para>

<para>

The format starts with a <literal>[<replaceable>section

115

start time expansion, see <xref linkend="expansion"/>.

116

</para>

117

<para>

Unknown options are ignored. The used options are as follows:

118

Uknown options are ignored. The used options are as follows:

119

</para>

100

120

101

121

102

103

104

<term><option>approval_delay<literal> = </literal><replaceable

105

>TIME</replaceable></option></term>

106

107

<para>

108

This option is <emphasis>optional</emphasis>.

109

</para>

110

<para>

111

How long to wait for external approval before resorting to

112

use the <option>approved_by_default</option> value. The

113

default is <quote>0s</quote>, i.e. not to wait.

114

</para>

115

<para>

116

The format of <replaceable>TIME</replaceable> is the same

117

as for <varname>timeout</varname> below.

118

</para>

119

</listitem>

120

</varlistentry>

121

122

123

<term><option>approval_duration<literal> = </literal

124

><replaceable>TIME</replaceable></option></term>

125

126

<para>

127

This option is <emphasis>optional</emphasis>.

128

</para>

129

<para>

130

How long an external approval lasts. The default is 1

131

second.

132

</para>

133

<para>

134

The format of <replaceable>TIME</replaceable> is the same

135

as for <varname>timeout</varname> below.

136

</para>

137

</listitem>

138

</varlistentry>

139

140

141

<term><option>approved_by_default<literal> = </literal

142

>{ <literal >1</literal> | <literal>yes</literal> | <literal

143

>true</literal> | <literal>on</literal> | <literal

144

>0</literal> | <literal>no</literal> | <literal

145

>false</literal> | <literal>off</literal> }</option></term>

146

147

<para>

148

Whether to approve a client by default after

149

the <option>approval_delay</option>. The default

150

is <quote>True</quote>.

151

</para>

152

</listitem>

153

</varlistentry>

154

155

156

<term><option>checker<literal> = </literal><replaceable

157

>COMMAND</replaceable></option></term>

158

159

<para>

160

This option is <emphasis>optional</emphasis>.

161

</para>

122

123

124

<term><literal><varname>timeout</varname></literal></term>

125

126

<synopsis><literal>timeout = </literal><replaceable

127

>TIME</replaceable>

128

</synopsis>

129

<para>

130

The timeout is how long the server will wait for a

131

successful checker run until a client is considered

132

invalid - that is, ineligible to get the data this server

133

holds. By default Mandos will use 1 hour.

134

</para>

135

<para>

136

The <replaceable>TIME</replaceable> is specified as a

137

space-separated number of values, each of which is a

138

number and a one-character suffix. The suffix must be one

139

of <quote>d</quote>, <quote>s</quote>, <quote>m</quote>,

140

<quote>h</quote>, and <quote>w</quote> for days, seconds,

141

minutes, hours, and weeks, respectively. The values are

142

added together to give the total time value, so all of

143

<quote><literal>330s</literal></quote>,

144

<quote><literal>110s 110s 110s</literal></quote>, and

145

<quote><literal>5m 30s</literal></quote> will give a value

146

of five minutes and thirty seconds.

147

</para>

148

</listitem>

149

</varlistentry>

150

151

152

<term><literal><varname>interval</varname></literal></term>

153

154

<synopsis><literal>interval = </literal><replaceable

155

>TIME</replaceable>

156

</synopsis>

157

<para>

158

How often to run the checker to confirm that a client is

159

still up. <emphasis>Note:</emphasis> a new checker will

160

not be started if an old one is still running. The server

161

will wait for a checker to complete until the above

162

<quote><varname>timeout</varname></quote> occurs, at which

163

time the client will be marked invalid, and any running

164

checker killed. The default interval is 5 minutes.

165

</para>

166

<para>

167

The format of <replaceable>TIME</replaceable> is the same

168

as for <varname>timeout</varname> above.

169

</para>

170

</listitem>

171

</varlistentry>

172

173

174

<term><literal>checker</literal></term>

175

176

<synopsis><literal>checker = </literal><replaceable

177

>COMMAND</replaceable>

178

</synopsis>

162

179

<para>

163

180

This option allows you to override the default shell

164

181

command that the server will use to check if the client is

170

187

<varname>PATH</varname> will be searched. The default

171

188

value for the checker command is <quote><literal

172

189

><command>fping</command> <option>-q</option> <option

173

>--</option> %%(host)s</literal></quote>.

190

>--</option> %(host)s</literal></quote>.

174

191

</para>

175

192

<para>

176

193

In addition to normal start time expansion, this option

181

198

</varlistentry>

182

199

183

200

184

<term><option>fingerprint<literal> = </literal

185

><replaceable>HEXSTRING</replaceable></option></term>

201

<term><literal>fingerprint</literal></term>

186

202

187

<para>

188

This option is <emphasis>required</emphasis>.

189

</para>

203

<synopsis><literal>fingerprint = </literal><replaceable

204

>HEXSTRING</replaceable>

205

</synopsis>

190

206

<para>

191

207

This option sets the OpenPGP fingerprint that identifies

192

208

the public key that clients authenticate themselves with

197

213

</varlistentry>

198

214

199

215

200

<term><option><literal>host = </literal><replaceable

201

>STRING</replaceable></option></term>

202

203

<para>

204

This option is <emphasis>optional</emphasis>, but highly

205

<emphasis>recommended</emphasis> unless the

206

<option>checker</option> option is modified to a

207

non-standard value without <quote>%%(host)s</quote> in it.

208

</para>

209

<para>

210

Host name for this client. This is not used by the server

211

directly, but can be, and is by default, used by the

212

checker. See the <option>checker</option> option.

213

</para>

214

</listitem>

215

</varlistentry>

216

217

218

<term><option>interval<literal> = </literal><replaceable

219

>TIME</replaceable></option></term>

220

221

<para>

222

This option is <emphasis>optional</emphasis>.

223

</para>

224

<para>

225

How often to run the checker to confirm that a client is

226

still up. <emphasis>Note:</emphasis> a new checker will

227

not be started if an old one is still running. The server

228

will wait for a checker to complete until the below

229

<quote><varname>timeout</varname></quote> occurs, at which

230

time the client will be disabled, and any running checker

231

killed. The default interval is 5 minutes.

232

</para>

233

<para>

234

The format of <replaceable>TIME</replaceable> is the same

235

as for <varname>timeout</varname> below.

236

</para>

237

</listitem>

238

</varlistentry>

239

240

241

<term><option>secfile<literal> = </literal><replaceable

242

>FILENAME</replaceable></option></term>

243

244

<para>

245

This option is only used if <option>secret</option> is not

246

specified, in which case this option is

247

<emphasis>required</emphasis>.

248

</para>

249

<para>

250

Similar to the <option>secret</option>, except the secret

251

data is in an external file. The contents of the file

252

should <emphasis>not</emphasis> be base64-encoded, but

253

will be sent to clients verbatim.

254

</para>

255

<para>

256

File names of the form <filename>~user/foo/bar</filename>

257

and <filename>$<envar>ENVVAR</envar>/foo/bar</filename>

258

are supported.

259

</para>

260

</listitem>

261

</varlistentry>

262

263

264

<term><option>secret<literal> = </literal><replaceable

265

>BASE64_ENCODED_DATA</replaceable></option></term>

266

267

<para>

268

If this option is not specified, the <option

269

>secfile</option> option is <emphasis>required</emphasis>

270

to be present.

271

</para>

216

<term><literal>secret</literal></term>

217

218

<synopsis><literal>secret = </literal><replaceable

219

>BASE64_ENCODED_DATA</replaceable>

220

</synopsis>

272

221

<para>

273

222

If present, this option must be set to a string of

274

223

base64-encoded binary data. It will be decoded and sent

287

236

lines is that a line beginning with white space adds to

288

237

the value of the previous line, RFC 822-style.

289

238

</para>

290

</listitem>

291

</varlistentry>

292

293

294

<term><option>timeout<literal> = </literal><replaceable

295

>TIME</replaceable></option></term>

296

297

<para>

298

This option is <emphasis>optional</emphasis>.

299

</para>

300

<para>

301

The timeout is how long the server will wait (for either a

302

successful checker run or a client receiving its secret)

303

until a client is disabled and not allowed to get the data

304

this server holds. By default Mandos will use 1 hour.

305

</para>

306

<para>

307

The <replaceable>TIME</replaceable> is specified as a

308

space-separated number of values, each of which is a

309

number and a one-character suffix. The suffix must be one

310

of <quote>d</quote>, <quote>s</quote>, <quote>m</quote>,

311

<quote>h</quote>, and <quote>w</quote> for days, seconds,

312

minutes, hours, and weeks, respectively. The values are

313

added together to give the total time value, so all of

314

<quote><literal>330s</literal></quote>,

315

<quote><literal>110s 110s 110s</literal></quote>, and

316

<quote><literal>5m 30s</literal></quote> will give a value

317

of five minutes and thirty seconds.

239

<para>

240

If this option is not specified, the <option

241

>secfile</option> option is used instead, but one of them

242

<emphasis>must</emphasis> be present.

243

</para>

244

</listitem>

245

</varlistentry>

246

247

248

<term><literal>secfile</literal></term>

249

250

<synopsis><literal>secfile = </literal><replaceable

251

>FILENAME</replaceable>

252

</synopsis>

253

<para>

254

The same as <option>secret</option>, but the secret data

255

is in an external file. The contents of the file should

256

<emphasis>not</emphasis> be base64-encoded, but will be

257

sent to clients verbatim.

258

</para>

259

<para>

260

This option is only used, and <emphasis>must</emphasis> be

261

present, if <option>secret</option> is not specified.

262

</para>

263

</listitem>

264

</varlistentry>

265

266

267

268

269

<synopsis><literal>host = </literal><replaceable

270

>STRING</replaceable>

271

</synopsis>

272

<para>

273

Host name for this client. This is not used by the server

274

directly, but can be, and is by default, used by the

275

checker. See the <option>checker</option> option.

318

276

</para>

319

277

</listitem>

320

278

</varlistentry>

321

279

322

280

</variablelist>

323

</refsect1>

281

</refsect1>

324

282

325

283

326

284

<title>EXPANSION</title>

369

327

percent characters in a row (<quote>%%%%</quote>) must be

370

328

entered. Also, a bad format here will lead to an immediate

371

329

but <emphasis>silent</emphasis> run-time fatal exit; debug

372

mode is needed to expose an error of this kind.

330

mode is needed to track down an error of this kind.

373

331

</para>

374

332

</refsect2>

375

376

</refsect1>

333

334

</refsect1>

377

335

378

336

379

337

<title>FILES</title>

403

361

[DEFAULT]

404

362

timeout = 1h

405

363

interval = 5m

406

checker = fping -q -- %%(host)s

364

checker = fping -q -- %(host)s

407

365

408

366

# Client "foo"

409

367

[foo]

432

390

fingerprint = 3e393aeaefb84c7e89e2f547b3a107558fca3a27

433

391

secfile = /etc/mandos/bar-secret

434

392

timeout = 15m

435

approved_by_default = False

436

approval_delay = 30s

393

437

394

</programlisting>

438

395

</informalexample>

439

</refsect1>

396

</refsect1>

440

397

441

398

442

399

443

400

<para>

444

<citerefentry><refentrytitle>mandos-keygen</refentrytitle>

445

<manvolnum>8</manvolnum></citerefentry>,

446

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

447

<manvolnum>5</manvolnum></citerefentry>,

448

<citerefentry><refentrytitle>mandos</refentrytitle>

449

401

402

<refentrytitle>mandos</refentrytitle>

403

404

<refentrytitle>mandos-keygen</refentrytitle>

405

406

<refentrytitle>mandos.conf</refentrytitle>

407

450

408

</para>

451

409

</refsect1>

452

410

</refentry>

453

454

455

456

457

Older »