/mandos/trunk : revision 1160

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-clients.conf.xml

Committer: Teddy Hogeborn
Date: 2019-08-18 00:42:22 UTC
Revision ID: teddy@recompile.se-20190818004222-lfrgtnmqz766a08e

Client: Use the systemd sysusers.d mechanism, if present

* Makefile (install-client-nokey): Also install sysusers.d file, if
$(SYSUSERS) exists.
* sysusers.d-mandos.conf: Adjust comment to match reality.

files added:
bugs.xml

debian/mandos-client.examples

debian/mandos-client.templates

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream

debian/upstream/metadata

debian/upstream/signing-key.asc

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

mandos-to-cryptroot-unlock

mandos.service

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-clients.conf.xml

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY CONFNAME "mandos-clients.conf">

<!ENTITY CONFPATH "<filename>/etc/mandos/clients.conf</filename>">

<!ENTITY TIMESTAMP "2012-01-01">

<!ENTITY TIMESTAMP "2019-02-10">

<!ENTITY % common SYSTEM "common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

117

124

<para>

118

125

How long to wait for external approval before resorting to

119

126

use the <option>approved_by_default</option> value. The

120

default is <quote>0s</quote>, i.e. not to wait.

127

default is <quote>PT0S</quote>, i.e. not to wait.

121

128

</para>

122

129

<para>

123

130

The format of <replaceable>TIME</replaceable> is the same

167

174

This option is <emphasis>optional</emphasis>.

168

175

</para>

169

176

<para>

170

This option allows you to override the default shell

171

command that the server will use to check if the client is

172

still up. Any output of the command will be ignored, only

173

the exit code is checked: If the exit code of the command

174

is zero, the client is considered up. The command will be

175

run using <quote><command><filename>/bin/sh</filename>

177

This option overrides the default shell command that the

178

server will use to check if the client is still up. Any

179

output of the command will be ignored, only the exit code

180

is checked: If the exit code of the command is zero, the

181

client is considered up. The command will be run using

182

176

183

<option>-c</option></command></quote>, so

177

184

<varname>PATH</varname> will be searched. The default

178

185

value for the checker command is <quote><literal

179

186

><command>fping</command> <option>-q</option> <option

180

>--</option> %%(host)s</literal></quote>.

187

>--</option> %%(host)s</literal></quote>. Note that

188

<command>mandos-keygen</command>, when generating output

189

to be inserted into this file, normally looks for an SSH

190

server on the Mandos client, and, if it finds one, outputs

191

a <option>checker</option> option to check for the

192

client’s SSH key fingerprint – this is more secure against

193

spoofing.

181

194

</para>

182

195

<para>

183

196

In addition to normal start time expansion, this option

220

233

<para>

221

234

This option sets the OpenPGP fingerprint that identifies

222

235

the public key that clients authenticate themselves with

223

through TLS. The string needs to be in hexidecimal form,

236

through TLS. The string needs to be in hexadecimal form,

237

but spaces or upper/lower case are not significant.

238

</para>

239

</listitem>

240

</varlistentry>

241

242

243

<term><option>key_id<literal> = </literal

244

><replaceable>HEXSTRING</replaceable></option></term>

245

246

<para>

247

This option is <emphasis>optional</emphasis>.

248

</para>

249

<para>

250

This option sets the certificate key ID that identifies

251

the public key that clients authenticate themselves with

252

through TLS. The string needs to be in hexadecimal form,

224

253

but spaces or upper/lower case are not significant.

225

254

</para>

226

255

</listitem>

302

331

<para>

303

332

If present, this option must be set to a string of

304

333

base64-encoded binary data. It will be decoded and sent

305

to the client matching the above

306

<option>fingerprint</option>. This should, of course, be

307

OpenPGP encrypted data, decryptable only by the client.

334

to the client matching the above <option>key_id</option>

335

or <option>fingerprint</option>. This should, of course,

336

be OpenPGP encrypted data, decryptable only by the client.

308

337

The program <citerefentry><refentrytitle><command

309

338

>mandos-keygen</command></refentrytitle><manvolnum

310

339

>8</manvolnum></citerefentry> can, using its

335

364

<option>extended_timeout</option> option.

336

365

</para>

337

366

<para>

338

The <replaceable>TIME</replaceable> is specified as a

339

space-separated number of values, each of which is a

340

number and a one-character suffix. The suffix must be one

341

of <quote>d</quote>, <quote>s</quote>, <quote>m</quote>,

342

<quote>h</quote>, and <quote>w</quote> for days, seconds,

343

minutes, hours, and weeks, respectively. The values are

344

added together to give the total time value, so all of

345

<quote><literal>330s</literal></quote>,

346

<quote><literal>110s 110s 110s</literal></quote>, and

347

<quote><literal>5m 30s</literal></quote> will give a value

348

of five minutes and thirty seconds.

367

The <replaceable>TIME</replaceable> is specified as an RFC

368

3339 duration; for example

369

<quote><literal>P1Y2M3DT4H5M6S</literal></quote> meaning

370

one year, two months, three days, four hours, five

371

minutes, and six seconds. Some values can be omitted, see

372

RFC 3339 Appendix A for details.

349

373

</para>

350

374

</listitem>

351

375

</varlistentry>

409

433

<quote><literal>approval_duration</literal></quote>,

410

434

<quote><literal>created</literal></quote>,

411

435

<quote><literal>enabled</literal></quote>,

436

<quote><literal>expires</literal></quote>,

437

<quote><literal>key_id</literal></quote>,

412

438

<quote><literal>fingerprint</literal></quote>,

413

439

<quote><literal>host</literal></quote>,

414

440

<quote><literal>interval</literal></quote>,

457

483

<literal>%(<replaceable>foo</replaceable>)s</literal> is

458

484

obscure.

459

485

</para>

486

<xi:include href="bugs.xml"/>

460

487

</refsect1>

461

488

462

489

464

491

465

492

466

493

[DEFAULT]

467

timeout = 5m

468

interval = 2m

494

timeout = PT5M

495

interval = PT2M

469

496

checker = fping -q -- %%(host)s

470

497

471

498

# Client "foo"

472

499

[foo]

500

key_id = 788cd77115cd0bb7b2d5e0ae8496f6b48149d5e712c652076b1fd2d957ef7c1f

473

501

fingerprint = 7788 2722 5BA7 DE53 9C5A 7CFA 59CF F7CD BD9A 5920

474

502

secret =

475

503

hQIOA6QdEjBs2L/HEAf/TCyrDe5Xnm9esa+Pb/vWF9CUqfn4srzVgSu234

488

516

4T2zw4dxS5NswXWU0sVEXxjs6PYxuIiCTL7vdpx8QjBkrPWDrAbcMyBr2O

489

517

QlnHIvPzEArRQLo=

490

518

host = foo.example.org

491

interval = 1m

519

interval = PT1M

492

520

493

521

# Client "bar"

494

522

[bar]

523

key_id = F90C7A81D72D1EA69A51031A91FF8885F36C8B46D155C8C58709A4C99AE9E361

495

524

fingerprint = 3e393aeaefb84c7e89e2f547b3a107558fca3a27

496

525

secfile = /etc/mandos/bar-secret

497

timeout = 15m

526

timeout = PT15M

498

527

approved_by_default = False

499

approval_delay = 30s

528

approval_delay = PT30S

500

529

</programlisting>

501

530

</informalexample>

502

531

</refsect1>

511

540

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

512

541

<manvolnum>5</manvolnum></citerefentry>,

513

542

<citerefentry><refentrytitle>mandos</refentrytitle>

543

<manvolnum>8</manvolnum></citerefentry>,

544

<citerefentry><refentrytitle>fping</refentrytitle>

514

545

515

546

</para>

547

548

549

<term>

550

RFC 3339: <citetitle>Date and Time on the Internet:

551

Timestamps</citetitle>

552

</term>

553

554

<para>

555

The time intervals are in the "duration" format, as

556

specified in ABNF in Appendix A of RFC 3339.

557

</para>

558

</listitem>

559

</varlistentry>

560

</variablelist>

516

561

</refsect1>

517

562

</refentry>

518

563

Older »