/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

  • Committer: Teddy Hogeborn
  • Date: 2008-08-30 11:39:54 UTC
  • Revision ID: teddy@fukt.bsnet.se-20080830113954-sbvgeq7z0wkdvz17
* mandos-keygen.xml (ENVIRONMENT): Replaced <varname> with <envar>.
* mandos.xml (ENVIRONMENT): - '' -

Show diffs side-by-side

added added

removed removed

Lines of Context:
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY VERSION "1.0">
5
5
<!ENTITY COMMANDNAME "mandos">
6
 
<!ENTITY TIMESTAMP "2008-09-21">
 
6
<!ENTITY TIMESTAMP "2008-08-30">
7
7
]>
8
8
 
9
9
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
34
34
      <holder>Teddy Hogeborn</holder>
35
35
      <holder>Björn Påhlsson</holder>
36
36
    </copyright>
37
 
    <xi:include href="legalnotice.xml"/>
 
37
    <legalnotice>
 
38
      <para>
 
39
        This manual page is free software: you can redistribute it
 
40
        and/or modify it under the terms of the GNU General Public
 
41
        License as published by the Free Software Foundation,
 
42
        either version 3 of the License, or (at your option) any
 
43
        later version.
 
44
      </para>
 
45
 
 
46
      <para>
 
47
        This manual page is distributed in the hope that it will
 
48
        be useful, but WITHOUT ANY WARRANTY; without even the
 
49
        implied warranty of MERCHANTABILITY or FITNESS FOR A
 
50
        PARTICULAR PURPOSE.  See the GNU General Public License
 
51
        for more details.
 
52
      </para>
 
53
 
 
54
      <para>
 
55
        You should have received a copy of the GNU General Public
 
56
        License along with this program; If not, see
 
57
        <ulink url="http://www.gnu.org/licenses/"/>.
 
58
      </para>
 
59
    </legalnotice>
38
60
  </refentryinfo>
39
 
  
 
61
 
40
62
  <refmeta>
41
63
    <refentrytitle>&COMMANDNAME;</refentrytitle>
42
64
    <manvolnum>8</manvolnum>
48
70
      Gives encrypted passwords to authenticated Mandos clients
49
71
    </refpurpose>
50
72
  </refnamediv>
51
 
  
 
73
 
52
74
  <refsynopsisdiv>
53
75
    <cmdsynopsis>
54
76
      <command>&COMMANDNAME;</command>
55
 
      <group>
56
 
        <arg choice="plain"><option>--interface
57
 
        <replaceable>NAME</replaceable></option></arg>
58
 
        <arg choice="plain"><option>-i
59
 
        <replaceable>NAME</replaceable></option></arg>
60
 
      </group>
61
 
      <sbr/>
62
 
      <group>
63
 
        <arg choice="plain"><option>--address
64
 
        <replaceable>ADDRESS</replaceable></option></arg>
65
 
        <arg choice="plain"><option>-a
66
 
        <replaceable>ADDRESS</replaceable></option></arg>
67
 
      </group>
68
 
      <sbr/>
69
 
      <group>
70
 
        <arg choice="plain"><option>--port
71
 
        <replaceable>PORT</replaceable></option></arg>
72
 
        <arg choice="plain"><option>-p
73
 
        <replaceable>PORT</replaceable></option></arg>
74
 
      </group>
75
 
      <sbr/>
76
 
      <arg><option>--priority
77
 
      <replaceable>PRIORITY</replaceable></option></arg>
78
 
      <sbr/>
79
 
      <arg><option>--servicename
80
 
      <replaceable>NAME</replaceable></option></arg>
81
 
      <sbr/>
82
 
      <arg><option>--configdir
83
 
      <replaceable>DIRECTORY</replaceable></option></arg>
84
 
      <sbr/>
85
 
      <arg><option>--debug</option></arg>
 
77
      <arg>--interface<arg choice="plain">NAME</arg></arg>
 
78
      <arg>--address<arg choice="plain">ADDRESS</arg></arg>
 
79
      <arg>--port<arg choice="plain">PORT</arg></arg>
 
80
      <arg>--priority<arg choice="plain">PRIORITY</arg></arg>
 
81
      <arg>--servicename<arg choice="plain">NAME</arg></arg>
 
82
      <arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>
 
83
      <arg>--debug</arg>
 
84
    </cmdsynopsis>
 
85
    <cmdsynopsis>
 
86
      <command>&COMMANDNAME;</command>
 
87
      <arg>-i<arg choice="plain">NAME</arg></arg>
 
88
      <arg>-a<arg choice="plain">ADDRESS</arg></arg>
 
89
      <arg>-p<arg choice="plain">PORT</arg></arg>
 
90
      <arg>--priority<arg choice="plain">PRIORITY</arg></arg>
 
91
      <arg>--servicename<arg choice="plain">NAME</arg></arg>
 
92
      <arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>
 
93
      <arg>--debug</arg>
86
94
    </cmdsynopsis>
87
95
    <cmdsynopsis>
88
96
      <command>&COMMANDNAME;</command>
89
97
      <group choice="req">
90
 
        <arg choice="plain"><option>--help</option></arg>
91
 
        <arg choice="plain"><option>-h</option></arg>
 
98
        <arg choice="plain">-h</arg>
 
99
        <arg choice="plain">--help</arg>
92
100
      </group>
93
101
    </cmdsynopsis>
94
102
    <cmdsynopsis>
95
103
      <command>&COMMANDNAME;</command>
96
 
      <arg choice="plain"><option>--version</option></arg>
 
104
      <arg choice="plain">--version</arg>
97
105
    </cmdsynopsis>
98
106
    <cmdsynopsis>
99
107
      <command>&COMMANDNAME;</command>
100
 
      <arg choice="plain"><option>--check</option></arg>
 
108
      <arg choice="plain">--check</arg>
101
109
    </cmdsynopsis>
102
110
  </refsynopsisdiv>
103
 
  
 
111
 
104
112
  <refsect1 id="description">
105
113
    <title>DESCRIPTION</title>
106
114
    <para>
115
123
      Any authenticated client is then given the stored pre-encrypted
116
124
      password for that specific client.
117
125
    </para>
 
126
 
118
127
  </refsect1>
119
128
  
120
129
  <refsect1 id="purpose">
121
130
    <title>PURPOSE</title>
 
131
 
122
132
    <para>
123
133
      The purpose of this is to enable <emphasis>remote and unattended
124
134
      rebooting</emphasis> of client host computer with an
125
135
      <emphasis>encrypted root file system</emphasis>.  See <xref
126
136
      linkend="overview"/> for details.
127
137
    </para>
 
138
 
128
139
  </refsect1>
129
140
  
130
141
  <refsect1 id="options">
131
142
    <title>OPTIONS</title>
 
143
 
132
144
    <variablelist>
133
145
      <varlistentry>
 
146
        <term><option>-h</option></term>
134
147
        <term><option>--help</option></term>
135
 
        <term><option>-h</option></term>
136
148
        <listitem>
137
149
          <para>
138
150
            Show a help message and exit
139
151
          </para>
140
152
        </listitem>
141
153
      </varlistentry>
142
 
      
 
154
 
143
155
      <varlistentry>
 
156
        <term><option>-i</option>
 
157
        <replaceable>NAME</replaceable></term>
144
158
        <term><option>--interface</option>
145
159
        <replaceable>NAME</replaceable></term>
146
 
        <term><option>-i</option>
147
 
        <replaceable>NAME</replaceable></term>
148
160
        <listitem>
149
161
          <xi:include href="mandos-options.xml" xpointer="interface"/>
150
162
        </listitem>
151
163
      </varlistentry>
152
 
      
 
164
 
153
165
      <varlistentry>
154
 
        <term><option>--address
155
 
        <replaceable>ADDRESS</replaceable></option></term>
156
 
        <term><option>-a
157
 
        <replaceable>ADDRESS</replaceable></option></term>
 
166
        <term><literal>-a</literal>, <literal>--address <replaceable>
 
167
        ADDRESS</replaceable></literal></term>
158
168
        <listitem>
159
169
          <xi:include href="mandos-options.xml" xpointer="address"/>
160
170
        </listitem>
161
171
      </varlistentry>
162
 
      
 
172
 
163
173
      <varlistentry>
164
 
        <term><option>--port
165
 
        <replaceable>PORT</replaceable></option></term>
166
 
        <term><option>-p
167
 
        <replaceable>PORT</replaceable></option></term>
 
174
        <term><literal>-p</literal>, <literal>--port <replaceable>
 
175
        PORT</replaceable></literal></term>
168
176
        <listitem>
169
177
          <xi:include href="mandos-options.xml" xpointer="port"/>
170
178
        </listitem>
171
179
      </varlistentry>
172
 
      
 
180
 
173
181
      <varlistentry>
174
 
        <term><option>--check</option></term>
 
182
        <term><literal>--check</literal></term>
175
183
        <listitem>
176
184
          <para>
177
185
            Run the server’s self-tests.  This includes any unit
179
187
          </para>
180
188
        </listitem>
181
189
      </varlistentry>
182
 
      
 
190
 
183
191
      <varlistentry>
184
 
        <term><option>--debug</option></term>
 
192
        <term><literal>--debug</literal></term>
185
193
        <listitem>
186
194
          <xi:include href="mandos-options.xml" xpointer="debug"/>
187
195
        </listitem>
188
196
      </varlistentry>
189
 
      
 
197
 
190
198
      <varlistentry>
191
 
        <term><option>--priority <replaceable>
192
 
        PRIORITY</replaceable></option></term>
 
199
        <term><literal>--priority <replaceable>
 
200
        PRIORITY</replaceable></literal></term>
193
201
        <listitem>
194
202
          <xi:include href="mandos-options.xml" xpointer="priority"/>
195
203
        </listitem>
196
204
      </varlistentry>
197
 
      
 
205
 
198
206
      <varlistentry>
199
 
        <term><option>--servicename
200
 
        <replaceable>NAME</replaceable></option></term>
 
207
        <term><literal>--servicename <replaceable>NAME</replaceable>
 
208
        </literal></term>
201
209
        <listitem>
202
210
          <xi:include href="mandos-options.xml"
203
211
                      xpointer="servicename"/>
204
212
        </listitem>
205
213
      </varlistentry>
206
 
      
 
214
 
207
215
      <varlistentry>
208
 
        <term><option>--configdir
209
 
        <replaceable>DIRECTORY</replaceable></option></term>
 
216
        <term><literal>--configdir <replaceable>DIR</replaceable>
 
217
        </literal></term>
210
218
        <listitem>
211
219
          <para>
212
220
            Directory to search for configuration files.  Default is
218
226
          </para>
219
227
        </listitem>
220
228
      </varlistentry>
221
 
      
 
229
 
222
230
      <varlistentry>
223
 
        <term><option>--version</option></term>
 
231
        <term><literal>--version</literal></term>
224
232
        <listitem>
225
233
          <para>
226
234
            Prints the program version and exit.
229
237
      </varlistentry>
230
238
    </variablelist>
231
239
  </refsect1>
232
 
  
 
240
 
233
241
  <refsect1 id="overview">
234
242
    <title>OVERVIEW</title>
235
243
    <xi:include href="overview.xml"/>
236
244
    <para>
237
245
      This program is the server part.  It is a normal server program
238
246
      and will run in a normal system environment, not in an initial
239
 
      <acronym>RAM</acronym> disk environment.
 
247
      RAM disk environment.
240
248
    </para>
241
249
  </refsect1>
242
 
  
 
250
 
243
251
  <refsect1 id="protocol">
244
252
    <title>NETWORK PROTOCOL</title>
245
253
    <para>
297
305
      </row>
298
306
    </tbody></tgroup></table>
299
307
  </refsect1>
300
 
  
 
308
 
301
309
  <refsect1 id="checking">
302
310
    <title>CHECKING</title>
303
311
    <para>
311
319
      <manvolnum>5</manvolnum></citerefentry>.
312
320
    </para>
313
321
  </refsect1>
314
 
  
 
322
 
315
323
  <refsect1 id="logging">
316
324
    <title>LOGGING</title>
317
325
    <para>
321
329
      and also show them on the console.
322
330
    </para>
323
331
  </refsect1>
324
 
  
 
332
 
325
333
  <refsect1 id="exit_status">
326
334
    <title>EXIT STATUS</title>
327
335
    <para>
329
337
      critical error is encountered.
330
338
    </para>
331
339
  </refsect1>
332
 
  
 
340
 
333
341
  <refsect1 id="environment">
334
342
    <title>ENVIRONMENT</title>
335
343
    <variablelist>
349
357
      </varlistentry>
350
358
    </variablelist>
351
359
  </refsect1>
352
 
  
 
360
 
353
361
  <refsect1 id="file">
354
362
    <title>FILES</title>
355
363
    <para>
379
387
        </listitem>
380
388
      </varlistentry>
381
389
      <varlistentry>
382
 
        <term><filename>/var/run/mandos.pid</filename></term>
 
390
        <term><filename>/var/run/mandos/mandos.pid</filename></term>
383
391
        <listitem>
384
392
          <para>
385
393
            The file containing the process id of
434
442
      Debug mode is conflated with running in the foreground.
435
443
    </para>
436
444
    <para>
437
 
      The console log messages does not show a time stamp.
438
 
    </para>
439
 
    <para>
440
 
      This server does not check the expire time of clients’ OpenPGP
441
 
      keys.
 
445
      The console log messages does not show a timestamp.
442
446
    </para>
443
447
  </refsect1>
444
448
  
479
483
      </para>
480
484
    </informalexample>
481
485
  </refsect1>
482
 
  
 
486
 
483
487
  <refsect1 id="security">
484
488
    <title>SECURITY</title>
485
489
    <refsect2 id="SERVER">
487
491
      <para>
488
492
        Running this <command>&COMMANDNAME;</command> server program
489
493
        should not in itself present any security risk to the host
490
 
        computer running it.  The program switches to a non-root user
491
 
        soon after startup.
 
494
        computer running it.  The program does not need any special
 
495
        privileges to run, and is designed to run as a non-root user.
492
496
      </para>
493
497
    </refsect2>
494
498
    <refsect2 id="CLIENTS">
504
508
        <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
505
509
        <manvolnum>5</manvolnum></citerefentry>)
506
510
        <emphasis>must</emphasis> be made non-readable by anyone
507
 
        except the user starting the server (usually root).
 
511
        except the user running the server.
508
512
      </para>
509
513
      <para>
510
514
        As detailed in <xref linkend="checking"/>, the status of all
521
525
        restarting servers if it is suspected that a client has, in
522
526
        fact, been compromised by parties who may now be running a
523
527
        fake Mandos client with the keys from the non-encrypted
524
 
        initial <acronym>RAM</acronym> image of the client host.  What
525
 
        should be done in that case (if restarting the server program
526
 
        really is necessary) is to stop the server program, edit the
 
528
        initial RAM image of the client host.  What should be done in
 
529
        that case (if restarting the server program really is
 
530
        necessary) is to stop the server program, edit the
527
531
        configuration file to omit any suspect clients, and restart
528
532
        the server program.
529
533
      </para>
530
534
      <para>
531
535
        For more details on client-side security, see
532
 
        <citerefentry><refentrytitle>mandos-client</refentrytitle>
 
536
        <citerefentry><refentrytitle>password-request</refentrytitle>
533
537
        <manvolnum>8mandos</manvolnum></citerefentry>.
534
538
      </para>
535
539
    </refsect2>
536
540
  </refsect1>
537
 
  
 
541
 
538
542
  <refsect1 id="see_also">
539
543
    <title>SEE ALSO</title>
540
544
    <para>
543
547
        <manvolnum>5</manvolnum></citerefentry>, <citerefentry>
544
548
        <refentrytitle>mandos.conf</refentrytitle>
545
549
        <manvolnum>5</manvolnum></citerefentry>, <citerefentry>
546
 
        <refentrytitle>mandos-client</refentrytitle>
 
550
        <refentrytitle>password-request</refentrytitle>
547
551
        <manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>
548
552
        <refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
549
553
      </citerefentry>