1
<?xml version="1.0" encoding="UTF-8"?>
1
<?xml version='1.0' encoding='UTF-8'?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
<!ENTITY VERSION "1.0">
4
5
<!ENTITY CONFNAME "mandos-clients.conf">
5
6
<!ENTITY CONFPATH "<filename>/etc/mandos/clients.conf</filename>">
6
<!ENTITY TIMESTAMP "2009-09-17">
7
<!ENTITY % common SYSTEM "common.ent">
7
<!ENTITY TIMESTAMP "2008-08-30">
11
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
13
12
<title>Mandos Manual</title>
14
13
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
15
14
<productname>Mandos</productname>
16
<productnumber>&version;</productnumber>
15
<productnumber>&VERSION;</productnumber>
17
16
<date>&TIMESTAMP;</date>
37
35
<holder>Teddy Hogeborn</holder>
38
36
<holder>Björn Påhlsson</holder>
40
<xi:include href="legalnotice.xml"/>
40
This manual page is free software: you can redistribute it
41
and/or modify it under the terms of the GNU General Public
42
License as published by the Free Software Foundation,
43
either version 3 of the License, or (at your option) any
48
This manual page is distributed in the hope that it will
49
be useful, but WITHOUT ANY WARRANTY; without even the
50
implied warranty of MERCHANTABILITY or FITNESS FOR A
51
PARTICULAR PURPOSE. See the GNU General Public License
56
You should have received a copy of the GNU General Public
57
License along with this program; If not, see
58
<ulink url="http://www.gnu.org/licenses/"/>.
44
64
<refentrytitle>&CONFNAME;</refentrytitle>
45
65
<manvolnum>5</manvolnum>
95
117
start time expansion, see <xref linkend="expansion"/>.
98
Unknown options are ignored. The used options are as follows:
120
Uknown options are ignored. The used options are as follows:
104
<term><option>timeout<literal> = </literal><replaceable
105
>TIME</replaceable></option></term>
126
<term><literal><varname>timeout</varname></literal></term>
108
This option is <emphasis>optional</emphasis>.
111
The timeout is how long the server will wait (for either a
112
successful checker run or a client receiving its secret)
113
until a client is considered invalid - that is, ineligible
114
to get the data this server holds. By default Mandos will
128
<synopsis><literal>timeout = </literal><replaceable
132
The timeout is how long the server will wait for a
133
successful checker run until a client is considered
134
invalid - that is, ineligible to get the data this server
135
holds. By default Mandos will use 1 hour.
118
138
The <replaceable>TIME</replaceable> is specified as a
134
<term><option>interval<literal> = </literal><replaceable
135
>TIME</replaceable></option></term>
154
<term><literal><varname>interval</varname></literal></term>
138
This option is <emphasis>optional</emphasis>.
156
<synopsis><literal>interval = </literal><replaceable
141
160
How often to run the checker to confirm that a client is
142
161
still up. <emphasis>Note:</emphasis> a new checker will
157
<term><option>checker<literal> = </literal><replaceable
158
>COMMAND</replaceable></option></term>
176
<term><literal>checker</literal></term>
161
This option is <emphasis>optional</emphasis>.
178
<synopsis><literal>checker = </literal><replaceable
179
>COMMAND</replaceable>
164
182
This option allows you to override the default shell
165
183
command that the server will use to check if the client is
171
189
<varname>PATH</varname> will be searched. The default
172
190
value for the checker command is <quote><literal
173
191
><command>fping</command> <option>-q</option> <option
174
>--</option> %%(host)s</literal></quote>.
192
>--</option> %(host)s</literal></quote>.
177
195
In addition to normal start time expansion, this option
185
<term><option>fingerprint<literal> = </literal
186
><replaceable>HEXSTRING</replaceable></option></term>
203
<term><literal>fingerprint</literal></term>
189
This option is <emphasis>required</emphasis>.
205
<synopsis><literal>fingerprint = </literal><replaceable
206
>HEXSTRING</replaceable>
192
209
This option sets the OpenPGP fingerprint that identifies
193
210
the public key that clients authenticate themselves with
201
<term><option>secret<literal> = </literal><replaceable
202
>BASE64_ENCODED_DATA</replaceable></option></term>
218
<term><literal>secret</literal></term>
205
If this option is not specified, the <option
206
>secfile</option> option is <emphasis>required</emphasis>
220
<synopsis><literal>secret = </literal><replaceable
221
>BASE64_ENCODED_DATA</replaceable>
210
224
If present, this option must be set to a string of
211
225
base64-encoded binary data. It will be decoded and sent
224
238
lines is that a line beginning with white space adds to
225
239
the value of the previous line, RFC 822-style.
231
<term><option>secfile<literal> = </literal><replaceable
232
>FILENAME</replaceable></option></term>
235
This option is only used if <option>secret</option> is not
236
specified, in which case this option is
237
<emphasis>required</emphasis>.
240
Similar to the <option>secret</option>, except the secret
241
data is in an external file. The contents of the file
242
should <emphasis>not</emphasis> be base64-encoded, but
243
will be sent to clients verbatim.
246
File names of the form <filename>~user/foo/bar</filename>
247
and <filename>$<envar>ENVVAR</envar>/foo/bar</filename>
254
<term><option><literal>host = </literal><replaceable
255
>STRING</replaceable></option></term>
258
This option is <emphasis>optional</emphasis>, but highly
259
<emphasis>recommended</emphasis> unless the
260
<option>checker</option> option is modified to a
261
non-standard value without <quote>%%(host)s</quote> in it.
242
If this option is not specified, the <option
243
>secfile</option> option is used instead, but one of them
244
<emphasis>must</emphasis> be present.
250
<term><literal>secfile</literal></term>
252
<synopsis><literal>secfile = </literal><replaceable
253
>FILENAME</replaceable>
256
The same as <option>secret</option>, but the secret data
257
is in an external file. The contents of the file should
258
<emphasis>not</emphasis> be base64-encoded, but will be
259
sent to clients verbatim.
262
This option is only used, and <emphasis>must</emphasis> be
263
present, if <option>secret</option> is not specified.
269
<term><literal>host</literal></term>
271
<synopsis><literal>host = </literal><replaceable
272
>STRING</replaceable>
264
275
Host name for this client. This is not used by the server
265
276
directly, but can be, and is by default, used by the
318
329
percent characters in a row (<quote>%%%%</quote>) must be
319
330
entered. Also, a bad format here will lead to an immediate
320
331
but <emphasis>silent</emphasis> run-time fatal exit; debug
321
mode is needed to expose an error of this kind.
332
mode is needed to track down an error of this kind.
327
338
<refsect1 id="files">
added
removed
mandos-clients.conf.xml
