/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

  • Committer: Teddy Hogeborn
  • Date: 2008-08-30 18:45:41 UTC
  • Revision ID: teddy@fukt.bsnet.se-20080830184541-j8zru4q0rlz5a0hw
* mandos-clients.conf.xml (SYNOPSIS): Remove line breaks.
  (OPTIONS): Add <option> tags.  Moved option name to outside
             <literal>.  Moved synopsis to inside <term> tags.
             Removed <synopsis> tags.  Improve wording of "secfile"
             option.
  (EXPANSION): Improved wording slightly.

* mandos-options.xml (interface): Improve wording.

* mandos.conf.xml (SYNOPSIS): Remove line breaks.
  (OPTIONS): Add <option> tags.  Moved option name to outside
             <literal>.  Moved synopsis to inside <term> tags.
             Removed <synopsis> tags.

Show diffs side-by-side

added added

removed removed

Lines of Context:
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY VERSION "1.0">
5
5
<!ENTITY COMMANDNAME "mandos">
6
 
<!ENTITY TIMESTAMP "2008-09-06">
 
6
<!ENTITY TIMESTAMP "2008-08-30">
7
7
]>
8
8
 
9
9
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
34
34
      <holder>Teddy Hogeborn</holder>
35
35
      <holder>Björn Påhlsson</holder>
36
36
    </copyright>
37
 
    <xi:include href="legalnotice.xml"/>
 
37
    <legalnotice>
 
38
      <para>
 
39
        This manual page is free software: you can redistribute it
 
40
        and/or modify it under the terms of the GNU General Public
 
41
        License as published by the Free Software Foundation,
 
42
        either version 3 of the License, or (at your option) any
 
43
        later version.
 
44
      </para>
 
45
 
 
46
      <para>
 
47
        This manual page is distributed in the hope that it will
 
48
        be useful, but WITHOUT ANY WARRANTY; without even the
 
49
        implied warranty of MERCHANTABILITY or FITNESS FOR A
 
50
        PARTICULAR PURPOSE.  See the GNU General Public License
 
51
        for more details.
 
52
      </para>
 
53
 
 
54
      <para>
 
55
        You should have received a copy of the GNU General Public
 
56
        License along with this program; If not, see
 
57
        <ulink url="http://www.gnu.org/licenses/"/>.
 
58
      </para>
 
59
    </legalnotice>
38
60
  </refentryinfo>
39
61
 
40
62
  <refmeta>
52
74
  <refsynopsisdiv>
53
75
    <cmdsynopsis>
54
76
      <command>&COMMANDNAME;</command>
55
 
      <group>
56
 
        <arg choice="plain"><option>--interface
57
 
        <replaceable>NAME</replaceable></option></arg>
58
 
        <arg choice="plain"><option>-i
59
 
        <replaceable>NAME</replaceable></option></arg>
60
 
      </group>
61
 
      <sbr/>
62
 
      <group>
63
 
        <arg choice="plain"><option>--address
64
 
        <replaceable>ADDRESS</replaceable></option></arg>
65
 
        <arg choice="plain"><option>-a
66
 
        <replaceable>ADDRESS</replaceable></option></arg>
67
 
      </group>
68
 
      <sbr/>
69
 
      <group>
70
 
        <arg choice="plain"><option>--port
71
 
        <replaceable>PORT</replaceable></option></arg>
72
 
        <arg choice="plain"><option>-p
73
 
        <replaceable>PORT</replaceable></option></arg>
74
 
      </group>
75
 
      <sbr/>
76
 
      <arg><option>--priority
77
 
      <replaceable>PRIORITY</replaceable></option></arg>
78
 
      <sbr/>
79
 
      <arg><option>--servicename
80
 
      <replaceable>NAME</replaceable></option></arg>
81
 
      <sbr/>
82
 
      <arg><option>--configdir
83
 
      <replaceable>DIRECTORY</replaceable></option></arg>
84
 
      <sbr/>
85
 
      <arg><option>--debug</option></arg>
 
77
      <arg>--interface<arg choice="plain">NAME</arg></arg>
 
78
      <arg>--address<arg choice="plain">ADDRESS</arg></arg>
 
79
      <arg>--port<arg choice="plain">PORT</arg></arg>
 
80
      <arg>--priority<arg choice="plain">PRIORITY</arg></arg>
 
81
      <arg>--servicename<arg choice="plain">NAME</arg></arg>
 
82
      <arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>
 
83
      <arg>--debug</arg>
 
84
    </cmdsynopsis>
 
85
    <cmdsynopsis>
 
86
      <command>&COMMANDNAME;</command>
 
87
      <arg>-i<arg choice="plain">NAME</arg></arg>
 
88
      <arg>-a<arg choice="plain">ADDRESS</arg></arg>
 
89
      <arg>-p<arg choice="plain">PORT</arg></arg>
 
90
      <arg>--priority<arg choice="plain">PRIORITY</arg></arg>
 
91
      <arg>--servicename<arg choice="plain">NAME</arg></arg>
 
92
      <arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>
 
93
      <arg>--debug</arg>
86
94
    </cmdsynopsis>
87
95
    <cmdsynopsis>
88
96
      <command>&COMMANDNAME;</command>
89
97
      <group choice="req">
90
 
        <arg choice="plain"><option>--help</option></arg>
91
 
        <arg choice="plain"><option>-h</option></arg>
 
98
        <arg choice="plain">-h</arg>
 
99
        <arg choice="plain">--help</arg>
92
100
      </group>
93
101
    </cmdsynopsis>
94
102
    <cmdsynopsis>
95
103
      <command>&COMMANDNAME;</command>
96
 
      <arg choice="plain"><option>--version</option></arg>
 
104
      <arg choice="plain">--version</arg>
97
105
    </cmdsynopsis>
98
106
    <cmdsynopsis>
99
107
      <command>&COMMANDNAME;</command>
100
 
      <arg choice="plain"><option>--check</option></arg>
 
108
      <arg choice="plain">--check</arg>
101
109
    </cmdsynopsis>
102
110
  </refsynopsisdiv>
103
111
 
115
123
      Any authenticated client is then given the stored pre-encrypted
116
124
      password for that specific client.
117
125
    </para>
 
126
 
118
127
  </refsect1>
119
128
  
120
129
  <refsect1 id="purpose">
121
130
    <title>PURPOSE</title>
 
131
 
122
132
    <para>
123
133
      The purpose of this is to enable <emphasis>remote and unattended
124
134
      rebooting</emphasis> of client host computer with an
125
135
      <emphasis>encrypted root file system</emphasis>.  See <xref
126
136
      linkend="overview"/> for details.
127
137
    </para>
 
138
 
128
139
  </refsect1>
129
140
  
130
141
  <refsect1 id="options">
131
142
    <title>OPTIONS</title>
 
143
 
132
144
    <variablelist>
133
145
      <varlistentry>
 
146
        <term><option>-h</option></term>
134
147
        <term><option>--help</option></term>
135
 
        <term><option>-h</option></term>
136
148
        <listitem>
137
149
          <para>
138
150
            Show a help message and exit
139
151
          </para>
140
152
        </listitem>
141
153
      </varlistentry>
142
 
      
 
154
 
143
155
      <varlistentry>
 
156
        <term><option>-i</option>
 
157
        <replaceable>NAME</replaceable></term>
144
158
        <term><option>--interface</option>
145
159
        <replaceable>NAME</replaceable></term>
146
 
        <term><option>-i</option>
147
 
        <replaceable>NAME</replaceable></term>
148
160
        <listitem>
149
161
          <xi:include href="mandos-options.xml" xpointer="interface"/>
150
162
        </listitem>
151
163
      </varlistentry>
152
 
      
 
164
 
153
165
      <varlistentry>
154
 
        <term><option>--address
155
 
        <replaceable>ADDRESS</replaceable></option></term>
156
 
        <term><option>-a
157
 
        <replaceable>ADDRESS</replaceable></option></term>
 
166
        <term><literal>-a</literal>, <literal>--address <replaceable>
 
167
        ADDRESS</replaceable></literal></term>
158
168
        <listitem>
159
169
          <xi:include href="mandos-options.xml" xpointer="address"/>
160
170
        </listitem>
161
171
      </varlistentry>
162
 
      
 
172
 
163
173
      <varlistentry>
164
 
        <term><option>--port
165
 
        <replaceable>PORT</replaceable></option></term>
166
 
        <term><option>-p
167
 
        <replaceable>PORT</replaceable></option></term>
 
174
        <term><literal>-p</literal>, <literal>--port <replaceable>
 
175
        PORT</replaceable></literal></term>
168
176
        <listitem>
169
177
          <xi:include href="mandos-options.xml" xpointer="port"/>
170
178
        </listitem>
171
179
      </varlistentry>
172
 
      
 
180
 
173
181
      <varlistentry>
174
 
        <term><option>--check</option></term>
 
182
        <term><literal>--check</literal></term>
175
183
        <listitem>
176
184
          <para>
177
185
            Run the server’s self-tests.  This includes any unit
179
187
          </para>
180
188
        </listitem>
181
189
      </varlistentry>
182
 
      
 
190
 
183
191
      <varlistentry>
184
 
        <term><option>--debug</option></term>
 
192
        <term><literal>--debug</literal></term>
185
193
        <listitem>
186
194
          <xi:include href="mandos-options.xml" xpointer="debug"/>
187
195
        </listitem>
188
196
      </varlistentry>
189
197
 
190
198
      <varlistentry>
191
 
        <term><option>--priority <replaceable>
192
 
        PRIORITY</replaceable></option></term>
 
199
        <term><literal>--priority <replaceable>
 
200
        PRIORITY</replaceable></literal></term>
193
201
        <listitem>
194
202
          <xi:include href="mandos-options.xml" xpointer="priority"/>
195
203
        </listitem>
196
204
      </varlistentry>
197
205
 
198
206
      <varlistentry>
199
 
        <term><option>--servicename
200
 
        <replaceable>NAME</replaceable></option></term>
 
207
        <term><literal>--servicename <replaceable>NAME</replaceable>
 
208
        </literal></term>
201
209
        <listitem>
202
210
          <xi:include href="mandos-options.xml"
203
211
                      xpointer="servicename"/>
205
213
      </varlistentry>
206
214
 
207
215
      <varlistentry>
208
 
        <term><option>--configdir
209
 
        <replaceable>DIRECTORY</replaceable></option></term>
 
216
        <term><literal>--configdir <replaceable>DIR</replaceable>
 
217
        </literal></term>
210
218
        <listitem>
211
219
          <para>
212
220
            Directory to search for configuration files.  Default is
220
228
      </varlistentry>
221
229
 
222
230
      <varlistentry>
223
 
        <term><option>--version</option></term>
 
231
        <term><literal>--version</literal></term>
224
232
        <listitem>
225
233
          <para>
226
234
            Prints the program version and exit.
236
244
    <para>
237
245
      This program is the server part.  It is a normal server program
238
246
      and will run in a normal system environment, not in an initial
239
 
      <acronym>RAM</acronym> disk environment.
 
247
      RAM disk environment.
240
248
    </para>
241
249
  </refsect1>
242
250
 
379
387
        </listitem>
380
388
      </varlistentry>
381
389
      <varlistentry>
382
 
        <term><filename>/var/run/mandos.pid</filename></term>
 
390
        <term><filename>/var/run/mandos/mandos.pid</filename></term>
383
391
        <listitem>
384
392
          <para>
385
393
            The file containing the process id of
434
442
      Debug mode is conflated with running in the foreground.
435
443
    </para>
436
444
    <para>
437
 
      The console log messages does not show a time stamp.
438
 
    </para>
439
 
    <para>
440
 
      This server does not check the expire time of clients’ OpenPGP
441
 
      keys.
 
445
      The console log messages does not show a timestamp.
442
446
    </para>
443
447
  </refsect1>
444
448
  
487
491
      <para>
488
492
        Running this <command>&COMMANDNAME;</command> server program
489
493
        should not in itself present any security risk to the host
490
 
        computer running it.  The program switches to a non-root user
491
 
        soon after startup.
 
494
        computer running it.  The program does not need any special
 
495
        privileges to run, and is designed to run as a non-root user.
492
496
      </para>
493
497
    </refsect2>
494
498
    <refsect2 id="CLIENTS">
521
525
        restarting servers if it is suspected that a client has, in
522
526
        fact, been compromised by parties who may now be running a
523
527
        fake Mandos client with the keys from the non-encrypted
524
 
        initial <acronym>RAM</acronym> image of the client host.  What
525
 
        should be done in that case (if restarting the server program
526
 
        really is necessary) is to stop the server program, edit the
 
528
        initial RAM image of the client host.  What should be done in
 
529
        that case (if restarting the server program really is
 
530
        necessary) is to stop the server program, edit the
527
531
        configuration file to omit any suspect clients, and restart
528
532
        the server program.
529
533
      </para>
530
534
      <para>
531
535
        For more details on client-side security, see
532
 
        <citerefentry><refentrytitle>mandos-client</refentrytitle>
 
536
        <citerefentry><refentrytitle>password-request</refentrytitle>
533
537
        <manvolnum>8mandos</manvolnum></citerefentry>.
534
538
      </para>
535
539
    </refsect2>
543
547
        <manvolnum>5</manvolnum></citerefentry>, <citerefentry>
544
548
        <refentrytitle>mandos.conf</refentrytitle>
545
549
        <manvolnum>5</manvolnum></citerefentry>, <citerefentry>
546
 
        <refentrytitle>mandos-client</refentrytitle>
 
550
        <refentrytitle>password-request</refentrytitle>
547
551
        <manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>
548
552
        <refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
549
553
      </citerefentry>