/mandos/trunk : revision 121

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-clients.conf.xml

Committer: Teddy Hogeborn
Date: 2008-08-30 19:49:24 UTC
Revision ID: teddy@fukt.bsnet.se-20080830194924-f4liqq8wxajlbshn

* plugin-runner.xml (NAME): Improved wording.
  (SYNOPSIS): Use <option> and <replaceable> tags.  Unify short and
              long options.  Add "--global-envs" and "--envs-for"
              options.

files added:
.bzrignore

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/password-request.c

plugins.d/password-request.xml

Show diffs side-by-side

added added

removed removed

mandos-clients.conf.xml

<!ENTITY VERSION "1.0">

<!ENTITY CONFNAME "mandos-clients.conf">

<!ENTITY CONFPATH "<filename>/etc/mandos/clients.conf</filename>">

<!ENTITY TIMESTAMP "2008-08-30">

<title>&CONFNAME;</title>

<title>Mandos Manual</title>

<productname>&CONFNAME;</productname>

<productname>Mandos</productname>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

</refnamediv>

&CONFPATH;

</synopsis>

<synopsis>&CONFPATH;</synopsis>

</refsynopsisdiv>

<title>DESCRIPTION</title>

<para>

The file &CONFPATH; is the configuration file for <citerefentry

The file &CONFPATH; is a configuration file for <citerefentry

><refentrytitle>mandos</refentrytitle>

<manvolnum>8</manvolnum></citerefentry>, read by it at startup,

where each client that will be able to use the service needs to

be listed. All clients listed will be regarded as valid, even

<manvolnum>8</manvolnum></citerefentry>, read by it at startup.

The file needs to list all clients that should be able to use

the service. All clients listed will be regarded as valid, even

if a client was declared invalid in a previous run of the

server.

</para>

<para>

The format starts with a section under [] which is either

The format starts with a <literal>[<replaceable>section

header</replaceable>]</literal> which is either

<literal>[DEFAULT]</literal> or <literal>[<replaceable>client

name</replaceable>]</literal>. Following the section is any

number of <quote><varname><replaceable>option</replaceable

name</replaceable>]</literal>. The <replaceable>client

name</replaceable> can be anything, and is not tied to a host

name. Following the section header is any number of

<quote><varname><replaceable>option</replaceable

></varname>=<replaceable>value</replaceable></quote> entries,

with continuations in the style of RFC 822. <quote><varname

100

><replaceable>option</replaceable></varname>: <replaceable

101

>value</replaceable></quote> is also accepted. Note that

102

leading whitespace is removed from values. Values can contain

100

103

format strings which refer to other values in the same section,

101

or values in the <quote>DEFAULT</quote> section. Lines

102

beginning with <quote>#</quote> or <quote>;</quote> are ignored

103

and may be used to provide comments.

104

or values in the <quote>DEFAULT</quote> section (see <xref

105

linkend="expansion"/>). Lines beginning with <quote>#</quote>

106

or <quote>;</quote> are ignored and may be used to provide

107

comments.

104

108

</para>

105

109

</refsect1>

106

110

107

111

108

112

<title>OPTIONS</title>

109

113

<para>

110

The possible options are:

114

<emphasis>Note:</emphasis> all option values are subject to

115

start time expansion, see <xref linkend="expansion"/>.

116

</para>

117

<para>

118

Uknown options are ignored. The used options are as follows:

111

119

</para>

112

120

113

121

114

122

115

123

116

<term><literal><varname>timeout</varname></literal></term>

124

<term><option>timeout<literal> = </literal><replaceable

125

>TIME</replaceable></option></term>

117

126

118

<synopsis><literal>timeout = </literal><replaceable

119

>TIME</replaceable>

120

</synopsis>

121

127

<para>

122

128

The timeout is how long the server will wait for a

123

129

successful checker run until a client is considered

141

147

</varlistentry>

142

148

143

149

144

<term><literal><varname>interval</varname></literal></term>

150

<term><option>interval<literal> = </literal><replaceable

151

>TIME</replaceable></option></term>

145

152

146

<synopsis><literal>interval = </literal><replaceable

147

>TIME</replaceable>

148

</synopsis>

149

153

<para>

150

154

How often to run the checker to confirm that a client is

151

155

still up. <emphasis>Note:</emphasis> a new checker will

160

164

as for <varname>timeout</varname> above.

161

165

</para>

162

166

</listitem>

163

</varlistentry>

167

</varlistentry>

164

168

165

169

166

<term><literal>checker</literal></term>

170

<term><option>checker<literal> = </literal><replaceable

171

>COMMAND</replaceable></option></term>

167

172

168

173

<para>

169

174

This option allows you to override the default shell

170

command that the server will use to check up if the client

171

is still up. By default mandos will "fping -q -- %%(host)s"

172

</para>

173

</listitem>

174

</varlistentry>

175

176

177

<term><literal>fingerprint</literal></term>

178

179

<para>

180

This option sets the openpgp fingerprint that identifies

181

the public certificate that clients authenticates themself

182

through gnutls. The string need to be in hex-decimal form.

183

</para>

184

</listitem>

185

</varlistentry>

186

187

188

<term><literal>secret</literal></term>

189

190

<para>

191

Base 64 encoded OpenPGP encrypted password encrypted by

192

the clients openpgp certificate.

193

</para>

194

</listitem>

195

</varlistentry>

196

197

198

<term><literal>secfile</literal></term>

199

200

<para>

201

Base 64 encoded OpenPGP encrypted password encrypted by

202

the clients openpgp certificate as a binary file.

203

</para>

204

</listitem>

205

</varlistentry>

206

207

208

209

210

<para>

211

Host name that can be used in for checking that the client is up.

212

</para>

213

</listitem>

214

</varlistentry>

215

216

217

<term><literal>checker</literal></term>

218

219

<para>

220

Shell command that the server will use to check up if a

221

client is still up.

222

</para>

223

</listitem>

224

</varlistentry>

225

226

227

<term><literal>timeout</literal></term>

228

229

<para>

230

Duration that a client can be down whitout be removed from

231

the client list.

232

</para>

233

</listitem>

234

</varlistentry>

175

command that the server will use to check if the client is

176

still up. Any output of the command will be ignored, only

177

the exit code is checked: If the exit code of the command

178

is zero, the client is considered up. The command will be

179

run using <quote><command><filename>/bin/sh</filename>

180

<option>-c</option></command></quote>, so

181

<varname>PATH</varname> will be searched. The default

182

value for the checker command is <quote><literal

183

><command>fping</command> <option>-q</option> <option

184

>--</option> %(host)s</literal></quote>.

185

</para>

186

<para>

187

In addition to normal start time expansion, this option

188

will also be subject to runtime expansion; see <xref

189

linkend="expansion"/>.

190

</para>

191

</listitem>

192

</varlistentry>

193

194

195

<term><option>fingerprint<literal> = </literal

196

><replaceable>HEXSTRING</replaceable></option></term>

197

198

<para>

199

This option sets the OpenPGP fingerprint that identifies

200

the public key that clients authenticate themselves with

201

through TLS. The string needs to be in hexidecimal form,

202

but spaces or upper/lower case are not significant.

203

</para>

204

</listitem>

205

</varlistentry>

206

207

208

<term><option>secret<literal> = </literal><replaceable

209

>BASE64_ENCODED_DATA</replaceable></option></term>

210

211

<para>

212

If present, this option must be set to a string of

213

base64-encoded binary data. It will be decoded and sent

214

to the client matching the above

215

<option>fingerprint</option>. This should, of course, be

216

OpenPGP encrypted data, decryptable only by the client.

217

The program <citerefentry><refentrytitle><command

218

>mandos-keygen</command></refentrytitle><manvolnum

219

>8</manvolnum></citerefentry> can, using its

220

<option>--password</option> option, be used to generate

221

this, if desired.

222

</para>

223

<para>

224

Note: this value of this option will probably be very

225

long. A useful feature to avoid having unreadably-long

226

lines is that a line beginning with white space adds to

227

the value of the previous line, RFC 822-style.

228

</para>

229

<para>

230

If this option is not specified, the <option

231

>secfile</option> option is used instead, but one of them

232

<emphasis>must</emphasis> be present.

233

</para>

234

</listitem>

235

</varlistentry>

236

237

238

<term><option>secfile<literal> = </literal><replaceable

239

>FILENAME</replaceable></option></term>

240

241

<para>

242

Similar to the <option>secret</option>, except the secret

243

data is in an external file. The contents of the file

244

should <emphasis>not</emphasis> be base64-encoded, but

245

will be sent to clients verbatim.

246

</para>

247

<para>

248

This option is only used, and <emphasis>must</emphasis> be

249

present, if <option>secret</option> is not specified.

250

</para>

251

</listitem>

252

</varlistentry>

253

254

255

<term><option><literal>host = </literal><replaceable

256

>STRING</replaceable></option></term>

257

258

<para>

259

Host name for this client. This is not used by the server

260

directly, but can be, and is by default, used by the

261

checker. See the <option>checker</option> option.

262

</para>

263

</listitem>

264

</varlistentry>

235

265

236

266

</variablelist>

237

</refsect1>

267

</refsect1>

238

268

239

269

240

270

<title>EXPANSION</title>

242

272

There are two forms of expansion: Start time expansion and

243

273

runtime expansion.

244

274

</para>

245

275

246

276

<title>START TIME EXPANSION</title>

247

277

<para>

248

278

Any string in an option value of the form

260

290

entered.

261

291

</para>

262

292

</refsect2>

263

293

264

294

<title>RUNTIME EXPANSION</title>

265

295

<para>

266

296

This is currently only done for the <varname>checker</varname>

279

309

<para>

280

310

Note that this means that, in order to include an actual

281

311

percent character (<quote>%</quote>) in a

282

<varname>checker</varname> options, <emphasis>four</emphasis>

312

<varname>checker</varname> option, <emphasis>four</emphasis>

283

313

percent characters in a row (<quote>%%%%</quote>) must be

284

314

entered. Also, a bad format here will lead to an immediate

285

315

but <emphasis>silent</emphasis> run-time fatal exit; debug

286

mode is needed to track down an error of this kind.

316

mode is needed to expose an error of this kind.

287

317

</para>

288

318

</refsect2>

289

319

290

</refsect1>

320

</refsect1>

291

321

292

322

293

323

<title>FILES</title>

317

347

[DEFAULT]

318

348

timeout = 1h

319

349

interval = 5m

320

checker = fping -q -- %%(host)s

350

checker = fping -q -- %(host)s

321

351

322

352

# Client "foo"

323

353

[foo]

338

368

5MHdW9AYsNJZAQSOpirE4Xi31CSlWAi9KV+cUCmWF5zOFy1x23P6PjdaRm

339

369

4T2zw4dxS5NswXWU0sVEXxjs6PYxuIiCTL7vdpx8QjBkrPWDrAbcMyBr2O

340

370

QlnHIvPzEArRQLo=

341

=iHhv

342

371

host = foo.example.org

343

interval = 5m

372

interval = 1m

344

373

345

374

# Client "bar"

346

375

[bar]

347

376

fingerprint = 3e393aeaefb84c7e89e2f547b3a107558fca3a27

348

secfile = /etc/mandos/bar-secret.txt.asc

377

secfile = /etc/mandos/bar-secret

378

timeout = 15m

349

379

350

380

</programlisting>

351

381

</informalexample>

352

</refsect1>

353

382

</refsect1>

383

384

385

386

<para>

387

<citerefentry><refentrytitle>mandos-keygen</refentrytitle>

388

<manvolnum>8</manvolnum></citerefentry>,

389

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

390

<manvolnum>5</manvolnum></citerefentry>,

391

<citerefentry><refentrytitle>mandos</refentrytitle>

392

393

</para>

394

</refsect1>

354

395

</refentry>

396

397

398

399

400

Older »