To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos.xml
- browse files at revision 122
- compare with another revision
- download diff
- download tarball
- view history from revision 122
- Committer: Teddy Hogeborn
- Date: 2008-08-31 07:32:05 UTC
- Revision ID: teddy@fukt.bsnet.se-20080831073205-9hggg03i1iird264
* mandos-keygen.xml (SYNOPSIS): Put long options before short.
* mandos.xml (SYNOPSIS): - '' -
* plugins.d/password-prompt.xml (SYNOPSIS): - '' -
* plugins.d/password-request.xml (SYNOPSIS): - '' -
* mandos.xml (SYNOPSIS): - '' -
* plugins.d/password-prompt.xml (SYNOPSIS): - '' -
* plugins.d/password-request.xml (SYNOPSIS): - '' -
- files added:
- plugins.d/usplash
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- plugins.d/mandos-client.c => plugins.d/password-request.c
- plugins.d/mandos-client.xml => plugins.d/password-request.xml
- files modified:
- .bzrignore
added
removed
mandos.xml
1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
<!ENTITY VERSION "1.0">
4
5
<!ENTITY COMMANDNAME "mandos">
5
<!ENTITY TIMESTAMP "2008-12-28">
6
<!ENTITY % common SYSTEM "common.ent">
7
%common;
6
<!ENTITY TIMESTAMP "2008-08-31">
8
7
]>
9
8
10
9
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
11
<refentryinfo>
10
<refentryinfo>
12
11
<title>Mandos Manual</title>
13
12
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
14
13
<productname>Mandos</productname>
15
<productnumber>&version;</productnumber>
14
<productnumber>&VERSION;</productnumber>
16
15
<date>&TIMESTAMP;</date>
17
16
<authorgroup>
18
17
<author>
35
34
<holder>Teddy Hogeborn</holder>
36
35
<holder>Björn Påhlsson</holder>
37
36
</copyright>
38
<xi:include href="legalnotice.xml"/>
37
<legalnotice>
38
<para>
39
This manual page is free software: you can redistribute it
40
and/or modify it under the terms of the GNU General Public
41
License as published by the Free Software Foundation,
42
either version 3 of the License, or (at your option) any
43
later version.
44
</para>
45
46
<para>
47
This manual page is distributed in the hope that it will
48
be useful, but WITHOUT ANY WARRANTY; without even the
49
implied warranty of MERCHANTABILITY or FITNESS FOR A
50
PARTICULAR PURPOSE. See the GNU General Public License
51
for more details.
52
</para>
53
54
<para>
55
You should have received a copy of the GNU General Public
56
License along with this program; If not, see
57
<ulink url="http://www.gnu.org/licenses/"/>.
58
</para>
59
</legalnotice>
39
60
</refentryinfo>
40
61
41
62
<refmeta>
42
63
<refentrytitle>&COMMANDNAME;</refentrytitle>
43
64
<manvolnum>8</manvolnum>
49
70
Gives encrypted passwords to authenticated Mandos clients
50
71
</refpurpose>
51
72
</refnamediv>
52
73
53
74
<refsynopsisdiv>
54
75
<cmdsynopsis>
55
76
<command>&COMMANDNAME;</command>
84
105
<replaceable>DIRECTORY</replaceable></option></arg>
85
106
<sbr/>
86
107
<arg><option>--debug</option></arg>
87
<sbr/>
88
<arg><option>--no-dbus</option></arg>
89
108
</cmdsynopsis>
90
109
<cmdsynopsis>
91
110
<command>&COMMANDNAME;</command>
103
122
<arg choice="plain"><option>--check</option></arg>
104
123
</cmdsynopsis>
105
124
</refsynopsisdiv>
106
125
107
126
<refsect1 id="description">
108
127
<title>DESCRIPTION</title>
109
128
<para>
118
137
Any authenticated client is then given the stored pre-encrypted
119
138
password for that specific client.
120
139
</para>
140
121
141
</refsect1>
122
142
123
143
<refsect1 id="purpose">
124
144
<title>PURPOSE</title>
145
125
146
<para>
126
147
The purpose of this is to enable <emphasis>remote and unattended
127
148
rebooting</emphasis> of client host computer with an
128
149
<emphasis>encrypted root file system</emphasis>. See <xref
129
150
linkend="overview"/> for details.
130
151
</para>
152
131
153
</refsect1>
132
154
133
155
<refsect1 id="options">
134
156
<title>OPTIONS</title>
157
135
158
<variablelist>
136
159
<varlistentry>
160
<term><option>-h</option></term>
137
161
<term><option>--help</option></term>
138
<term><option>-h</option></term>
139
162
<listitem>
140
163
<para>
141
164
Show a help message and exit
142
165
</para>
143
166
</listitem>
144
167
</varlistentry>
145
168
146
169
<varlistentry>
170
<term><option>-i</option>
171
<replaceable>NAME</replaceable></term>
147
172
<term><option>--interface</option>
148
173
<replaceable>NAME</replaceable></term>
149
<term><option>-i</option>
150
<replaceable>NAME</replaceable></term>
151
174
<listitem>
152
175
<xi:include href="mandos-options.xml" xpointer="interface"/>
153
176
</listitem>
154
177
</varlistentry>
155
178
156
179
<varlistentry>
157
<term><option>--address
158
<replaceable>ADDRESS</replaceable></option></term>
159
<term><option>-a
160
<replaceable>ADDRESS</replaceable></option></term>
180
<term><literal>-a</literal>, <literal>--address <replaceable>
181
ADDRESS</replaceable></literal></term>
161
182
<listitem>
162
183
<xi:include href="mandos-options.xml" xpointer="address"/>
163
184
</listitem>
164
185
</varlistentry>
165
186
166
187
<varlistentry>
167
<term><option>--port
168
<replaceable>PORT</replaceable></option></term>
169
<term><option>-p
170
<replaceable>PORT</replaceable></option></term>
188
<term><literal>-p</literal>, <literal>--port <replaceable>
189
PORT</replaceable></literal></term>
171
190
<listitem>
172
191
<xi:include href="mandos-options.xml" xpointer="port"/>
173
192
</listitem>
174
193
</varlistentry>
175
194
176
195
<varlistentry>
177
<term><option>--check</option></term>
196
<term><literal>--check</literal></term>
178
197
<listitem>
179
198
<para>
180
199
Run the server’s self-tests. This includes any unit
182
201
</para>
183
202
</listitem>
184
203
</varlistentry>
185
204
186
205
<varlistentry>
187
<term><option>--debug</option></term>
206
<term><literal>--debug</literal></term>
188
207
<listitem>
189
208
<xi:include href="mandos-options.xml" xpointer="debug"/>
190
209
</listitem>
191
210
</varlistentry>
192
211
193
212
<varlistentry>
194
<term><option>--priority <replaceable>
195
PRIORITY</replaceable></option></term>
213
<term><literal>--priority <replaceable>
214
PRIORITY</replaceable></literal></term>
196
215
<listitem>
197
216
<xi:include href="mandos-options.xml" xpointer="priority"/>
198
217
</listitem>
199
218
</varlistentry>
200
219
201
220
<varlistentry>
202
<term><option>--servicename
203
<replaceable>NAME</replaceable></option></term>
221
<term><literal>--servicename <replaceable>NAME</replaceable>
222
</literal></term>
204
223
<listitem>
205
224
<xi:include href="mandos-options.xml"
206
225
xpointer="servicename"/>
207
226
</listitem>
208
227
</varlistentry>
209
228
210
229
<varlistentry>
211
<term><option>--configdir
212
<replaceable>DIRECTORY</replaceable></option></term>
230
<term><literal>--configdir <replaceable>DIR</replaceable>
231
</literal></term>
213
232
<listitem>
214
233
<para>
215
234
Directory to search for configuration files. Default is
221
240
</para>
222
241
</listitem>
223
242
</varlistentry>
224
243
225
244
<varlistentry>
226
<term><option>--version</option></term>
245
<term><literal>--version</literal></term>
227
246
<listitem>
228
247
<para>
229
248
Prints the program version and exit.
230
249
</para>
231
250
</listitem>
232
251
</varlistentry>
233
234
<varlistentry>
235
<term><option>--no-dbus</option></term>
236
<listitem>
237
<xi:include href="mandos-options.xml" xpointer="dbus"/>
238
<para>
239
See also <xref linkend="dbus"/>.
240
</listitem>
241
</varlistentry>
242
252
</variablelist>
243
253
</refsect1>
244
254
245
255
<refsect1 id="overview">
246
256
<title>OVERVIEW</title>
247
257
<xi:include href="overview.xml"/>
248
258
<para>
249
259
This program is the server part. It is a normal server program
250
260
and will run in a normal system environment, not in an initial
251
<acronym>RAM</acronym> disk environment.
261
RAM disk environment.
252
262
</para>
253
263
</refsect1>
254
264
255
265
<refsect1 id="protocol">
256
266
<title>NETWORK PROTOCOL</title>
257
267
<para>
309
319
</row>
310
320
</tbody></tgroup></table>
311
321
</refsect1>
312
322
313
323
<refsect1 id="checking">
314
324
<title>CHECKING</title>
315
325
<para>
323
333
<manvolnum>5</manvolnum></citerefentry>.
324
334
</para>
325
335
</refsect1>
326
336
327
337
<refsect1 id="logging">
328
338
<title>LOGGING</title>
329
339
<para>
333
343
and also show them on the console.
334
344
</para>
335
345
</refsect1>
336
337
<refsect1 id="dbus">
338
<title>D-BUS INTERFACE</title>
339
<para>
340
The server will by default provide a D-Bus system bus interface.
341
This interface will only be accessible by the root user or a
342
Mandos-specific user, if such a user exists.
343
<!-- XXX -->
344
</para>
345
</refsect1>
346
346
347
347
<refsect1 id="exit_status">
348
348
<title>EXIT STATUS</title>
351
351
critical error is encountered.
352
352
</para>
353
353
</refsect1>
354
354
355
355
<refsect1 id="environment">
356
356
<title>ENVIRONMENT</title>
357
357
<variablelist>
371
371
</varlistentry>
372
372
</variablelist>
373
373
</refsect1>
374
375
<refsect1 id="files">
374
375
<refsect1 id="file">
376
376
<title>FILES</title>
377
377
<para>
378
378
Use the <option>--configdir</option> option to change where
401
401
</listitem>
402
402
</varlistentry>
403
403
<varlistentry>
404
<term><filename>/var/run/mandos.pid</filename></term>
404
<term><filename>/var/run/mandos/mandos.pid</filename></term>
405
405
<listitem>
406
406
<para>
407
407
The file containing the process id of
442
442
Currently, if a client is declared <quote>invalid</quote> due to
443
443
having timed out, the server does not record this fact onto
444
444
permanent storage. This has some security implications, see
445
<xref linkend="clients"/>.
445
<xref linkend="CLIENTS"/>.
446
446
</para>
447
447
<para>
448
448
There is currently no way of querying the server of the current
456
456
Debug mode is conflated with running in the foreground.
457
457
</para>
458
458
<para>
459
The console log messages does not show a time stamp.
460
</para>
461
<para>
462
This server does not check the expire time of clients’ OpenPGP
463
keys.
459
The console log messages does not show a timestamp.
464
460
</para>
465
461
</refsect1>
466
462
501
497
</para>
502
498
</informalexample>
503
499
</refsect1>
504
500
505
501
<refsect1 id="security">
506
502
<title>SECURITY</title>
507
<refsect2 id="server">
503
<refsect2 id="SERVER">
508
504
<title>SERVER</title>
509
505
<para>
510
506
Running this <command>&COMMANDNAME;</command> server program
511
507
should not in itself present any security risk to the host
512
computer running it. The program switches to a non-root user
513
soon after startup.
508
computer running it. The program does not need any special
509
privileges to run, and is designed to run as a non-root user.
514
510
</para>
515
511
</refsect2>
516
<refsect2 id="clients">
512
<refsect2 id="CLIENTS">
517
513
<title>CLIENTS</title>
518
514
<para>
519
515
The server only gives out its stored data to clients which
526
522
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
527
523
<manvolnum>5</manvolnum></citerefentry>)
528
524
<emphasis>must</emphasis> be made non-readable by anyone
529
except the user starting the server (usually root).
525
except the user running the server.
530
526
</para>
531
527
<para>
532
528
As detailed in <xref linkend="checking"/>, the status of all
543
539
restarting servers if it is suspected that a client has, in
544
540
fact, been compromised by parties who may now be running a
545
541
fake Mandos client with the keys from the non-encrypted
546
initial <acronym>RAM</acronym> image of the client host. What
547
should be done in that case (if restarting the server program
548
really is necessary) is to stop the server program, edit the
542
initial RAM image of the client host. What should be done in
543
that case (if restarting the server program really is
544
necessary) is to stop the server program, edit the
549
545
configuration file to omit any suspect clients, and restart
550
546
the server program.
551
547
</para>
552
548
<para>
553
549
For more details on client-side security, see
554
<citerefentry><refentrytitle>mandos-client</refentrytitle>
550
<citerefentry><refentrytitle>password-request</refentrytitle>
555
551
<manvolnum>8mandos</manvolnum></citerefentry>.
556
552
</para>
557
553
</refsect2>
558
554
</refsect1>
559
555
560
556
<refsect1 id="see_also">
561
557
<title>SEE ALSO</title>
562
558
<para>
565
561
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
566
562
<refentrytitle>mandos.conf</refentrytitle>
567
563
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
568
<refentrytitle>mandos-client</refentrytitle>
564
<refentrytitle>password-request</refentrytitle>
569
565
<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>
570
566
<refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
571
567
</citerefentry>
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0