/mandos/trunk : revision 1237

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.conf.xml

Committer: Teddy Hogeborn
Date: 2021-02-03 23:10:42 UTC
Revision ID: teddy@recompile.se-20210203231042-2z3egrvpo1zt7nej

mandos-ctl: Fix bad test for command.Remove and related minor issues

The test for command.Remove removes all clients from the spy server,
and then loops over all clients, looking for the corresponding Remove
command as recorded by the spy server.  But since since there aren't
any clients left after they were removed, no assertions are made, and
the test therefore does nothing.  Fix this.

In tests for command.Approve and command.Deny, add checks that clients
were not somehow removed by the command (in which case, likewise, no
assertions are made).

Add related checks to TestPropertySetterCmd.runTest; i.e. test that a
sequence is not empty before looping over it and making assertions.

* mandos-ctl (TestBaseCommands.test_Remove): Save a copy of the
  original "clients" dict, and loop over those instead.  Add assertion
  that all clients were indeed removed.  Also fix the code which looks
  for the Remove command, which now needs to actually work.
  (TestBaseCommands.test_Approve, TestBaseCommands.test_Deny): Add
  assertion that there are still clients before looping over them.
  (TestPropertySetterCmd.runTest): Add assertion that the list of
  values to get is not empty before looping over them.  Also add check
  that there are still clients before looping over clients.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/sv.po

debian/po/templates.pot

debian/rules

debian/source

debian/source/format

debian/source/lintian-overrides

debian/source/local-options

debian/tests

debian/tests/control

debian/upstream

debian/upstream/metadata

debian/upstream/signing-key.asc

debian/watch

default-mandos

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

init.d-mandos

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.conf.xml

<?xml version='1.0' encoding='UTF-8'?>

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY CONFNAME "mandos.conf">

<!ENTITY CONFPATH "<filename>/etc/mandos/mandos.conf</filename>">

<!ENTITY OVERVIEW SYSTEM "overview.xml">

<!ENTITY TIMESTAMP "2019-06-20">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>&CONFNAME;</title>

<title>Mandos Manual</title>

<productname>&CONFNAME;</productname>

<productnumber>&VERSION;</productnumber>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&CONFNAME;</refentrytitle>

Configuration file for the Mandos server

</refpurpose>

</refnamediv>

&CONFPATH;

</synopsis>

<synopsis>&CONFPATH;</synopsis>

</refsynopsisdiv>

<title>DESCRIPTION</title>

<para>

The file &CONFPATH; is a simple configuration file for

<citerefentry><refentrytitle>mandos</refentrytitle>

<manvolnum>8</manvolnum></citerefentry>, and is read by it at

startup. The configuration file starts with

<quote><literal>[DEFAULT]</literal></quote> on a line by itself,

followed by any number of

<quote><varname><replaceable>option</replaceable></varname>=<replaceable>value</replaceable></quote>

entries, with continuations in the style of RFC 822.

<quote><varname><replaceable>option</replaceable></varname>:

<replaceable>value</replaceable></quote> is also accepted. Note

that leading whitespace is removed from values. Lines beginning

with <quote>#</quote> or <quote>;</quote> are ignored and may be

used to provide comments.

</para>

<para>

The options are:

100

</para>

101

startup. The configuration file starts with <quote><literal

>[DEFAULT]</literal></quote> on a line by itself, followed by

any number of <quote><varname><replaceable>option</replaceable

></varname>=<replaceable>value</replaceable></quote> entries,

with continuations in the style of RFC 822. <quote><varname

><replaceable>option</replaceable></varname>: <replaceable

>value</replaceable></quote> is also accepted. Note that

leading whitespace is removed from values. Lines beginning with

<quote>#</quote> or <quote>;</quote> are ignored and may be used

to provide comments.

</para>

</refsect1>

<title>OPTIONS</title>

102

103

104

<term><literal><varname>interface</varname></literal></term>

105

106

<para>

107

This option allows you to override the default network

108

interfaces. By default mandos will not bind to any

109

specific interface but instead use default avahi-server

110

behaviour.

111

</para>

112

</listitem>

113

</varlistentry>

114

115

116

<term><literal><varname>address</varname></literal></term>

117

118

<para>

119

This option allows you to override the default network

120

address. By default mandos will not bind to any

121

specific address but instead use default avahi-server

122

behaviour.

123

</para>

124

</listitem>

125

</varlistentry>

126

127

128

129

130

<para>

131

This option allows you to override the default port to

132

listen on. By default mandos will not specify any specific

133

port and instead use a random port given by the OS from

134

the use of INADDR_ANY.

135

</para>

136

</listitem>

137

</varlistentry>

138

139

140

<term><literal><varname>debug</varname></literal></term>

141

142

<para>

143

This option allows you to modify debug mode with a true/false

144

boolean value. By default is debug set to <literal>false</literal>.

145

</para>

146

</listitem>

147

</varlistentry>

148

149

150

<term><literal><varname>priority</varname></literal></term>

151

152

<para>

153

This option allows you to override the default gnutls

154

priority that will be used in gnutls session. See

155

<citerefentry><refentrytitle>gnutls_priority_init

156

</refentrytitle><manvolnum>3</manvolnum></citerefentry>for

157

more information on gnutls priority strings.

158

</para>

159

</listitem>

160

</varlistentry>

161

162

163

<term><literal><varname>servicename</varname></literal></term>

164

165

<para>

166

This option allows you to override the default Zeroconf

167

service name use to announce mandos as a avahi service. By

168

default mandos will use "Mandos".

169

</para>

<term><option>interface<literal> = </literal><replaceable

>NAME</replaceable></option></term>

<xi:include href="mandos-options.xml" xpointer="interface"/>

</listitem>

</varlistentry>

100

101

<term><option>address<literal> = </literal><replaceable

102

>ADDRESS</replaceable></option></term>

103

104

<xi:include href="mandos-options.xml" xpointer="address"/>

105

</listitem>

106

</varlistentry>

107

108

109

<term><option>port<literal> = </literal><replaceable

110

>NUMBER</replaceable></option></term>

111

112

<xi:include href="mandos-options.xml" xpointer="port"/>

113

</listitem>

114

</varlistentry>

115

116

117

<term><option>debug<literal> = </literal>{ <literal

118

>1</literal> | <literal>yes</literal> | <literal

119

>true</literal> | <literal>on</literal> | <literal

120

>0</literal> | <literal>no</literal> | <literal

121

>false</literal> | <literal>off</literal> }</option></term>

122

123

<xi:include href="mandos-options.xml" xpointer="debug"/>

124

</listitem>

125

</varlistentry>

126

127

128

<term><option>priority<literal> = </literal><replaceable

129

>STRING</replaceable></option></term>

130

131

<xi:include href="mandos-options.xml" xpointer="priority"/>

132

</listitem>

133

</varlistentry>

134

135

136

<term><option>servicename<literal> = </literal

137

><replaceable>NAME</replaceable></option></term>

138

139

<xi:include href="mandos-options.xml"

140

xpointer="servicename"/>

141

</listitem>

142

</varlistentry>

143

144

145

<term><option>use_dbus<literal> = </literal>{ <literal

146

>1</literal> | <literal>yes</literal> | <literal

147

>true</literal> | <literal>on</literal> | <literal

148

>0</literal> | <literal>no</literal> | <literal

149

>false</literal> | <literal>off</literal> }</option></term>

150

151

<xi:include href="mandos-options.xml" xpointer="dbus"/>

152

</listitem>

153

</varlistentry>

154

155

156

<term><option>use_ipv6<literal> = </literal>{ <literal

157

>1</literal> | <literal>yes</literal> | <literal

158

>true</literal> | <literal>on</literal> | <literal

159

>0</literal> | <literal>no</literal> | <literal

160

>false</literal> | <literal>off</literal> }</option></term>

161

162

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

163

</listitem>

164

</varlistentry>

165

166

167

<term><option>restore<literal> = </literal>{ <literal

168

>1</literal> | <literal>yes</literal> | <literal

169

>true</literal> | <literal>on</literal> | <literal

170

>0</literal> | <literal>no</literal> | <literal

171

>false</literal> | <literal>off</literal> }</option></term>

172

173

<xi:include href="mandos-options.xml" xpointer="restore"/>

174

</listitem>

175

</varlistentry>

176

177

178

<term><option>statedir<literal> = </literal><replaceable

179

>DIRECTORY</replaceable></option></term>

180

181

<xi:include href="mandos-options.xml" xpointer="statedir"/>

182

</listitem>

183

</varlistentry>

184

185

186

<term><option>socket<literal> = </literal><replaceable

187

>NUMBER</replaceable></option></term>

188

189

<xi:include href="mandos-options.xml" xpointer="socket"/>

170

190

</listitem>

171

191

</varlistentry>

172

192

173

193

</variablelist>

174

194

</refsect1>

175

176

177

<title>EXAMPLES</title>

178

179

180

[server]

181

# A configuration example

182

interface = eth0

183

address = 2001:DB8:

184

port = 1025

185

debug = true

186

priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP

187

servicename = Mandos

188

</programlisting>

189

</informalexample>

190

</refsect1>

191

195

192

196

193

197

<title>FILES</title>

195

199

The file described here is &CONFPATH;

196

200

</para>

197

201

</refsect1>

202

203

204

205

<para>

206

The <literal>[DEFAULT]</literal> is necessary because the Python

207

built-in module <systemitem class="library">ConfigParser</systemitem>

208

requires it.

209

</para>

210

<xi:include href="bugs.xml"/>

211

</refsect1>

212

213

214

<title>EXAMPLE</title>

215

216

<para>

217

No options are actually required:

218

</para>

219

220

[DEFAULT]

221

</programlisting>

222

</informalexample>

223

224

<para>

225

An example using all the options:

226

</para>

227

228

[DEFAULT]

229

# A configuration example

230

interface = enp1s0

231

address = fe80::aede:48ff:fe71:f6f2

232

port = 1025

233

debug = True

234

priority = SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA:!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA

235

servicename = Daena

236

use_dbus = False

237

use_ipv6 = True

238

restore = True

239

statedir = /var/lib/mandos

240

</programlisting>

241

</informalexample>

242

</refsect1>

243

244

245

246

<para>

247

<citerefentry><refentrytitle>intro</refentrytitle>

248

<manvolnum>8mandos</manvolnum></citerefentry>,

249

<citerefentry><refentrytitle>gnutls_priority_init</refentrytitle

250

><manvolnum>3</manvolnum></citerefentry>,

251

<citerefentry><refentrytitle>mandos</refentrytitle>

252

<manvolnum>8</manvolnum></citerefentry>,

253

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

254

255

</para>

256

257

258

259

<term>

260

RFC 4291: <citetitle>IP Version 6 Addressing

261

Architecture</citetitle>

262

</term>

263

264

265

266

<term>Section 2.2: <citetitle>Text Representation of

267

Addresses</citetitle></term>

268

269

</varlistentry>

270

271

<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6

272

Address</citetitle></term>

273

274

</varlistentry>

275

276

<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast

277

Addresses</citetitle></term>

278

279

<para>

280

The clients use IPv6 link-local addresses, which are

281

immediately usable since a link-local addresses is

282

automatically assigned to a network interface when it

283

is brought up.

284

</para>

285

</listitem>

286

</varlistentry>

287

</variablelist>

288

</listitem>

289

</varlistentry>

290

291

<term>

292

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

293

</term>

294

295

<para>

296

Zeroconf is the network protocol standard used by clients

297

for finding the Mandos server on the local network.

298

</para>

299

</listitem>

300

</varlistentry>

301

</variablelist>

302

</refsect1>

198

303

</refentry>

304

305

306

307

308

Older »