/mandos/trunk : revision 126

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2008-08-31 10:44:32 UTC
Revision ID: teddy@fukt.bsnet.se-20080831104432-9hzi47foc7tlmade

* plugins.d/password-prompt.xml (OPTIONS): Move <replaceable> tags to
                                           inside <option> tags.
                                           Moved long options before
                                           short.

files removed:
INSTALL

README

debian

default-mandos

etc-plugins.d-README

init.d-mandos

legalnotice.xml

plugin-runner.conf

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2008-09-12">

<!ENTITY TIMESTAMP "2008-08-31">

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

Gives encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

100

122

<arg choice="plain"><option>--check</option></arg>

101

123

</cmdsynopsis>

102

124

</refsynopsisdiv>

103

125

104

126

105

127

<title>DESCRIPTION</title>

106

128

<para>

115

137

Any authenticated client is then given the stored pre-encrypted

116

138

password for that specific client.

117

139

</para>

140

118

141

</refsect1>

119

142

120

143

121

144

<title>PURPOSE</title>

145

122

146

<para>

123

147

The purpose of this is to enable <emphasis>remote and unattended

124

148

rebooting</emphasis> of client host computer with an

125

149

<emphasis>encrypted root file system</emphasis>. See <xref

126

150

linkend="overview"/> for details.

127

151

</para>

152

128

153

</refsect1>

129

154

130

155

131

156

<title>OPTIONS</title>

157

132

158

133

159

134

160

186

212

<xi:include href="mandos-options.xml" xpointer="debug"/>

187

213

</listitem>

188

214

</varlistentry>

189

215

190

216

191

217

<term><option>--priority <replaceable>

192

218

PRIORITY</replaceable></option></term>

194

220

<xi:include href="mandos-options.xml" xpointer="priority"/>

195

221

</listitem>

196

222

</varlistentry>

197

223

198

224

199

225

<term><option>--servicename

200

226

203

229

xpointer="servicename"/>

204

230

</listitem>

205

231

</varlistentry>

206

232

207

233

208

234

<term><option>--configdir

209

235

<replaceable>DIRECTORY</replaceable></option></term>

218

244

</para>

219

245

</listitem>

220

246

</varlistentry>

221

247

222

248

223

249

<term><option>--version</option></term>

224

250

229

255

</varlistentry>

230

256

</variablelist>

231

257

</refsect1>

232

258

233

259

234

260

<title>OVERVIEW</title>

235

261

<xi:include href="overview.xml"/>

236

262

<para>

237

263

This program is the server part. It is a normal server program

238

264

and will run in a normal system environment, not in an initial

239

<acronym>RAM</acronym> disk environment.

265

RAM disk environment.

240

266

</para>

241

267

</refsect1>

242

268

243

269

244

270

<title>NETWORK PROTOCOL</title>

245

271

<para>

297

323

</row>

298

324

</tbody></tgroup></table>

299

325

</refsect1>

300

326

301

327

302

328

<title>CHECKING</title>

303

329

<para>

311

337

<manvolnum>5</manvolnum></citerefentry>.

312

338

</para>

313

339

</refsect1>

314

340

315

341

316

342

<title>LOGGING</title>

317

343

<para>

321

347

and also show them on the console.

322

348

</para>

323

349

</refsect1>

324

350

325

351

326

352

<title>EXIT STATUS</title>

327

353

<para>

329

355

critical error is encountered.

330

356

</para>

331

357

</refsect1>

332

358

333

359

334

360

<title>ENVIRONMENT</title>

335

361

349

375

</varlistentry>

350

376

</variablelist>

351

377

</refsect1>

352

378

353

379

354

380

<title>FILES</title>

355

381

<para>

379

405

</listitem>

380

406

</varlistentry>

381

407

382

<term><filename>/var/run/mandos.pid</filename></term>

408

<term><filename>/var/run/mandos/mandos.pid</filename></term>

383

409

384

410

<para>

385

411

The file containing the process id of

434

460

Debug mode is conflated with running in the foreground.

435

461

</para>

436

462

<para>

437

The console log messages does not show a time stamp.

438

</para>

439

<para>

440

This server does not check the expire time of clients’ OpenPGP

441

keys.

463

The console log messages does not show a timestamp.

442

464

</para>

443

465

</refsect1>

444

466

479

501

</para>

480

502

</informalexample>

481

503

</refsect1>

482

504

483

505

484

506

<title>SECURITY</title>

485

507

487

509

<para>

488

510

Running this <command>&COMMANDNAME;</command> server program

489

511

should not in itself present any security risk to the host

490

computer running it. The program switches to a non-root user

491

soon after startup.

512

computer running it. The program does not need any special

513

privileges to run, and is designed to run as a non-root user.

492

514

</para>

493

515

</refsect2>

494

516

521

543

restarting servers if it is suspected that a client has, in

522

544

fact, been compromised by parties who may now be running a

523

545

fake Mandos client with the keys from the non-encrypted

524

initial <acronym>RAM</acronym> image of the client host. What

525

should be done in that case (if restarting the server program

526

really is necessary) is to stop the server program, edit the

546

initial RAM image of the client host. What should be done in

547

that case (if restarting the server program really is

548

necessary) is to stop the server program, edit the

527

549

configuration file to omit any suspect clients, and restart

528

550

the server program.

529

551

</para>

530

552

<para>

531

553

For more details on client-side security, see

532

<citerefentry><refentrytitle>mandos-client</refentrytitle>

554

<citerefentry><refentrytitle>password-request</refentrytitle>

533

555

<manvolnum>8mandos</manvolnum></citerefentry>.

534

556

</para>

535

557

</refsect2>

536

558

</refsect1>

537

559

538

560

539

561

540

562

<para>

543

565

544

566

<refentrytitle>mandos.conf</refentrytitle>

545

567

546

<refentrytitle>mandos-client</refentrytitle>

568

<refentrytitle>password-request</refentrytitle>

547

569

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

548

570

549

571

</citerefentry>

Older »