/mandos/trunk : revision 13

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-ctl.xml

Committer: Björn Påhlsson
Date: 2008-07-20 02:52:20 UTC
Revision ID: belorn@braxen-20080720025220-r5u0388uy9iu23h6

Added following support:
Pluginbased client handler
rewritten Mandos client
Avahi instead of udp server discovery
openpgp encrypted key support
Passprompt stand alone application for direct console input
Added logging for Mandos server

files added:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

plugins.d/Makefile

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-tools-conf

initramfs-tools-hook

initramfs-tools-script

initramfs-tools-script-stop

initramfs-unpack

intro.xml

legalnotice.xml

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos-to-cryptroot-unlock

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

overview.xml

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files renamed:
clients.conf => mandos-clients.conf

plugin-runner.c => plugbasedclient.c

plugins.d/mandos-client.c => plugins.d/mandosclient.c

plugins.d/password-prompt.c => plugins.d/passprompt.c

mandos => server.py

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

mandos-ctl.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-ctl">

<!ENTITY TIMESTAMP "2019-03-06">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

</refmeta>

<refname><command>&COMMANDNAME;</command></refname>

Control or query the operation of the Mandos server

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--enable</option></arg>

<sbr/>

<arg choice="plain"><option>--disable</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--bump-timeout</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--start-checker</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--stop-checker</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--remove</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--checker

<replaceable>COMMAND</replaceable></option></arg>

<arg choice="plain"><option>-c

<replaceable>COMMAND</replaceable></option></arg>

</group>

<sbr/>

<group>

100

<arg choice="plain"><option>--timeout

101

102

<arg choice="plain"><option>-t

103

104

</group>

105

<sbr/>

106

<group>

107

<arg choice="plain"><option>--extended-timeout

108

109

</group>

110

<sbr/>

111

<group>

112

<arg choice="plain"><option>--interval

113

114

<arg choice="plain"><option>-i

115

116

</group>

117

<sbr/>

118

<group>

119

<arg choice="plain"><option>--approve-by-default</option

120

></arg>

121

<sbr/>

122

<arg choice="plain"><option>--deny-by-default</option></arg>

123

</group>

124

<sbr/>

125

<group>

126

<arg choice="plain"><option>--approval-delay

127

128

</group>

129

<sbr/>

130

<group>

131

<arg choice="plain"><option>--approval-duration

132

133

</group>

134

<sbr/>

135

<group>

136

<arg choice="plain"><option>--host

137

<replaceable>STRING</replaceable></option></arg>

138

<arg choice="plain"><option>-H

139

<replaceable>STRING</replaceable></option></arg>

140

</group>

141

<sbr/>

142

<group>

143

<arg choice="plain"><option>--secret

144

<replaceable>FILENAME</replaceable></option></arg>

145

<arg choice="plain"><option>-s

146

<replaceable>FILENAME</replaceable></option></arg>

147

</group>

148

<sbr/>

149

<group>

150

<arg choice="plain"><option>--approve</option></arg>

151

152

<sbr/>

153

154

155

</group>

156

</group>

157

<sbr/>

158

159

160

161

162

<replaceable>CLIENT</replaceable>

163

</arg>

164

</group>

165

</cmdsynopsis>

166

167

<command>&COMMANDNAME;</command>

168

<group>

169

<arg choice="plain"><option>--verbose</option></arg>

170

171

<sbr/>

172

173

174

</group>

175

<group>

176

177

<replaceable>CLIENT</replaceable>

178

</arg>

179

</group>

180

</cmdsynopsis>

181

182

<command>&COMMANDNAME;</command>

183

184

<arg choice="plain"><option>--is-enabled</option></arg>

185

186

</group>

187

<arg choice='plain'><replaceable>CLIENT</replaceable></arg>

188

</cmdsynopsis>

189

190

<command>&COMMANDNAME;</command>

191

192

193

194

</group>

195

</cmdsynopsis>

196

197

<command>&COMMANDNAME;</command>

198

199

<arg choice="plain"><option>--version</option></arg>

200

201

</group>

202

</cmdsynopsis>

203

204

<command>&COMMANDNAME;</command>

205

<arg choice="plain"><option>--check</option></arg>

206

</cmdsynopsis>

207

</refsynopsisdiv>

208

209

210

<title>DESCRIPTION</title>

211

<para>

212

<command>&COMMANDNAME;</command> is a program to control or

213

query the operation of the Mandos server

214

<citerefentry><refentrytitle>mandos</refentrytitle><manvolnum

215

>8</manvolnum></citerefentry>.

216

</para>

217

<para>

218

This program can be used to change client settings, approve or

219

deny client requests, and to remove clients from the server.

220

</para>

221

</refsect1>

222

223

224

<title>PURPOSE</title>

225

<para>

226

The purpose of this is to enable <emphasis>remote and unattended

227

rebooting</emphasis> of client host computer with an

228

<emphasis>encrypted root file system</emphasis>. See <xref

229

linkend="overview"/> for details.

230

</para>

231

</refsect1>

232

233

234

<title>OPTIONS</title>

235

236

237

238

239

240

241

<para>

242

Show a help message and exit

243

</para>

244

</listitem>

245

</varlistentry>

246

247

248

<term><option>--enable</option></term>

249

250

251

<para>

252

Enable client(s). An enabled client will be eligble to

253

receive its secret.

254

</para>

255

</listitem>

256

</varlistentry>

257

258

259

<term><option>--disable</option></term>

260

261

262

<para>

263

Disable client(s). A disabled client will not be eligble

264

to receive its secret, and no checkers will be started for

265

it.

266

</para>

267

</listitem>

268

</varlistentry>

269

270

271

<term><option>--bump-timeout</option></term>

272

273

<para>

274

Bump the timeout of the specified client(s), just as if a

275

checker had completed successfully for it/them.

276

</para>

277

</listitem>

278

</varlistentry>

279

280

281

<term><option>--start-checker</option></term>

282

283

<para>

284

Start a new checker now for the specified client(s).

285

</para>

286

</listitem>

287

</varlistentry>

288

289

290

<term><option>--stop-checker</option></term>

291

292

<para>

293

Stop any running checker for the specified client(s).

294

</para>

295

</listitem>

296

</varlistentry>

297

298

299

<term><option>--remove</option></term>

300

301

302

<para>

303

Remove the specified client(s) from the server.

304

</para>

305

</listitem>

306

</varlistentry>

307

308

309

<term><option>--checker

310

<replaceable>COMMAND</replaceable></option></term>

311

<term><option>-c

312

<replaceable>COMMAND</replaceable></option></term>

313

314

<para>

315

Set the <varname>checker</varname> option of the specified

316

client(s); see <citerefentry><refentrytitle

317

>mandos-clients.conf</refentrytitle><manvolnum

318

>5</manvolnum></citerefentry>.

319

</para>

320

</listitem>

321

</varlistentry>

322

323

324

<term><option>--timeout

325

326

<term><option>-t

327

328

329

<para>

330

Set the <varname>timeout</varname> option of the specified

331

client(s); see <citerefentry><refentrytitle

332

>mandos-clients.conf</refentrytitle><manvolnum

333

>5</manvolnum></citerefentry>.

334

</para>

335

</listitem>

336

</varlistentry>

337

338

339

<term><option>--extended-timeout

340

341

342

<para>

343

Set the <varname>extended_timeout</varname> option of the

344

specified client(s); see <citerefentry><refentrytitle

345

>mandos-clients.conf</refentrytitle><manvolnum

346

>5</manvolnum></citerefentry>.

347

</para>

348

</listitem>

349

</varlistentry>

350

351

352

<term><option>--interval

353

354

<term><option>-i

355

356

357

<para>

358

Set the <varname>interval</varname> option of the

359

specified client(s); see <citerefentry><refentrytitle

360

>mandos-clients.conf</refentrytitle><manvolnum

361

>5</manvolnum></citerefentry>.

362

</para>

363

</listitem>

364

</varlistentry>

365

366

367

<term><option>--approve-by-default</option></term>

368

<term><option>--deny-by-default</option></term>

369

370

<para>

371

Set the <varname>approved_by_default</varname> option of

372

the specified client(s) to <literal>True</literal> or

373

<literal>False</literal>, respectively; see

374

<citerefentry><refentrytitle

375

>mandos-clients.conf</refentrytitle><manvolnum

376

>5</manvolnum></citerefentry>.

377

</para>

378

</listitem>

379

</varlistentry>

380

381

382

<term><option>--approval-delay

383

384

385

<para>

386

Set the <varname>approval_delay</varname> option of the

387

specified client(s); see <citerefentry><refentrytitle

388

>mandos-clients.conf</refentrytitle><manvolnum

389

>5</manvolnum></citerefentry>.

390

</para>

391

</listitem>

392

</varlistentry>

393

394

395

<term><option>--approval-duration

396

397

398

<para>

399

Set the <varname>approval_duration</varname> option of the

400

specified client(s); see <citerefentry><refentrytitle

401

>mandos-clients.conf</refentrytitle><manvolnum

402

>5</manvolnum></citerefentry>.

403

</para>

404

</listitem>

405

</varlistentry>

406

407

408

<term><option>--host

409

<replaceable>STRING</replaceable></option></term>

410

<term><option>-H

411

<replaceable>STRING</replaceable></option></term>

412

413

<para>

414

Set the <varname>host</varname> option of the specified

415

client(s); see <citerefentry><refentrytitle

416

>mandos-clients.conf</refentrytitle><manvolnum

417

>5</manvolnum></citerefentry>.

418

</para>

419

</listitem>

420

</varlistentry>

421

422

423

<term><option>--secret

424

<replaceable>FILENAME</replaceable></option></term>

425

<term><option>-s

426

<replaceable>FILENAME</replaceable></option></term>

427

428

<para>

429

Set the <varname>secfile</varname> option of the specified

430

client(s); see <citerefentry><refentrytitle

431

>mandos-clients.conf</refentrytitle><manvolnum

432

>5</manvolnum></citerefentry>.

433

</para>

434

</listitem>

435

</varlistentry>

436

437

438

<term><option>--approve</option></term>

439

440

441

<para>

442

Approve client(s) if currently waiting for approval.

443

</para>

444

</listitem>

445

</varlistentry>

446

447

448

449

450

451

<para>

452

Deny client(s) if currently waiting for approval.

453

</para>

454

</listitem>

455

</varlistentry>

456

457

458

459

460

461

<para>

462

Make the client-modifying options modify <emphasis

463

>all</emphasis> clients.

464

</para>

465

</listitem>

466

</varlistentry>

467

468

469

<term><option>--verbose</option></term>

470

471

472

<para>

473

Show all client settings, not just a subset.

474

</para>

475

</listitem>

476

</varlistentry>

477

478

479

480

481

482

<para>

483

Dump client settings as JSON to standard output.

484

</para>

485

</listitem>

486

</varlistentry>

487

488

489

<term><option>--is-enabled</option></term>

490

491

492

<para>

493

Check if a single client is enabled or not, and exit with

494

a successful exit status only if the client is enabled.

495

</para>

496

</listitem>

497

</varlistentry>

498

499

500

<term><option>--check</option></term>

501

502

<para>

503

Run self-tests. This includes any unit tests, etc.

504

</para>

505

</listitem>

506

</varlistentry>

507

508

</variablelist>

509

</refsect1>

510

511

512

<title>OVERVIEW</title>

513

<xi:include href="overview.xml"/>

514

<para>

515

This program is a small utility to generate new OpenPGP keys for

516

new Mandos clients, and to generate sections for inclusion in

517

<filename>clients.conf</filename> on the server.

518

</para>

519

</refsect1>

520

521

522

<title>EXIT STATUS</title>

523

<para>

524

If the <option>--is-enabled</option> option is used, the exit

525

status will be 0 only if the specified client is enabled.

526

</para>

527

</refsect1>

528

529

530

531

<xi:include href="bugs.xml"/>

532

</refsect1>

533

534

535

<title>EXAMPLE</title>

536

537

<para>

538

To list all clients:

539

</para>

540

<para>

541

<userinput>&COMMANDNAME;</userinput>

542

</para>

543

</informalexample>

544

545

546

<para>

547

To list <emphasis>all</emphasis> settings for the clients

548

named <quote>foo1.example.org</quote> and <quote

549

>foo2.example.org</quote>:

550

</para>

551

<para>

552

553

554

<userinput>&COMMANDNAME; --verbose foo1.example.org foo2.example.org</userinput>

555

556

</para>

557

</informalexample>

558

559

560

<para>

561

To enable all clients:

562

</para>

563

<para>

564

<userinput>&COMMANDNAME; --enable --all</userinput>

565

</para>

566

</informalexample>

567

568

569

<para>

570

To change timeout and interval value for the clients

571

named <quote>foo1.example.org</quote> and <quote

572

>foo2.example.org</quote>:

573

</para>

574

<para>

575

576

577

<userinput>&COMMANDNAME; --timeout="5m" --interval="1m" foo1.example.org foo2.example.org</userinput>

578

579

</para>

580

</informalexample>

581

582

583

<para>

584

To approve all clients currently waiting for it:

585

</para>

586

<para>

587

<userinput>&COMMANDNAME; --approve --all</userinput>

588

</para>

589

</informalexample>

590

</refsect1>

591

592

593

<title>SECURITY</title>

594

<para>

595

This program must be permitted to access the Mandos server via

596

the D-Bus interface. This normally requires the root user, but

597

could be configured otherwise by reconfiguring the D-Bus server.

598

</para>

599

</refsect1>

600

601

602

603

<para>

604

<citerefentry><refentrytitle>intro</refentrytitle>

605

<manvolnum>8mandos</manvolnum></citerefentry>,

606

<citerefentry><refentrytitle>mandos</refentrytitle>

607

<manvolnum>8</manvolnum></citerefentry>,

608

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

609

<manvolnum>5</manvolnum></citerefentry>,

610

<citerefentry><refentrytitle>mandos-monitor</refentrytitle>

611

612

</para>

613

</refsect1>

614

615

</refentry>

616

617

618

619

620

Older »