/mandos/trunk : revision 13

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-ctl.xml

Committer: Björn Påhlsson
Date: 2008-07-20 02:52:20 UTC
Revision ID: belorn@braxen-20080720025220-r5u0388uy9iu23h6

Added following support:
Pluginbased client handler
rewritten Mandos client
Avahi instead of udp server discovery
openpgp encrypted key support
Passprompt stand alone application for direct console input
Added logging for Mandos server

files added:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

plugins.d/Makefile

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

overview.xml

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
clients.conf => mandos-clients.conf

plugin-runner.c => plugbasedclient.c

plugins.d/mandos-client.c => plugins.d/mandosclient.c

plugins.d/password-prompt.c => plugins.d/passprompt.c

mandos => server.py

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

mandos-ctl.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-ctl">

<!ENTITY TIMESTAMP "2015-07-20">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

</refmeta>

<refname><command>&COMMANDNAME;</command></refname>

Control the operation of the Mandos server

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--enable</option></arg>

<sbr/>

<arg choice="plain"><option>--disable</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--bump-timeout</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--start-checker</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--stop-checker</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--remove</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--checker

<replaceable>COMMAND</replaceable></option></arg>

<arg choice="plain"><option>-c

<replaceable>COMMAND</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--timeout

<arg choice="plain"><option>-t

</group>

100

<sbr/>

101

<group>

102

<arg choice="plain"><option>--extended-timeout

103

104

</group>

105

<sbr/>

106

<group>

107

<arg choice="plain"><option>--interval

108

109

<arg choice="plain"><option>-i

110

111

</group>

112

<sbr/>

113

<group>

114

<arg choice="plain"><option>--approve-by-default</option

115

></arg>

116

<sbr/>

117

<arg choice="plain"><option>--deny-by-default</option></arg>

118

</group>

119

<sbr/>

120

<group>

121

<arg choice="plain"><option>--approval-delay

122

123

</group>

124

<sbr/>

125

<group>

126

<arg choice="plain"><option>--approval-duration

127

128

</group>

129

<sbr/>

130

<group>

131

<arg choice="plain"><option>--interval

132

133

<arg choice="plain"><option>-i

134

135

</group>

136

<sbr/>

137

<group>

138

<arg choice="plain"><option>--host

139

<replaceable>STRING</replaceable></option></arg>

140

<arg choice="plain"><option>-H

141

<replaceable>STRING</replaceable></option></arg>

142

</group>

143

<sbr/>

144

<group>

145

<arg choice="plain"><option>--secret

146

<replaceable>FILENAME</replaceable></option></arg>

147

<arg choice="plain"><option>-s

148

<replaceable>FILENAME</replaceable></option></arg>

149

</group>

150

<sbr/>

151

<group>

152

<arg choice="plain"><option>--approve</option></arg>

153

154

<sbr/>

155

156

157

</group>

158

<sbr/>

159

160

161

162

163

<replaceable>CLIENT</replaceable>

164

</arg>

165

</group>

166

</cmdsynopsis>

167

168

<command>&COMMANDNAME;</command>

169

<group>

170

<arg choice="plain"><option>--verbose</option></arg>

171

172

</group>

173

<group>

174

175

<replaceable>CLIENT</replaceable>

176

</arg>

177

</group>

178

</cmdsynopsis>

179

180

<command>&COMMANDNAME;</command>

181

182

<arg choice="plain"><option>--is-enabled</option></arg>

183

184

</group>

185

<arg choice='plain'><replaceable>CLIENT</replaceable></arg>

186

</cmdsynopsis>

187

188

<command>&COMMANDNAME;</command>

189

190

191

192

</group>

193

</cmdsynopsis>

194

195

<command>&COMMANDNAME;</command>

196

197

<arg choice="plain"><option>--version</option></arg>

198

199

</group>

200

</cmdsynopsis>

201

202

<command>&COMMANDNAME;</command>

203

<arg choice="plain"><option>--check</option></arg>

204

</cmdsynopsis>

205

</refsynopsisdiv>

206

207

208

<title>DESCRIPTION</title>

209

<para>

210

<command>&COMMANDNAME;</command> is a program to control the

211

operation of the Mandos server <citerefentry><refentrytitle

212

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

213

</para>

214

<para>

215

This program can be used to change client settings, approve or

216

deny client requests, and to remove clients from the server.

217

</para>

218

</refsect1>

219

220

221

<title>PURPOSE</title>

222

<para>

223

The purpose of this is to enable <emphasis>remote and unattended

224

rebooting</emphasis> of client host computer with an

225

<emphasis>encrypted root file system</emphasis>. See <xref

226

linkend="overview"/> for details.

227

</para>

228

</refsect1>

229

230

231

<title>OPTIONS</title>

232

233

234

235

236

237

238

<para>

239

Show a help message and exit

240

</para>

241

</listitem>

242

</varlistentry>

243

244

245

<term><option>--enable</option></term>

246

247

248

<para>

249

Enable client(s). An enabled client will be eligble to

250

receive its secret.

251

</para>

252

</listitem>

253

</varlistentry>

254

255

256

<term><option>--disable</option></term>

257

258

259

<para>

260

Disable client(s). A disabled client will not be eligble

261

to receive its secret, and no checkers will be started for

262

it.

263

</para>

264

</listitem>

265

</varlistentry>

266

267

268

<term><option>--bump-timeout</option></term>

269

270

<para>

271

Bump the timeout of the specified client(s), just as if a

272

checker had completed successfully for it/them.

273

</para>

274

</listitem>

275

</varlistentry>

276

277

278

<term><option>--start-checker</option></term>

279

280

<para>

281

Start a new checker now for the specified client(s).

282

</para>

283

</listitem>

284

</varlistentry>

285

286

287

<term><option>--stop-checker</option></term>

288

289

<para>

290

Stop any running checker for the specified client(s).

291

</para>

292

</listitem>

293

</varlistentry>

294

295

296

<term><option>--remove</option></term>

297

298

299

<para>

300

Remove the specified client(s) from the server.

301

</para>

302

</listitem>

303

</varlistentry>

304

305

306

<term><option>--checker

307

<replaceable>COMMAND</replaceable></option></term>

308

<term><option>-c

309

<replaceable>COMMAND</replaceable></option></term>

310

311

<para>

312

Set the <varname>checker</varname> option of the specified

313

client(s); see <citerefentry><refentrytitle

314

>mandos-clients.conf</refentrytitle><manvolnum

315

>5</manvolnum></citerefentry>.

316

</para>

317

</listitem>

318

</varlistentry>

319

320

321

<term><option>--timeout

322

323

<term><option>-t

324

325

326

<para>

327

Set the <varname>timeout</varname> option of the specified

328

client(s); see <citerefentry><refentrytitle

329

>mandos-clients.conf</refentrytitle><manvolnum

330

>5</manvolnum></citerefentry>.

331

</para>

332

</listitem>

333

</varlistentry>

334

335

336

<term><option>--extended-timeout

337

338

339

<para>

340

Set the <varname>extended_timeout</varname> option of the

341

specified client(s); see <citerefentry><refentrytitle

342

>mandos-clients.conf</refentrytitle><manvolnum

343

>5</manvolnum></citerefentry>.

344

</para>

345

</listitem>

346

</varlistentry>

347

348

349

<term><option>--interval

350

351

<term><option>-i

352

353

354

<para>

355

Set the <varname>interval</varname> option of the

356

specified client(s); see <citerefentry><refentrytitle

357

>mandos-clients.conf</refentrytitle><manvolnum

358

>5</manvolnum></citerefentry>.

359

</para>

360

</listitem>

361

</varlistentry>

362

363

364

<term><option>--approve-by-default</option></term>

365

<term><option>--deny-by-default</option></term>

366

367

<para>

368

Set the <varname>approved_by_default</varname> option of

369

the specified client(s) to <literal>True</literal> or

370

<literal>False</literal>, respectively; see

371

<citerefentry><refentrytitle

372

>mandos-clients.conf</refentrytitle><manvolnum

373

>5</manvolnum></citerefentry>.

374

</para>

375

</listitem>

376

</varlistentry>

377

378

379

<term><option>--approval-delay

380

381

382

<para>

383

Set the <varname>approval_delay</varname> option of the

384

specified client(s); see <citerefentry><refentrytitle

385

>mandos-clients.conf</refentrytitle><manvolnum

386

>5</manvolnum></citerefentry>.

387

</para>

388

</listitem>

389

</varlistentry>

390

391

392

<term><option>--approval-duration

393

394

395

<para>

396

Set the <varname>approval_duration</varname> option of the

397

specified client(s); see <citerefentry><refentrytitle

398

>mandos-clients.conf</refentrytitle><manvolnum

399

>5</manvolnum></citerefentry>.

400

</para>

401

</listitem>

402

</varlistentry>

403

404

405

<term><option>--host

406

<replaceable>STRING</replaceable></option></term>

407

<term><option>-H

408

<replaceable>STRING</replaceable></option></term>

409

410

<para>

411

Set the <varname>host</varname> option of the specified

412

client(s); see <citerefentry><refentrytitle

413

>mandos-clients.conf</refentrytitle><manvolnum

414

>5</manvolnum></citerefentry>.

415

</para>

416

</listitem>

417

</varlistentry>

418

419

420

<term><option>--secret

421

<replaceable>FILENAME</replaceable></option></term>

422

<term><option>-s

423

<replaceable>FILENAME</replaceable></option></term>

424

425

<para>

426

Set the <varname>secfile</varname> option of the specified

427

client(s); see <citerefentry><refentrytitle

428

>mandos-clients.conf</refentrytitle><manvolnum

429

>5</manvolnum></citerefentry>.

430

</para>

431

</listitem>

432

</varlistentry>

433

434

435

<term><option>--approve</option></term>

436

437

438

<para>

439

Approve client(s) if currently waiting for approval.

440

</para>

441

</listitem>

442

</varlistentry>

443

444

445

446

447

448

<para>

449

Deny client(s) if currently waiting for approval.

450

</para>

451

</listitem>

452

</varlistentry>

453

454

455

456

457

458

<para>

459

Make the client-modifying options modify <emphasis

460

>all</emphasis> clients.

461

</para>

462

</listitem>

463

</varlistentry>

464

465

466

<term><option>--verbose</option></term>

467

468

469

<para>

470

Show all client settings, not just a subset.

471

</para>

472

</listitem>

473

</varlistentry>

474

475

476

<term><option>--is-enabled</option></term>

477

478

479

<para>

480

Check if a single client is enabled or not, and exit with

481

a successful exit status only if the client is enabled.

482

</para>

483

</listitem>

484

</varlistentry>

485

486

487

<term><option>--check</option></term>

488

489

<para>

490

Run self-tests. This includes any unit tests, etc.

491

</para>

492

</listitem>

493

</varlistentry>

494

495

</variablelist>

496

</refsect1>

497

498

499

<title>OVERVIEW</title>

500

<xi:include href="overview.xml"/>

501

<para>

502

This program is a small utility to generate new OpenPGP keys for

503

new Mandos clients, and to generate sections for inclusion in

504

<filename>clients.conf</filename> on the server.

505

</para>

506

</refsect1>

507

508

509

<title>EXIT STATUS</title>

510

<para>

511

If the <option>--is-enabled</option> option is used, the exit

512

status will be 0 only if the specified client is enabled.

513

</para>

514

</refsect1>

515

516

517

518

519

520

521

522

523

<title>EXAMPLE</title>

524

525

<para>

526

To list all clients:

527

</para>

528

<para>

529

<userinput>&COMMANDNAME;</userinput>

530

</para>

531

</informalexample>

532

533

534

<para>

535

To list <emphasis>all</emphasis> settings for the clients

536

named <quote>foo1.example.org</quote> and <quote

537

>foo2.example.org</quote>:

538

</para>

539

<para>

540

541

542

<userinput>&COMMANDNAME; --verbose foo1.example.org foo2.example.org</userinput>

543

544

</para>

545

</informalexample>

546

547

548

<para>

549

To enable all clients:

550

</para>

551

<para>

552

<userinput>&COMMANDNAME; --enable --all</userinput>

553

</para>

554

</informalexample>

555

556

557

<para>

558

To change timeout and interval value for the clients

559

named <quote>foo1.example.org</quote> and <quote

560

>foo2.example.org</quote>:

561

</para>

562

<para>

563

564

565

<userinput>&COMMANDNAME; --timeout="5m" --interval="1m" foo1.example.org foo2.example.org</userinput>

566

567

</para>

568

</informalexample>

569

570

571

<para>

572

To approve all clients currently waiting for it:

573

</para>

574

<para>

575

<userinput>&COMMANDNAME; --approve --all</userinput>

576

</para>

577

</informalexample>

578

</refsect1>

579

580

581

<title>SECURITY</title>

582

<para>

583

This program must be permitted to access the Mandos server via

584

the D-Bus interface. This normally requires the root user, but

585

could be configured otherwise by reconfiguring the D-Bus server.

586

</para>

587

</refsect1>

588

589

590

591

<para>

592

<citerefentry><refentrytitle>intro</refentrytitle>

593

<manvolnum>8mandos</manvolnum></citerefentry>,

594

<citerefentry><refentrytitle>mandos</refentrytitle>

595

<manvolnum>8</manvolnum></citerefentry>,

596

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

597

<manvolnum>5</manvolnum></citerefentry>,

598

<citerefentry><refentrytitle>mandos-monitor</refentrytitle>

599

600

</para>

601

</refsect1>

602

603

</refentry>

604

605

606

607

608

Older »