/mandos/trunk : revision 13

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-ctl.xml

Committer: Björn Påhlsson
Date: 2008-07-20 02:52:20 UTC
Revision ID: belorn@braxen-20080720025220-r5u0388uy9iu23h6

Added following support:
Pluginbased client handler
rewritten Mandos client
Avahi instead of udp server discovery
openpgp encrypted key support
Passprompt stand alone application for direct console input
Added logging for Mandos server

files added:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

plugins.d/Makefile

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

overview.xml

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
clients.conf => mandos-clients.conf

plugin-runner.c => plugbasedclient.c

plugins.d/mandos-client.c => plugins.d/mandosclient.c

plugins.d/password-prompt.c => plugins.d/passprompt.c

mandos => server.py

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

mandos-ctl.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-ctl">

<!ENTITY TIMESTAMP "2012-06-22">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

</refmeta>

<refname><command>&COMMANDNAME;</command></refname>

Control the operation of the Mandos server

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--enable</option></arg>

<sbr/>

<arg choice="plain"><option>--disable</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--bump-timeout</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--start-checker</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--stop-checker</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--remove</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--checker

<replaceable>COMMAND</replaceable></option></arg>

<arg choice="plain"><option>-c

<replaceable>COMMAND</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--timeout

<arg choice="plain"><option>-t

</group>

<sbr/>

<group>

<arg choice="plain"><option>--extended-timeout

100

101

</group>

102

<sbr/>

103

<group>

104

<arg choice="plain"><option>--interval

105

106

<arg choice="plain"><option>-i

107

108

</group>

109

<sbr/>

110

<group>

111

<arg choice="plain"><option>--approve-by-default</option

112

></arg>

113

<sbr/>

114

<arg choice="plain"><option>--deny-by-default</option></arg>

115

</group>

116

<sbr/>

117

<group>

118

<arg choice="plain"><option>--approval-delay

119

120

</group>

121

<sbr/>

122

<group>

123

<arg choice="plain"><option>--approval-duration

124

125

</group>

126

<sbr/>

127

<group>

128

<arg choice="plain"><option>--interval

129

130

<arg choice="plain"><option>-i

131

132

</group>

133

<sbr/>

134

<group>

135

<arg choice="plain"><option>--host

136

<replaceable>STRING</replaceable></option></arg>

137

<arg choice="plain"><option>-H

138

<replaceable>STRING</replaceable></option></arg>

139

</group>

140

<sbr/>

141

<group>

142

<arg choice="plain"><option>--secret

143

<replaceable>FILENAME</replaceable></option></arg>

144

<arg choice="plain"><option>-s

145

<replaceable>FILENAME</replaceable></option></arg>

146

</group>

147

<sbr/>

148

<group>

149

<arg choice="plain"><option>--approve</option></arg>

150

151

<sbr/>

152

153

154

</group>

155

<sbr/>

156

157

158

159

160

<replaceable>CLIENT</replaceable>

161

</arg>

162

</group>

163

</cmdsynopsis>

164

165

<command>&COMMANDNAME;</command>

166

<group>

167

<arg choice="plain"><option>--verbose</option></arg>

168

169

</group>

170

<group>

171

172

<replaceable>CLIENT</replaceable>

173

</arg>

174

</group>

175

</cmdsynopsis>

176

177

<command>&COMMANDNAME;</command>

178

179

<arg choice="plain"><option>--is-enabled</option></arg>

180

181

</group>

182

<arg choice='plain'><replaceable>CLIENT</replaceable></arg>

183

</cmdsynopsis>

184

185

<command>&COMMANDNAME;</command>

186

187

188

189

</group>

190

</cmdsynopsis>

191

192

<command>&COMMANDNAME;</command>

193

194

<arg choice="plain"><option>--version</option></arg>

195

196

</group>

197

</cmdsynopsis>

198

199

<command>&COMMANDNAME;</command>

200

<arg choice="plain"><option>--check</option></arg>

201

</cmdsynopsis>

202

</refsynopsisdiv>

203

204

205

<title>DESCRIPTION</title>

206

<para>

207

<command>&COMMANDNAME;</command> is a program to control the

208

operation of the Mandos server <citerefentry><refentrytitle

209

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

210

</para>

211

<para>

212

This program can be used to change client settings, approve or

213

deny client requests, and to remove clients from the server.

214

</para>

215

</refsect1>

216

217

218

<title>PURPOSE</title>

219

<para>

220

The purpose of this is to enable <emphasis>remote and unattended

221

rebooting</emphasis> of client host computer with an

222

<emphasis>encrypted root file system</emphasis>. See <xref

223

linkend="overview"/> for details.

224

</para>

225

</refsect1>

226

227

228

<title>OPTIONS</title>

229

230

231

232

233

234

235

<para>

236

Show a help message and exit

237

</para>

238

</listitem>

239

</varlistentry>

240

241

242

<term><option>--enable</option></term>

243

244

245

<para>

246

Enable client(s). An enabled client will be eligble to

247

receive its secret.

248

</para>

249

</listitem>

250

</varlistentry>

251

252

253

<term><option>--disable</option></term>

254

255

256

<para>

257

Disable client(s). A disabled client will not be eligble

258

to receive its secret, and no checkers will be started for

259

it.

260

</para>

261

</listitem>

262

</varlistentry>

263

264

265

<term><option>--bump-timeout</option></term>

266

267

<para>

268

Bump the timeout of the specified client(s), just as if a

269

checker had completed successfully for it/them.

270

</para>

271

</listitem>

272

</varlistentry>

273

274

275

<term><option>--start-checker</option></term>

276

277

<para>

278

Start a new checker now for the specified client(s).

279

</para>

280

</listitem>

281

</varlistentry>

282

283

284

<term><option>--stop-checker</option></term>

285

286

<para>

287

Stop any running checker for the specified client(s).

288

</para>

289

</listitem>

290

</varlistentry>

291

292

293

<term><option>--remove</option></term>

294

295

296

<para>

297

Remove the specified client(s) from the server.

298

</para>

299

</listitem>

300

</varlistentry>

301

302

303

<term><option>--checker

304

<replaceable>COMMAND</replaceable></option></term>

305

<term><option>-c

306

<replaceable>COMMAND</replaceable></option></term>

307

308

<para>

309

Set the <varname>checker</varname> option of the specified

310

client(s); see <citerefentry><refentrytitle

311

>mandos-clients.conf</refentrytitle><manvolnum

312

>5</manvolnum></citerefentry>.

313

</para>

314

</listitem>

315

</varlistentry>

316

317

318

<term><option>--timeout

319

320

<term><option>-t

321

322

323

<para>

324

Set the <varname>timeout</varname> option of the specified

325

client(s); see <citerefentry><refentrytitle

326

>mandos-clients.conf</refentrytitle><manvolnum

327

>5</manvolnum></citerefentry>.

328

</para>

329

</listitem>

330

</varlistentry>

331

332

333

<term><option>--extended-timeout

334

335

336

<para>

337

Set the <varname>extended_timeout</varname> option of the

338

specified client(s); see <citerefentry><refentrytitle

339

>mandos-clients.conf</refentrytitle><manvolnum

340

>5</manvolnum></citerefentry>.

341

</para>

342

</listitem>

343

</varlistentry>

344

345

346

<term><option>--interval

347

348

<term><option>-i

349

350

351

<para>

352

Set the <varname>interval</varname> option of the

353

specified client(s); see <citerefentry><refentrytitle

354

>mandos-clients.conf</refentrytitle><manvolnum

355

>5</manvolnum></citerefentry>.

356

</para>

357

</listitem>

358

</varlistentry>

359

360

361

<term><option>--approve-by-default</option></term>

362

<term><option>--deny-by-default</option></term>

363

364

<para>

365

Set the <varname>approved_by_default</varname> option of

366

the specified client(s) to <literal>True</literal> or

367

<literal>False</literal>, respectively; see

368

<citerefentry><refentrytitle

369

>mandos-clients.conf</refentrytitle><manvolnum

370

>5</manvolnum></citerefentry>.

371

</para>

372

</listitem>

373

</varlistentry>

374

375

376

<term><option>--approval-delay

377

378

379

<para>

380

Set the <varname>approval_delay</varname> option of the

381

specified client(s); see <citerefentry><refentrytitle

382

>mandos-clients.conf</refentrytitle><manvolnum

383

>5</manvolnum></citerefentry>.

384

</para>

385

</listitem>

386

</varlistentry>

387

388

389

<term><option>--approval-duration

390

391

392

<para>

393

Set the <varname>approval_duration</varname> option of the

394

specified client(s); see <citerefentry><refentrytitle

395

>mandos-clients.conf</refentrytitle><manvolnum

396

>5</manvolnum></citerefentry>.

397

</para>

398

</listitem>

399

</varlistentry>

400

401

402

<term><option>--host

403

<replaceable>STRING</replaceable></option></term>

404

<term><option>-H

405

<replaceable>STRING</replaceable></option></term>

406

407

<para>

408

Set the <varname>host</varname> option of the specified

409

client(s); see <citerefentry><refentrytitle

410

>mandos-clients.conf</refentrytitle><manvolnum

411

>5</manvolnum></citerefentry>.

412

</para>

413

</listitem>

414

</varlistentry>

415

416

417

<term><option>--secret

418

<replaceable>FILENAME</replaceable></option></term>

419

<term><option>-s

420

<replaceable>FILENAME</replaceable></option></term>

421

422

<para>

423

Set the <varname>secfile</varname> option of the specified

424

client(s); see <citerefentry><refentrytitle

425

>mandos-clients.conf</refentrytitle><manvolnum

426

>5</manvolnum></citerefentry>.

427

</para>

428

</listitem>

429

</varlistentry>

430

431

432

<term><option>--approve</option></term>

433

434

435

<para>

436

Approve client(s) if currently waiting for approval.

437

</para>

438

</listitem>

439

</varlistentry>

440

441

442

443

444

445

<para>

446

Deny client(s) if currently waiting for approval.

447

</para>

448

</listitem>

449

</varlistentry>

450

451

452

453

454

455

<para>

456

Make the client-modifying options modify <emphasis

457

>all</emphasis> clients.

458

</para>

459

</listitem>

460

</varlistentry>

461

462

463

<term><option>--verbose</option></term>

464

465

466

<para>

467

Show all client settings, not just a subset.

468

</para>

469

</listitem>

470

</varlistentry>

471

472

473

<term><option>--is-enabled</option></term>

474

475

476

<para>

477

Check if a single client is enabled or not, and exit with

478

a successful exit status only if the client is enabled.

479

</para>

480

</listitem>

481

</varlistentry>

482

483

484

<term><option>--check</option></term>

485

486

<para>

487

Run self-tests. This includes any unit tests, etc.

488

</para>

489

</listitem>

490

</varlistentry>

491

492

</variablelist>

493

</refsect1>

494

495

496

<title>OVERVIEW</title>

497

<xi:include href="overview.xml"/>

498

<para>

499

This program is a small utility to generate new OpenPGP keys for

500

new Mandos clients, and to generate sections for inclusion in

501

<filename>clients.conf</filename> on the server.

502

</para>

503

</refsect1>

504

505

506

<title>EXIT STATUS</title>

507

<para>

508

If the <option>--is-enabled</option> option is used, the exit

509

status will be 0 only if the specified client is enabled.

510

</para>

511

</refsect1>

512

513

514

515

516

517

518

519

520

<title>EXAMPLE</title>

521

522

<para>

523

To list all clients:

524

</para>

525

<para>

526

<userinput>&COMMANDNAME;</userinput>

527

</para>

528

</informalexample>

529

530

531

<para>

532

To list <emphasis>all</emphasis> settings for the clients

533

named <quote>foo1.example.org</quote> and <quote

534

>foo2.example.org</quote>:

535

</para>

536

<para>

537

538

539

<userinput>&COMMANDNAME; --verbose foo1.example.org foo2.example.org</userinput>

540

541

</para>

542

</informalexample>

543

544

545

<para>

546

To enable all clients:

547

</para>

548

<para>

549

<userinput>&COMMANDNAME; --enable --all</userinput>

550

</para>

551

</informalexample>

552

553

554

<para>

555

To change timeout and interval value for the clients

556

named <quote>foo1.example.org</quote> and <quote

557

>foo2.example.org</quote>:

558

</para>

559

<para>

560

561

562

<userinput>&COMMANDNAME; --timeout="5m" --interval="1m" foo1.example.org foo2.example.org</userinput>

563

564

</para>

565

</informalexample>

566

567

568

<para>

569

To approve all clients currently waiting for it:

570

</para>

571

<para>

572

<userinput>&COMMANDNAME; --approve --all</userinput>

573

</para>

574

</informalexample>

575

</refsect1>

576

577

578

<title>SECURITY</title>

579

<para>

580

This program must be permitted to access the Mandos server via

581

the D-Bus interface. This normally requires the root user, but

582

could be configured otherwise by reconfiguring the D-Bus server.

583

</para>

584

</refsect1>

585

586

587

588

<para>

589

<citerefentry><refentrytitle>intro</refentrytitle>

590

<manvolnum>8mandos</manvolnum></citerefentry>,

591

<citerefentry><refentrytitle>mandos</refentrytitle>

592

<manvolnum>8</manvolnum></citerefentry>,

593

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

594

<manvolnum>5</manvolnum></citerefentry>,

595

<citerefentry><refentrytitle>mandos-monitor</refentrytitle>

596

597

</para>

598

</refsect1>

599

600

</refentry>

601

602

603

604

605

Older »