/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

  • Committer: Teddy Hogeborn
  • Date: 2008-09-03 17:11:32 UTC
  • Revision ID: teddy@fukt.bsnet.se-20080903171132-usevhlf0gi9rxqc3
* plugins.d/password-request.c (init_gnutls_global): Improved wording
                                                     in debug message.
                                                     Bug fix: Make
                                                     debug message
                                                     print to stderr,
                                                     not stdout.

* plugins.d/password-request.xml (SECURITY): Add text.

Show diffs side-by-side

added added

removed removed

Lines of Context:
mandos.xml
1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
 
4
<!ENTITY VERSION "1.0">
4
5
<!ENTITY COMMANDNAME "mandos">
5
 
<!ENTITY TIMESTAMP "2009-09-17">
6
 
<!ENTITY % common SYSTEM "common.ent">
7
 
%common;
 
6
<!ENTITY TIMESTAMP "2008-09-02">
8
7
]>
9
8
 
10
9
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
11
 
   <refentryinfo>
 
10
  <refentryinfo>
12
11
    <title>Mandos Manual</title>
13
12
    <!-- NWalsh’s docbook scripts use this to generate the footer: -->
14
13
    <productname>Mandos</productname>
15
 
    <productnumber>&version;</productnumber>
 
14
    <productnumber>&VERSION;</productnumber>
16
15
    <date>&TIMESTAMP;</date>
17
16
    <authorgroup>
18
17
      <author>
32
31
    </authorgroup>
33
32
    <copyright>
34
33
      <year>2008</year>
35
 
      <year>2009</year>
36
34
      <holder>Teddy Hogeborn</holder>
37
35
      <holder>Björn Påhlsson</holder>
38
36
    </copyright>
39
37
    <xi:include href="legalnotice.xml"/>
40
38
  </refentryinfo>
41
 
  
 
39
 
42
40
  <refmeta>
43
41
    <refentrytitle>&COMMANDNAME;</refentrytitle>
44
42
    <manvolnum>8</manvolnum>
50
48
      Gives encrypted passwords to authenticated Mandos clients
51
49
    </refpurpose>
52
50
  </refnamediv>
53
 
  
 
51
 
54
52
  <refsynopsisdiv>
55
53
    <cmdsynopsis>
56
54
      <command>&COMMANDNAME;</command>
85
83
      <replaceable>DIRECTORY</replaceable></option></arg>
86
84
      <sbr/>
87
85
      <arg><option>--debug</option></arg>
88
 
      <sbr/>
89
 
      <arg><option>--no-ipv6</option></arg>
90
86
    </cmdsynopsis>
91
87
    <cmdsynopsis>
92
88
      <command>&COMMANDNAME;</command>
104
100
      <arg choice="plain"><option>--check</option></arg>
105
101
    </cmdsynopsis>
106
102
  </refsynopsisdiv>
107
 
  
 
103
 
108
104
  <refsect1 id="description">
109
105
    <title>DESCRIPTION</title>
110
106
    <para>
190
186
          <xi:include href="mandos-options.xml" xpointer="debug"/>
191
187
        </listitem>
192
188
      </varlistentry>
193
 
      
 
189
 
194
190
      <varlistentry>
195
191
        <term><option>--priority <replaceable>
196
192
        PRIORITY</replaceable></option></term>
198
194
          <xi:include href="mandos-options.xml" xpointer="priority"/>
199
195
        </listitem>
200
196
      </varlistentry>
201
 
      
 
197
 
202
198
      <varlistentry>
203
199
        <term><option>--servicename
204
200
        <replaceable>NAME</replaceable></option></term>
207
203
                      xpointer="servicename"/>
208
204
        </listitem>
209
205
      </varlistentry>
210
 
      
 
206
 
211
207
      <varlistentry>
212
208
        <term><option>--configdir
213
209
        <replaceable>DIRECTORY</replaceable></option></term>
222
218
          </para>
223
219
        </listitem>
224
220
      </varlistentry>
225
 
      
 
221
 
226
222
      <varlistentry>
227
223
        <term><option>--version</option></term>
228
224
        <listitem>
231
227
          </para>
232
228
        </listitem>
233
229
      </varlistentry>
234
 
      
235
 
      <varlistentry>
236
 
        <term><option>--no-ipv6</option></term>
237
 
        <listitem>
238
 
          <xi:include href="mandos-options.xml" xpointer="ipv6"/>
239
 
        </listitem>
240
 
      </varlistentry>
241
230
    </variablelist>
242
231
  </refsect1>
243
 
  
 
232
 
244
233
  <refsect1 id="overview">
245
234
    <title>OVERVIEW</title>
246
235
    <xi:include href="overview.xml"/>
250
239
      <acronym>RAM</acronym> disk environment.
251
240
    </para>
252
241
  </refsect1>
253
 
  
 
242
 
254
243
  <refsect1 id="protocol">
255
244
    <title>NETWORK PROTOCOL</title>
256
245
    <para>
308
297
      </row>
309
298
    </tbody></tgroup></table>
310
299
  </refsect1>
311
 
  
 
300
 
312
301
  <refsect1 id="checking">
313
302
    <title>CHECKING</title>
314
303
    <para>
315
304
      The server will, by default, continually check that the clients
316
305
      are still up.  If a client has not been confirmed as being up
317
306
      for some time, the client is assumed to be compromised and is no
318
 
      longer eligible to receive the encrypted password.  (Manual
319
 
      intervention is required to re-enable a client.)  The timeout,
 
307
      longer eligible to receive the encrypted password.  The timeout,
320
308
      checker program, and interval between checks can be configured
321
309
      both globally and per client; see <citerefentry>
322
310
      <refentrytitle>mandos-clients.conf</refentrytitle>
323
 
      <manvolnum>5</manvolnum></citerefentry>.  A client successfully
324
 
      receiving its password will also be treated as a successful
325
 
      checker run.
 
311
      <manvolnum>5</manvolnum></citerefentry>.
326
312
    </para>
327
313
  </refsect1>
328
 
  
 
314
 
329
315
  <refsect1 id="logging">
330
316
    <title>LOGGING</title>
331
317
    <para>
335
321
      and also show them on the console.
336
322
    </para>
337
323
  </refsect1>
338
 
  
 
324
 
339
325
  <refsect1 id="exit_status">
340
326
    <title>EXIT STATUS</title>
341
327
    <para>
343
329
      critical error is encountered.
344
330
    </para>
345
331
  </refsect1>
346
 
  
 
332
 
347
333
  <refsect1 id="environment">
348
334
    <title>ENVIRONMENT</title>
349
335
    <variablelist>
363
349
      </varlistentry>
364
350
    </variablelist>
365
351
  </refsect1>
366
 
  
367
 
  <refsect1 id="files">
 
352
 
 
353
  <refsect1 id="file">
368
354
    <title>FILES</title>
369
355
    <para>
370
356
      Use the <option>--configdir</option> option to change where
393
379
        </listitem>
394
380
      </varlistentry>
395
381
      <varlistentry>
396
 
        <term><filename>/var/run/mandos.pid</filename></term>
 
382
        <term><filename>/var/run/mandos/mandos.pid</filename></term>
397
383
        <listitem>
398
384
          <para>
399
385
            The file containing the process id of
434
420
      Currently, if a client is declared <quote>invalid</quote> due to
435
421
      having timed out, the server does not record this fact onto
436
422
      permanent storage.  This has some security implications, see
437
 
      <xref linkend="clients"/>.
 
423
      <xref linkend="CLIENTS"/>.
438
424
    </para>
439
425
    <para>
440
426
      There is currently no way of querying the server of the current
448
434
      Debug mode is conflated with running in the foreground.
449
435
    </para>
450
436
    <para>
451
 
      The console log messages do not show a time stamp.
452
 
    </para>
453
 
    <para>
454
 
      This server does not check the expire time of clients’ OpenPGP
455
 
      keys.
 
437
      The console log messages does not show a timestamp.
456
438
    </para>
457
439
  </refsect1>
458
440
  
493
475
      </para>
494
476
    </informalexample>
495
477
  </refsect1>
496
 
  
 
478
 
497
479
  <refsect1 id="security">
498
480
    <title>SECURITY</title>
499
 
    <refsect2 id="server">
 
481
    <refsect2 id="SERVER">
500
482
      <title>SERVER</title>
501
483
      <para>
502
484
        Running this <command>&COMMANDNAME;</command> server program
503
485
        should not in itself present any security risk to the host
504
 
        computer running it.  The program switches to a non-root user
505
 
        soon after startup.
 
486
        computer running it.  The program does not need any special
 
487
        privileges to run, and is designed to run as a non-root user.
506
488
      </para>
507
489
    </refsect2>
508
 
    <refsect2 id="clients">
 
490
    <refsect2 id="CLIENTS">
509
491
      <title>CLIENTS</title>
510
492
      <para>
511
493
        The server only gives out its stored data to clients which
518
500
        <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
519
501
        <manvolnum>5</manvolnum></citerefentry>)
520
502
        <emphasis>must</emphasis> be made non-readable by anyone
521
 
        except the user starting the server (usually root).
 
503
        except the user running the server.
522
504
      </para>
523
505
      <para>
524
506
        As detailed in <xref linkend="checking"/>, the status of all
543
525
      </para>
544
526
      <para>
545
527
        For more details on client-side security, see
546
 
        <citerefentry><refentrytitle>mandos-client</refentrytitle>
 
528
        <citerefentry><refentrytitle>password-request</refentrytitle>
547
529
        <manvolnum>8mandos</manvolnum></citerefentry>.
548
530
      </para>
549
531
    </refsect2>
550
532
  </refsect1>
551
 
  
 
533
 
552
534
  <refsect1 id="see_also">
553
535
    <title>SEE ALSO</title>
554
536
    <para>
557
539
        <manvolnum>5</manvolnum></citerefentry>, <citerefentry>
558
540
        <refentrytitle>mandos.conf</refentrytitle>
559
541
        <manvolnum>5</manvolnum></citerefentry>, <citerefentry>
560
 
        <refentrytitle>mandos-client</refentrytitle>
 
542
        <refentrytitle>password-request</refentrytitle>
561
543
        <manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>
562
544
        <refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
563
545
      </citerefentry>