/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

  • Committer: Teddy Hogeborn
  • Date: 2008-09-05 16:24:33 UTC
  • Revision ID: teddy@fukt.bsnet.se-20080905162433-58fgx91ae9foxlh1
* Makefile (PIDDIR, USER, GROUP): Removed.
  (install-server): Do not create $(PIDDIR).
  (uninstall-server): Do not remove $(PIDDIR).

* init.d-mandos (PIDFILE): Changed to "/var/run/$NAME.pid".

* mandos (IPv6_TCPServer.enabled): New attribute.
  (IPv6_TCPServer.server_activate): Only call method of superclass if
                                    "self.enabled".
  (IPv6_TCPServer.enable): Set "self.enabled" to True.
  (main): Create client Set() early.  Create IPv6_TCPServer object
          early.  Switch to user and group "mandos", "nobody" or
          65534, if possible.  Enable IPv6_TCPServer *after* switching
          user.

* mandos-keygen (KEYDIR): Changed to "/etc/keys/mandos".

* mandos.xml (FILES): Changed PID file.
  (SECURITY): The server does need to be privileged, but switches to a
              non-privileged user.

* plugin-runner.xml (EXAMPLE): Changed long example to something more
                               realistic.

Show diffs side-by-side

added added

removed removed

Lines of Context:
1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
 
4
<!ENTITY VERSION "1.0">
4
5
<!ENTITY COMMANDNAME "mandos">
5
 
<!ENTITY TIMESTAMP "2009-09-17">
6
 
<!ENTITY % common SYSTEM "common.ent">
7
 
%common;
 
6
<!ENTITY TIMESTAMP "2008-09-05">
8
7
]>
9
8
 
10
9
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
11
 
   <refentryinfo>
 
10
  <refentryinfo>
12
11
    <title>Mandos Manual</title>
13
12
    <!-- NWalsh’s docbook scripts use this to generate the footer: -->
14
13
    <productname>Mandos</productname>
15
 
    <productnumber>&version;</productnumber>
 
14
    <productnumber>&VERSION;</productnumber>
16
15
    <date>&TIMESTAMP;</date>
17
16
    <authorgroup>
18
17
      <author>
32
31
    </authorgroup>
33
32
    <copyright>
34
33
      <year>2008</year>
35
 
      <year>2009</year>
36
34
      <holder>Teddy Hogeborn</holder>
37
35
      <holder>Björn Påhlsson</holder>
38
36
    </copyright>
39
37
    <xi:include href="legalnotice.xml"/>
40
38
  </refentryinfo>
41
 
  
 
39
 
42
40
  <refmeta>
43
41
    <refentrytitle>&COMMANDNAME;</refentrytitle>
44
42
    <manvolnum>8</manvolnum>
50
48
      Gives encrypted passwords to authenticated Mandos clients
51
49
    </refpurpose>
52
50
  </refnamediv>
53
 
  
 
51
 
54
52
  <refsynopsisdiv>
55
53
    <cmdsynopsis>
56
54
      <command>&COMMANDNAME;</command>
85
83
      <replaceable>DIRECTORY</replaceable></option></arg>
86
84
      <sbr/>
87
85
      <arg><option>--debug</option></arg>
88
 
      <sbr/>
89
 
      <arg><option>--no-ipv6</option></arg>
90
86
    </cmdsynopsis>
91
87
    <cmdsynopsis>
92
88
      <command>&COMMANDNAME;</command>
104
100
      <arg choice="plain"><option>--check</option></arg>
105
101
    </cmdsynopsis>
106
102
  </refsynopsisdiv>
107
 
  
 
103
 
108
104
  <refsect1 id="description">
109
105
    <title>DESCRIPTION</title>
110
106
    <para>
190
186
          <xi:include href="mandos-options.xml" xpointer="debug"/>
191
187
        </listitem>
192
188
      </varlistentry>
193
 
      
 
189
 
194
190
      <varlistentry>
195
191
        <term><option>--priority <replaceable>
196
192
        PRIORITY</replaceable></option></term>
198
194
          <xi:include href="mandos-options.xml" xpointer="priority"/>
199
195
        </listitem>
200
196
      </varlistentry>
201
 
      
 
197
 
202
198
      <varlistentry>
203
199
        <term><option>--servicename
204
200
        <replaceable>NAME</replaceable></option></term>
207
203
                      xpointer="servicename"/>
208
204
        </listitem>
209
205
      </varlistentry>
210
 
      
 
206
 
211
207
      <varlistentry>
212
208
        <term><option>--configdir
213
209
        <replaceable>DIRECTORY</replaceable></option></term>
222
218
          </para>
223
219
        </listitem>
224
220
      </varlistentry>
225
 
      
 
221
 
226
222
      <varlistentry>
227
223
        <term><option>--version</option></term>
228
224
        <listitem>
231
227
          </para>
232
228
        </listitem>
233
229
      </varlistentry>
234
 
      
235
 
      <varlistentry>
236
 
        <term><option>--no-ipv6</option></term>
237
 
        <listitem>
238
 
          <xi:include href="mandos-options.xml" xpointer="ipv6"/>
239
 
        </listitem>
240
 
      </varlistentry>
241
230
    </variablelist>
242
231
  </refsect1>
243
 
  
 
232
 
244
233
  <refsect1 id="overview">
245
234
    <title>OVERVIEW</title>
246
235
    <xi:include href="overview.xml"/>
250
239
      <acronym>RAM</acronym> disk environment.
251
240
    </para>
252
241
  </refsect1>
253
 
  
 
242
 
254
243
  <refsect1 id="protocol">
255
244
    <title>NETWORK PROTOCOL</title>
256
245
    <para>
308
297
      </row>
309
298
    </tbody></tgroup></table>
310
299
  </refsect1>
311
 
  
 
300
 
312
301
  <refsect1 id="checking">
313
302
    <title>CHECKING</title>
314
303
    <para>
315
304
      The server will, by default, continually check that the clients
316
305
      are still up.  If a client has not been confirmed as being up
317
306
      for some time, the client is assumed to be compromised and is no
318
 
      longer eligible to receive the encrypted password.  (Manual
319
 
      intervention is required to re-enable a client.)  The timeout,
 
307
      longer eligible to receive the encrypted password.  The timeout,
320
308
      checker program, and interval between checks can be configured
321
309
      both globally and per client; see <citerefentry>
322
310
      <refentrytitle>mandos-clients.conf</refentrytitle>
323
 
      <manvolnum>5</manvolnum></citerefentry>.  A client successfully
324
 
      receiving its password will also be treated as a successful
325
 
      checker run.
 
311
      <manvolnum>5</manvolnum></citerefentry>.
326
312
    </para>
327
313
  </refsect1>
328
 
  
 
314
 
329
315
  <refsect1 id="logging">
330
316
    <title>LOGGING</title>
331
317
    <para>
335
321
      and also show them on the console.
336
322
    </para>
337
323
  </refsect1>
338
 
  
 
324
 
339
325
  <refsect1 id="exit_status">
340
326
    <title>EXIT STATUS</title>
341
327
    <para>
343
329
      critical error is encountered.
344
330
    </para>
345
331
  </refsect1>
346
 
  
 
332
 
347
333
  <refsect1 id="environment">
348
334
    <title>ENVIRONMENT</title>
349
335
    <variablelist>
363
349
      </varlistentry>
364
350
    </variablelist>
365
351
  </refsect1>
366
 
  
367
 
  <refsect1 id="files">
 
352
 
 
353
  <refsect1 id="file">
368
354
    <title>FILES</title>
369
355
    <para>
370
356
      Use the <option>--configdir</option> option to change where
434
420
      Currently, if a client is declared <quote>invalid</quote> due to
435
421
      having timed out, the server does not record this fact onto
436
422
      permanent storage.  This has some security implications, see
437
 
      <xref linkend="clients"/>.
 
423
      <xref linkend="CLIENTS"/>.
438
424
    </para>
439
425
    <para>
440
426
      There is currently no way of querying the server of the current
448
434
      Debug mode is conflated with running in the foreground.
449
435
    </para>
450
436
    <para>
451
 
      The console log messages do not show a time stamp.
 
437
      The console log messages does not show a time stamp.
452
438
    </para>
453
439
    <para>
454
440
      This server does not check the expire time of clients’ OpenPGP
493
479
      </para>
494
480
    </informalexample>
495
481
  </refsect1>
496
 
  
 
482
 
497
483
  <refsect1 id="security">
498
484
    <title>SECURITY</title>
499
 
    <refsect2 id="server">
 
485
    <refsect2 id="SERVER">
500
486
      <title>SERVER</title>
501
487
      <para>
502
488
        Running this <command>&COMMANDNAME;</command> server program
505
491
        soon after startup.
506
492
      </para>
507
493
    </refsect2>
508
 
    <refsect2 id="clients">
 
494
    <refsect2 id="CLIENTS">
509
495
      <title>CLIENTS</title>
510
496
      <para>
511
497
        The server only gives out its stored data to clients which
518
504
        <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
519
505
        <manvolnum>5</manvolnum></citerefentry>)
520
506
        <emphasis>must</emphasis> be made non-readable by anyone
521
 
        except the user starting the server (usually root).
 
507
        except the user running the server.
522
508
      </para>
523
509
      <para>
524
510
        As detailed in <xref linkend="checking"/>, the status of all
543
529
      </para>
544
530
      <para>
545
531
        For more details on client-side security, see
546
 
        <citerefentry><refentrytitle>mandos-client</refentrytitle>
 
532
        <citerefentry><refentrytitle>password-request</refentrytitle>
547
533
        <manvolnum>8mandos</manvolnum></citerefentry>.
548
534
      </para>
549
535
    </refsect2>
550
536
  </refsect1>
551
 
  
 
537
 
552
538
  <refsect1 id="see_also">
553
539
    <title>SEE ALSO</title>
554
540
    <para>
557
543
        <manvolnum>5</manvolnum></citerefentry>, <citerefentry>
558
544
        <refentrytitle>mandos.conf</refentrytitle>
559
545
        <manvolnum>5</manvolnum></citerefentry>, <citerefentry>
560
 
        <refentrytitle>mandos-client</refentrytitle>
 
546
        <refentrytitle>password-request</refentrytitle>
561
547
        <manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>
562
548
        <refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
563
549
      </citerefentry>