/mandos/trunk : revision 167

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2008-09-06 00:19:53 UTC
Revision ID: teddy@fukt.bsnet.se-20080906001953-5nk5uti6shzuyqdr

* plugins.d/password-prompt.c (main): If successful, output an extra
                                      newline to the console before
                                      exiting, to change to a new line
                                      away from the prompt.

* plugins.d/password-request.c (main): Bug fix: Moved calls to
                                       "init_gnutls_global()",
                                       "mkdtemp()", and "init_gpgme()"
                                       to *after* changing user &
                                       group.

Show diffs side-by-side

added added

removed removed

mandos.xml

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2008-08-29">

<!ENTITY TIMESTAMP "2008-09-05">

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refname><command>&COMMANDNAME;</command></refname>

Sends encrypted passwords to authenticated Mandos clients

Gives encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<arg>--interface<arg choice="plain">NAME</arg></arg>

<arg>--address<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg>-a<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

</group>

<sbr/>

<group>

<arg choice="plain"><option>--address

<replaceable>ADDRESS</replaceable></option></arg>

<arg choice="plain"><option>-a

<replaceable>ADDRESS</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--port

<arg choice="plain"><option>-p

</group>

<sbr/>

<arg><option>--priority

<replaceable>PRIORITY</replaceable></option></arg>

<sbr/>

<arg><option>--servicename

<sbr/>

<arg><option>--configdir

<replaceable>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--debug</option></arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

100

</group>

101

</cmdsynopsis>

102

103

<command>&COMMANDNAME;</command>

104

<arg choice="plain">--version</arg>

<arg choice="plain"><option>--version</option></arg>

105

</cmdsynopsis>

106

107

<command>&COMMANDNAME;</command>

108

<arg choice="plain">--check</arg>

100

<arg choice="plain"><option>--check</option></arg>

109

101

</cmdsynopsis>

110

102

</refsynopsisdiv>

111

103

123

115

Any authenticated client is then given the stored pre-encrypted

124

116

password for that specific client.

125

117

</para>

126

127

118

</refsect1>

128

119

129

120

130

121

<title>PURPOSE</title>

131

132

122

<para>

133

123

The purpose of this is to enable <emphasis>remote and unattended

134

124

rebooting</emphasis> of client host computer with an

135

125

<emphasis>encrypted root file system</emphasis>. See <xref

136

126

linkend="overview"/> for details.

137

127

</para>

138

139

128

</refsect1>

140

129

141

130

142

131

<title>OPTIONS</title>

143

144

132

145

133

134

146

135

147

148

136

149

137

<para>

150

138

Show a help message and exit

151

139

</para>

152

140

</listitem>

153

141

</varlistentry>

154

142

155

143

144

<term><option>--interface</option>

145

156

146

157

147

158

<term><option>--interface</option>

159

160

148

161

149

<xi:include href="mandos-options.xml" xpointer="interface"/>

162

150

</listitem>

163

151

</varlistentry>

164

152

165

153

166

<term><literal>-a</literal>, <literal>--address <replaceable>

167

ADDRESS</replaceable></literal></term>

154

<term><option>--address

155

<replaceable>ADDRESS</replaceable></option></term>

156

<term><option>-a

157

<replaceable>ADDRESS</replaceable></option></term>

168

158

169

159

<xi:include href="mandos-options.xml" xpointer="address"/>

170

160

</listitem>

171

161

</varlistentry>

172

162

173

163

174

175

PORT</replaceable></literal></term>

164

<term><option>--port

165

166

<term><option>-p

167

176

168

177

169

<xi:include href="mandos-options.xml" xpointer="port"/>

178

170

</listitem>

179

171

</varlistentry>

180

172

181

173

182

<term><literal>--check</literal></term>

174

<term><option>--check</option></term>

183

175

184

176

<para>

185

177

Run the server’s self-tests. This includes any unit

187

179

</para>

188

180

</listitem>

189

181

</varlistentry>

190

182

191

183

192

<term><literal>--debug</literal></term>

184

<term><option>--debug</option></term>

193

185

194

186

<xi:include href="mandos-options.xml" xpointer="debug"/>

195

187

</listitem>

196

188

</varlistentry>

197

189

198

190

199

<term><literal>--priority <replaceable>

200

PRIORITY</replaceable></literal></term>

191

<term><option>--priority <replaceable>

192

PRIORITY</replaceable></option></term>

201

193

202

194

<xi:include href="mandos-options.xml" xpointer="priority"/>

203

195

</listitem>

204

196

</varlistentry>

205

197

206

198

207

<term><literal>--servicename <replaceable>NAME</replaceable>

208

</literal></term>

199

<term><option>--servicename

200

209

201

210

202

<xi:include href="mandos-options.xml"

211

203

xpointer="servicename"/>

213

205

</varlistentry>

214

206

215

207

216

<term><literal>--configdir <replaceable>DIR</replaceable>

217

</literal></term>

208

<term><option>--configdir

209

<replaceable>DIRECTORY</replaceable></option></term>

218

210

219

211

<para>

220

212

Directory to search for configuration files. Default is

228

220

</varlistentry>

229

221

230

222

231

<term><literal>--version</literal></term>

223

<term><option>--version</option></term>

232

224

233

225

<para>

234

226

Prints the program version and exit.

244

236

<para>

245

237

This program is the server part. It is a normal server program

246

238

and will run in a normal system environment, not in an initial

247

RAM disk environment.

239

<acronym>RAM</acronym> disk environment.

248

240

</para>

249

241

</refsect1>

250

242

342

334

<title>ENVIRONMENT</title>

343

335

344

336

345

337

346

338

347

339

<para>

348

340

To start the configured checker (see <xref

387

379

</listitem>

388

380

</varlistentry>

389

381

390

<term><filename>/var/run/mandos/mandos.pid</filename></term>

382

<term><filename>/var/run/mandos.pid</filename></term>

391

383

392

384

<para>

393

385

The file containing the process id of

442

434

Debug mode is conflated with running in the foreground.

443

435

</para>

444

436

<para>

445

The console log messages does not show a timestamp.

437

The console log messages does not show a time stamp.

438

</para>

439

<para>

440

This server does not check the expire time of clients’ OpenPGP

441

keys.

446

442

</para>

447

443

</refsect1>

448

444

491

487

<para>

492

488

Running this <command>&COMMANDNAME;</command> server program

493

489

should not in itself present any security risk to the host

494

computer running it. The program does not need any special

495

privileges to run, and is designed to run as a non-root user.

490

computer running it. The program switches to a non-root user

491

soon after startup.

496

492

</para>

497

493

</refsect2>

498

494

525

521

restarting servers if it is suspected that a client has, in

526

522

fact, been compromised by parties who may now be running a

527

523

fake Mandos client with the keys from the non-encrypted

528

initial RAM image of the client host. What should be done in

529

that case (if restarting the server program really is

530

necessary) is to stop the server program, edit the

524

initial <acronym>RAM</acronym> image of the client host. What

525

should be done in that case (if restarting the server program

526

really is necessary) is to stop the server program, edit the

531

527

configuration file to omit any suspect clients, and restart

532

528

the server program.

533

529

</para>

Older »