/mandos/trunk : revision 174

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-ctl.xml

Committer: Teddy Hogeborn
Date: 2008-09-06 17:24:58 UTC
Revision ID: teddy@fukt.bsnet.se-20080906172458-2x5wlfkn7oqckt1y

* legalnotice.xml: Copy DocBook 4.4-formatted text from
<http://www.gnu.org/licenses/gpl-3.0.dbk>.

files added:
etc-plugins.d-README

initramfs-tools-hook-conf

plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/sv.po

debian/po/templates.pot

debian/rules

debian/source

debian/source/format

debian/source/lintian-overrides

debian/source/local-options

debian/tests

debian/tests/control

debian/upstream

debian/upstream/metadata

debian/upstream/signing-key.asc

debian/watch

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files modified:
.bzrignore

Makefile

README

TODO

clients.conf

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-ctl.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-ctl">

<!ENTITY TIMESTAMP "2019-07-29">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

</refmeta>

<refname><command>&COMMANDNAME;</command></refname>

Control or query the operation of the Mandos server

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--verbose</option></arg>

<sbr/>

</group>

<arg><option>--debug</option></arg>

<group>

<replaceable>CLIENT</replaceable>

</arg>

</group>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--enable</option></arg>

<sbr/>

<arg choice="plain"><option>--disable</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--bump-timeout</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--start-checker</option></arg>

<arg choice="plain"><option>--stop-checker</option></arg>

</group>

<sbr/>

100

<group>

101

<arg choice="plain"><option>--checker

102

<replaceable>COMMAND</replaceable></option></arg>

103

<arg choice="plain"><option>-c

104

<replaceable>COMMAND</replaceable></option></arg>

105

</group>

106

<sbr/>

107

<group>

108

<arg choice="plain"><option>--timeout

109

110

<arg choice="plain"><option>-t

111

112

</group>

113

<sbr/>

114

<group>

115

<arg choice="plain"><option>--extended-timeout

116

117

</group>

118

<sbr/>

119

<group>

120

<arg choice="plain"><option>--interval

121

122

<arg choice="plain"><option>-i

123

124

</group>

125

<sbr/>

126

<group>

127

<arg choice="plain"><option>--approve-by-default</option

128

></arg>

129

<sbr/>

130

<arg choice="plain"><option>--deny-by-default</option></arg>

131

</group>

132

<sbr/>

133

<group>

134

<arg choice="plain"><option>--approval-delay

135

136

</group>

137

<sbr/>

138

<group>

139

<arg choice="plain"><option>--approval-duration

140

141

</group>

142

<sbr/>

143

<group>

144

<arg choice="plain"><option>--host

145

<replaceable>STRING</replaceable></option></arg>

146

<arg choice="plain"><option>-H

147

<replaceable>STRING</replaceable></option></arg>

148

</group>

149

<sbr/>

150

<group>

151

<arg choice="plain"><option>--secret

152

<replaceable>FILENAME</replaceable></option></arg>

153

<arg choice="plain"><option>-s

154

<replaceable>FILENAME</replaceable></option></arg>

155

</group>

156

<sbr/>

157

<group>

158

<arg choice="plain"><option>--approve</option></arg>

159

160

<sbr/>

161

162

163

</group>

164

</group>

165

<sbr/>

166

<arg><option>--debug</option></arg>

167

168

169

170

171

<replaceable>CLIENT</replaceable>

172

</arg>

173

</group>

174

</cmdsynopsis>

175

176

<command>&COMMANDNAME;</command>

177

<group>

178

179

180

</group>

181

182

<arg choice="plain"><option>--remove</option></arg>

183

184

</group>

185

<sbr/>

186

<arg><option>--debug</option></arg>

187

188

189

190

191

<replaceable>CLIENT</replaceable>

192

</arg>

193

</group>

194

</cmdsynopsis>

195

196

<command>&COMMANDNAME;</command>

197

198

<arg choice="plain"><option>--is-enabled</option></arg>

199

200

</group>

201

<arg><option>--debug</option></arg>

202

<arg choice='plain'><replaceable>CLIENT</replaceable></arg>

203

</cmdsynopsis>

204

205

<command>&COMMANDNAME;</command>

206

207

208

209

</group>

210

</cmdsynopsis>

211

212

<command>&COMMANDNAME;</command>

213

214

<arg choice="plain"><option>--version</option></arg>

215

216

</group>

217

</cmdsynopsis>

218

219

<command>&COMMANDNAME;</command>

220

<arg choice="plain"><option>--check</option></arg>

221

</cmdsynopsis>

222

</refsynopsisdiv>

223

224

225

<title>DESCRIPTION</title>

226

<para>

227

<command>&COMMANDNAME;</command> is a program to control or

228

query the operation of the Mandos server

229

<citerefentry><refentrytitle>mandos</refentrytitle><manvolnum

230

>8</manvolnum></citerefentry>.

231

</para>

232

<para>

233

This program can be used to change client settings, approve or

234

deny client requests, and to remove clients from the server.

235

</para>

236

</refsect1>

237

238

239

<title>PURPOSE</title>

240

<para>

241

The purpose of this is to enable <emphasis>remote and unattended

242

rebooting</emphasis> of client host computer with an

243

<emphasis>encrypted root file system</emphasis>. See <xref

244

linkend="overview"/> for details.

245

</para>

246

</refsect1>

247

248

249

<title>OPTIONS</title>

250

251

252

253

254

255

256

<para>

257

Show a help message and exit

258

</para>

259

</listitem>

260

</varlistentry>

261

262

263

<term><option>--enable</option></term>

264

265

266

<para>

267

Enable client(s). An enabled client will be eligble to

268

receive its secret.

269

</para>

270

</listitem>

271

</varlistentry>

272

273

274

<term><option>--disable</option></term>

275

276

277

<para>

278

Disable client(s). A disabled client will not be eligble

279

to receive its secret, and no checkers will be started for

280

it.

281

</para>

282

</listitem>

283

</varlistentry>

284

285

286

<term><option>--bump-timeout</option></term>

287

288

<para>

289

Bump the timeout of the specified client(s), just as if a

290

checker had completed successfully for it/them.

291

</para>

292

</listitem>

293

</varlistentry>

294

295

296

<term><option>--start-checker</option></term>

297

298

<para>

299

Start a new checker now for the specified client(s).

300

</para>

301

</listitem>

302

</varlistentry>

303

304

305

<term><option>--stop-checker</option></term>

306

307

<para>

308

Stop any running checker for the specified client(s).

309

</para>

310

</listitem>

311

</varlistentry>

312

313

314

<term><option>--remove</option></term>

315

316

317

<para>

318

Remove the specified client(s) from the server.

319

</para>

320

</listitem>

321

</varlistentry>

322

323

324

<term><option>--checker

325

<replaceable>COMMAND</replaceable></option></term>

326

<term><option>-c

327

<replaceable>COMMAND</replaceable></option></term>

328

329

<para>

330

Set the <varname>checker</varname> option of the specified

331

client(s); see <citerefentry><refentrytitle

332

>mandos-clients.conf</refentrytitle><manvolnum

333

>5</manvolnum></citerefentry>.

334

</para>

335

</listitem>

336

</varlistentry>

337

338

339

<term><option>--timeout

340

341

<term><option>-t

342

343

344

<para>

345

Set the <varname>timeout</varname> option of the specified

346

client(s); see <citerefentry><refentrytitle

347

>mandos-clients.conf</refentrytitle><manvolnum

348

>5</manvolnum></citerefentry>.

349

</para>

350

</listitem>

351

</varlistentry>

352

353

354

<term><option>--extended-timeout

355

356

357

<para>

358

Set the <varname>extended_timeout</varname> option of the

359

specified client(s); see <citerefentry><refentrytitle

360

>mandos-clients.conf</refentrytitle><manvolnum

361

>5</manvolnum></citerefentry>.

362

</para>

363

</listitem>

364

</varlistentry>

365

366

367

<term><option>--interval

368

369

<term><option>-i

370

371

372

<para>

373

Set the <varname>interval</varname> option of the

374

specified client(s); see <citerefentry><refentrytitle

375

>mandos-clients.conf</refentrytitle><manvolnum

376

>5</manvolnum></citerefentry>.

377

</para>

378

</listitem>

379

</varlistentry>

380

381

382

<term><option>--approve-by-default</option></term>

383

<term><option>--deny-by-default</option></term>

384

385

<para>

386

Set the <varname>approved_by_default</varname> option of

387

the specified client(s) to <literal>True</literal> or

388

<literal>False</literal>, respectively; see

389

<citerefentry><refentrytitle

390

>mandos-clients.conf</refentrytitle><manvolnum

391

>5</manvolnum></citerefentry>.

392

</para>

393

</listitem>

394

</varlistentry>

395

396

397

<term><option>--approval-delay

398

399

400

<para>

401

Set the <varname>approval_delay</varname> option of the

402

specified client(s); see <citerefentry><refentrytitle

403

>mandos-clients.conf</refentrytitle><manvolnum

404

>5</manvolnum></citerefentry>.

405

</para>

406

</listitem>

407

</varlistentry>

408

409

410

<term><option>--approval-duration

411

412

413

<para>

414

Set the <varname>approval_duration</varname> option of the

415

specified client(s); see <citerefentry><refentrytitle

416

>mandos-clients.conf</refentrytitle><manvolnum

417

>5</manvolnum></citerefentry>.

418

</para>

419

</listitem>

420

</varlistentry>

421

422

423

<term><option>--host

424

<replaceable>STRING</replaceable></option></term>

425

<term><option>-H

426

<replaceable>STRING</replaceable></option></term>

427

428

<para>

429

Set the <varname>host</varname> option of the specified

430

client(s); see <citerefentry><refentrytitle

431

>mandos-clients.conf</refentrytitle><manvolnum

432

>5</manvolnum></citerefentry>.

433

</para>

434

</listitem>

435

</varlistentry>

436

437

438

<term><option>--secret

439

<replaceable>FILENAME</replaceable></option></term>

440

<term><option>-s

441

<replaceable>FILENAME</replaceable></option></term>

442

443

<para>

444

Set the <varname>secfile</varname> option of the specified

445

client(s); see <citerefentry><refentrytitle

446

>mandos-clients.conf</refentrytitle><manvolnum

447

>5</manvolnum></citerefentry>.

448

</para>

449

</listitem>

450

</varlistentry>

451

452

453

<term><option>--approve</option></term>

454

455

456

<para>

457

Approve client(s) if currently waiting for approval.

458

</para>

459

</listitem>

460

</varlistentry>

461

462

463

464

465

466

<para>

467

Deny client(s) if currently waiting for approval.

468

</para>

469

</listitem>

470

</varlistentry>

471

472

473

474

475

476

<para>

477

Make the client-modifying options modify <emphasis

478

>all</emphasis> clients.

479

</para>

480

</listitem>

481

</varlistentry>

482

483

484

<term><option>--verbose</option></term>

485

486

487

<para>

488

Show all client settings, not just a subset.

489

</para>

490

</listitem>

491

</varlistentry>

492

493

494

495

496

497

<para>

498

Dump client settings as JSON to standard output.

499

</para>

500

</listitem>

501

</varlistentry>

502

503

504

<term><option>--is-enabled</option></term>

505

506

507

<para>

508

Check if a single client is enabled or not, and exit with

509

a successful exit status only if the client is enabled.

510

</para>

511

</listitem>

512

</varlistentry>

513

514

515

<term><option>--debug</option></term>

516

517

<para>

518

Show debug output; currently, this means show D-Bus calls.

519

</para>

520

</listitem>

521

</varlistentry>

522

523

524

<term><option>--check</option></term>

525

526

<para>

527

Run self-tests. This includes any unit tests, etc.

528

</para>

529

</listitem>

530

</varlistentry>

531

532

</variablelist>

533

</refsect1>

534

535

536

<title>OVERVIEW</title>

537

<xi:include href="overview.xml"/>

538

<para>

539

This program is a small utility to generate new OpenPGP keys for

540

new Mandos clients, and to generate sections for inclusion in

541

<filename>clients.conf</filename> on the server.

542

</para>

543

</refsect1>

544

545

546

<title>EXIT STATUS</title>

547

<para>

548

If the <option>--is-enabled</option> option is used, the exit

549

status will be 0 only if the specified client is enabled.

550

</para>

551

</refsect1>

552

553

554

555

<xi:include href="bugs.xml"/>

556

</refsect1>

557

558

559

<title>EXAMPLE</title>

560

<!-- Name of test methods in class Test_commands_from_options are

561

written in comments below. When adding an example, add a

562

test too which tests the documented behavior. -->

563

564

565

<para>

566

To list all clients:

567

</para>

568

<para>

569

<userinput>&COMMANDNAME;</userinput>

570

</para>

571

</informalexample>

572

573

574

575

<para>

576

To list <emphasis>all</emphasis> settings for the clients

577

named <quote>foo1.example.org</quote> and <quote

578

>foo2.example.org</quote>:

579

</para>

580

<para>

581

582

583

<userinput>&COMMANDNAME; --verbose foo1.example.org foo2.example.org</userinput>

584

585

</para>

586

</informalexample>

587

588

589

590

<para>

591

To enable all clients:

592

</para>

593

<para>

594

<userinput>&COMMANDNAME; --enable --all</userinput>

595

</para>

596

</informalexample>

597

598

599

600

<para>

601

To change timeout and interval value for the clients

602

named <quote>foo1.example.org</quote> and <quote

603

>foo2.example.org</quote>:

604

</para>

605

<para>

606

607

608

<userinput>&COMMANDNAME; --timeout=PT5M --interval=PT1M foo1.example.org foo2.example.org</userinput>

609

610

</para>

611

</informalexample>

612

613

614

615

<para>

616

To approve all clients currently waiting for approval:

617

</para>

618

<para>

619

<userinput>&COMMANDNAME; --approve --all</userinput>

620

</para>

621

</informalexample>

622

</refsect1>

623

624

625

<title>SECURITY</title>

626

<para>

627

This program must be permitted to access the Mandos server via

628

the D-Bus interface. This normally requires the root user, but

629

could be configured otherwise by reconfiguring the D-Bus server.

630

</para>

631

</refsect1>

632

633

634

635

<para>

636

<citerefentry><refentrytitle>intro</refentrytitle>

637

<manvolnum>8mandos</manvolnum></citerefentry>,

638

<citerefentry><refentrytitle>mandos</refentrytitle>

639

<manvolnum>8</manvolnum></citerefentry>,

640

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

641

<manvolnum>5</manvolnum></citerefentry>,

642

<citerefentry><refentrytitle>mandos-monitor</refentrytitle>

643

644

</para>

645

</refsect1>

646

647

</refentry>

648

649

650

651

652

Older »