/mandos/trunk : revision 184

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2008-09-13 19:20:50 UTC
Revision ID: teddy@fukt.bsnet.se-20080913192050-gxuo0jv4o25jn848

* TODO: Minor changes.

files added:
INSTALL

README

default-mandos

etc-plugins.d-README

init.d-mandos

legalnotice.xml

plugin-runner.conf

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

TODO

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2008-08-30">

<!ENTITY TIMESTAMP "2008-09-12">

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

Gives encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

109

110

<command>&COMMANDNAME;</command>

111

112

113

114

</group>

115

</cmdsynopsis>

116

122

100

<arg choice="plain"><option>--check</option></arg>

123

101

</cmdsynopsis>

124

102

</refsynopsisdiv>

125

103

126

104

127

105

<title>DESCRIPTION</title>

128

106

<para>

137

115

Any authenticated client is then given the stored pre-encrypted

138

116

password for that specific client.

139

117

</para>

140

141

118

</refsect1>

142

119

143

120

144

121

<title>PURPOSE</title>

145

146

122

<para>

147

123

The purpose of this is to enable <emphasis>remote and unattended

148

124

rebooting</emphasis> of client host computer with an

149

125

<emphasis>encrypted root file system</emphasis>. See <xref

150

126

linkend="overview"/> for details.

151

127

</para>

152

153

128

</refsect1>

154

129

155

130

156

131

<title>OPTIONS</title>

157

158

132

159

133

134

160

135

161

162

136

163

137

<para>

164

138

Show a help message and exit

165

139

</para>

166

140

</listitem>

167

141

</varlistentry>

168

142

169

143

144

<term><option>--interface</option>

145

170

146

171

147

172

<term><option>--interface</option>

173

174

148

175

149

<xi:include href="mandos-options.xml" xpointer="interface"/>

176

150

</listitem>

177

151

</varlistentry>

178

152

179

153

180

<term><literal>-a</literal>, <literal>--address <replaceable>

181

ADDRESS</replaceable></literal></term>

154

<term><option>--address

155

<replaceable>ADDRESS</replaceable></option></term>

156

<term><option>-a

157

<replaceable>ADDRESS</replaceable></option></term>

182

158

183

159

<xi:include href="mandos-options.xml" xpointer="address"/>

184

160

</listitem>

185

161

</varlistentry>

186

162

187

163

188

189

PORT</replaceable></literal></term>

164

<term><option>--port

165

166

<term><option>-p

167

190

168

191

169

<xi:include href="mandos-options.xml" xpointer="port"/>

192

170

</listitem>

193

171

</varlistentry>

194

172

195

173

196

<term><literal>--check</literal></term>

174

<term><option>--check</option></term>

197

175

198

176

<para>

199

177

Run the server’s self-tests. This includes any unit

201

179

</para>

202

180

</listitem>

203

181

</varlistentry>

204

182

205

183

206

<term><literal>--debug</literal></term>

184

<term><option>--debug</option></term>

207

185

208

186

<xi:include href="mandos-options.xml" xpointer="debug"/>

209

187

</listitem>

210

188

</varlistentry>

211

189

212

190

213

<term><literal>--priority <replaceable>

214

PRIORITY</replaceable></literal></term>

191

<term><option>--priority <replaceable>

192

PRIORITY</replaceable></option></term>

215

193

216

194

<xi:include href="mandos-options.xml" xpointer="priority"/>

217

195

</listitem>

218

196

</varlistentry>

219

197

220

198

221

<term><literal>--servicename <replaceable>NAME</replaceable>

222

</literal></term>

199

<term><option>--servicename

200

223

201

224

202

<xi:include href="mandos-options.xml"

225

203

xpointer="servicename"/>

226

204

</listitem>

227

205

</varlistentry>

228

206

229

207

230

<term><literal>--configdir <replaceable>DIR</replaceable>

231

</literal></term>

208

<term><option>--configdir

209

<replaceable>DIRECTORY</replaceable></option></term>

232

210

233

211

<para>

234

212

Directory to search for configuration files. Default is

240

218

</para>

241

219

</listitem>

242

220

</varlistentry>

243

221

244

222

245

<term><literal>--version</literal></term>

223

<term><option>--version</option></term>

246

224

247

225

<para>

248

226

Prints the program version and exit.

251

229

</varlistentry>

252

230

</variablelist>

253

231

</refsect1>

254

232

255

233

256

234

<title>OVERVIEW</title>

257

235

<xi:include href="overview.xml"/>

258

236

<para>

259

237

This program is the server part. It is a normal server program

260

238

and will run in a normal system environment, not in an initial

261

RAM disk environment.

239

<acronym>RAM</acronym> disk environment.

262

240

</para>

263

241

</refsect1>

264

242

265

243

266

244

<title>NETWORK PROTOCOL</title>

267

245

<para>

319

297

</row>

320

298

</tbody></tgroup></table>

321

299

</refsect1>

322

300

323

301

324

302

<title>CHECKING</title>

325

303

<para>

333

311

<manvolnum>5</manvolnum></citerefentry>.

334

312

</para>

335

313

</refsect1>

336

314

337

315

338

316

<title>LOGGING</title>

339

317

<para>

343

321

and also show them on the console.

344

322

</para>

345

323

</refsect1>

346

324

347

325

348

326

<title>EXIT STATUS</title>

349

327

<para>

351

329

critical error is encountered.

352

330

</para>

353

331

</refsect1>

354

332

355

333

356

334

<title>ENVIRONMENT</title>

357

335

371

349

</varlistentry>

372

350

</variablelist>

373

351

</refsect1>

374

352

375

353

376

354

<title>FILES</title>

377

355

<para>

401

379

</listitem>

402

380

</varlistentry>

403

381

404

<term><filename>/var/run/mandos/mandos.pid</filename></term>

382

<term><filename>/var/run/mandos.pid</filename></term>

405

383

406

384

<para>

407

385

The file containing the process id of

456

434

Debug mode is conflated with running in the foreground.

457

435

</para>

458

436

<para>

459

The console log messages does not show a timestamp.

437

The console log messages does not show a time stamp.

438

</para>

439

<para>

440

This server does not check the expire time of clients’ OpenPGP

441

keys.

460

442

</para>

461

443

</refsect1>

462

444

497

479

</para>

498

480

</informalexample>

499

481

</refsect1>

500

482

501

483

502

484

<title>SECURITY</title>

503

485

505

487

<para>

506

488

Running this <command>&COMMANDNAME;</command> server program

507

489

should not in itself present any security risk to the host

508

computer running it. The program does not need any special

509

privileges to run, and is designed to run as a non-root user.

490

computer running it. The program switches to a non-root user

491

soon after startup.

510

492

</para>

511

493

</refsect2>

512

494

539

521

restarting servers if it is suspected that a client has, in

540

522

fact, been compromised by parties who may now be running a

541

523

fake Mandos client with the keys from the non-encrypted

542

initial RAM image of the client host. What should be done in

543

that case (if restarting the server program really is

544

necessary) is to stop the server program, edit the

524

initial <acronym>RAM</acronym> image of the client host. What

525

should be done in that case (if restarting the server program

526

really is necessary) is to stop the server program, edit the

545

527

configuration file to omit any suspect clients, and restart

546

528

the server program.

547

529

</para>

548

530

<para>

549

531

For more details on client-side security, see

550

<citerefentry><refentrytitle>password-request</refentrytitle>

532

<citerefentry><refentrytitle>mandos-client</refentrytitle>

551

533

<manvolnum>8mandos</manvolnum></citerefentry>.

552

534

</para>

553

535

</refsect2>

554

536

</refsect1>

555

537

556

538

557

539

558

540

<para>

561

543

562

544

<refentrytitle>mandos.conf</refentrytitle>

563

545

564

<refentrytitle>password-request</refentrytitle>

546

<refentrytitle>mandos-client</refentrytitle>

565

547

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

566

548

567

549

</citerefentry>

Older »