/mandos/trunk : revision 237.2.19

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2009-05-17 00:50:09 UTC
mto: (24.1.170 mandos) (237.4.29 release)
mto: This revision was merged to the branch mainline in revision 343.
Revision ID: teddy@fukt.bsnet.se-20090517005009-c0iptxampo6nf177

* initramfs-tools-hook-conf: Security bug fix: Add code to handle
being called by "mkinitramfs-kpkg"
instead of "update-initramfs".

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

mandos-ctl

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2008-09-03">

<!ENTITY TIMESTAMP "2009-02-24">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&VERSION;</productnumber>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

Gives encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<replaceable>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--debug</option></arg>

<sbr/>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

100

104

<arg choice="plain"><option>--check</option></arg>

101

105

</cmdsynopsis>

102

106

</refsynopsisdiv>

103

107

104

108

105

109

<title>DESCRIPTION</title>

106

110

<para>

186

190

<xi:include href="mandos-options.xml" xpointer="debug"/>

187

191

</listitem>

188

192

</varlistentry>

189

193

190

194

191

195

<term><option>--priority <replaceable>

192

196

PRIORITY</replaceable></option></term>

194

198

<xi:include href="mandos-options.xml" xpointer="priority"/>

195

199

</listitem>

196

200

</varlistentry>

197

201

198

202

199

203

<term><option>--servicename

200

204

203

207

xpointer="servicename"/>

204

208

</listitem>

205

209

</varlistentry>

206

210

207

211

208

212

<term><option>--configdir

209

213

<replaceable>DIRECTORY</replaceable></option></term>

218

222

</para>

219

223

</listitem>

220

224

</varlistentry>

221

225

222

226

223

227

<term><option>--version</option></term>

224

228

227

231

</para>

228

232

</listitem>

229

233

</varlistentry>

234

235

236

237

238

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

239

</listitem>

240

</varlistentry>

230

241

</variablelist>

231

242

</refsect1>

232

243

233

244

234

245

<title>OVERVIEW</title>

235

246

<xi:include href="overview.xml"/>

239

250

<acronym>RAM</acronym> disk environment.

240

251

</para>

241

252

</refsect1>

242

253

243

254

244

255

<title>NETWORK PROTOCOL</title>

245

256

<para>

297

308

</row>

298

309

</tbody></tgroup></table>

299

310

</refsect1>

300

311

301

312

302

313

<title>CHECKING</title>

303

314

<para>

311

322

<manvolnum>5</manvolnum></citerefentry>.

312

323

</para>

313

324

</refsect1>

314

325

315

326

316

327

<title>LOGGING</title>

317

328

<para>

321

332

and also show them on the console.

322

333

</para>

323

334

</refsect1>

324

335

325

336

326

337

<title>EXIT STATUS</title>

327

338

<para>

329

340

critical error is encountered.

330

341

</para>

331

342

</refsect1>

332

343

333

344

334

345

<title>ENVIRONMENT</title>

335

346

349

360

</varlistentry>

350

361

</variablelist>

351

362

</refsect1>

352

353

363

364

354

365

<title>FILES</title>

355

366

<para>

356

367

Use the <option>--configdir</option> option to change where

379

390

</listitem>

380

391

</varlistentry>

381

392

382

<term><filename>/var/run/mandos/mandos.pid</filename></term>

393

<term><filename>/var/run/mandos.pid</filename></term>

383

394

384

395

<para>

385

396

The file containing the process id of

420

431

Currently, if a client is declared <quote>invalid</quote> due to

421

432

having timed out, the server does not record this fact onto

422

433

permanent storage. This has some security implications, see

423

<xref linkend="CLIENTS"/>.

434

<xref linkend="clients"/>.

424

435

</para>

425

436

<para>

426

437

There is currently no way of querying the server of the current

434

445

Debug mode is conflated with running in the foreground.

435

446

</para>

436

447

<para>

437

The console log messages does not show a timestamp.

448

The console log messages do not show a time stamp.

438

449

</para>

439

450

<para>

440

451

This server does not check the expire time of clients’ OpenPGP

479

490

</para>

480

491

</informalexample>

481

492

</refsect1>

482

493

483

494

484

495

<title>SECURITY</title>

485

496

486

497

<title>SERVER</title>

487

498

<para>

488

499

Running this <command>&COMMANDNAME;</command> server program

489

500

should not in itself present any security risk to the host

490

computer running it. The program does not need any special

491

privileges to run, and is designed to run as a non-root user.

501

computer running it. The program switches to a non-root user

502

soon after startup.

492

503

</para>

493

504

</refsect2>

494

505

495

506

<title>CLIENTS</title>

496

507

<para>

497

508

The server only gives out its stored data to clients which

504

515

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

505

516

<manvolnum>5</manvolnum></citerefentry>)

506

517

<emphasis>must</emphasis> be made non-readable by anyone

507

except the user running the server.

518

except the user starting the server (usually root).

508

519

</para>

509

520

<para>

510

521

As detailed in <xref linkend="checking"/>, the status of all

529

540

</para>

530

541

<para>

531

542

For more details on client-side security, see

532

<citerefentry><refentrytitle>password-request</refentrytitle>

543

<citerefentry><refentrytitle>mandos-client</refentrytitle>

533

544

<manvolnum>8mandos</manvolnum></citerefentry>.

534

545

</para>

535

546

</refsect2>

536

547

</refsect1>

537

548

538

549

539

550

540

551

<para>

543

554

544

555

<refentrytitle>mandos.conf</refentrytitle>

545

556

546

<refentrytitle>password-request</refentrytitle>

557

<refentrytitle>mandos-client</refentrytitle>

547

558

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

548

559

549

560

</citerefentry>

Older »