/mandos/trunk : revision 237.4.12

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-clients.conf.xml

Committer: Teddy Hogeborn
Date: 2010-10-11 17:45:21 UTC
mto: (237.4.29 release)
mto: This revision was merged to the branch mainline in revision 459.
Revision ID: teddy@fukt.bsnet.se-20101011174521-e8we3lh7p0ns3oba

Tags: version-1.2.3-1

* Makefile (version): Changed to "1.2.3".
* NEWS (Version 1.2.3): New entry.
* debian/changelog (1.2.3-1): - '' -

files removed:
bugs.xml

debian/mandos-client.examples

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

initramfs-unpack

intro.xml

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

tmpfiles.d-mandos.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

dbus-mandos.conf

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-clients.conf.xml

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY CONFNAME "mandos-clients.conf">

<!ENTITY CONFPATH "<filename>/etc/mandos/clients.conf</filename>">

<!ENTITY TIMESTAMP "2017-02-23">

<!ENTITY TIMESTAMP "2010-09-26">

<!ENTITY % common SYSTEM "common.ent">

%common;

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

><refentrytitle>mandos</refentrytitle>

<manvolnum>8</manvolnum></citerefentry>, read by it at startup.

The file needs to list all clients that should be able to use

the service. The settings in this file can be overridden by

runtime changes to the server, which it saves across restarts.

(See the section called <quote>PERSISTENT STATE</quote> in

<citerefentry><refentrytitle>mandos</refentrytitle><manvolnum

>8</manvolnum></citerefentry>.) However, any <emphasis

>changes</emphasis> to this file (including adding and removing

clients) will, at startup, override changes done during runtime.

the service. All clients listed will be regarded as enabled,

even if a client was disabled in a previous run of the server.

</para>

<para>

The format starts with a <literal>[<replaceable>section

122

110

<para>

123

111

How long to wait for external approval before resorting to

124

112

use the <option>approved_by_default</option> value. The

125

default is <quote>PT0S</quote>, i.e. not to wait.

113

default is <quote>0s</quote>, i.e. not to wait.

126

114

</para>

127

115

<para>

128

116

The format of <replaceable>TIME</replaceable> is the same

172

160

This option is <emphasis>optional</emphasis>.

173

161

</para>

174

162

<para>

175

This option overrides the default shell command that the

176

server will use to check if the client is still up. Any

177

output of the command will be ignored, only the exit code

178

is checked: If the exit code of the command is zero, the

179

client is considered up. The command will be run using

180

163

This option allows you to override the default shell

164

command that the server will use to check if the client is

165

still up. Any output of the command will be ignored, only

166

the exit code is checked: If the exit code of the command

167

is zero, the client is considered up. The command will be

168

run using <quote><command><filename>/bin/sh</filename>

181

169

<option>-c</option></command></quote>, so

182

170

<varname>PATH</varname> will be searched. The default

183

171

value for the checker command is <quote><literal

184

172

><command>fping</command> <option>-q</option> <option

185

>--</option> %%(host)s</literal></quote>. Note that

186

<command>mandos-keygen</command>, when generating output

187

to be inserted into this file, normally looks for an SSH

188

server on the Mandos client, and, if it find one, outputs

189

a <option>checker</option> option to check for the

190

client’s key fingerprint – this is more secure against

191

spoofing.

173

>--</option> %%(host)s</literal></quote>.

192

174

</para>

193

175

<para>

194

176

In addition to normal start time expansion, this option

199

181

</varlistentry>

200

182

201

183

202

<term><option>extended_timeout<literal> = </literal><replaceable

203

>TIME</replaceable></option></term>

204

205

<para>

206

This option is <emphasis>optional</emphasis>.

207

</para>

208

<para>

209

Extended timeout is an added timeout that is given once

210

after a password has been sent successfully to a client.

211

The timeout is by default longer than the normal timeout,

212

and is used for handling the extra long downtime while a

213

machine is booting up. Time to take into consideration

214

when changing this value is file system checks and quota

215

checks. The default value is 15 minutes.

216

</para>

217

<para>

218

The format of <replaceable>TIME</replaceable> is the same

219

as for <varname>timeout</varname> below.

220

</para>

221

</listitem>

222

</varlistentry>

223

224

225

184

<term><option>fingerprint<literal> = </literal

226

185

><replaceable>HEXSTRING</replaceable></option></term>

227

186

231

190

<para>

232

191

This option sets the OpenPGP fingerprint that identifies

233

192

the public key that clients authenticate themselves with

234

through TLS. The string needs to be in hexadecimal form,

193

through TLS. The string needs to be in hexidecimal form,

235

194

but spaces or upper/lower case are not significant.

236

195

</para>

237

196

</listitem>

269

228

will wait for a checker to complete until the below

270

229

<quote><varname>timeout</varname></quote> occurs, at which

271

230

time the client will be disabled, and any running checker

272

killed. The default interval is 2 minutes.

231

killed. The default interval is 5 minutes.

273

232

</para>

274

233

<para>

275

234

The format of <replaceable>TIME</replaceable> is the same

339

298

This option is <emphasis>optional</emphasis>.

340

299

</para>

341

300

<para>

342

The timeout is how long the server will wait, after a

343

successful checker run, until a client is disabled and not

344

allowed to get the data this server holds. By default

345

Mandos will use 5 minutes. See also the

346

<option>extended_timeout</option> option.

347

</para>

348

<para>

349

The <replaceable>TIME</replaceable> is specified as an RFC

350

3339 duration; for example

351

<quote><literal>P1Y2M3DT4H5M6S</literal></quote> meaning

352

one year, two months, three days, four hours, five

353

minutes, and six seconds. Some values can be omitted, see

354

RFC 3339 Appendix A for details.

355

</para>

356

</listitem>

357

</varlistentry>

358

359

360

<term><option>enabled<literal> = </literal>{ <literal

361

>1</literal> | <literal>yes</literal> | <literal>true</literal

362

> | <literal >on</literal> | <literal>0</literal> | <literal

363

>no</literal> | <literal>false</literal> | <literal

364

>off</literal> }</option></term>

365

366

<para>

367

Whether this client should be enabled by default. The

368

default is <quote>true</quote>.

301

The timeout is how long the server will wait (for either a

302

successful checker run or a client receiving its secret)

303

until a client is disabled and not allowed to get the data

304

this server holds. By default Mandos will use 1 hour.

305

</para>

306

<para>

307

The <replaceable>TIME</replaceable> is specified as a

308

space-separated number of values, each of which is a

309

number and a one-character suffix. The suffix must be one

310

of <quote>d</quote>, <quote>s</quote>, <quote>m</quote>,

311

<quote>h</quote>, and <quote>w</quote> for days, seconds,

312

minutes, hours, and weeks, respectively. The values are

313

added together to give the total time value, so all of

314

<quote><literal>330s</literal></quote>,

315

<quote><literal>110s 110s 110s</literal></quote>, and

316

<quote><literal>5m 30s</literal></quote> will give a value

317

of five minutes and thirty seconds.

369

318

</para>

370

319

</listitem>

371

320

</varlistentry>

415

364

<quote><literal>approval_duration</literal></quote>,

416

365

<quote><literal>created</literal></quote>,

417

366

<quote><literal>enabled</literal></quote>,

418

<quote><literal>expires</literal></quote>,

419

367

<quote><literal>fingerprint</literal></quote>,

420

368

<quote><literal>host</literal></quote>,

421

369

<quote><literal>interval</literal></quote>,

464

412

<literal>%(<replaceable>foo</replaceable>)s</literal> is

465

413

obscure.

466

414

</para>

467

<xi:include href="bugs.xml"/>

468

415

</refsect1>

469

416

470

417

472

419

473

420

474

421

[DEFAULT]

475

timeout = PT5M

476

interval = PT2M

422

timeout = 1h

423

interval = 5m

477

424

checker = fping -q -- %%(host)s

478

425

479

426

# Client "foo"

496

443

4T2zw4dxS5NswXWU0sVEXxjs6PYxuIiCTL7vdpx8QjBkrPWDrAbcMyBr2O

497

444

QlnHIvPzEArRQLo=

498

445

host = foo.example.org

499

interval = PT1M

446

interval = 1m

500

447

501

448

# Client "bar"

502

449

[bar]

503

450

fingerprint = 3e393aeaefb84c7e89e2f547b3a107558fca3a27

504

451

secfile = /etc/mandos/bar-secret

505

timeout = PT15M

452

timeout = 15m

506

453

approved_by_default = False

507

approval_delay = PT30S

454

approval_delay = 30s

508

455

</programlisting>

509

456

</informalexample>

510

457

</refsect1>

512

459

513

460

514

461

<para>

515

<citerefentry><refentrytitle>intro</refentrytitle>

516

<manvolnum>8mandos</manvolnum></citerefentry>,

517

462

<citerefentry><refentrytitle>mandos-keygen</refentrytitle>

518

463

<manvolnum>8</manvolnum></citerefentry>,

519

464

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

520

465

<manvolnum>5</manvolnum></citerefentry>,

521

466

<citerefentry><refentrytitle>mandos</refentrytitle>

522

<manvolnum>8</manvolnum></citerefentry>,

523

<citerefentry><refentrytitle>fping</refentrytitle>

524

467

525

468

</para>

526

527

528

<term>

529

RFC 3339: <citetitle>Date and Time on the Internet:

530

Timestamps</citetitle>

531

</term>

532

533

<para>

534

The time intervals are in the "duration" format, as

535

specified in ABNF in Appendix A of RFC 3339.

536

</para>

537

</listitem>

538

</varlistentry>

539

</variablelist>

540

469

</refsect1>

541

470

</refentry>

542

471

Older »