/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

  • Committer: Teddy Hogeborn
  • Date: 2013-10-13 16:57:10 UTC
  • mfrom: (624 trunk)
  • mto: This revision was merged to the branch mainline in revision 625.
  • Revision ID: teddy@recompile.se-20131013165710-y695wckw4jmujvma
Merge from trunk.

Show diffs side-by-side

added added

removed removed

Lines of Context:
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos-client">
5
 
<!ENTITY TIMESTAMP "2016-07-10">
 
5
<!ENTITY TIMESTAMP "2013-06-21">
6
6
<!ENTITY % common SYSTEM "../common.ent">
7
7
%common;
8
8
]>
33
33
    <copyright>
34
34
      <year>2008</year>
35
35
      <year>2009</year>
36
 
      <year>2010</year>
37
 
      <year>2011</year>
38
36
      <year>2012</year>
39
 
      <year>2013</year>
40
 
      <year>2014</year>
41
 
      <year>2015</year>
42
 
      <year>2016</year>
43
37
      <holder>Teddy Hogeborn</holder>
44
38
      <holder>Björn Påhlsson</holder>
45
39
    </copyright>
102
96
      </arg>
103
97
      <sbr/>
104
98
      <arg>
105
 
        <option>--dh-params <replaceable>FILE</replaceable></option>
106
 
      </arg>
107
 
      <sbr/>
108
 
      <arg>
109
99
        <option>--delay <replaceable>SECONDS</replaceable></option>
110
100
      </arg>
111
101
      <sbr/>
228
218
            assumed to separate the address from the port number.
229
219
          </para>
230
220
          <para>
231
 
            Normally, Zeroconf would be used to locate Mandos servers,
232
 
            in which case this option would only be used when testing
233
 
            and debugging.
 
221
            This option is normally only useful for testing and
 
222
            debugging.
234
223
          </para>
235
224
        </listitem>
236
225
      </varlistentry>
269
258
          <para>
270
259
            <replaceable>NAME</replaceable> can be the string
271
260
            <quote><literal>none</literal></quote>; this will make
272
 
            <command>&COMMANDNAME;</command> only bring up interfaces
273
 
            specified <emphasis>before</emphasis> this string.  This
274
 
            is not recommended, and only meant for advanced users.
 
261
            <command>&COMMANDNAME;</command> not bring up
 
262
            <emphasis>any</emphasis> interfaces specified
 
263
            <emphasis>after</emphasis> this string.  This is not
 
264
            recommended, and only meant for advanced users.
275
265
          </para>
276
266
        </listitem>
277
267
      </varlistentry>
319
309
        <listitem>
320
310
          <para>
321
311
            Sets the number of bits to use for the prime number in the
322
 
            TLS Diffie-Hellman key exchange.  The default value is
323
 
            selected automatically based on the OpenPGP key.  Note
324
 
            that if the <option>--dh-params</option> option is used,
325
 
            the values from that file will be used instead.
326
 
          </para>
327
 
        </listitem>
328
 
      </varlistentry>
329
 
      
330
 
      <varlistentry>
331
 
        <term><option>--dh-params=<replaceable
332
 
        >FILE</replaceable></option></term>
333
 
        <listitem>
334
 
          <para>
335
 
            Specifies a PEM-encoded PKCS#3 file to read the parameters
336
 
            needed by the TLS Diffie-Hellman key exchange from.  If
337
 
            this option is not given, or if the file for some reason
338
 
            could not be used, the parameters will be generated on
339
 
            startup, which will take some time and processing power.
340
 
            Those using servers running under time, power or processor
341
 
            constraints may want to generate such a file in advance
342
 
            and use this option.
 
312
            TLS Diffie-Hellman key exchange.  Default is 1024.
343
313
          </para>
344
314
        </listitem>
345
315
      </varlistentry>
472
442
  
473
443
  <refsect1 id="environment">
474
444
    <title>ENVIRONMENT</title>
475
 
    <variablelist>
476
 
      <varlistentry>
477
 
        <term><envar>MANDOSPLUGINHELPERDIR</envar></term>
478
 
        <listitem>
479
 
          <para>
480
 
            This environment variable will be assumed to contain the
481
 
            directory containing any helper executables.  The use and
482
 
            nature of these helper executables, if any, is
483
 
            purposefully not documented.
484
 
        </para>
485
 
        </listitem>
486
 
      </varlistentry>
487
 
    </variablelist>
488
445
    <para>
489
 
      This program does not use any other environment variables, not
490
 
      even the ones provided by <citerefentry><refentrytitle
 
446
      This program does not use any environment variables, not even
 
447
      the ones provided by <citerefentry><refentrytitle
491
448
      >cryptsetup</refentrytitle><manvolnum>8</manvolnum>
492
449
    </citerefentry>.
493
450
    </para>
693
650
    </variablelist>
694
651
  </refsect1>
695
652
  
696
 
  <refsect1 id="bugs">
697
 
    <title>BUGS</title>
698
 
    <xi:include href="../bugs.xml"/>
699
 
  </refsect1>
 
653
<!--   <refsect1 id="bugs"> -->
 
654
<!--     <title>BUGS</title> -->
 
655
<!--     <para> -->
 
656
<!--     </para> -->
 
657
<!--   </refsect1> -->
700
658
  
701
659
  <refsect1 id="example">
702
660
    <title>EXAMPLE</title>
788
746
    <para>
789
747
      It will also help if the checker program on the server is
790
748
      configured to request something from the client which can not be
791
 
      spoofed by someone else on the network, like SSH server key
792
 
      fingerprints, and unlike unencrypted <acronym>ICMP</acronym>
793
 
      echo (<quote>ping</quote>) replies.
 
749
      spoofed by someone else on the network, unlike unencrypted
 
750
      <acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.
794
751
    </para>
795
752
    <para>
796
753
      <emphasis>Note</emphasis>: This makes it completely insecure to
842
799
      </varlistentry>
843
800
      <varlistentry>
844
801
        <term>
845
 
          <ulink url="https://www.gnutls.org/">GnuTLS</ulink>
 
802
          <ulink url="http://www.gnu.org/software/gnutls/"
 
803
          >GnuTLS</ulink>
846
804
        </term>
847
805
      <listitem>
848
806
        <para>
854
812
      </varlistentry>
855
813
      <varlistentry>
856
814
        <term>
857
 
          <ulink url="https://www.gnupg.org/related_software/gpgme/"
 
815
          <ulink url="http://www.gnupg.org/related_software/gpgme/"
858
816
                 >GPGME</ulink>
859
817
        </term>
860
818
        <listitem>
898
856
      </varlistentry>
899
857
      <varlistentry>
900
858
        <term>
901
 
          RFC 5246: <citetitle>The Transport Layer Security (TLS)
902
 
          Protocol Version 1.2</citetitle>
 
859
          RFC 4346: <citetitle>The Transport Layer Security (TLS)
 
860
          Protocol Version 1.1</citetitle>
903
861
        </term>
904
862
      <listitem>
905
863
        <para>
906
 
          TLS 1.2 is the protocol implemented by GnuTLS.
 
864
          TLS 1.1 is the protocol implemented by GnuTLS.
907
865
        </para>
908
866
      </listitem>
909
867
      </varlistentry>
920
878
      </varlistentry>
921
879
      <varlistentry>
922
880
        <term>
923
 
          RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer
 
881
          RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer
924
882
          Security</citetitle>
925
883
        </term>
926
884
      <listitem>