/mandos/trunk : revision 24.1.81

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-clients.conf.xml

Committer: Björn Påhlsson
Date: 2008-09-03 18:47:50 UTC
mto: (24.1.154 mandos) (237.4.3 mandos-release)
mto: This revision was merged to the branch mainline in revision 149.
Revision ID: belorn@braxen-20080903184750-s0k0jrrq0lxiamwh

removed keyring pre-requirement for starting password-request.
Keys will now be imported in run-time to a run-time created keyring

Changed seckey and pubkey to be paths to private and public keys of the pgp encrypted password and gnutls authentication credentials.

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

mandos-ctl

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-clients.conf.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY CONFNAME "mandos-clients.conf">

<!ENTITY CONFPATH "<filename>/etc/mandos/clients.conf</filename>">

<!ENTITY TIMESTAMP "2009-09-17">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-08-31">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&CONFNAME;</refentrytitle>

Configuration file for the Mandos server

</refpurpose>

</refnamediv>

<synopsis>&CONFPATH;</synopsis>

</refsynopsisdiv>

<title>DESCRIPTION</title>

<para>

start time expansion, see <xref linkend="expansion"/>.

</para>

<para>

Unknown options are ignored. The used options are as follows:

Uknown options are ignored. The used options are as follows:

</para>

100

101

102

100

103

101

104

102

<term><option>timeout<literal> = </literal><replaceable

105

103

>TIME</replaceable></option></term>

106

104

107

105

<para>

108

This option is <emphasis>optional</emphasis>.

109

</para>

110

<para>

111

The timeout is how long the server will wait (for either a

112

successful checker run or a client receiving its secret)

113

until a client is considered invalid - that is, ineligible

114

to get the data this server holds. By default Mandos will

115

use 1 hour.

106

The timeout is how long the server will wait for a

107

successful checker run until a client is considered

108

invalid - that is, ineligible to get the data this server

109

holds. By default Mandos will use 1 hour.

116

110

</para>

117

111

<para>

118

112

The <replaceable>TIME</replaceable> is specified as a

129

123

</para>

130

124

</listitem>

131

125

</varlistentry>

132

126

133

127

134

128

<term><option>interval<literal> = </literal><replaceable

135

129

>TIME</replaceable></option></term>

136

130

137

131

<para>

138

This option is <emphasis>optional</emphasis>.

139

</para>

140

<para>

141

132

How often to run the checker to confirm that a client is

142

133

still up. <emphasis>Note:</emphasis> a new checker will

143

134

not be started if an old one is still running. The server

152

143

</para>

153

144

</listitem>

154

145

</varlistentry>

155

146

156

147

157

148

<term><option>checker<literal> = </literal><replaceable

158

149

>COMMAND</replaceable></option></term>

159

150

160

151

<para>

161

This option is <emphasis>optional</emphasis>.

162

</para>

163

<para>

164

152

This option allows you to override the default shell

165

153

command that the server will use to check if the client is

166

154

still up. Any output of the command will be ignored, only

171

159

<varname>PATH</varname> will be searched. The default

172

160

value for the checker command is <quote><literal

173

161

><command>fping</command> <option>-q</option> <option

174

>--</option> %%(host)s</literal></quote>.

162

>--</option> %(host)s</literal></quote>.

175

163

</para>

176

164

<para>

177

165

In addition to normal start time expansion, this option

186

174

><replaceable>HEXSTRING</replaceable></option></term>

187

175

188

176

<para>

189

This option is <emphasis>required</emphasis>.

190

</para>

191

<para>

192

177

This option sets the OpenPGP fingerprint that identifies

193

178

the public key that clients authenticate themselves with

194

179

through TLS. The string needs to be in hexidecimal form,

202

187

>BASE64_ENCODED_DATA</replaceable></option></term>

203

188

204

189

<para>

205

If this option is not specified, the <option

206

>secfile</option> option is <emphasis>required</emphasis>

207

to be present.

208

</para>

209

<para>

210

190

If present, this option must be set to a string of

211

191

base64-encoded binary data. It will be decoded and sent

212

192

to the client matching the above

224

204

lines is that a line beginning with white space adds to

225

205

the value of the previous line, RFC 822-style.

226

206

</para>

207

<para>

208

If this option is not specified, the <option

209

>secfile</option> option is used instead, but one of them

210

<emphasis>must</emphasis> be present.

211

</para>

227

212

</listitem>

228

213

</varlistentry>

229

214

230

215

231

216

<term><option>secfile<literal> = </literal><replaceable

232

217

>FILENAME</replaceable></option></term>

233

218

234

219

<para>

235

This option is only used if <option>secret</option> is not

236

specified, in which case this option is

237

<emphasis>required</emphasis>.

238

</para>

239

<para>

240

220

Similar to the <option>secret</option>, except the secret

241

221

data is in an external file. The contents of the file

242

222

should <emphasis>not</emphasis> be base64-encoded, but

243

223

will be sent to clients verbatim.

244

224

</para>

245

225

<para>

246

File names of the form <filename>~user/foo/bar</filename>

247

and <filename>$<envar>ENVVAR</envar>/foo/bar</filename>

248

are supported.

226

This option is only used, and <emphasis>must</emphasis> be

227

present, if <option>secret</option> is not specified.

249

228

</para>

250

229

</listitem>

251

230

</varlistentry>

252

231

253

232

254

233

<term><option><literal>host = </literal><replaceable

255

234

>STRING</replaceable></option></term>

256

235

257

236

<para>

258

This option is <emphasis>optional</emphasis>, but highly

259

<emphasis>recommended</emphasis> unless the

260

<option>checker</option> option is modified to a

261

non-standard value without <quote>%%(host)s</quote> in it.

262

</para>

263

<para>

264

237

Host name for this client. This is not used by the server

265

238

directly, but can be, and is by default, used by the

266

239

checker. See the <option>checker</option> option.

321

294

mode is needed to expose an error of this kind.

322

295

</para>

323

296

</refsect2>

324

297

325

298

</refsect1>

326

299

327

300

352

325

[DEFAULT]

353

326

timeout = 1h

354

327

interval = 5m

355

checker = fping -q -- %%(host)s

328

checker = fping -q -- %(host)s

356

329

357

330

# Client "foo"

358

331

[foo]

381

354

fingerprint = 3e393aeaefb84c7e89e2f547b3a107558fca3a27

382

355

secfile = /etc/mandos/bar-secret

383

356

timeout = 15m

357

384

358

</programlisting>

385

359

</informalexample>

386

360

</refsect1>

Older »