/mandos/trunk : revision 24.1.84

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-clients.conf.xml

Committer: Björn Påhlsson
Date: 2008-09-03 19:38:55 UTC
mfrom: (150 mandos)
mto: (24.1.154 mandos) (237.4.3 mandos-release)
mto: This revision was merged to the branch mainline in revision 153.
Revision ID: belorn@braxen-20080903193855-mrw2pcz96tppt2db

merge

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-clients.conf.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY CONFNAME "mandos-clients.conf">

<!ENTITY CONFPATH "<filename>/etc/mandos/clients.conf</filename>">

<!ENTITY TIMESTAMP "2010-09-26">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-09-03">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&CONFNAME;</refentrytitle>

Configuration file for the Mandos server

</refpurpose>

</refnamediv>

<synopsis>&CONFPATH;</synopsis>

</refsynopsisdiv>

<title>DESCRIPTION</title>

<para>

><refentrytitle>mandos</refentrytitle>

<manvolnum>8</manvolnum></citerefentry>, read by it at startup.

The file needs to list all clients that should be able to use

the service. All clients listed will be regarded as enabled,

even if a client was disabled in a previous run of the server.

the service. All clients listed will be regarded as valid, even

if a client was declared invalid in a previous run of the

server.

</para>

<para>

The format starts with a <literal>[<replaceable>section

start time expansion, see <xref linkend="expansion"/>.

</para>

<para>

Unknown options are ignored. The used options are as follows:

Uknown options are ignored. The used options are as follows:

</para>

100

101

102

103

104

<term><option>approval_delay<literal> = </literal><replaceable

105

>TIME</replaceable></option></term>

106

107

<para>

108

This option is <emphasis>optional</emphasis>.

109

</para>

110

<para>

111

How long to wait for external approval before resorting to

112

use the <option>approved_by_default</option> value. The

113

default is <quote>0s</quote>, i.e. not to wait.

114

</para>

115

<para>

116

The format of <replaceable>TIME</replaceable> is the same

117

as for <varname>timeout</varname> below.

118

</para>

119

</listitem>

120

</varlistentry>

121

122

123

<term><option>approval_duration<literal> = </literal

124

><replaceable>TIME</replaceable></option></term>

125

126

<para>

127

This option is <emphasis>optional</emphasis>.

128

</para>

129

<para>

130

How long an external approval lasts. The default is 1

131

second.

132

</para>

133

<para>

134

The format of <replaceable>TIME</replaceable> is the same

135

as for <varname>timeout</varname> below.

136

</para>

137

</listitem>

138

</varlistentry>

139

140

141

<term><option>approved_by_default<literal> = </literal

142

>{ <literal >1</literal> | <literal>yes</literal> | <literal

143

>true</literal> | <literal>on</literal> | <literal

144

>0</literal> | <literal>no</literal> | <literal

145

>false</literal> | <literal>off</literal> }</option></term>

146

147

<para>

148

Whether to approve a client by default after

149

the <option>approval_delay</option>. The default

150

is <quote>True</quote>.

151

</para>

152

</listitem>

153

</varlistentry>

154

100

101

102

<term><option>timeout<literal> = </literal><replaceable

103

>TIME</replaceable></option></term>

104

105

<para>

106

This option is <emphasis>optional</emphasis>.

107

</para>

108

<para>

109

The timeout is how long the server will wait for a

110

successful checker run until a client is considered

111

invalid - that is, ineligible to get the data this server

112

holds. By default Mandos will use 1 hour.

113

</para>

114

<para>

115

The <replaceable>TIME</replaceable> is specified as a

116

space-separated number of values, each of which is a

117

number and a one-character suffix. The suffix must be one

118

of <quote>d</quote>, <quote>s</quote>, <quote>m</quote>,

119

<quote>h</quote>, and <quote>w</quote> for days, seconds,

120

minutes, hours, and weeks, respectively. The values are

121

added together to give the total time value, so all of

122

<quote><literal>330s</literal></quote>,

123

<quote><literal>110s 110s 110s</literal></quote>, and

124

<quote><literal>5m 30s</literal></quote> will give a value

125

of five minutes and thirty seconds.

126

</para>

127

</listitem>

128

</varlistentry>

129

130

131

<term><option>interval<literal> = </literal><replaceable

132

>TIME</replaceable></option></term>

133

134

<para>

135

This option is <emphasis>optional</emphasis>.

136

</para>

137

<para>

138

How often to run the checker to confirm that a client is

139

still up. <emphasis>Note:</emphasis> a new checker will

140

not be started if an old one is still running. The server

141

will wait for a checker to complete until the above

142

<quote><varname>timeout</varname></quote> occurs, at which

143

time the client will be marked invalid, and any running

144

checker killed. The default interval is 5 minutes.

145

</para>

146

<para>

147

The format of <replaceable>TIME</replaceable> is the same

148

as for <varname>timeout</varname> above.

149

</para>

150

</listitem>

151

</varlistentry>

152

155

153

156

154

<term><option>checker<literal> = </literal><replaceable

157

155

>COMMAND</replaceable></option></term>

170

168

<varname>PATH</varname> will be searched. The default

171

169

value for the checker command is <quote><literal

172

170

><command>fping</command> <option>-q</option> <option

173

>--</option> %%(host)s</literal></quote>.

171

>--</option> %(host)s</literal></quote>.

174

172

</para>

175

173

<para>

176

174

In addition to normal start time expansion, this option

197

195

</varlistentry>

198

196

199

197

200

<term><option><literal>host = </literal><replaceable

201

>STRING</replaceable></option></term>

202

203

<para>

204

This option is <emphasis>optional</emphasis>, but highly

205

<emphasis>recommended</emphasis> unless the

206

<option>checker</option> option is modified to a

207

non-standard value without <quote>%%(host)s</quote> in it.

208

</para>

209

<para>

210

Host name for this client. This is not used by the server

211

directly, but can be, and is by default, used by the

212

checker. See the <option>checker</option> option.

213

</para>

214

</listitem>

215

</varlistentry>

216

217

218

<term><option>interval<literal> = </literal><replaceable

219

>TIME</replaceable></option></term>

220

221

<para>

222

This option is <emphasis>optional</emphasis>.

223

</para>

224

<para>

225

How often to run the checker to confirm that a client is

226

still up. <emphasis>Note:</emphasis> a new checker will

227

not be started if an old one is still running. The server

228

will wait for a checker to complete until the below

229

<quote><varname>timeout</varname></quote> occurs, at which

230

time the client will be disabled, and any running checker

231

killed. The default interval is 5 minutes.

232

</para>

233

<para>

234

The format of <replaceable>TIME</replaceable> is the same

235

as for <varname>timeout</varname> below.

236

</para>

237

</listitem>

238

</varlistentry>

239

240

241

<term><option>secfile<literal> = </literal><replaceable

242

>FILENAME</replaceable></option></term>

243

244

<para>

245

This option is only used if <option>secret</option> is not

246

specified, in which case this option is

247

<emphasis>required</emphasis>.

248

</para>

249

<para>

250

Similar to the <option>secret</option>, except the secret

251

data is in an external file. The contents of the file

252

should <emphasis>not</emphasis> be base64-encoded, but

253

will be sent to clients verbatim.

254

</para>

255

<para>

256

File names of the form <filename>~user/foo/bar</filename>

257

and <filename>$<envar>ENVVAR</envar>/foo/bar</filename>

258

are supported.

259

</para>

260

</listitem>

261

</varlistentry>

262

263

264

198

<term><option>secret<literal> = </literal><replaceable

265

199

>BASE64_ENCODED_DATA</replaceable></option></term>

266

200

289

223

</para>

290

224

</listitem>

291

225

</varlistentry>

292

293

294

<term><option>timeout<literal> = </literal><replaceable

295

>TIME</replaceable></option></term>

296

297

<para>

298

This option is <emphasis>optional</emphasis>.

299

</para>

300

<para>

301

The timeout is how long the server will wait (for either a

302

successful checker run or a client receiving its secret)

303

until a client is disabled and not allowed to get the data

304

this server holds. By default Mandos will use 1 hour.

305

</para>

306

<para>

307

The <replaceable>TIME</replaceable> is specified as a

308

space-separated number of values, each of which is a

309

number and a one-character suffix. The suffix must be one

310

of <quote>d</quote>, <quote>s</quote>, <quote>m</quote>,

311

<quote>h</quote>, and <quote>w</quote> for days, seconds,

312

minutes, hours, and weeks, respectively. The values are

313

added together to give the total time value, so all of

314

<quote><literal>330s</literal></quote>,

315

<quote><literal>110s 110s 110s</literal></quote>, and

316

<quote><literal>5m 30s</literal></quote> will give a value

317

of five minutes and thirty seconds.

226

227

228

<term><option>secfile<literal> = </literal><replaceable

229

>FILENAME</replaceable></option></term>

230

231

<para>

232

This option is only used if <option>secret</option> is not

233

specified, in which case this option is

234

<emphasis>required</emphasis>.

235

</para>

236

<para>

237

Similar to the <option>secret</option>, except the secret

238

data is in an external file. The contents of the file

239

should <emphasis>not</emphasis> be base64-encoded, but

240

will be sent to clients verbatim.

241

</para>

242

</listitem>

243

</varlistentry>

244

245

246

<term><option><literal>host = </literal><replaceable

247

>STRING</replaceable></option></term>

248

249

<para>

250

This option is <emphasis>optional</emphasis>, but highly

251

<emphasis>recommended</emphasis> unless the

252

<option>checker</option> option is modified to a

253

non-standard value without <quote>%(host)s</quote> in it.

254

</para>

255

<para>

256

Host name for this client. This is not used by the server

257

directly, but can be, and is by default, used by the

258

checker. See the <option>checker</option> option.

318

259

</para>

319

260

</listitem>

320

261

</varlistentry>

372

313

mode is needed to expose an error of this kind.

373

314

</para>

374

315

</refsect2>

375

316

376

317

</refsect1>

377

318

378

319

403

344

[DEFAULT]

404

345

timeout = 1h

405

346

interval = 5m

406

checker = fping -q -- %%(host)s

347

checker = fping -q -- %(host)s

407

348

408

349

# Client "foo"

409

350

[foo]

432

373

fingerprint = 3e393aeaefb84c7e89e2f547b3a107558fca3a27

433

374

secfile = /etc/mandos/bar-secret

434

375

timeout = 15m

435

approved_by_default = False

436

approval_delay = 30s

376

437

377

</programlisting>

438

378

</informalexample>

439

379

</refsect1>

Older »