/mandos/trunk : revision 257

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: Teddy Hogeborn
Date: 2009-01-08 03:54:06 UTC
Revision ID: teddy@fukt.bsnet.se-20090108035406-01uqkv9xqgxlnw7c

Change the default value of the "checker" option command to make the
checker command be run-time dependent on the "host" client attribute
instead of reading it only once on startup:

* clients.conf (checker): Changed default commented-out value to
                          "fping -q -- %%(host)s".
* mandos (main): Changed default value for the "checker" config option
                 to "fping -q -- %%(host)s".
* mandos-clients.conf.xml (OPTIONS): Document changed default value.
  (EXAMPLE): Changed value of "checker".

* plugins.d/password-prompt.c: Whitespace changes only.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

INSTALL

NEWS

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

mandos-list

mandos.lsm

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

README

TODO

clients.conf

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "password-request">

<!ENTITY TIMESTAMP "2008-09-04">

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2009-01-04">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&VERSION;</productnumber>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="../legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

<refname><command>&COMMANDNAME;</command></refname>

Client for mandos

Client for <application>Mandos</application>

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

113

115

</group>

114

116

</cmdsynopsis>

115

117

</refsynopsisdiv>

116

118

117

119

118

120

<title>DESCRIPTION</title>

119

121

<para>

215

217

</para>

216

218

</listitem>

217

219

</varlistentry>

218

220

219

221

220

222

<term><option>--seckey=<replaceable

221

223

>FILE</replaceable></option></term>

238

240

xpointer="priority"/>

239

241

</listitem>

240

242

</varlistentry>

241

243

242

244

243

245

<term><option>--dh-bits=<replaceable

244

246

>BITS</replaceable></option></term>

284

286

</para>

285

287

</listitem>

286

288

</varlistentry>

287

289

288

290

289

291

<term><option>--version</option></term>

290

292

296

298

</varlistentry>

297

299

</variablelist>

298

300

</refsect1>

299

301

300

302

301

303

<title>OVERVIEW</title>

302

304

<xi:include href="../overview.xml"/>

311

313

<filename>/etc/crypttab</filename>, but it would then be

312

314

impossible to enter a password for the encrypted root disk at

313

315

the console, since this program does not read from the console

314

at all. This is why a separate plugin (<citerefentry>

315

<refentrytitle>password-prompt</refentrytitle>

316

<manvolnum>8mandos</manvolnum></citerefentry>) does that, which

317

will be run in parallel to this one by the plugin runner.

316

at all. This is why a separate plugin runner (<citerefentry>

317

<refentrytitle>plugin-runner</refentrytitle>

318

<manvolnum>8mandos</manvolnum></citerefentry>) is used to run

319

both this program and others in in parallel,

320

<emphasis>one</emphasis> of which will prompt for passwords on

321

the system console.

318

322

</para>

319

323

</refsect1>

320

324

327

331

program will exit with a non-zero exit status only if a critical

328

332

error occurs. Otherwise, it will forever connect to new

329

333

<application>Mandos</application> servers as they appear, trying

330

to get a decryptable password.

334

to get a decryptable password and print it.

331

335

</para>

332

336

</refsect1>

333

337

341

345

</para>

342

346

</refsect1>

343

347

344

348

345

349

<title>FILES</title>

346

350

347

351

366

370

367

371

368

372

369

373

370

374

371

375

<title>EXAMPLE</title>

372

376

<para>

421

425

</para>

422

426

</informalexample>

423

427

</refsect1>

424

428

425

429

426

430

<title>SECURITY</title>

427

431

<para>

447

451

The only remaining weak point is that someone with physical

448

452

access to the client hard drive might turn off the client

449

453

computer, read the OpenPGP keys directly from the hard drive,

450

and communicate with the server. The defense against this is

451

that the server is supposed to notice the client disappearing

452

and will stop giving out the encrypted data. Therefore, it is

453

important to set the timeout and checker interval values tightly

454

on the server. See <citerefentry><refentrytitle

454

and communicate with the server. To safeguard against this, the

455

server is supposed to notice the client disappearing and stop

456

giving out the encrypted data. Therefore, it is important to

457

set the timeout and checker interval values tightly on the

458

server. See <citerefentry><refentrytitle

455

459

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

456

460

</para>

457

461

<para>

468

472

confidential.

469

473

</para>

470

474

</refsect1>

471

475

472

476

473

477

474

478

<para>

599

603

</varlistentry>

600

604

</variablelist>

601

605

</refsect1>

602

603

606

</refentry>

607

604

608

605

609

606

610

Older »