/mandos/trunk : revision 369

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-ctl.xml

Committer: Teddy Hogeborn
Date: 2009-09-16 23:28:39 UTC
Revision ID: teddy@fukt.bsnet.se-20090916232839-3o7i8qmcdcz5j1ya

* init.d-mandos (Required-Start, Required-Stop): Bug fix: Added
                 "$syslog", thanks to Petter Reinholdtsen
                 <pere@hungry.com> (Debian bug #546928).

* initramfs-tools-script: Removed erroneous comment.

* plugins.d/askpass-fifo.c: Removed TEMP_FAILURE_RETRY since it is
                            not needed.

* plugins.d/mandos-client.c (main): Bug fix: Initialize
                                    "old_sigterm_action".

* plugins.d/splashy.c (main): Bug fix: really check return value from
                              "sigaddset".  Fix some warnings on
                              64-bit systems.

* plugins.d/usplash.c (termination_handler, main): Save received
                                                   signal and
                                                   re-raise it on
                                                   exit.
  (usplash_write): Do not close FIFO, instead, take an additional file
                   descriptor pointer to it and open only when needed
                   (all callers changed).  Abort immediately on EINTR.
                   Bug fix:  Add NUL byte on single-word commands.
                   Ignore "interrupted_by_signal".
  (makeprompt, find_usplash): New; broken out from "main()".
  (find_usplash): Bug fix: close /proc/<pid>/cmdline FD on error.
  (main): Reorganized to jump to a new "failure" label on any error.
          Bug fix: check return values from sigaddset.
          New variable "usplash_accessed" to flag if usplash(8) needs
          to be killed and restarted.  Removed the "an_error_occured"
          variable.

files added:
initramfs-tools-hook-conf

files removed:
DBUS-API

bugs.xml

dbus-mandos.conf

debian/mandos-client.examples

debian/mandos-client.templates

debian/mandos.templates

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

initramfs-tools-conf

initramfs-tools-script-stop

initramfs-unpack

intro.xml

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-to-cryptroot-unlock

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugins.d/plymouth.c

plugins.d/plymouth.xml

tmpfiles.d-mandos.conf

files modified:
.bzrignore

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-ctl.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-ctl">

<!ENTITY TIMESTAMP "2019-03-07">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

</refmeta>

<refname><command>&COMMANDNAME;</command></refname>

Control or query the operation of the Mandos server

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--verbose</option></arg>

<sbr/>

</group>

<group>

<replaceable>CLIENT</replaceable>

</arg>

</group>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--enable</option></arg>

<sbr/>

<arg choice="plain"><option>--disable</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--bump-timeout</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--start-checker</option></arg>

<arg choice="plain"><option>--stop-checker</option></arg>

</group>

<sbr/>

<group>

100

<arg choice="plain"><option>--checker

101

<replaceable>COMMAND</replaceable></option></arg>

102

<arg choice="plain"><option>-c

103

<replaceable>COMMAND</replaceable></option></arg>

104

</group>

105

<sbr/>

106

<group>

107

<arg choice="plain"><option>--timeout

108

109

<arg choice="plain"><option>-t

110

111

</group>

112

<sbr/>

113

<group>

114

<arg choice="plain"><option>--extended-timeout

115

116

</group>

117

<sbr/>

118

<group>

119

<arg choice="plain"><option>--interval

120

121

<arg choice="plain"><option>-i

122

123

</group>

124

<sbr/>

125

<group>

126

<arg choice="plain"><option>--approve-by-default</option

127

></arg>

128

<sbr/>

129

<arg choice="plain"><option>--deny-by-default</option></arg>

130

</group>

131

<sbr/>

132

<group>

133

<arg choice="plain"><option>--approval-delay

134

135

</group>

136

<sbr/>

137

<group>

138

<arg choice="plain"><option>--approval-duration

139

140

</group>

141

<sbr/>

142

<group>

143

<arg choice="plain"><option>--host

144

<replaceable>STRING</replaceable></option></arg>

145

<arg choice="plain"><option>-H

146

<replaceable>STRING</replaceable></option></arg>

147

</group>

148

<sbr/>

149

<group>

150

<arg choice="plain"><option>--secret

151

<replaceable>FILENAME</replaceable></option></arg>

152

<arg choice="plain"><option>-s

153

<replaceable>FILENAME</replaceable></option></arg>

154

</group>

155

<sbr/>

156

<group>

157

<arg choice="plain"><option>--approve</option></arg>

158

159

<sbr/>

160

161

162

</group>

163

</group>

164

<sbr/>

165

166

167

168

169

<replaceable>CLIENT</replaceable>

170

</arg>

171

</group>

172

</cmdsynopsis>

173

174

<command>&COMMANDNAME;</command>

175

<group>

176

177

178

</group>

179

180

<arg choice="plain"><option>--remove</option></arg>

181

182

</group>

183

184

185

186

187

<replaceable>CLIENT</replaceable>

188

</arg>

189

</group>

190

</cmdsynopsis>

191

192

<command>&COMMANDNAME;</command>

193

194

<arg choice="plain"><option>--is-enabled</option></arg>

195

196

</group>

197

<arg choice='plain'><replaceable>CLIENT</replaceable></arg>

198

</cmdsynopsis>

199

200

<command>&COMMANDNAME;</command>

201

202

203

204

</group>

205

</cmdsynopsis>

206

207

<command>&COMMANDNAME;</command>

208

209

<arg choice="plain"><option>--version</option></arg>

210

211

</group>

212

</cmdsynopsis>

213

214

<command>&COMMANDNAME;</command>

215

<arg choice="plain"><option>--check</option></arg>

216

</cmdsynopsis>

217

</refsynopsisdiv>

218

219

220

<title>DESCRIPTION</title>

221

<para>

222

<command>&COMMANDNAME;</command> is a program to control or

223

query the operation of the Mandos server

224

<citerefentry><refentrytitle>mandos</refentrytitle><manvolnum

225

>8</manvolnum></citerefentry>.

226

</para>

227

<para>

228

This program can be used to change client settings, approve or

229

deny client requests, and to remove clients from the server.

230

</para>

231

</refsect1>

232

233

234

<title>PURPOSE</title>

235

<para>

236

The purpose of this is to enable <emphasis>remote and unattended

237

rebooting</emphasis> of client host computer with an

238

<emphasis>encrypted root file system</emphasis>. See <xref

239

linkend="overview"/> for details.

240

</para>

241

</refsect1>

242

243

244

<title>OPTIONS</title>

245

246

247

248

249

250

251

<para>

252

Show a help message and exit

253

</para>

254

</listitem>

255

</varlistentry>

256

257

258

<term><option>--enable</option></term>

259

260

261

<para>

262

Enable client(s). An enabled client will be eligble to

263

receive its secret.

264

</para>

265

</listitem>

266

</varlistentry>

267

268

269

<term><option>--disable</option></term>

270

271

272

<para>

273

Disable client(s). A disabled client will not be eligble

274

to receive its secret, and no checkers will be started for

275

it.

276

</para>

277

</listitem>

278

</varlistentry>

279

280

281

<term><option>--bump-timeout</option></term>

282

283

<para>

284

Bump the timeout of the specified client(s), just as if a

285

checker had completed successfully for it/them.

286

</para>

287

</listitem>

288

</varlistentry>

289

290

291

<term><option>--start-checker</option></term>

292

293

<para>

294

Start a new checker now for the specified client(s).

295

</para>

296

</listitem>

297

</varlistentry>

298

299

300

<term><option>--stop-checker</option></term>

301

302

<para>

303

Stop any running checker for the specified client(s).

304

</para>

305

</listitem>

306

</varlistentry>

307

308

309

<term><option>--remove</option></term>

310

311

312

<para>

313

Remove the specified client(s) from the server.

314

</para>

315

</listitem>

316

</varlistentry>

317

318

319

<term><option>--checker

320

<replaceable>COMMAND</replaceable></option></term>

321

<term><option>-c

322

<replaceable>COMMAND</replaceable></option></term>

323

324

<para>

325

Set the <varname>checker</varname> option of the specified

326

client(s); see <citerefentry><refentrytitle

327

>mandos-clients.conf</refentrytitle><manvolnum

328

>5</manvolnum></citerefentry>.

329

</para>

330

</listitem>

331

</varlistentry>

332

333

334

<term><option>--timeout

335

336

<term><option>-t

337

338

339

<para>

340

Set the <varname>timeout</varname> option of the specified

341

client(s); see <citerefentry><refentrytitle

342

>mandos-clients.conf</refentrytitle><manvolnum

343

>5</manvolnum></citerefentry>.

344

</para>

345

</listitem>

346

</varlistentry>

347

348

349

<term><option>--extended-timeout

350

351

352

<para>

353

Set the <varname>extended_timeout</varname> option of the

354

specified client(s); see <citerefentry><refentrytitle

355

>mandos-clients.conf</refentrytitle><manvolnum

356

>5</manvolnum></citerefentry>.

357

</para>

358

</listitem>

359

</varlistentry>

360

361

362

<term><option>--interval

363

364

<term><option>-i

365

366

367

<para>

368

Set the <varname>interval</varname> option of the

369

specified client(s); see <citerefentry><refentrytitle

370

>mandos-clients.conf</refentrytitle><manvolnum

371

>5</manvolnum></citerefentry>.

372

</para>

373

</listitem>

374

</varlistentry>

375

376

377

<term><option>--approve-by-default</option></term>

378

<term><option>--deny-by-default</option></term>

379

380

<para>

381

Set the <varname>approved_by_default</varname> option of

382

the specified client(s) to <literal>True</literal> or

383

<literal>False</literal>, respectively; see

384

<citerefentry><refentrytitle

385

>mandos-clients.conf</refentrytitle><manvolnum

386

>5</manvolnum></citerefentry>.

387

</para>

388

</listitem>

389

</varlistentry>

390

391

392

<term><option>--approval-delay

393

394

395

<para>

396

Set the <varname>approval_delay</varname> option of the

397

specified client(s); see <citerefentry><refentrytitle

398

>mandos-clients.conf</refentrytitle><manvolnum

399

>5</manvolnum></citerefentry>.

400

</para>

401

</listitem>

402

</varlistentry>

403

404

405

<term><option>--approval-duration

406

407

408

<para>

409

Set the <varname>approval_duration</varname> option of the

410

specified client(s); see <citerefentry><refentrytitle

411

>mandos-clients.conf</refentrytitle><manvolnum

412

>5</manvolnum></citerefentry>.

413

</para>

414

</listitem>

415

</varlistentry>

416

417

418

<term><option>--host

419

<replaceable>STRING</replaceable></option></term>

420

<term><option>-H

421

<replaceable>STRING</replaceable></option></term>

422

423

<para>

424

Set the <varname>host</varname> option of the specified

425

client(s); see <citerefentry><refentrytitle

426

>mandos-clients.conf</refentrytitle><manvolnum

427

>5</manvolnum></citerefentry>.

428

</para>

429

</listitem>

430

</varlistentry>

431

432

433

<term><option>--secret

434

<replaceable>FILENAME</replaceable></option></term>

435

<term><option>-s

436

<replaceable>FILENAME</replaceable></option></term>

437

438

<para>

439

Set the <varname>secfile</varname> option of the specified

440

client(s); see <citerefentry><refentrytitle

441

>mandos-clients.conf</refentrytitle><manvolnum

442

>5</manvolnum></citerefentry>.

443

</para>

444

</listitem>

445

</varlistentry>

446

447

448

<term><option>--approve</option></term>

449

450

451

<para>

452

Approve client(s) if currently waiting for approval.

453

</para>

454

</listitem>

455

</varlistentry>

456

457

458

459

460

461

<para>

462

Deny client(s) if currently waiting for approval.

463

</para>

464

</listitem>

465

</varlistentry>

466

467

468

469

470

471

<para>

472

Make the client-modifying options modify <emphasis

473

>all</emphasis> clients.

474

</para>

475

</listitem>

476

</varlistentry>

477

478

479

<term><option>--verbose</option></term>

480

481

482

<para>

483

Show all client settings, not just a subset.

484

</para>

485

</listitem>

486

</varlistentry>

487

488

489

490

491

492

<para>

493

Dump client settings as JSON to standard output.

494

</para>

495

</listitem>

496

</varlistentry>

497

498

499

<term><option>--is-enabled</option></term>

500

501

502

<para>

503

Check if a single client is enabled or not, and exit with

504

a successful exit status only if the client is enabled.

505

</para>

506

</listitem>

507

</varlistentry>

508

509

510

<term><option>--check</option></term>

511

512

<para>

513

Run self-tests. This includes any unit tests, etc.

514

</para>

515

</listitem>

516

</varlistentry>

517

518

</variablelist>

519

</refsect1>

520

521

522

<title>OVERVIEW</title>

523

<xi:include href="overview.xml"/>

524

<para>

525

This program is a small utility to generate new OpenPGP keys for

526

new Mandos clients, and to generate sections for inclusion in

527

<filename>clients.conf</filename> on the server.

528

</para>

529

</refsect1>

530

531

532

<title>EXIT STATUS</title>

533

<para>

534

If the <option>--is-enabled</option> option is used, the exit

535

status will be 0 only if the specified client is enabled.

536

</para>

537

</refsect1>

538

539

540

541

<xi:include href="bugs.xml"/>

542

</refsect1>

543

544

545

<title>EXAMPLE</title>

546

547

<para>

548

To list all clients:

549

</para>

550

<para>

551

<userinput>&COMMANDNAME;</userinput>

552

</para>

553

</informalexample>

554

555

556

<para>

557

To list <emphasis>all</emphasis> settings for the clients

558

named <quote>foo1.example.org</quote> and <quote

559

>foo2.example.org</quote>:

560

</para>

561

<para>

562

563

564

<userinput>&COMMANDNAME; --verbose foo1.example.org foo2.example.org</userinput>

565

566

</para>

567

</informalexample>

568

569

570

<para>

571

To enable all clients:

572

</para>

573

<para>

574

<userinput>&COMMANDNAME; --enable --all</userinput>

575

</para>

576

</informalexample>

577

578

579

<para>

580

To change timeout and interval value for the clients

581

named <quote>foo1.example.org</quote> and <quote

582

>foo2.example.org</quote>:

583

</para>

584

<para>

585

586

587

<userinput>&COMMANDNAME; --timeout="PT5M" --interval="PT1M" foo1.example.org foo2.example.org</userinput>

588

589

</para>

590

</informalexample>

591

592

593

<para>

594

To approve all clients currently waiting for it:

595

</para>

596

<para>

597

<userinput>&COMMANDNAME; --approve --all</userinput>

598

</para>

599

</informalexample>

600

</refsect1>

601

602

603

<title>SECURITY</title>

604

<para>

605

This program must be permitted to access the Mandos server via

606

the D-Bus interface. This normally requires the root user, but

607

could be configured otherwise by reconfiguring the D-Bus server.

608

</para>

609

</refsect1>

610

611

612

613

<para>

614

<citerefentry><refentrytitle>intro</refentrytitle>

615

<manvolnum>8mandos</manvolnum></citerefentry>,

616

<citerefentry><refentrytitle>mandos</refentrytitle>

617

<manvolnum>8</manvolnum></citerefentry>,

618

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

619

<manvolnum>5</manvolnum></citerefentry>,

620

<citerefentry><refentrytitle>mandos-monitor</refentrytitle>

621

622

</para>

623

</refsect1>

624

625

</refentry>

626

627

628

629

630

Older »