 old  new   - = only in the 2008-08-30 revision, + = only in the 2009-09-17 revision, unmarked = unchanged
   1      - <?xml version='1.0' encoding='UTF-8'?>
        1 + <?xml version="1.0" encoding="UTF-8"?>
   2    2   <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   3    3   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
   4      - <!ENTITY VERSION "1.0">
   5    4   <!ENTITY CONFNAME "mandos-clients.conf">
   6    5   <!ENTITY CONFPATH "<filename>/etc/mandos/clients.conf</filename>">
   7      - <!ENTITY TIMESTAMP "2008-08-30">
        6 + <!ENTITY TIMESTAMP "2009-09-17">
        7 + <!ENTITY % common SYSTEM "common.ent">
       11 + <refentry xmlns:xi="http://www.w3.org/2001/XInclude">
  12   13   <title>Mandos Manual</title>
  13   14   <!-- NWalsh’s docbook scripts use this to generate the footer: -->
  14   15   <productname>Mandos</productname>
  15      - <productnumber>&VERSION;</productnumber>
       16 + <productnumber>&version;</productnumber>
  16   17   <date>&TIMESTAMP;</date>
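Review bot: `&version;` (new line 16) has no definition left in the visible internal subset now that `<!ENTITY VERSION "1.0">` (old line 4) is gone; it presumably comes from `common.ent` (new line 7), but that external parameter entity only takes effect if a `%common;` reference follows its declaration inside the `[ ... ]` subset, and new lines 8-10 are not shown here, so please confirm the reference is present or the document will not parse. Since the prolog now combines a DTD fetched from an http URL (line 3) with a local entity file, it is also worth building and validating with `xmllint --nonet --noent --valid` (or an XML catalog) so a build never reaches out over the network for the DocBook DTD.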
  35   37   <holder>Teddy Hogeborn</holder>
  36   38   <holder>Björn Påhlsson</holder>
  40      - This manual page is free software: you can redistribute it
  41      - and/or modify it under the terms of the GNU General Public
  42      - License as published by the Free Software Foundation,
  43      - either version 3 of the License, or (at your option) any
  48      - This manual page is distributed in the hope that it will
  49      - be useful, but WITHOUT ANY WARRANTY; without even the
  50      - implied warranty of MERCHANTABILITY or FITNESS FOR A
  51      - PARTICULAR PURPOSE. See the GNU General Public License
  56      - You should have received a copy of the GNU General Public
  57      - License along with this program; If not, see
  58      - <ulink url="http://www.gnu.org/licenses/"/>.
       40 + <xi:include href="legalnotice.xml"/>
  64   44   <refentrytitle>&CONFNAME;</refentrytitle>
  65   45   <manvolnum>5</manvolnum>
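Review bot: the `<xi:include href="legalnotice.xml"/>` at new line 40 only works if the toolchain performs XInclude processing before DTD validation (`xmllint --xinclude --valid`, `xsltproc --xinclude`); DocBook 4.5 does not declare an `xi:include` element, so a validation pass that runs first will reject it where the old `<legalnotice>` paragraphs stood. With no `xi:fallback` child a missing `legalnotice.xml` is a fatal error rather than a silently dropped notice, which is the right behaviour for license text; please check that the three paragraphs removed here (old lines 40-58) appear verbatim in that file, since the copyright holders at lines 37-38 stay in this document while the license body moves out of it.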
 115   95   start time expansion, see <xref linkend="expansion"/>.
 118      - Uknown options are ignored. The used options are as follows:
       98 + Unknown options are ignored. The used options are as follows:
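Review bot: beyond the "Uknown" to "Unknown" typo fix (old 118 / new 98), the sentence "Unknown options are ignored" deserves a warning in the text rather than a bare statement: a misspelled option name (a mistyped `timeout` or `checker`, say) is silently dropped and the built-in default stays in force, and for these two options the default is security-relevant. Suggest either stating that the server logs unrecognised options, if it does, or advising readers to verify the effective per-client settings after editing the file.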
 124  104   <term><option>timeout<literal> = </literal><replaceable
 125  105   >TIME</replaceable></option></term>
 128      - The timeout is how long the server will wait for a
 129      - successful checker run until a client is considered
 130      - invalid - that is, ineligible to get the data this server
 131      - holds. By default Mandos will use 1 hour.
      108 + This option is <emphasis>optional</emphasis>.
      111 + The timeout is how long the server will wait (for either a
      112 + successful checker run or a client receiving its secret)
      113 + until a client is considered invalid - that is, ineligible
      114 + to get the data this server holds. By default Mandos will
 134  118   The <replaceable>TIME</replaceable> is specified as a
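Review bot: new line 114 ends mid-sentence ("By default Mandos will"), so the default that the old text stated (1 hour, old line 131) is not visible in this hunk; make sure the rewritten paragraph still gives it. The parenthetical in new lines 111-112 also reads awkwardly: if the intended meaning is that either event resets the timer, say so directly, for example "how long the server waits, counted from the last successful checker run or the last delivery of the secret to the client, before the client is considered invalid". The hyphen in "invalid - that is" (new 113) should be a real dash or a comma in DocBook.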
 150  134   <term><option>interval<literal> = </literal><replaceable
 151  135   >TIME</replaceable></option></term>
      138 + This option is <emphasis>optional</emphasis>.
 154  141   How often to run the checker to confirm that a client is
 155  142   still up. <emphasis>Note:</emphasis> a new checker will
 156  143   not be started if an old one is still running. The server
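Review bot: the rule in new lines 142-143 ("a new checker will not be started if an old one is still running") has a consequence the text should spell out: a custom checker that hangs blocks every later check for that client, so no successful run is ever recorded and, by the definition given under `timeout`, the client is invalidated once that timeout elapses. A sentence saying that a checker must terminate (or be killed) well within `interval`, as the default `fping -q` invocation does by virtue of fping's own per-target timeout, would save administrators a puzzling failure.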
 170  157   <term><option>checker<literal> = </literal><replaceable
 171  158   >COMMAND</replaceable></option></term>
      161 + This option is <emphasis>optional</emphasis>.
 174  164   This option allows you to override the default shell
 175  165   command that the server will use to check if the client is
 176  166   still up. Any output of the command will be ignored, only
 181  171   <varname>PATH</varname> will be searched. The default
 182  172   value for the checker command is <quote><literal
 183  173   ><command>fping</command> <option>-q</option> <option
 184      - >--</option> %(host)s</literal></quote>.
      174 + >--</option> %%(host)s</literal></quote>.
 187  177   In addition to normal start time expansion, this option
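Review bot: the documented default changes from `%(host)s` (old 184) to `%%(host)s` (new 174) with no explanation; the doubled `%` is presumably the escape required because the value first passes through the configuration parser's own `%`-interpolation and only afterwards through the start time expansion mentioned at new line 177, and the manual should say so explicitly, since an administrator who copies `%(host)s` from the previous revision into a custom checker will get a different result. While this paragraph is being edited: it describes the checker as a shell command (new 164) into which `host` is substituted; `--` stops fping from reading the value as an option, but whether the substituted value is shell-quoted is not stated here, so the text should tell readers to keep `host` to a plain host name or address unless they quote the substitution in their own checker.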
 196  186   ><replaceable>HEXSTRING</replaceable></option></term>
      189 + This option is <emphasis>required</emphasis>.
 199  192   This option sets the OpenPGP fingerprint that identifies
 200  193   the public key that clients authenticate themselves with
 201  194   through TLS. The string needs to be in hexidecimal form,
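Review bot: "hexidecimal" on the unchanged line (old 201 / new 194) should be "hexadecimal"; since the adjacent lines are being touched anyway, fix it in this change.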
 209  202   >BASE64_ENCODED_DATA</replaceable></option></term>
      205 + If this option is not specified, the <option
      206 + >secfile</option> option is <emphasis>required</emphasis>
 212  210   If present, this option must be set to a string of
 213  211   base64-encoded binary data. It will be decoded and sent
 214  212   to the client matching the above
 226  224   lines is that a line beginning with white space adds to
 227  225   the value of the previous line, RFC 822-style.
 230      - If this option is not specified, the <option
 231      - >secfile</option> option is used instead, but one of them
 232      - <emphasis>must</emphasis> be present.
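Review bot: new lines 205-206 and the removed old lines 230-232 state the same rule, and the new wording is the clearer of the two. What the section still does not say, and what matters because `secret` puts the secret itself into the configuration file, is anything about that file's permissions; a sentence after the "If present ..." paragraph (new 210-212) recommending that &CONFPATH; be readable only by the server would close the gap.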
 238  231   <term><option>secfile<literal> = </literal><replaceable
 239  232   >FILENAME</replaceable></option></term>
      235 + This option is only used if <option>secret</option> is not
      236 + specified, in which case this option is
      237 + <emphasis>required</emphasis>.
 242  240   Similar to the <option>secret</option>, except the secret
 243  241   data is in an external file. The contents of the file
 244  242   should <emphasis>not</emphasis> be base64-encoded, but
 245  243   will be sent to clients verbatim.
 248      - This option is only used, and <emphasis>must</emphasis> be
 249      - present, if <option>secret</option> is not specified.
      246 + File names of the form <filename>~user/foo/bar</filename>
      247 + and <filename>$<envar>ENVVAR</envar>/foo/bar</filename>
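Review bot: the new sentence starting at lines 246-247 ("File names of the form ~user/foo/bar and $ENVVAR/foo/bar ...") is cut off in this view, so it is not visible what expansion is applied; whatever it is, the text should say that the server's own environment is consulted and what happens when the variable is unset, because an unset `$ENVVAR` that silently resolves to a wrong path is the kind of failure nobody notices until the secret is not delivered. Since new line 243 promises the file is sent "verbatim", it is also worth adding that a trailing newline is part of the secret, so a file written with `echo` rather than `printf` yields a different secret than the same bytes given via `secret`.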
 255  254   <term><option><literal>host = </literal><replaceable
 256  255   >STRING</replaceable></option></term>
      258 + This option is <emphasis>optional</emphasis>, but highly
      259 + <emphasis>recommended</emphasis> unless the
      260 + <option>checker</option> option is modified to a
      261 + non-standard value without <quote>%%(host)s</quote> in it.
 259  264   Host name for this client. This is not used by the server
 260  265   directly, but can be, and is by default, used by the
 261  266   checker. See the <option>checker</option> option.
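Review bot: new lines 258-261 make `host` optional but do not say what the default checker does when it is omitted: does the `%%(host)s` expansion fail at start time, or does `fping -q --` run with no target and never succeed, so that the client is invalidated once `timeout` elapses? State the actual behaviour; in either case the practical consequence for a reader is that leaving `host` out while keeping the default checker means that client can never be checked, and the paragraph should say so plainly instead of only calling the option "recommended".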