/mandos/trunk : revision 439

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-clients.conf.xml

Committer: Teddy Hogeborn
Date: 2010-09-25 20:09:10 UTC
Revision ID: teddy@fukt.bsnet.se-20100925200910-8bxnasqkol93sj89

* mandos: Do not write pid file if --debug is passed.
* mandos.xml (FILES): Pid file only records pid of latest server.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-clients.conf.xml

<?xml version='1.0' encoding='UTF-8'?>

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY CONFNAME "mandos-clients.conf">

<!ENTITY CONFPATH "<filename>/etc/mandos/clients.conf</filename>">

<!ENTITY TIMESTAMP "2008-08-29">

<!ENTITY TIMESTAMP "2010-09-25">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&VERSION;</productnumber>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&CONFNAME;</refentrytitle>

Configuration file for the Mandos server

</refpurpose>

</refnamediv>

&CONFPATH;

</synopsis>

<synopsis>&CONFPATH;</synopsis>

</refsynopsisdiv>

<title>DESCRIPTION</title>

<para>

><refentrytitle>mandos</refentrytitle>

<manvolnum>8</manvolnum></citerefentry>, read by it at startup.

The file needs to list all clients that should be able to use

the service. All clients listed will be regarded as valid, even

if a client was declared invalid in a previous run of the

server.

the service. All clients listed will be regarded as enabled,

even if a client was disabled in a previous run of the server.

</para>

<para>

The format starts with a <literal>[<replaceable>section

117

start time expansion, see <xref linkend="expansion"/>.

118

</para>

119

<para>

120

Uknown options are ignored. The used options are as follows:

Unknown options are ignored. The used options are as follows:

121

</para>

122

123

100

124

125

126

<term><literal><varname>timeout</varname></literal></term>

127

128

<synopsis><literal>timeout = </literal><replaceable

129

>TIME</replaceable>

130

</synopsis>

131

<para>

132

The timeout is how long the server will wait for a

133

successful checker run until a client is considered

134

invalid - that is, ineligible to get the data this server

135

holds. By default Mandos will use 1 hour.

136

</para>

137

<para>

138

The <replaceable>TIME</replaceable> is specified as a

139

space-separated number of values, each of which is a

140

number and a one-character suffix. The suffix must be one

141

of <quote>d</quote>, <quote>s</quote>, <quote>m</quote>,

142

<quote>h</quote>, and <quote>w</quote> for days, seconds,

143

minutes, hours, and weeks, respectively. The values are

144

added together to give the total time value, so all of

145

<quote><literal>330s</literal></quote>,

146

<quote><literal>110s 110s 110s</literal></quote>, and

147

<quote><literal>5m 30s</literal></quote> will give a value

148

of five minutes and thirty seconds.

149

</para>

150

</listitem>

151

</varlistentry>

152

153

154

<term><literal><varname>interval</varname></literal></term>

155

156

<synopsis><literal>interval = </literal><replaceable

157

>TIME</replaceable>

158

</synopsis>

159

<para>

160

How often to run the checker to confirm that a client is

161

still up. <emphasis>Note:</emphasis> a new checker will

162

not be started if an old one is still running. The server

163

will wait for a checker to complete until the above

164

<quote><varname>timeout</varname></quote> occurs, at which

165

time the client will be marked invalid, and any running

166

checker killed. The default interval is 5 minutes.

167

</para>

168

<para>

169

The format of <replaceable>TIME</replaceable> is the same

170

as for <varname>timeout</varname> above.

171

</para>

172

</listitem>

173

</varlistentry>

174

175

176

<term><literal>checker</literal></term>

177

178

<synopsis><literal>checker = </literal><replaceable

179

>COMMAND</replaceable>

180

</synopsis>

101

102

103

<term><option>approval_delay<literal> = </literal><replaceable

104

>TIME</replaceable></option></term>

105

106

<para>

107

This option is <emphasis>optional</emphasis>.

108

</para>

109

<para>

110

How long to wait for external approval before resorting to

111

use the <option>approved_by_default</option> value. The

112

default is <quote>0s</quote>, i.e. not to wait.

113

</para>

114

<para>

115

The format of <replaceable>TIME</replaceable> is the same

116

as for <varname>timeout</varname> below.

117

</para>

118

</listitem>

119

</varlistentry>

120

121

122

<term><option>approval_duration<literal> = </literal

123

><replaceable>TIME</replaceable></option></term>

124

125

<para>

126

This option is <emphasis>optional</emphasis>.

127

</para>

128

<para>

129

How long an external approval lasts. The default is 1

130

second.

131

</para>

132

<para>

133

The format of <replaceable>TIME</replaceable> is the same

134

as for <varname>timeout</varname> below.

135

</para>

136

</listitem>

137

</varlistentry>

138

139

140

<term><option>approved_by_default<literal> = </literal

141

>{ <literal >1</literal> | <literal>yes</literal> | <literal

142

>true</literal> | <literal>on</literal> | <literal

143

>0</literal> | <literal>no</literal> | <literal

144

>false</literal> | <literal>off</literal> }</option></term>

145

146

<para>

147

Whether to approve a client by default after

148

the <option>approval_delay</option>. The default

149

is <quote>True</quote>.

150

</para>

151

</listitem>

152

</varlistentry>

153

154

155

<term><option>checker<literal> = </literal><replaceable

156

>COMMAND</replaceable></option></term>

157

158

<para>

159

This option is <emphasis>optional</emphasis>.

160

</para>

181

161

<para>

182

162

This option allows you to override the default shell

183

163

command that the server will use to check if the client is

189

169

<varname>PATH</varname> will be searched. The default

190

170

value for the checker command is <quote><literal

191

171

><command>fping</command> <option>-q</option> <option

192

>--</option> %(host)s</literal></quote>.

172

>--</option> %%(host)s</literal></quote>.

193

173

</para>

194

174

<para>

195

175

In addition to normal start time expansion, this option

200

180

</varlistentry>

201

181

202

182

203

<term><literal>fingerprint</literal></term>

183

<term><option>fingerprint<literal> = </literal

184

><replaceable>HEXSTRING</replaceable></option></term>

204

185

205

<synopsis><literal>fingerprint = </literal><replaceable

206

>HEXSTRING</replaceable>

207

</synopsis>

186

<para>

187

This option is <emphasis>required</emphasis>.

188

</para>

208

189

<para>

209

190

This option sets the OpenPGP fingerprint that identifies

210

191

the public key that clients authenticate themselves with

215

196

</varlistentry>

216

197

217

198

218

<term><literal>secret</literal></term>

219

220

<synopsis><literal>secret = </literal><replaceable

221

>BASE64_ENCODED_DATA</replaceable>

222

</synopsis>

199

<term><option><literal>host = </literal><replaceable

200

>STRING</replaceable></option></term>

201

202

<para>

203

This option is <emphasis>optional</emphasis>, but highly

204

<emphasis>recommended</emphasis> unless the

205

<option>checker</option> option is modified to a

206

non-standard value without <quote>%%(host)s</quote> in it.

207

</para>

208

<para>

209

Host name for this client. This is not used by the server

210

directly, but can be, and is by default, used by the

211

checker. See the <option>checker</option> option.

212

</para>

213

</listitem>

214

</varlistentry>

215

216

217

<term><option>interval<literal> = </literal><replaceable

218

>TIME</replaceable></option></term>

219

220

<para>

221

This option is <emphasis>optional</emphasis>.

222

</para>

223

<para>

224

How often to run the checker to confirm that a client is

225

still up. <emphasis>Note:</emphasis> a new checker will

226

not be started if an old one is still running. The server

227

will wait for a checker to complete until the below

228

<quote><varname>timeout</varname></quote> occurs, at which

229

time the client will be disabled, and any running checker

230

killed. The default interval is 5 minutes.

231

</para>

232

<para>

233

The format of <replaceable>TIME</replaceable> is the same

234

as for <varname>timeout</varname> below.

235

</para>

236

</listitem>

237

</varlistentry>

238

239

240

<term><option>secfile<literal> = </literal><replaceable

241

>FILENAME</replaceable></option></term>

242

243

<para>

244

This option is only used if <option>secret</option> is not

245

specified, in which case this option is

246

<emphasis>required</emphasis>.

247

</para>

248

<para>

249

Similar to the <option>secret</option>, except the secret

250

data is in an external file. The contents of the file

251

should <emphasis>not</emphasis> be base64-encoded, but

252

will be sent to clients verbatim.

253

</para>

254

<para>

255

File names of the form <filename>~user/foo/bar</filename>

256

and <filename>$<envar>ENVVAR</envar>/foo/bar</filename>

257

are supported.

258

</para>

259

</listitem>

260

</varlistentry>

261

262

263

<term><option>secret<literal> = </literal><replaceable

264

>BASE64_ENCODED_DATA</replaceable></option></term>

265

266

<para>

267

If this option is not specified, the <option

268

>secfile</option> option is <emphasis>required</emphasis>

269

to be present.

270

</para>

223

271

<para>

224

272

If present, this option must be set to a string of

225

273

base64-encoded binary data. It will be decoded and sent

238

286

lines is that a line beginning with white space adds to

239

287

the value of the previous line, RFC 822-style.

240

288

</para>

241

<para>

242

If this option is not specified, the <option

243

>secfile</option> option is used instead, but one of them

244

<emphasis>must</emphasis> be present.

245

</para>

246

</listitem>

247

</varlistentry>

248

249

250

<term><literal>secfile</literal></term>

251

252

<synopsis><literal>secfile = </literal><replaceable

253

>FILENAME</replaceable>

254

</synopsis>

255

<para>

256

The same as <option>secret</option>, but the secret data

257

is in an external file. The contents of the file should

258

<emphasis>not</emphasis> be base64-encoded, but will be

259

sent to clients verbatim.

260

</para>

261

<para>

262

This option is only used, and <emphasis>must</emphasis> be

263

present, if <option>secret</option> is not specified.

264

</para>

265

</listitem>

266

</varlistentry>

267

268

269

270

271

<synopsis><literal>host = </literal><replaceable

272

>STRING</replaceable>

273

</synopsis>

274

<para>

275

Host name for this client. This is not used by the server

276

directly, but can be, and is by default, used by the

277

checker. See the <option>checker</option> option.

289

</listitem>

290

</varlistentry>

291

292

293

<term><option>timeout<literal> = </literal><replaceable

294

>TIME</replaceable></option></term>

295

296

<para>

297

This option is <emphasis>optional</emphasis>.

298

</para>

299

<para>

300

The timeout is how long the server will wait (for either a

301

successful checker run or a client receiving its secret)

302

until a client is disabled and not allowed to get the data

303

this server holds. By default Mandos will use 1 hour.

304

</para>

305

<para>

306

The <replaceable>TIME</replaceable> is specified as a

307

space-separated number of values, each of which is a

308

number and a one-character suffix. The suffix must be one

309

of <quote>d</quote>, <quote>s</quote>, <quote>m</quote>,

310

<quote>h</quote>, and <quote>w</quote> for days, seconds,

311

minutes, hours, and weeks, respectively. The values are

312

added together to give the total time value, so all of

313

<quote><literal>330s</literal></quote>,

314

<quote><literal>110s 110s 110s</literal></quote>, and

315

<quote><literal>5m 30s</literal></quote> will give a value

316

of five minutes and thirty seconds.

278

317

</para>

279

318

</listitem>

280

319

</varlistentry>

281

320

282

321

</variablelist>

283

</refsect1>

322

</refsect1>

284

323

285

324

286

325

<title>EXPANSION</title>

329

368

percent characters in a row (<quote>%%%%</quote>) must be

330

369

entered. Also, a bad format here will lead to an immediate

331

370

but <emphasis>silent</emphasis> run-time fatal exit; debug

332

mode is needed to track down an error of this kind.

371

mode is needed to expose an error of this kind.

333

372

</para>

334

373

</refsect2>

335

336

</refsect1>

374

375

</refsect1>

337

376

338

377

339

378

<title>FILES</title>

363

402

[DEFAULT]

364

403

timeout = 1h

365

404

interval = 5m

366

checker = fping -q -- %(host)s

405

checker = fping -q -- %%(host)s

367

406

368

407

# Client "foo"

369

408

[foo]

392

431

fingerprint = 3e393aeaefb84c7e89e2f547b3a107558fca3a27

393

432

secfile = /etc/mandos/bar-secret

394

433

timeout = 15m

395

434

approved_by_default = False

435

approval_delay = 30s

396

436

</programlisting>

397

437

</informalexample>

398

</refsect1>

438

</refsect1>

399

439

400

440

401

441

Older »