To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos.xml
- browse files at revision 481
- compare with another revision
- download diff
- download tarball
- view history from revision 481
- Committer: teddy at bsnet
- Date: 2011-03-21 19:34:39 UTC
- Revision ID: teddy@fukt.bsnet.se-20110321193439-lkj3kwvhmujd8lwv
* plugins.d/mandos-client.c (good_interface): Reject non-ARP
interfaces.
interfaces.
- files added:
- .bzr-builddeb
- debian
- debian/po
- debian/source
- files removed:
- plugins.d/usplash
- files renamed:
- plugins.d/password-request.c => plugins.d/mandos-client.c
- plugins.d/password-request.xml => plugins.d/mandos-client.xml
- files modified:
- Makefile
added
removed
mandos.xml
1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
<!ENTITY VERSION "1.0">
5
4
<!ENTITY COMMANDNAME "mandos">
6
<!ENTITY OVERVIEW SYSTEM "overview.xml">
5
<!ENTITY TIMESTAMP "2011-02-27">
6
<!ENTITY % common SYSTEM "common.ent">
7
%common;
7
8
]>
8
9
9
<refentry>
10
<refentryinfo>
11
<title>&COMMANDNAME;</title>
10
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
11
<refentryinfo>
12
<title>Mandos Manual</title>
12
13
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
13
<productname>&COMMANDNAME;</productname>
14
<productnumber>&VERSION;</productnumber>
14
<productname>Mandos</productname>
15
<productnumber>&version;</productnumber>
16
<date>&TIMESTAMP;</date>
15
17
<authorgroup>
16
18
<author>
17
19
<firstname>Björn</firstname>
30
32
</authorgroup>
31
33
<copyright>
32
34
<year>2008</year>
35
<year>2009</year>
36
<year>2010</year>
37
<year>2011</year>
33
38
<holder>Teddy Hogeborn</holder>
34
39
<holder>Björn Påhlsson</holder>
35
40
</copyright>
36
<legalnotice>
37
<para>
38
This manual page is free software: you can redistribute it
39
and/or modify it under the terms of the GNU General Public
40
License as published by the Free Software Foundation,
41
either version 3 of the License, or (at your option) any
42
later version.
43
</para>
44
45
<para>
46
This manual page is distributed in the hope that it will
47
be useful, but WITHOUT ANY WARRANTY; without even the
48
implied warranty of MERCHANTABILITY or FITNESS FOR A
49
PARTICULAR PURPOSE. See the GNU General Public License
50
for more details.
51
</para>
52
53
<para>
54
You should have received a copy of the GNU General Public
55
License along with this program; If not, see
56
<ulink url="http://www.gnu.org/licenses/"/>.
57
</para>
58
</legalnotice>
41
<xi:include href="legalnotice.xml"/>
59
42
</refentryinfo>
60
43
61
44
<refmeta>
62
45
<refentrytitle>&COMMANDNAME;</refentrytitle>
63
46
<manvolnum>8</manvolnum>
66
49
<refnamediv>
67
50
<refname><command>&COMMANDNAME;</command></refname>
68
51
<refpurpose>
69
Sends encrypted passwords to authenticated Mandos clients
52
Gives encrypted passwords to authenticated Mandos clients
70
53
</refpurpose>
71
54
</refnamediv>
72
55
73
56
<refsynopsisdiv>
74
57
<cmdsynopsis>
75
58
<command>&COMMANDNAME;</command>
76
<arg>--interface<arg choice="plain">IF</arg></arg>
77
<arg>--address<arg choice="plain">ADDRESS</arg></arg>
78
<arg>--port<arg choice="plain">PORT</arg></arg>
79
<arg>--priority<arg choice="plain">PRIORITY</arg></arg>
80
<arg>--servicename<arg choice="plain">NAME</arg></arg>
81
<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>
82
<arg>--debug</arg>
83
</cmdsynopsis>
84
<cmdsynopsis>
85
<command>&COMMANDNAME;</command>
86
<arg>-i<arg choice="plain">IF</arg></arg>
87
<arg>-a<arg choice="plain">ADDRESS</arg></arg>
88
<arg>-p<arg choice="plain">PORT</arg></arg>
89
<arg>--priority<arg choice="plain">PRIORITY</arg></arg>
90
<arg>--servicename<arg choice="plain">NAME</arg></arg>
91
<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>
92
<arg>--debug</arg>
59
<group>
60
<arg choice="plain"><option>--interface
61
<replaceable>NAME</replaceable></option></arg>
62
<arg choice="plain"><option>-i
63
<replaceable>NAME</replaceable></option></arg>
64
</group>
65
<sbr/>
66
<group>
67
<arg choice="plain"><option>--address
68
<replaceable>ADDRESS</replaceable></option></arg>
69
<arg choice="plain"><option>-a
70
<replaceable>ADDRESS</replaceable></option></arg>
71
</group>
72
<sbr/>
73
<group>
74
<arg choice="plain"><option>--port
75
<replaceable>PORT</replaceable></option></arg>
76
<arg choice="plain"><option>-p
77
<replaceable>PORT</replaceable></option></arg>
78
</group>
79
<sbr/>
80
<arg><option>--priority
81
<replaceable>PRIORITY</replaceable></option></arg>
82
<sbr/>
83
<arg><option>--servicename
84
<replaceable>NAME</replaceable></option></arg>
85
<sbr/>
86
<arg><option>--configdir
87
<replaceable>DIRECTORY</replaceable></option></arg>
88
<sbr/>
89
<arg><option>--debug</option></arg>
90
<sbr/>
91
<arg><option>--debuglevel
92
<replaceable>LEVEL</replaceable></option></arg>
93
<sbr/>
94
<arg><option>--no-dbus</option></arg>
95
<sbr/>
96
<arg><option>--no-ipv6</option></arg>
93
97
</cmdsynopsis>
94
98
<cmdsynopsis>
95
99
<command>&COMMANDNAME;</command>
96
100
<group choice="req">
97
<arg choice="plain">-h</arg>
98
<arg choice="plain">--help</arg>
101
<arg choice="plain"><option>--help</option></arg>
102
<arg choice="plain"><option>-h</option></arg>
99
103
</group>
100
104
</cmdsynopsis>
101
105
<cmdsynopsis>
102
106
<command>&COMMANDNAME;</command>
103
<arg choice="plain">--version</arg>
107
<arg choice="plain"><option>--version</option></arg>
104
108
</cmdsynopsis>
105
109
<cmdsynopsis>
106
110
<command>&COMMANDNAME;</command>
107
<arg choice="plain">--check</arg>
111
<arg choice="plain"><option>--check</option></arg>
108
112
</cmdsynopsis>
109
113
</refsynopsisdiv>
110
114
111
115
<refsect1 id="description">
112
116
<title>DESCRIPTION</title>
113
117
<para>
122
126
Any authenticated client is then given the stored pre-encrypted
123
127
password for that specific client.
124
128
</para>
125
126
129
</refsect1>
127
130
128
131
<refsect1 id="purpose">
129
132
<title>PURPOSE</title>
130
131
133
<para>
132
134
The purpose of this is to enable <emphasis>remote and unattended
133
135
rebooting</emphasis> of client host computer with an
134
136
<emphasis>encrypted root file system</emphasis>. See <xref
135
137
linkend="overview"/> for details.
136
138
</para>
137
138
139
</refsect1>
139
140
140
141
<refsect1 id="options">
141
142
<title>OPTIONS</title>
142
143
143
<variablelist>
144
144
<varlistentry>
145
<term><literal>-h</literal>, <literal>--help</literal></term>
145
<term><option>--help</option></term>
146
<term><option>-h</option></term>
146
147
<listitem>
147
148
<para>
148
149
Show a help message and exit
149
150
</para>
150
151
</listitem>
151
152
</varlistentry>
152
153
<varlistentry>
154
<term><literal>-i</literal>, <literal>--interface <replaceable>
155
IF</replaceable></literal></term>
156
<listitem>
157
<para>
158
Only announce the server and listen to requests on network
159
interface <replaceable>IF</replaceable>. Default is to
160
use all available interfaces. <emphasis>Note:</emphasis>
161
a failure to bind to the specified interface is not
162
considered critical, and the server does not exit.
163
</para>
164
</listitem>
165
</varlistentry>
166
167
<varlistentry>
168
<term><literal>-a</literal>, <literal>--address <replaceable>
169
ADDRESS</replaceable></literal></term>
170
<listitem>
171
<para>
172
If this option is used, the server will only listen to a
173
specific address. This must currently be an IPv6 address;
174
an IPv4 address can be specified using the
175
<quote><literal>::FFFF:192.0.2.3</literal></quote> syntax.
176
Also, if a link-local address is specified, an interface
177
should be set, since a link-local address is only valid on
178
a single interface. By default, the server will listen to
179
all available addresses.
180
</para>
181
</listitem>
182
</varlistentry>
183
184
<varlistentry>
185
<term><literal>-p</literal>, <literal>--port <replaceable>
186
PORT</replaceable></literal></term>
187
<listitem>
188
<para>
189
If this option is used, the server to bind to that
190
port. By default, the server will listen to an arbitrary
191
port given by the operating system.
192
</para>
193
</listitem>
194
</varlistentry>
195
196
<varlistentry>
197
<term><literal>--check</literal></term>
153
154
<varlistentry>
155
<term><option>--interface</option>
156
<replaceable>NAME</replaceable></term>
157
<term><option>-i</option>
158
<replaceable>NAME</replaceable></term>
159
<listitem>
160
<xi:include href="mandos-options.xml" xpointer="interface"/>
161
</listitem>
162
</varlistentry>
163
164
<varlistentry>
165
<term><option>--address
166
<replaceable>ADDRESS</replaceable></option></term>
167
<term><option>-a
168
<replaceable>ADDRESS</replaceable></option></term>
169
<listitem>
170
<xi:include href="mandos-options.xml" xpointer="address"/>
171
</listitem>
172
</varlistentry>
173
174
<varlistentry>
175
<term><option>--port
176
<replaceable>PORT</replaceable></option></term>
177
<term><option>-p
178
<replaceable>PORT</replaceable></option></term>
179
<listitem>
180
<xi:include href="mandos-options.xml" xpointer="port"/>
181
</listitem>
182
</varlistentry>
183
184
<varlistentry>
185
<term><option>--check</option></term>
198
186
<listitem>
199
187
<para>
200
188
Run the server’s self-tests. This includes any unit
202
190
</para>
203
191
</listitem>
204
192
</varlistentry>
205
206
<varlistentry>
207
<term><literal>--debug</literal></term>
208
<listitem>
209
<para>
210
If the server is run in debug mode, it will run in the
211
foreground and print a lot of debugging information. The
212
default is <emphasis>not</emphasis> to run in debug mode.
213
</para>
214
</listitem>
215
</varlistentry>
216
217
<varlistentry>
218
<term><literal>--priority <replaceable>
219
PRIORITY</replaceable></literal></term>
220
<listitem>
221
<para>
222
GnuTLS priority string for the TLS handshake with the
223
clients. The default is
224
<quote><literal>SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP</literal></quote>.
225
See <citerefentry><refentrytitle>gnutls_priority_init
226
</refentrytitle><manvolnum>3</manvolnum></citerefentry>
227
for the syntax. <emphasis>Warning</emphasis>: changing
228
this may make the TLS handshake fail, making communication
229
with clients impossible.
230
</para>
231
</listitem>
232
</varlistentry>
233
234
<varlistentry>
235
<term><literal>--servicename <replaceable>NAME</replaceable>
236
</literal></term>
237
<listitem>
238
<para>
239
Zeroconf service name. The default is
240
<quote><literal>Mandos</literal></quote>. You only need
241
to change this if you for some reason want to run more
242
than one server on the same <emphasis>host</emphasis>,
243
which would not normally be useful. If there are name
244
collisions on the same <emphasis>network</emphasis>, the
245
newer server will automatically rename itself to
246
<quote><literal>Mandos #2</literal></quote>, and so on;
247
therefore, this option is not needed in that case.
248
</para>
249
</listitem>
250
</varlistentry>
251
252
<varlistentry>
253
<term><literal>--configdir <replaceable>DIR</replaceable>
254
</literal></term>
193
194
<varlistentry>
195
<term><option>--debug</option></term>
196
<listitem>
197
<xi:include href="mandos-options.xml" xpointer="debug"/>
198
</listitem>
199
</varlistentry>
200
201
<varlistentry>
202
<term><option>--debuglevel
203
<replaceable>LEVEL</replaceable></option></term>
204
<listitem>
205
<para>
206
Set the debugging log level.
207
<replaceable>LEVEL</replaceable> is a string, one of
208
<quote><literal>CRITICAL</literal></quote>,
209
<quote><literal>ERROR</literal></quote>,
210
<quote><literal>WARNING</literal></quote>,
211
<quote><literal>INFO</literal></quote>, or
212
<quote><literal>DEBUG</literal></quote>, in order of
213
increasing verbosity. The default level is
214
<quote><literal>WARNING</literal></quote>.
215
</para>
216
</listitem>
217
</varlistentry>
218
219
<varlistentry>
220
<term><option>--priority <replaceable>
221
PRIORITY</replaceable></option></term>
222
<listitem>
223
<xi:include href="mandos-options.xml" xpointer="priority"/>
224
</listitem>
225
</varlistentry>
226
227
<varlistentry>
228
<term><option>--servicename
229
<replaceable>NAME</replaceable></option></term>
230
<listitem>
231
<xi:include href="mandos-options.xml"
232
xpointer="servicename"/>
233
</listitem>
234
</varlistentry>
235
236
<varlistentry>
237
<term><option>--configdir
238
<replaceable>DIRECTORY</replaceable></option></term>
255
239
<listitem>
256
240
<para>
257
241
Directory to search for configuration files. Default is
263
247
</para>
264
248
</listitem>
265
249
</varlistentry>
266
250
267
251
<varlistentry>
268
<term><literal>--version</literal></term>
252
<term><option>--version</option></term>
269
253
<listitem>
270
254
<para>
271
255
Prints the program version and exit.
272
256
</para>
273
257
</listitem>
274
258
</varlistentry>
259
260
<varlistentry>
261
<term><option>--no-dbus</option></term>
262
<listitem>
263
<xi:include href="mandos-options.xml" xpointer="dbus"/>
264
<para>
265
See also <xref linkend="dbus_interface"/>.
266
</para>
267
</listitem>
268
</varlistentry>
269
270
<varlistentry>
271
<term><option>--no-ipv6</option></term>
272
<listitem>
273
<xi:include href="mandos-options.xml" xpointer="ipv6"/>
274
</listitem>
275
</varlistentry>
275
276
</variablelist>
276
277
</refsect1>
277
278
278
279
<refsect1 id="overview">
279
280
<title>OVERVIEW</title>
280
&OVERVIEW;
281
<xi:include href="overview.xml"/>
281
282
<para>
282
283
This program is the server part. It is a normal server program
283
284
and will run in a normal system environment, not in an initial
284
RAM disk environment.
285
<acronym>RAM</acronym> disk environment.
285
286
</para>
286
287
</refsect1>
287
288
288
289
<refsect1 id="protocol">
289
290
<title>NETWORK PROTOCOL</title>
290
291
<para>
316
317
<entry>-><!-- → --></entry>
317
318
</row>
318
319
<row>
319
<entry><quote><literal>1\r\en</literal></quote></entry>
320
<entry><quote><literal>1\r\n</literal></quote></entry>
320
321
<entry>-><!-- → --></entry>
321
322
</row>
322
323
<row>
342
343
</row>
343
344
</tbody></tgroup></table>
344
345
</refsect1>
345
346
346
347
<refsect1 id="checking">
347
348
<title>CHECKING</title>
348
349
<para>
349
350
The server will, by default, continually check that the clients
350
351
are still up. If a client has not been confirmed as being up
351
352
for some time, the client is assumed to be compromised and is no
352
longer eligible to receive the encrypted password. The timeout,
353
longer eligible to receive the encrypted password. (Manual
354
intervention is required to re-enable a client.) The timeout,
353
355
checker program, and interval between checks can be configured
354
356
both globally and per client; see <citerefentry>
355
<refentrytitle>mandos.conf</refentrytitle>
356
<manvolnum>5</manvolnum></citerefentry> and <citerefentry>
357
<refentrytitle>mandos-clients.conf</refentrytitle>
358
<manvolnum>5</manvolnum></citerefentry>.
359
</para>
360
</refsect1>
361
357
<refentrytitle>mandos-clients.conf</refentrytitle>
358
<manvolnum>5</manvolnum></citerefentry>. A client successfully
359
receiving its password will also be treated as a successful
360
checker run.
361
</para>
362
</refsect1>
363
364
<refsect1 id="approval">
365
<title>APPROVAL</title>
366
<para>
367
The server can be configured to require manual approval for a
368
client before it is sent its secret. The delay to wait for such
369
approval and the default action (approve or deny) can be
370
configured both globally and per client; see <citerefentry>
371
<refentrytitle>mandos-clients.conf</refentrytitle>
372
<manvolnum>5</manvolnum></citerefentry>. By default all clients
373
will be approved immediately without delay.
374
</para>
375
<para>
376
This can be used to deny a client its secret if not manually
377
approved within a specified time. It can also be used to make
378
the server delay before giving a client its secret, allowing
379
optional manual denying of this specific client.
380
</para>
381
382
</refsect1>
383
362
384
<refsect1 id="logging">
363
385
<title>LOGGING</title>
364
386
<para>
365
The server will send log messaged with various severity levels
366
to <filename>/dev/log</filename>. With the
387
The server will send log message with various severity levels to
388
<filename>/dev/log</filename>. With the
367
389
<option>--debug</option> option, it will log even more messages,
368
390
and also show them on the console.
369
391
</para>
370
392
</refsect1>
371
393
394
<refsect1 id="dbus_interface">
395
<title>D-BUS INTERFACE</title>
396
<para>
397
The server will by default provide a D-Bus system bus interface.
398
This interface will only be accessible by the root user or a
399
Mandos-specific user, if such a user exists. For documentation
400
of the D-Bus API, see the file <filename>DBUS-API</filename>.
401
</para>
402
</refsect1>
403
372
404
<refsect1 id="exit_status">
373
405
<title>EXIT STATUS</title>
374
406
<para>
376
408
critical error is encountered.
377
409
</para>
378
410
</refsect1>
379
411
380
412
<refsect1 id="environment">
381
413
<title>ENVIRONMENT</title>
382
414
<variablelist>
383
415
<varlistentry>
384
<term><varname>PATH</varname></term>
416
<term><envar>PATH</envar></term>
385
417
<listitem>
386
418
<para>
387
419
To start the configured checker (see <xref
390
422
<varname>PATH</varname> to search for matching commands if
391
423
an absolute path is not given. See <citerefentry>
392
424
<refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
393
</citerefentry>
425
</citerefentry>.
394
426
</para>
395
427
</listitem>
396
428
</varlistentry>
397
429
</variablelist>
398
430
</refsect1>
399
400
<refsect1 id="file">
431
432
<refsect1 id="files">
401
433
<title>FILES</title>
402
434
<para>
403
435
Use the <option>--configdir</option> option to change where
426
458
</listitem>
427
459
</varlistentry>
428
460
<varlistentry>
429
<term><filename>/var/run/mandos/mandos.pid</filename></term>
461
<term><filename>/var/run/mandos.pid</filename></term>
430
462
<listitem>
431
463
<para>
432
The file containing the process id of
433
<command>&COMMANDNAME;</command>.
464
The file containing the process id of the
465
<command>&COMMANDNAME;</command> process started last.
434
466
</para>
435
467
</listitem>
436
468
</varlistentry>
464
496
backtrace. This could be considered a feature.
465
497
</para>
466
498
<para>
467
Currently, if a client is declared <quote>invalid</quote> due to
468
having timed out, the server does not record this fact onto
469
permanent storage. This has some security implications, see
470
<xref linkend="CLIENTS"/>.
471
</para>
472
<para>
473
There is currently no way of querying the server of the current
474
status of clients, other than analyzing its <systemitem
475
class="service">syslog</systemitem> output.
499
Currently, if a client is disabled due to having timed out, the
500
server does not record this fact onto permanent storage. This
501
has some security implications, see <xref linkend="clients"/>.
476
502
</para>
477
503
<para>
478
504
There is no fine-grained control over logging and debug output.
481
507
Debug mode is conflated with running in the foreground.
482
508
</para>
483
509
<para>
484
The console log messages does not show a timestamp.
510
The console log messages do not show a time stamp.
511
</para>
512
<para>
513
This server does not check the expire time of clients’ OpenPGP
514
keys.
485
515
</para>
486
516
</refsect1>
487
517
492
522
Normal invocation needs no options:
493
523
</para>
494
524
<para>
495
<userinput>mandos</userinput>
525
<userinput>&COMMANDNAME;</userinput>
496
526
</para>
497
527
</informalexample>
498
528
<informalexample>
505
535
<para>
506
536
507
537
<!-- do not wrap this line -->
508
<userinput>mandos --debug --configdir ~/mandos --servicename Test</userinput>
538
<userinput>&COMMANDNAME; --debug --configdir ~/mandos --servicename Test</userinput>
509
539
510
540
</para>
511
541
</informalexample>
517
547
<para>
518
548
519
549
<!-- do not wrap this line -->
520
<userinput>mandos --interface eth7 --address fe80::aede:48ff:fe71:f6f2</userinput>
550
<userinput>&COMMANDNAME; --interface eth7 --address fe80::aede:48ff:fe71:f6f2</userinput>
521
551
522
552
</para>
523
553
</informalexample>
524
554
</refsect1>
525
555
526
556
<refsect1 id="security">
527
557
<title>SECURITY</title>
528
<refsect2 id="SERVER">
558
<refsect2 id="server">
529
559
<title>SERVER</title>
530
560
<para>
531
561
Running this <command>&COMMANDNAME;</command> server program
532
562
should not in itself present any security risk to the host
533
computer running it. The program does not need any special
534
privileges to run, and is designed to run as a non-root user.
563
computer running it. The program switches to a non-root user
564
soon after startup.
535
565
</para>
536
566
</refsect2>
537
<refsect2 id="CLIENTS">
567
<refsect2 id="clients">
538
568
<title>CLIENTS</title>
539
569
<para>
540
570
The server only gives out its stored data to clients which
547
577
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
548
578
<manvolnum>5</manvolnum></citerefentry>)
549
579
<emphasis>must</emphasis> be made non-readable by anyone
550
except the user running the server.
580
except the user starting the server (usually root).
551
581
</para>
552
582
<para>
553
583
As detailed in <xref linkend="checking"/>, the status of all
556
586
</para>
557
587
<para>
558
588
If a client is compromised, its downtime should be duly noted
559
by the server which would therefore declare the client
560
invalid. But if the server was ever restarted, it would
561
re-read its client list from its configuration file and again
562
regard all clients therein as valid, and hence eligible to
563
receive their passwords. Therefore, be careful when
564
restarting servers if you suspect that a client has, in fact,
565
been compromised by parties who may now be running a fake
566
Mandos client with the keys from the non-encrypted initial RAM
589
by the server which would therefore disable the client. But
590
if the server was ever restarted, it would re-read its client
591
list from its configuration file and again regard all clients
592
therein as enabled, and hence eligible to receive their
593
passwords. Therefore, be careful when restarting servers if
594
it is suspected that a client has, in fact, been compromised
595
by parties who may now be running a fake Mandos client with
596
the keys from the non-encrypted initial <acronym>RAM</acronym>
567
597
image of the client host. What should be done in that case
568
598
(if restarting the server program really is necessary) is to
569
599
stop the server program, edit the configuration file to omit
571
601
</para>
572
602
<para>
573
603
For more details on client-side security, see
574
<citerefentry><refentrytitle>password-request</refentrytitle>
604
<citerefentry><refentrytitle>mandos-client</refentrytitle>
575
605
<manvolnum>8mandos</manvolnum></citerefentry>.
576
606
</para>
577
607
</refsect2>
578
608
</refsect1>
579
609
580
610
<refsect1 id="see_also">
581
611
<title>SEE ALSO</title>
612
<para>
613
<citerefentry>
614
<refentrytitle>mandos-clients.conf</refentrytitle>
615
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
616
<refentrytitle>mandos.conf</refentrytitle>
617
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
618
<refentrytitle>mandos-client</refentrytitle>
619
<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>
620
<refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
621
</citerefentry>
622
</para>
582
623
<variablelist>
583
624
<varlistentry>
584
625
<term>
585
<citerefentry>
586
<refentrytitle>password-request</refentrytitle>
587
<manvolnum>8mandos</manvolnum>
588
</citerefentry>
589
</term>
590
<listitem>
591
<para>
592
This is the actual program which talks to this server.
593
Note that it is normally not invoked directly, and is only
594
run in the initial RAM disk environment, and not on a
595
fully started system.
596
</para>
597
</listitem>
598
</varlistentry>
599
<varlistentry>
600
<term>
601
626
<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>
602
627
</term>
603
628
<listitem>
620
645
</varlistentry>
621
646
<varlistentry>
622
647
<term>
623
<ulink
624
url="http://www.gnu.org/software/gnutls/">GnuTLS</ulink>
648
<ulink url="http://www.gnu.org/software/gnutls/"
649
>GnuTLS</ulink>
625
650
</term>
626
651
<listitem>
627
652
<para>
633
658
</varlistentry>
634
659
<varlistentry>
635
660
<term>
636
<citation>RFC 4291: <citetitle>IP Version 6 Addressing
637
Architecture</citetitle>, section 2.5.6, Link-Local IPv6
638
Unicast Addresses</citation>
661
RFC 4291: <citetitle>IP Version 6 Addressing
662
Architecture</citetitle>
639
663
</term>
640
664
<listitem>
641
<para>
642
The clients use IPv6 link-local addresses, which are
643
immediately usable since a link-local addresses is
644
automatically assigned to a network interfaces when it is
645
brought up.
646
</para>
665
<variablelist>
666
<varlistentry>
667
<term>Section 2.2: <citetitle>Text Representation of
668
Addresses</citetitle></term>
669
<listitem><para/></listitem>
670
</varlistentry>
671
<varlistentry>
672
<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6
673
Address</citetitle></term>
674
<listitem><para/></listitem>
675
</varlistentry>
676
<varlistentry>
677
<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast
678
Addresses</citetitle></term>
679
<listitem>
680
<para>
681
The clients use IPv6 link-local addresses, which are
682
immediately usable since a link-local addresses is
683
automatically assigned to a network interfaces when it
684
is brought up.
685
</para>
686
</listitem>
687
</varlistentry>
688
</variablelist>
647
689
</listitem>
648
690
</varlistentry>
649
691
<varlistentry>
650
692
<term>
651
<citation>RFC 4346: <citetitle>The Transport Layer Security
652
(TLS) Protocol Version 1.1</citetitle></citation>
693
RFC 4346: <citetitle>The Transport Layer Security (TLS)
694
Protocol Version 1.1</citetitle>
653
695
</term>
654
696
<listitem>
655
697
<para>
659
701
</varlistentry>
660
702
<varlistentry>
661
703
<term>
662
<citation>RFC 4880: <citetitle>OpenPGP Message
663
Format</citetitle></citation>
704
RFC 4880: <citetitle>OpenPGP Message Format</citetitle>
664
705
</term>
665
706
<listitem>
666
707
<para>
670
711
</varlistentry>
671
712
<varlistentry>
672
713
<term>
673
<citation>RFC 5081: <citetitle>Using OpenPGP Keys for
674
Transport Layer Security</citetitle></citation>
714
RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer
715
Security</citetitle>
675
716
</term>
676
717
<listitem>
677
718
<para>
683
724
</variablelist>
684
725
</refsect1>
685
726
</refentry>
727
<!-- Local Variables: -->
728
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
729
<!-- time-stamp-end: "[\"']>" -->
730
<!-- time-stamp-format: "%:y-%02m-%02d" -->
731
<!-- End: -->
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0