/mandos/trunk : revision 519

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2011-10-22 00:47:58 UTC
mfrom: (505.1.20 teddy)
Revision ID: teddy@recompile.se-20111022004758-cypxz7o293e6rvc4

Clean up logging.

files removed:
debian/mandos-client.examples

debian/upstream

debian/upstream/signing-key.asc

initramfs-unpack

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2015-12-06">

<!ENTITY TIMESTAMP "2011-10-22">

<!ENTITY % common SYSTEM "common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<sbr/>

100

101

<sbr/>

102

<arg><option>--no-restore</option></arg>

103

<sbr/>

104

<arg><option>--statedir

105

<replaceable>DIRECTORY</replaceable></option></arg>

106

<sbr/>

107

<arg><option>--socket

108

109

<sbr/>

110

<arg><option>--foreground</option></arg>

111

<sbr/>

112

<arg><option>--no-zeroconf</option></arg>

113

</cmdsynopsis>

114

115

<command>&COMMANDNAME;</command>

291

275

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

292

276

</listitem>

293

277

</varlistentry>

294

295

296

<term><option>--no-restore</option></term>

297

298

<xi:include href="mandos-options.xml" xpointer="restore"/>

299

<para>

300

See also <xref linkend="persistent_state"/>.

301

</para>

302

</listitem>

303

</varlistentry>

304

305

306

<term><option>--statedir

307

<replaceable>DIRECTORY</replaceable></option></term>

308

309

<xi:include href="mandos-options.xml" xpointer="statedir"/>

310

</listitem>

311

</varlistentry>

312

313

314

<term><option>--socket

315

316

317

<xi:include href="mandos-options.xml" xpointer="socket"/>

318

</listitem>

319

</varlistentry>

320

321

322

<term><option>--foreground</option></term>

323

324

<xi:include href="mandos-options.xml"

325

xpointer="foreground"/>

326

</listitem>

327

</varlistentry>

328

329

330

<term><option>--no-zeroconf</option></term>

331

332

<xi:include href="mandos-options.xml" xpointer="zeroconf"/>

333

</listitem>

334

</varlistentry>

335

336

278

</variablelist>

337

279

</refsect1>

338

280

415

357

extended timeout, checker program, and interval between checks

416

358

can be configured both globally and per client; see

417

359

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

418

<manvolnum>5</manvolnum></citerefentry>.

360

<manvolnum>5</manvolnum></citerefentry>. A client successfully

361

receiving its password will also be treated as a successful

362

checker run.

419

363

</para>

420

364

</refsect1>

421

365

443

387

<title>LOGGING</title>

444

388

<para>

445

389

The server will send log message with various severity levels to

446

<filename class="devicefile">/dev/log</filename>. With the

390

<filename>/dev/log</filename>. With the

447

391

<option>--debug</option> option, it will log even more messages,

448

392

and also show them on the console.

449

393

</para>

450

394

</refsect1>

451

395

452

453

<title>PERSISTENT STATE</title>

454

<para>

455

Client settings, initially read from

456

<filename>clients.conf</filename>, are persistent across

457

restarts, and run-time changes will override settings in

458

<filename>clients.conf</filename>. However, if a setting is

459

<emphasis>changed</emphasis> (or a client added, or removed) in

460

<filename>clients.conf</filename>, this will take precedence.

461

</para>

462

</refsect1>

463

464

396

465

397

<title>D-BUS INTERFACE</title>

466

398

<para>

528

460

</listitem>

529

461

</varlistentry>

530

462

531

<term><filename>/run/mandos.pid</filename></term>

463

<term><filename>/var/run/mandos.pid</filename></term>

532

464

533

465

<para>

534

466

The file containing the process id of the

535

467

<command>&COMMANDNAME;</command> process started last.

536

<emphasis >Note:</emphasis> If the <filename

537

class="directory">/run</filename> directory does not

538

exist, <filename>/var/run/mandos.pid</filename> will be

539

used instead.

540

</para>

541

</listitem>

542

</varlistentry>

543

544

<term><filename

545

class="directory">/var/lib/mandos</filename></term>

546

547

<para>

548

Directory where persistent state will be saved. Change

549

this with the <option>--statedir</option> option. See

550

also the <option>--no-restore</option> option.

551

</para>

552

</listitem>

553

</varlistentry>

554

555

468

</para>

469

</listitem>

470

</varlistentry>

471

472

556

473

557

474

<para>

558

475

The Unix domain socket to where local syslog messages are

581

498

backtrace. This could be considered a feature.

582

499

</para>

583

500

<para>

501

Currently, if a client is disabled due to having timed out, the

502

server does not record this fact onto permanent storage. This

503

has some security implications, see <xref linkend="clients"/>.

504

</para>

505

<para>

584

506

There is no fine-grained control over logging and debug output.

585

507

</para>

586

508

<para>

509

Debug mode is conflated with running in the foreground.

510

</para>

511

<para>

587

512

This server does not check the expire time of clients’ OpenPGP

588

513

keys.

589

514

</para>

602

527

603

528

<para>

604

529

Run the server in debug mode, read configuration files from

605

the <filename class="directory">~/mandos</filename> directory,

606

and use the Zeroconf service name <quote>Test</quote> to not

607

collide with any other official Mandos server on this host:

530

the <filename>~/mandos</filename> directory, and use the

531

Zeroconf service name <quote>Test</quote> to not collide with

532

any other official Mandos server on this host:

608

533

</para>

609

534

<para>

610

535

659

584

compromised if they are gone for too long.

660

585

</para>

661

586

<para>

587

If a client is compromised, its downtime should be duly noted

588

by the server which would therefore disable the client. But

589

if the server was ever restarted, it would re-read its client

590

list from its configuration file and again regard all clients

591

therein as enabled, and hence eligible to receive their

592

passwords. Therefore, be careful when restarting servers if

593

it is suspected that a client has, in fact, been compromised

594

by parties who may now be running a fake Mandos client with

595

the keys from the non-encrypted initial <acronym>RAM</acronym>

596

image of the client host. What should be done in that case

597

(if restarting the server program really is necessary) is to

598

stop the server program, edit the configuration file to omit

599

any suspect clients, and restart the server program.

600

</para>

601

<para>

662

602

For more details on client-side security, see

663

603

<citerefentry><refentrytitle>mandos-client</refentrytitle>

664

604

<manvolnum>8mandos</manvolnum></citerefentry>.

705

645

</varlistentry>

706

646

707

647

<term>

708

<ulink url="http://gnutls.org/">GnuTLS</ulink>

648

<ulink url="http://www.gnu.org/software/gnutls/"

649

>GnuTLS</ulink>

709

650

</term>

710

651

711

652

<para>

749

690

</varlistentry>

750

691

751

692

<term>

752

RFC 5246: <citetitle>The Transport Layer Security (TLS)

753

Protocol Version 1.2</citetitle>

693

RFC 4346: <citetitle>The Transport Layer Security (TLS)

694

Protocol Version 1.1</citetitle>

754

695

</term>

755

696

756

697

<para>

757

TLS 1.2 is the protocol implemented by GnuTLS.

698

TLS 1.1 is the protocol implemented by GnuTLS.

758

699

</para>

759

700

</listitem>

760

701

</varlistentry>

770

711

</varlistentry>

771

712

772

713

<term>

773

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

774

Security (TLS) Authentication</citetitle>

714

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

715

Security</citetitle>

775

716

</term>

776

717

777

718

<para>

Older »