/mandos/trunk : revision 535.1.8

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-clients.conf.xml

Committer: teddy at recompile
Date: 2011-12-31 13:25:58 UTC
mto: This revision was merged to the branch mainline in revision 541.
Revision ID: teddy@recompile.se-20111231132558-z0dh7qgofgctmgri

* network-hooks.s/bridge: Don't use interface names directly; search
                          for interface names using their address.
  (addrtoif): New function.
* network-hooks.s/bridge.conf (PORTS): Removed.
  (PORT_ADDRESSES): New.
* network-hooks.s/wireless: Don't use interface names directly; search
                            for interface names using their address.
  (addrtoif): New function.
* network-hooks.s/wireless.conf: Specify address.

files added:
initramfs-tools-hook-conf

files removed:
bugs.xml

debian/mandos-client.examples

debian/mandos-client.templates

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/es.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream

debian/upstream/metadata

debian/upstream/signing-key.asc

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

mandos-to-cryptroot-unlock

mandos.service

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-clients.conf.xml

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY CONFNAME "mandos-clients.conf">

<!ENTITY CONFPATH "<filename>/etc/mandos/clients.conf</filename>">

<!ENTITY TIMESTAMP "2019-02-10">

<!ENTITY TIMESTAMP "2011-11-26">

<!ENTITY % common SYSTEM "common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

><refentrytitle>mandos</refentrytitle>

<manvolnum>8</manvolnum></citerefentry>, read by it at startup.

The file needs to list all clients that should be able to use

the service. The settings in this file can be overridden by

runtime changes to the server, which it saves across restarts.

(See the section called <quote>PERSISTENT STATE</quote> in

<citerefentry><refentrytitle>mandos</refentrytitle><manvolnum

>8</manvolnum></citerefentry>.) However, any <emphasis

>changes</emphasis> to this file (including adding and removing

clients) will, at startup, override changes done during runtime.

the service. All clients listed will be regarded as enabled,

even if a client was disabled in a previous run of the server.

</para>

<para>

The format starts with a <literal>[<replaceable>section

124

111

<para>

125

112

How long to wait for external approval before resorting to

126

113

use the <option>approved_by_default</option> value. The

127

default is <quote>PT0S</quote>, i.e. not to wait.

114

default is <quote>0s</quote>, i.e. not to wait.

128

115

</para>

129

116

<para>

130

117

The format of <replaceable>TIME</replaceable> is the same

174

161

This option is <emphasis>optional</emphasis>.

175

162

</para>

176

163

<para>

177

This option overrides the default shell command that the

178

server will use to check if the client is still up. Any

179

output of the command will be ignored, only the exit code

180

is checked: If the exit code of the command is zero, the

181

client is considered up. The command will be run using

182

164

This option allows you to override the default shell

165

command that the server will use to check if the client is

166

still up. Any output of the command will be ignored, only

167

the exit code is checked: If the exit code of the command

168

is zero, the client is considered up. The command will be

169

run using <quote><command><filename>/bin/sh</filename>

183

170

<option>-c</option></command></quote>, so

184

171

<varname>PATH</varname> will be searched. The default

185

172

value for the checker command is <quote><literal

186

173

><command>fping</command> <option>-q</option> <option

187

>--</option> %%(host)s</literal></quote>. Note that

188

<command>mandos-keygen</command>, when generating output

189

to be inserted into this file, normally looks for an SSH

190

server on the Mandos client, and, if it finds one, outputs

191

a <option>checker</option> option to check for the

192

client’s SSH key fingerprint – this is more secure against

193

spoofing.

174

>--</option> %%(host)s</literal></quote>.

194

175

</para>

195

176

<para>

196

177

In addition to normal start time expansion, this option

228

209

><replaceable>HEXSTRING</replaceable></option></term>

229

210

230

211

<para>

231

This option is <emphasis>required</emphasis> if the

232

<option>key_id</option> is not set, and

233

<emphasis>optional</emphasis> otherwise.

234

</para>

235

<para>

236

This option sets the OpenPGP fingerprint that (before

237

GnuTLS 3.6.0) identified the public key that clients

238

authenticate themselves with through TLS. The string

239

needs to be in hexadecimal form, but spaces or upper/lower

240

case are not significant.

241

</para>

242

</listitem>

243

</varlistentry>

244

245

246

<term><option>key_id<literal> = </literal

247

><replaceable>HEXSTRING</replaceable></option></term>

248

249

<para>

250

This option is <emphasis>required</emphasis> if the

251

<option>fingerprint</option> is not set, and

252

<emphasis>optional</emphasis> otherwise.

253

</para>

254

<para>

255

This option sets the certificate key ID that (with GnuTLS

256

3.6.6 or later) identifies the public key that clients

257

authenticate themselves with through TLS. The string

258

needs to be in hexadecimal form, but spaces or upper/lower

259

case are not significant.

212

This option is <emphasis>required</emphasis>.

213

</para>

214

<para>

215

This option sets the OpenPGP fingerprint that identifies

216

the public key that clients authenticate themselves with

217

through TLS. The string needs to be in hexidecimal form,

218

but spaces or upper/lower case are not significant.

260

219

</para>

261

220

</listitem>

262

221

</varlistentry>

337

296

<para>

338

297

If present, this option must be set to a string of

339

298

base64-encoded binary data. It will be decoded and sent

340

to the client matching the above <option>key_id</option>

341

or <option>fingerprint</option>. This should, of course,

342

be OpenPGP encrypted data, decryptable only by the client.

299

to the client matching the above

300

<option>fingerprint</option>. This should, of course, be

301

OpenPGP encrypted data, decryptable only by the client.

343

302

The program <citerefentry><refentrytitle><command

344

303

>mandos-keygen</command></refentrytitle><manvolnum

345

304

>8</manvolnum></citerefentry> can, using its

370

329

<option>extended_timeout</option> option.

371

330

</para>

372

331

<para>

373

The <replaceable>TIME</replaceable> is specified as an RFC

374

3339 duration; for example

375

<quote><literal>P1Y2M3DT4H5M6S</literal></quote> meaning

376

one year, two months, three days, four hours, five

377

minutes, and six seconds. Some values can be omitted, see

378

RFC 3339 Appendix A for details.

332

The <replaceable>TIME</replaceable> is specified as a

333

space-separated number of values, each of which is a

334

number and a one-character suffix. The suffix must be one

335

of <quote>d</quote>, <quote>s</quote>, <quote>m</quote>,

336

<quote>h</quote>, and <quote>w</quote> for days, seconds,

337

minutes, hours, and weeks, respectively. The values are

338

added together to give the total time value, so all of

339

<quote><literal>330s</literal></quote>,

340

<quote><literal>110s 110s 110s</literal></quote>, and

341

<quote><literal>5m 30s</literal></quote> will give a value

342

of five minutes and thirty seconds.

379

343

</para>

380

344

</listitem>

381

345

</varlistentry>

439

403

<quote><literal>approval_duration</literal></quote>,

440

404

<quote><literal>created</literal></quote>,

441

405

<quote><literal>enabled</literal></quote>,

442

<quote><literal>expires</literal></quote>,

443

<quote><literal>key_id</literal></quote>,

444

406

<quote><literal>fingerprint</literal></quote>,

445

407

<quote><literal>host</literal></quote>,

446

408

<quote><literal>interval</literal></quote>,

489

451

<literal>%(<replaceable>foo</replaceable>)s</literal> is

490

452

obscure.

491

453

</para>

492

<xi:include href="bugs.xml"/>

493

454

</refsect1>

494

455

495

456

497

458

498

459

499

460

[DEFAULT]

500

timeout = PT5M

501

interval = PT2M

461

timeout = 5m

462

interval = 2m

502

463

checker = fping -q -- %%(host)s

503

464

504

465

# Client "foo"

505

466

[foo]

506

key_id = 788cd77115cd0bb7b2d5e0ae8496f6b48149d5e712c652076b1fd2d957ef7c1f

507

467

fingerprint = 7788 2722 5BA7 DE53 9C5A 7CFA 59CF F7CD BD9A 5920

508

468

secret =

509

469

hQIOA6QdEjBs2L/HEAf/TCyrDe5Xnm9esa+Pb/vWF9CUqfn4srzVgSu234

522

482

4T2zw4dxS5NswXWU0sVEXxjs6PYxuIiCTL7vdpx8QjBkrPWDrAbcMyBr2O

523

483

QlnHIvPzEArRQLo=

524

484

host = foo.example.org

525

interval = PT1M

485

interval = 1m

526

486

527

487

# Client "bar"

528

488

[bar]

529

key_id = F90C7A81D72D1EA69A51031A91FF8885F36C8B46D155C8C58709A4C99AE9E361

530

489

fingerprint = 3e393aeaefb84c7e89e2f547b3a107558fca3a27

531

490

secfile = /etc/mandos/bar-secret

532

timeout = PT15M

491

timeout = 15m

533

492

approved_by_default = False

534

approval_delay = PT30S

493

approval_delay = 30s

535

494

</programlisting>

536

495

</informalexample>

537

496

</refsect1>

546

505

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

547

506

<manvolnum>5</manvolnum></citerefentry>,

548

507

<citerefentry><refentrytitle>mandos</refentrytitle>

549

<manvolnum>8</manvolnum></citerefentry>,

550

<citerefentry><refentrytitle>fping</refentrytitle>

551

508

552

509

</para>

553

554

555

<term>

556

RFC 3339: <citetitle>Date and Time on the Internet:

557

Timestamps</citetitle>

558

</term>

559

560

<para>

561

The time intervals are in the "duration" format, as

562

specified in ABNF in Appendix A of RFC 3339.

563

</para>

564

</listitem>

565

</varlistentry>

566

</variablelist>

567

510

</refsect1>

568

511

</refentry>

569

512

Older »