/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

  • Committer: Teddy Hogeborn
  • Date: 2012-06-13 22:06:57 UTC
  • mto: This revision was merged to the branch mainline in revision 596.
  • Revision ID: teddy@recompile.se-20120613220657-qvq7c7nrndl3t413
* plugins.d/mandos-client.c (get_flags): Don't clobber errno.
  (up_interface): Removed; replaced with "interface_is_up".
  (interface_is_up, interface_is_running,
   lower_privileges_permanently, take_down_interface): New.
  (bring_up_interface): Return "error_t".  Use new functions
                        "interface_is_up", "get_flags", and
                        "interface_is_running".
  (main): Save all interfaces either autodetected or specified with
          --interface in argz vector "interfaces".  Save interfaces to
          take down on exit in argz vector "interfaces_to_take_down".
          Save interface names for DEVICE variable to network hooks as
          argz_vector "interfaces_hooks".  Bug fix: Be privileged
          while stopping network hooks.
* plugins.d/mandos-client.xml (SYNOPSIS): Changed --interface synopsis.
  (DESCRIPTION): Updated to document use of all interfaces.
  (OPTIONS): Updated description of "--interface".
* network-hooks.d/bridge: Parse comma-separated DEVICE environment
                          variable.
* network-hooks.d/openvpn: - '' -
* network-hooks.d/wireless: - '' -

Show diffs side-by-side

added added

removed removed

Lines of Context:
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos-client">
5
 
<!ENTITY TIMESTAMP "2015-03-08">
 
5
<!ENTITY TIMESTAMP "2012-06-13">
6
6
<!ENTITY % common SYSTEM "../common.ent">
7
7
%common;
8
8
]>
34
34
      <year>2008</year>
35
35
      <year>2009</year>
36
36
      <year>2012</year>
37
 
      <year>2013</year>
38
 
      <year>2014</year>
39
37
      <holder>Teddy Hogeborn</holder>
40
38
      <holder>Björn Påhlsson</holder>
41
39
    </copyright>
220
218
            assumed to separate the address from the port number.
221
219
          </para>
222
220
          <para>
223
 
            Normally, Zeroconf would be used to locate Mandos servers,
224
 
            in which case this option would only be used when testing
225
 
            and debugging.
 
221
            This option is normally only useful for testing and
 
222
            debugging.
226
223
          </para>
227
224
        </listitem>
228
225
      </varlistentry>
229
226
      
230
227
      <varlistentry>
231
228
        <term><option>--interface=<replaceable
232
 
        >NAME</replaceable><arg rep='repeat'>,<replaceable
233
 
        >NAME</replaceable></arg></option></term>
 
229
        >NAME</replaceable></option></term>
234
230
        <term><option>-i
235
 
        <replaceable>NAME</replaceable><arg rep='repeat'>,<replaceable
236
 
        >NAME</replaceable></arg></option></term>
 
231
        <replaceable>NAME</replaceable></option></term>
237
232
        <listitem>
238
233
          <para>
239
234
            Comma separated list of network interfaces that will be
242
237
            use all appropriate interfaces.
243
238
          </para>
244
239
          <para>
245
 
            If the <option>--connect</option> option is used, and
246
 
            exactly one interface name is specified (except
247
 
            <quote><literal>none</literal></quote>), this specifies
248
 
            the interface to use to connect to the address given.
 
240
            If the <option>--connect</option> option is used, this
 
241
            specifies the interface to use to connect to the address
 
242
            given.
249
243
          </para>
250
244
          <para>
251
245
            Note that since this program will normally run in the
260
254
          </para>
261
255
          <para>
262
256
            <replaceable>NAME</replaceable> can be the string
263
 
            <quote><literal>none</literal></quote>; this will make
264
 
            <command>&COMMANDNAME;</command> only bring up interfaces
265
 
            specified <emphasis>before</emphasis> this string.  This
266
 
            is not recommended, and only meant for advanced users.
 
257
            <quote><literal>none</literal></quote>; this will not use
 
258
            any specific interface, and will not bring up an interface
 
259
            on startup.  This is not recommended, and only meant for
 
260
            advanced users.
267
261
          </para>
268
262
        </listitem>
269
263
      </varlistentry>
311
305
        <listitem>
312
306
          <para>
313
307
            Sets the number of bits to use for the prime number in the
314
 
            TLS Diffie-Hellman key exchange.  The default value is
315
 
            selected automatically based on the OpenPGP key.
 
308
            TLS Diffie-Hellman key exchange.  Default is 1024.
316
309
          </para>
317
310
        </listitem>
318
311
      </varlistentry>
515
508
              It is not necessary to print any non-executable files
516
509
              already in the network hook directory, these will be
517
510
              copied implicitly if they otherwise satisfy the name
518
 
              requirements.
 
511
              requirement.
519
512
            </para>
520
513
          </listitem>
521
514
        </varlistentry>
669
662
    </para>
670
663
    <informalexample>
671
664
      <para>
672
 
        Normal invocation needs no options, if the network interfaces
 
665
        Normal invocation needs no options, if the network interface
673
666
        can be automatically determined:
674
667
      </para>
675
668
      <para>
678
671
    </informalexample>
679
672
    <informalexample>
680
673
      <para>
681
 
        Search for Mandos servers (and connect to them) using one
682
 
        specific interface:
 
674
        Search for Mandos servers (and connect to them) using another
 
675
        interface:
683
676
      </para>
684
677
      <para>
685
678
        <!-- do not wrap this line -->
749
742
    <para>
750
743
      It will also help if the checker program on the server is
751
744
      configured to request something from the client which can not be
752
 
      spoofed by someone else on the network, like SSH server key
753
 
      fingerprints, and unlike unencrypted <acronym>ICMP</acronym>
754
 
      echo (<quote>ping</quote>) replies.
 
745
      spoofed by someone else on the network, unlike unencrypted
 
746
      <acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.
755
747
    </para>
756
748
    <para>
757
749
      <emphasis>Note</emphasis>: This makes it completely insecure to
850
842
              <para>
851
843
                This client uses IPv6 link-local addresses, which are
852
844
                immediately usable since a link-local addresses is
853
 
                automatically assigned to a network interface when it
 
845
                automatically assigned to a network interfaces when it
854
846
                is brought up.
855
847
              </para>
856
848
            </listitem>