/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

Viewing changes to plugins.d/mandos-client.xml

  • Committer: Teddy Hogeborn
  • Date: 2012-06-17 02:30:59 UTC
  • Revision ID: teddy@recompile.se-20120617023059-em4nfnxg1tsn64xj
* plugins.d/mandos-client (start_mandos_communication): Bug fix; skip
                                                        non-specified
                                                        interfaces.
  (main): Use lower_privileges() consistently.  Bug fix: Don't remove
          "none" from list of interfaces.  Make --interface=none work
          again by not bringing up interfaces specified after "none".
* plugins.d/mandos-client.xml (OPTIONS): Document new meaning of
                                         specifying --interface=none
                                         together with other
                                         interface names,

2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos-client">
5
 
<!ENTITY TIMESTAMP "2015-03-08">
 
5
<!ENTITY TIMESTAMP "2012-06-17">
6
6
<!ENTITY % common SYSTEM "../common.ent">
7
7
%common;
8
8
]>
34
34
      <year>2008</year>
35
35
      <year>2009</year>
36
36
      <year>2012</year>
37
 
      <year>2013</year>
38
 
      <year>2014</year>
39
37
      <holder>Teddy Hogeborn</holder>
40
38
      <holder>Björn Påhlsson</holder>
41
39
    </copyright>
220
218
            assumed to separate the address from the port number.
221
219
          </para>
222
220
          <para>
223
 
            Normally, Zeroconf would be used to locate Mandos servers,
224
 
            in which case this option would only be used when testing
225
 
            and debugging.
 
221
            This option is normally only useful for testing and
 
222
            debugging.
226
223
          </para>
227
224
        </listitem>
228
225
      </varlistentry>
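Review bot: the one-sentence wording at lines 221-222 ("This option is normally only useful for testing and debugging.") drops the reason for the advice. The wording at lines 223-225 states it: servers are normally located with Zeroconf. Keep that explanation so the reader knows what the normal discovery path is and why this option is the exception.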
261
258
          <para>
262
259
            <replaceable>NAME</replaceable> can be the string
263
260
            <quote><literal>none</literal></quote>; this will make
264
 
            <command>&COMMANDNAME;</command> only bring up interfaces
265
 
            specified <emphasis>before</emphasis> this string.  This
266
 
            is not recommended, and only meant for advanced users.
 
261
            <command>&COMMANDNAME;</command> not bring up
 
262
            <emphasis>any</emphasis> interfaces specified
 
263
            <emphasis>after</emphasis> this string.  This is not
 
264
            recommended, and only meant for advanced users.
267
265
          </para>
268
266
        </listitem>
269
267
      </varlistentry>
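Review bot: the paragraph on the literal "none" (lines 261-264, second number column) says interfaces named after "none" are not brought up, but it does not say whether those interfaces are still used if something else has already brought them up, and it gives no reason for "not recommended". The wording at lines 264-266 ("only bring up interfaces specified before this string") has the same gap. Suggest adding one sentence on what happens to the listed interfaces that are not brought up, and one on why the setting is discouraged.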
311
309
        <listitem>
312
310
          <para>
313
311
            Sets the number of bits to use for the prime number in the
314
 
            TLS Diffie-Hellman key exchange.  The default value is
315
 
            selected automatically based on the OpenPGP key.
 
312
            TLS Diffie-Hellman key exchange.  Default is 1024.
316
313
          </para>
317
314
        </listitem>
318
315
      </varlistentry>
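Review bot: "Default is 1024." at line 312 documents a fixed 1024-bit Diffie-Hellman prime with no guidance on when to raise it. A 1024-bit group is below the 2048-bit minimum in current recommendations, so the text should either say so and tell the reader to set a larger value, or describe a default tied to key strength as the wording at lines 314-315 does ("selected automatically based on the OpenPGP key"). If that wording is used, state how the size is derived from the key so the reader can predict the result.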
515
512
              It is not necessary to print any non-executable files
516
513
              already in the network hook directory, these will be
517
514
              copied implicitly if they otherwise satisfy the name
518
 
              requirements.
 
515
              requirement.
519
516
            </para>
520
517
          </listitem>
521
518
        </varlistentry>
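Review bot: style point on the unchanged context at lines 515-517 / 512-514: "non-executable files already in the network hook directory, these will be copied" is a comma splice; a semicolon or a new sentence reads better. Whether "requirement" or "requirements" is correct depends on how many name rules the section lists, which this hunk does not show, so check it against that list.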
669
666
    </para>
670
667
    <informalexample>
671
668
      <para>
672
 
        Normal invocation needs no options, if the network interfaces
 
669
        Normal invocation needs no options, if the network interface
673
670
        can be automatically determined:
674
671
      </para>
675
672
      <para>
678
675
    </informalexample>
679
676
    <informalexample>
680
677
      <para>
681
 
        Search for Mandos servers (and connect to them) using one
682
 
        specific interface:
 
678
        Search for Mandos servers (and connect to them) using another
 
679
        interface:
683
680
      </para>
684
681
      <para>
685
682
        <!-- do not wrap this line -->
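Review bot: "using another interface" at lines 678-679 has no referent, because the preceding example names no interface for "another" to contrast with. "using one specific interface" (lines 681-682) says what the example actually demonstrates and should be the wording kept.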
749
746
    <para>
750
747
      It will also help if the checker program on the server is
751
748
      configured to request something from the client which can not be
752
 
      spoofed by someone else on the network, like SSH server key
753
 
      fingerprints, and unlike unencrypted <acronym>ICMP</acronym>
754
 
      echo (<quote>ping</quote>) replies.
 
749
      spoofed by someone else on the network, unlike unencrypted
 
750
      <acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.
755
751
    </para>
756
752
    <para>
757
753
      <emphasis>Note</emphasis>: This makes it completely insecure to
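Review bot: the sentence at lines 749-750 tells the reader what not to rely on (unencrypted ICMP echo replies) but names nothing that cannot be spoofed. Keep the concrete example from the wording at lines 752-754 ("like SSH server key fingerprints") so that the advice on configuring the checker is actionable.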
850
846
              <para>
851
847
                This client uses IPv6 link-local addresses, which are
852
848
                immediately usable since a link-local addresses is
853
 
                automatically assigned to a network interface when it
 
849
                automatically assigned to a network interfaces when it
854
850
                is brought up.
855
851
              </para>
856
852
            </listitem>
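Review bot: grammar in this paragraph: the unchanged context line 852 / 848 reads "a link-local addresses is", and line 849 reads "a network interfaces"; both nouns should be singular ("a link-local address is automatically assigned to a network interface"). The wording at line 853 fixes only the second of these.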