
Viewing changes to plugins.d/mandos-client.xml

  • Committer: Teddy Hogeborn
  • Date: 2012-06-17 02:30:59 UTC
  • Revision ID: teddy@recompile.se-20120617023059-em4nfnxg1tsn64xj
* plugins.d/mandos-client (start_mandos_communication): Bug fix; skip
                                                        non-specified
                                                        interfaces.
  (main): Use lower_privileges() consistently.  Bug fix: Don't remove
          "none" from list of interfaces.  Make --interface=none work
          again by not bringing up interfaces specified after "none".
* plugins.d/mandos-client.xml (OPTIONS): Document new meaning of
                                         specifying --interface=none
                                         together with other
                                         interface names.

2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos-client">
5
 
<!ENTITY TIMESTAMP "2018-02-08">
 
5
<!ENTITY TIMESTAMP "2012-06-17">
6
6
<!ENTITY % common SYSTEM "../common.ent">
7
7
%common;
8
8
]>
33
33
    <copyright>
34
34
      <year>2008</year>
35
35
      <year>2009</year>
36
 
      <year>2010</year>
37
 
      <year>2011</year>
38
36
      <year>2012</year>
39
 
      <year>2013</year>
40
 
      <year>2014</year>
41
 
      <year>2015</year>
42
 
      <year>2016</year>
43
 
      <year>2017</year>
44
 
      <year>2018</year>
45
37
      <holder>Teddy Hogeborn</holder>
46
38
      <holder>Björn Påhlsson</holder>
47
39
    </copyright>
104
96
      </arg>
105
97
      <sbr/>
106
98
      <arg>
107
 
        <option>--dh-params <replaceable>FILE</replaceable></option>
108
 
      </arg>
109
 
      <sbr/>
110
 
      <arg>
111
99
        <option>--delay <replaceable>SECONDS</replaceable></option>
112
100
      </arg>
113
101
      <sbr/>
230
218
            assumed to separate the address from the port number.
231
219
          </para>
232
220
          <para>
233
 
            Normally, Zeroconf would be used to locate Mandos servers,
234
 
            in which case this option would only be used when testing
235
 
            and debugging.
 
221
            This option is normally only useful for testing and
 
222
            debugging.
236
223
          </para>
237
224
        </listitem>
238
225
      </varlistentry>
271
258
          <para>
272
259
            <replaceable>NAME</replaceable> can be the string
273
260
            <quote><literal>none</literal></quote>; this will make
274
 
            <command>&COMMANDNAME;</command> only bring up interfaces
275
 
            specified <emphasis>before</emphasis> this string.  This
276
 
            is not recommended, and only meant for advanced users.
 
261
            <command>&COMMANDNAME;</command> not bring up
 
262
            <emphasis>any</emphasis> interfaces specified
 
263
            <emphasis>after</emphasis> this string.  This is not
 
264
            recommended, and only meant for advanced users.
277
265
          </para>
278
266
        </listitem>
279
267
      </varlistentry>
321
309
        <listitem>
322
310
          <para>
323
311
            Sets the number of bits to use for the prime number in the
324
 
            TLS Diffie-Hellman key exchange.  The default value is
325
 
            selected automatically based on the OpenPGP key.  Note
326
 
            that if the <option>--dh-params</option> option is used,
327
 
            the values from that file will be used instead.
328
 
          </para>
329
 
        </listitem>
330
 
      </varlistentry>
331
 
      
332
 
      <varlistentry>
333
 
        <term><option>--dh-params=<replaceable
334
 
        >FILE</replaceable></option></term>
335
 
        <listitem>
336
 
          <para>
337
 
            Specifies a PEM-encoded PKCS#3 file to read the parameters
338
 
            needed by the TLS Diffie-Hellman key exchange from.  If
339
 
            this option is not given, or if the file for some reason
340
 
            could not be used, the parameters will be generated on
341
 
            startup, which will take some time and processing power.
342
 
            Those using servers running under time, power or processor
343
 
            constraints may want to generate such a file in advance
344
 
            and use this option.
 
312
            TLS Diffie-Hellman key exchange.  Default is 1024.
345
313
          </para>
346
314
        </listitem>
347
315
      </varlistentry>
474
442
  
475
443
  <refsect1 id="environment">
476
444
    <title>ENVIRONMENT</title>
477
 
    <variablelist>
478
 
      <varlistentry>
479
 
        <term><envar>MANDOSPLUGINHELPERDIR</envar></term>
480
 
        <listitem>
481
 
          <para>
482
 
            This environment variable will be assumed to contain the
483
 
            directory containing any helper executables.  The use and
484
 
            nature of these helper executables, if any, is
485
 
            purposefully not documented.
486
 
        </para>
487
 
        </listitem>
488
 
      </varlistentry>
489
 
    </variablelist>
490
445
    <para>
491
 
      This program does not use any other environment variables, not
492
 
      even the ones provided by <citerefentry><refentrytitle
 
446
      This program does not use any environment variables, not even
 
447
      the ones provided by <citerefentry><refentrytitle
493
448
      >cryptsetup</refentrytitle><manvolnum>8</manvolnum>
494
449
    </citerefentry>.
495
450
    </para>
557
512
              It is not necessary to print any non-executable files
558
513
              already in the network hook directory, these will be
559
514
              copied implicitly if they otherwise satisfy the name
560
 
              requirements.
 
515
              requirement.
561
516
            </para>
562
517
          </listitem>
563
518
        </varlistentry>
695
650
    </variablelist>
696
651
  </refsect1>
697
652
  
698
 
  <refsect1 id="bugs">
699
 
    <title>BUGS</title>
700
 
    <xi:include href="../bugs.xml"/>
701
 
  </refsect1>
 
653
<!--   <refsect1 id="bugs"> -->
 
654
<!--     <title>BUGS</title> -->
 
655
<!--     <para> -->
 
656
<!--     </para> -->
 
657
<!--   </refsect1> -->
702
658
  
703
659
  <refsect1 id="example">
704
660
    <title>EXAMPLE</title>
710
666
    </para>
711
667
    <informalexample>
712
668
      <para>
713
 
        Normal invocation needs no options, if the network interfaces
 
669
        Normal invocation needs no options, if the network interface
714
670
        can be automatically determined:
715
671
      </para>
716
672
      <para>
719
675
    </informalexample>
720
676
    <informalexample>
721
677
      <para>
722
 
        Search for Mandos servers (and connect to them) using one
723
 
        specific interface:
 
678
        Search for Mandos servers (and connect to them) using another
 
679
        interface:
724
680
      </para>
725
681
      <para>
726
682
        <!-- do not wrap this line -->
790
746
    <para>
791
747
      It will also help if the checker program on the server is
792
748
      configured to request something from the client which can not be
793
 
      spoofed by someone else on the network, like SSH server key
794
 
      fingerprints, and unlike unencrypted <acronym>ICMP</acronym>
795
 
      echo (<quote>ping</quote>) replies.
 
749
      spoofed by someone else on the network, unlike unencrypted
 
750
      <acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.
796
751
    </para>
797
752
    <para>
798
753
      <emphasis>Note</emphasis>: This makes it completely insecure to
844
799
      </varlistentry>
845
800
      <varlistentry>
846
801
        <term>
847
 
          <ulink url="https://www.gnutls.org/">GnuTLS</ulink>
 
802
          <ulink url="http://www.gnu.org/software/gnutls/"
 
803
          >GnuTLS</ulink>
848
804
        </term>
849
805
      <listitem>
850
806
        <para>
856
812
      </varlistentry>
857
813
      <varlistentry>
858
814
        <term>
859
 
          <ulink url="https://www.gnupg.org/related_software/gpgme/"
 
815
          <ulink url="http://www.gnupg.org/related_software/gpgme/"
860
816
                 >GPGME</ulink>
861
817
        </term>
862
818
        <listitem>
890
846
              <para>
891
847
                This client uses IPv6 link-local addresses, which are
892
848
                immediately usable since a link-local addresses is
893
 
                automatically assigned to a network interface when it
 
849
                automatically assigned to a network interfaces when it
894
850
                is brought up.
895
851
              </para>
896
852
            </listitem>
900
856
      </varlistentry>
901
857
      <varlistentry>
902
858
        <term>
903
 
          RFC 5246: <citetitle>The Transport Layer Security (TLS)
904
 
          Protocol Version 1.2</citetitle>
 
859
          RFC 4346: <citetitle>The Transport Layer Security (TLS)
 
860
          Protocol Version 1.1</citetitle>
905
861
        </term>
906
862
      <listitem>
907
863
        <para>
908
 
          TLS 1.2 is the protocol implemented by GnuTLS.
 
864
          TLS 1.1 is the protocol implemented by GnuTLS.
909
865
        </para>
910
866
      </listitem>
911
867
      </varlistentry>
922
878
      </varlistentry>
923
879
      <varlistentry>
924
880
        <term>
925
 
          RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer
 
881
          RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer
926
882
          Security</citetitle>
927
883
        </term>
928
884
      <listitem>