/mandos/trunk : revision 68

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-clients.conf.xml

Committer: Teddy Hogeborn
Date: 2008-08-12 19:22:34 UTC
Revision ID: teddy@fukt.bsnet.se-20080812192234-8bm17713ltih9ud1

* initramfs-tools-hook: New.
* initramfs-tools-hook-conf: New.

files added:
network-protocol.txt

files removed:
COPYING

initramfs-tools-script

mandos-keygen.xml

mandos-options.xml

overview.xml

plugins.d/usplash

files renamed:
plugin-runner.c => mandos-client.c

plugin-runner.xml => mandos-client.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

mandos

mandos-clients.conf.xml

mandos-keygen

mandos.conf

mandos.conf.xml

mandos.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/password-request.c

plugins.d/password-request.xml

Show diffs side-by-side

added added

removed removed

mandos-clients.conf.xml

<?xml version='1.0' encoding='UTF-8'?>

<?xml-stylesheet type="text/xsl"

href="http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<title>&CONFNAME;</title>

<productname>&CONFNAME;</productname>

<productnumber>&VERSION;</productnumber>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

<holder>Teddy Hogeborn & Björn Påhlsson</holder>

</copyright>

<para>

<refname><filename>&CONFNAME;</filename></refname>

Configuration file for the Mandos server

Configuration file for Mandos clients

</refpurpose>

</refnamediv>

<title>DESCRIPTION</title>

<para>

The file &CONFPATH; is the configuration file for <citerefentry

><refentrytitle>mandos</refentrytitle>

<manvolnum>8</manvolnum></citerefentry>, read by it at startup,

where each client that will be able to use the service needs to

be listed. All clients listed will be regarded as valid, even

if a client was declared invalid in a previous run of the

server.

</para>

<para>

The format starts with a section under [] which is either

<literal>[DEFAULT]</literal> or <literal>[<replaceable>client

name</replaceable>]</literal>. Following the section is any

number of <quote><varname><replaceable>option</replaceable

></varname>=<replaceable>value</replaceable></quote> entries,

with continuations in the style of RFC 822. <quote><varname

><replaceable>option</replaceable></varname>: <replaceable

>value</replaceable></quote> is also accepted. Note that

leading whitespace is removed from values. Values can contain

100

format strings which refer to other values in the same section,

101

or values in the <quote>DEFAULT</quote> section. Lines

102

beginning with <quote>#</quote> or <quote>;</quote> are ignored

103

and may be used to provide comments.

The file &CONFPATH; is the configuration file for mandos where

each client that will be abel to use the service need to be

specified. The configuration file is looked on at the startup of

the service, so to reenable timedout clients one need to only

restart the server. The format starts with a section under []

which is eather <literal>[DEFAULT]</literal> or a client

name. Values is set through the use of VAR = VALUE pair. Values

may not be empty.

104

</para>

105

</refsect1>

106

107

108

<title>OPTIONS</title>

<title>DEFAULTS</title>

109

<para>

110

The possible options are:

The paramters for <literal>[DEFAULT]</literal> are:

111

</para>

112

113

100

114

101

115

102

116

<term><literal><varname>timeout</varname></literal></term>

103

<term><literal>timeout</literal></term>

117

104

118

<synopsis><literal>timeout = </literal><replaceable

119

>TIME</replaceable>

120

</synopsis>

121

<para>

122

The timeout is how long the server will wait for a

123

successful checker run until a client is considered

124

invalid - that is, ineligible to get the data this server

125

holds. By default Mandos will use 1 hour.

126

</para>

127

<para>

128

The <replaceable>TIME</replaceable> is specified as a

129

space-separated number of values, each of which is a

130

number and a one-character suffix. The suffix must be one

131

of <quote>d</quote>, <quote>s</quote>, <quote>m</quote>,

132

<quote>h</quote>, and <quote>w</quote> for days, seconds,

133

minutes, hours, and weeks, respectively. The values are

134

added together to give the total time value, so all of

135

<quote><literal>330s</literal></quote>,

136

<quote><literal>110s 110s 110s</literal></quote>, and

137

<quote><literal>5m 30s</literal></quote> will give a value

138

of five minutes and thirty seconds.

105

<para>

106

This option allows you to override the default timeout

107

that clients will get. By default mandos will use 1hr.

139

108

</para>

140

109

</listitem>

141

110

</varlistentry>

142

111

143

112

144

<term><literal><varname>interval</varname></literal></term>

113

<term><literal>interval</literal></term>

145

114

146

<synopsis><literal>interval = </literal><replaceable

147

>TIME</replaceable>

148

</synopsis>

149

<para>

150

How often to run the checker to confirm that a client is

151

still up. <emphasis>Note:</emphasis> a new checker will

152

not be started if an old one is still running. The server

153

will wait for a checker to complete until the above

154

<quote><varname>timeout</varname></quote> occurs, at which

155

time the client will be marked invalid, and any running

156

checker killed. The default interval is 5 minutes.

157

</para>

158

<para>

159

The format of <replaceable>TIME</replaceable> is the same

160

as for <varname>timeout</varname> above.

115

<para>

116

This option allows you to override the default interval

117

used between checkups for disconnected clients. By default

118

mandos will use 5m.

161

119

</para>

162

120

</listitem>

163

121

</varlistentry>

173

131

</listitem>

174

132

</varlistentry>

175

133

134

</variablelist>

135

</refsect1>

136

137

138

<title>CLIENTS</title>

139

<para>

140

The paramters for clients are:

141

</para>

142

143

144

176

145

177

146

<term><literal>fingerprint</literal></term>

178

147

235

204

236

205

</variablelist>

237

206

</refsect1>

238

239

240

<title>EXPANSION</title>

241

<para>

242

There are two forms of expansion: Start time expansion and

243

runtime expansion.

244

</para>

245

246

<title>START TIME EXPANSION</title>

247

<para>

248

Any string in an option value of the form

249

<quote><literal>%(<replaceable>foo</replaceable>)s</literal

250

></quote> will be replaced by the value of the option

251

<varname>foo</varname> either in the same section, or, if it

252

does not exist there, the <literal>[DEFAULT]</literal>

253

section. This is done at start time, when the configuration

254

file is read.

255

</para>

256

<para>

257

Note that this means that, in order to include an actual

258

percent character (<quote>%</quote>) in an option value, two

259

percent characters in a row (<quote>%%</quote>) must be

260

entered.

261

</para>

262

</refsect2>

263

264

<title>RUNTIME EXPANSION</title>

265

<para>

266

This is currently only done for the <varname>checker</varname>

267

option.

268

</para>

269

<para>

270

Any string in an option value of the form

271

<quote><literal>%%(<replaceable>foo</replaceable>)s</literal

272

></quote> will be replaced by the value of the attribute

273

<varname>foo</varname> of the internal

274

<quote><classname>Client</classname></quote> object. See the

275

source code for details, and let the authors know of any

276

attributes that are useful so they may be preserved to any new

277

versions of this software.

278

</para>

279

<para>

280

Note that this means that, in order to include an actual

281

percent character (<quote>%</quote>) in a

282

<varname>checker</varname> options, <emphasis>four</emphasis>

283

percent characters in a row (<quote>%%%%</quote>) must be

284

entered. Also, a bad format here will lead to an immediate

285

but <emphasis>silent</emphasis> run-time fatal exit; debug

286

mode is needed to track down an error of this kind.

287

</para>

288

</refsect2>

289

207

290

</refsect1>

291

292

293

<title>FILES</title>

294

<para>

295

The file described here is &CONFPATH;

296

</para>

297

</refsect1>

298

299

300

301

<para>

302

The format for specifying times for <varname>timeout</varname>

303

and <varname>interval</varname> is not very good.

304

</para>

305

<para>

306

The difference between

307

<literal>%%(<replaceable>foo</replaceable>)s</literal> and

308

<literal>%(<replaceable>foo</replaceable>)s</literal> is

309

obscure.

310

</para>

311

</refsect1>

312

313

314

<title>EXAMPLE</title>

208

209

<title>EXAMPLES</title>

315

210

316

211

317

212

[DEFAULT]

319

214

interval = 5m

320

215

checker = fping -q -- %%(host)s

321

216

322

# Client "foo"

323

[foo]

217

[example_client]

324

218

fingerprint = 7788 2722 5BA7 DE53 9C5A 7CFA 59CF F7CD BD9A 5920

219

325

220

secret =

326

221

hQIOA6QdEjBs2L/HEAf/TCyrDe5Xnm9esa+Pb/vWF9CUqfn4srzVgSu234

327

222

REJMVv7lBSrPE2132Lmd2gqF1HeLKDJRSVxJpt6xoWOChGHg+TMyXDxK+N

339

234

4T2zw4dxS5NswXWU0sVEXxjs6PYxuIiCTL7vdpx8QjBkrPWDrAbcMyBr2O

340

235

QlnHIvPzEArRQLo=

341

236

=iHhv

342

host = foo.example.org

237

238

host = localhost

343

239

interval = 5m

344

345

# Client "bar"

346

[bar]

347

fingerprint = 3e393aeaefb84c7e89e2f547b3a107558fca3a27

348

secfile = /etc/mandos/bar-secret.txt.asc

349

350

240

</programlisting>

351

241

</informalexample>

352

242

</refsect1>

353

243

244

245

<title>FILES</title>

246

<para>

247

The file described here is &CONFPATH;

248

</para>

249

</refsect1>

354

250

</refentry>

Older »