<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY COMMANDNAME "mandos-ctl">
<!ENTITY TIMESTAMP "2016-03-05">
<!ENTITY % common SYSTEM "common.ent">
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
<title>Mandos Manual</title>
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
<productname>Mandos</productname>
<productnumber>&version;</productnumber>
<date>&TIMESTAMP;</date>
<firstname>Björn</firstname>
<surname>Påhlsson</surname>
<email>belorn@recompile.se</email>
<firstname>Teddy</firstname>
<surname>Hogeborn</surname>
<email>teddy@recompile.se</email>
<holder>Teddy Hogeborn</holder>
<holder>Björn Påhlsson</holder>
<xi:include href="legalnotice.xml"/>
<refentrytitle>&COMMANDNAME;</refentrytitle>
<manvolnum>8</manvolnum>
<refname><command>&COMMANDNAME;</command></refname>
Control the operation of the Mandos server
<command>&COMMANDNAME;</command>
<arg choice="plain"><option>--enable</option></arg>
<arg choice="plain"><option>-e</option></arg>
<arg choice="plain"><option>--disable</option></arg>
<arg choice="plain"><option>-d</option></arg>
<arg choice="plain"><option>--bump-timeout</option></arg>
<arg choice="plain"><option>-b</option></arg>
<arg choice="plain"><option>--start-checker</option></arg>
<arg choice="plain"><option>--stop-checker</option></arg>
<arg choice="plain"><option>--remove</option></arg>
<arg choice="plain"><option>-r</option></arg>
<arg choice="plain"><option>--checker
<replaceable>COMMAND</replaceable></option></arg>
<arg choice="plain"><option>-c
<replaceable>COMMAND</replaceable></option></arg>
<arg choice="plain"><option>--timeout
<replaceable>TIME</replaceable></option></arg>
<arg choice="plain"><option>-t
<replaceable>TIME</replaceable></option></arg>
<arg choice="plain"><option>--extended-timeout
<replaceable>TIME</replaceable></option></arg>
<arg choice="plain"><option>--interval
<replaceable>TIME</replaceable></option></arg>
<arg choice="plain"><option>-i
<replaceable>TIME</replaceable></option></arg>
<arg choice="plain"><option>--approve-by-default</option
<arg choice="plain"><option>--deny-by-default</option></arg>
<arg choice="plain"><option>--approval-delay
<replaceable>TIME</replaceable></option></arg>
<arg choice="plain"><option>--approval-duration
<replaceable>TIME</replaceable></option></arg>
<arg choice="plain"><option>--interval
<replaceable>TIME</replaceable></option></arg>
<arg choice="plain"><option>-i
<replaceable>TIME</replaceable></option></arg>
<arg choice="plain"><option>--host
<replaceable>STRING</replaceable></option></arg>
<arg choice="plain"><option>-H
<replaceable>STRING</replaceable></option></arg>
<arg choice="plain"><option>--secret
<replaceable>FILENAME</replaceable></option></arg>
<arg choice="plain"><option>-s
<replaceable>FILENAME</replaceable></option></arg>
<arg choice="plain"><option>--approve</option></arg>
<arg choice="plain"><option>-A</option></arg>
<arg choice="plain"><option>--deny</option></arg>
<arg choice="plain"><option>-D</option></arg>
<arg choice="plain"><option>--all</option></arg>
<arg choice="plain"><option>-a</option></arg>
<arg rep='repeat' choice='plain'>
<replaceable>CLIENT</replaceable>
<command>&COMMANDNAME;</command>
<arg choice="plain"><option>--verbose</option></arg>
<arg choice="plain"><option>-v</option></arg>
<arg rep='repeat' choice='plain'>
<replaceable>CLIENT</replaceable>
<command>&COMMANDNAME;</command>
<arg choice="plain"><option>--is-enabled</option></arg>
<arg choice="plain"><option>-V</option></arg>
<arg choice='plain'><replaceable>CLIENT</replaceable></arg>
<command>&COMMANDNAME;</command>
<arg choice="plain"><option>--help</option></arg>
<arg choice="plain"><option>-h</option></arg>
<command>&COMMANDNAME;</command>
<arg choice="plain"><option>--version</option></arg>
<arg choice="plain"><option>-v</option></arg>
<command>&COMMANDNAME;</command>
<arg choice="plain"><option>--check</option></arg>
<refsect1 id="description">
<title>DESCRIPTION</title>
<command>&COMMANDNAME;</command> is a program to control the
operation of the Mandos server <citerefentry><refentrytitle
>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
This program can be used to change client settings, approve or
deny client requests, and to remove clients from the server.
<refsect1 id="purpose">
<title>PURPOSE</title>
The purpose of this is to enable <emphasis>remote and unattended
rebooting</emphasis> of client host computers with an
<emphasis>encrypted root file system</emphasis>. See <xref
linkend="overview"/> for details.
<refsect1 id="options">
<title>OPTIONS</title>
<term><option>--help</option></term>
<term><option>-h</option></term>
Show a help message and exit
<term><option>--enable</option></term>
<term><option>-e</option></term>
Enable client(s). An enabled client will be eligible to
<term><option>--disable</option></term>
<term><option>-d</option></term>
Disable client(s). A disabled client will not be eligible
to receive its secret, and no checkers will be started for
<term><option>--bump-timeout</option></term>
Bump the timeout of the specified client(s), just as if a
checker had completed successfully for it/them.
<term><option>--start-checker</option></term>
Start a new checker now for the specified client(s).
<term><option>--stop-checker</option></term>
Stop any running checker for the specified client(s).
<term><option>--remove</option></term>
<term><option>-r</option></term>
Remove the specified client(s) from the server.
<term><option>--checker
<replaceable>COMMAND</replaceable></option></term>
<replaceable>COMMAND</replaceable></option></term>
Set the <varname>checker</varname> option of the specified
client(s); see <citerefentry><refentrytitle
>mandos-clients.conf</refentrytitle><manvolnum
>5</manvolnum></citerefentry>.
<term><option>--timeout
<replaceable>TIME</replaceable></option></term>
<replaceable>TIME</replaceable></option></term>
Set the <varname>timeout</varname> option of the specified
client(s); see <citerefentry><refentrytitle
>mandos-clients.conf</refentrytitle><manvolnum
>5</manvolnum></citerefentry>.
<term><option>--extended-timeout
<replaceable>TIME</replaceable></option></term>
Set the <varname>extended_timeout</varname> option of the
specified client(s); see <citerefentry><refentrytitle
>mandos-clients.conf</refentrytitle><manvolnum
>5</manvolnum></citerefentry>.
<term><option>--interval
<replaceable>TIME</replaceable></option></term>
<replaceable>TIME</replaceable></option></term>
Set the <varname>interval</varname> option of the
specified client(s); see <citerefentry><refentrytitle
>mandos-clients.conf</refentrytitle><manvolnum
>5</manvolnum></citerefentry>.
<term><option>--approve-by-default</option></term>
<term><option>--deny-by-default</option></term>
Set the <varname>approved_by_default</varname> option of
the specified client(s) to <literal>True</literal> or
<literal>False</literal>, respectively; see
<citerefentry><refentrytitle
>mandos-clients.conf</refentrytitle><manvolnum
>5</manvolnum></citerefentry>.
<term><option>--approval-delay
<replaceable>TIME</replaceable></option></term>
Set the <varname>approval_delay</varname> option of the
specified client(s); see <citerefentry><refentrytitle
>mandos-clients.conf</refentrytitle><manvolnum
>5</manvolnum></citerefentry>.
<term><option>--approval-duration
<replaceable>TIME</replaceable></option></term>
Set the <varname>approval_duration</varname> option of the
specified client(s); see <citerefentry><refentrytitle
>mandos-clients.conf</refentrytitle><manvolnum
>5</manvolnum></citerefentry>.
<replaceable>STRING</replaceable></option></term>
<replaceable>STRING</replaceable></option></term>
Set the <varname>host</varname> option of the specified
client(s); see <citerefentry><refentrytitle
>mandos-clients.conf</refentrytitle><manvolnum
>5</manvolnum></citerefentry>.
<term><option>--secret
<replaceable>FILENAME</replaceable></option></term>
<replaceable>FILENAME</replaceable></option></term>
Set the <varname>secfile</varname> option of the specified
client(s); see <citerefentry><refentrytitle
>mandos-clients.conf</refentrytitle><manvolnum
>5</manvolnum></citerefentry>.
<term><option>--approve</option></term>
<term><option>-A</option></term>
Approve client(s) if currently waiting for approval.
<term><option>--deny</option></term>
<term><option>-D</option></term>
Deny client(s) if currently waiting for approval.
<term><option>--all</option></term>
<term><option>-a</option></term>
Make the client-modifying options modify <emphasis
>all</emphasis> clients.
<term><option>--verbose</option></term>
<term><option>-v</option></term>
Show all client settings, not just a subset.
<term><option>--is-enabled</option></term>
<term><option>-V</option></term>
Check if a single client is enabled or not, and exit with
a successful exit status only if the client is enabled.
<term><option>--check</option></term>
Run self-tests. This includes any unit tests, etc.
<refsect1 id="overview">
<title>OVERVIEW</title>
<xi:include href="overview.xml"/>
This program is a small utility to generate new OpenPGP keys for
new Mandos clients, and to generate sections for inclusion in
<filename>clients.conf</filename> on the server.
<refsect1 id="exit_status">
<title>EXIT STATUS</title>
If the <option>--is-enabled</option> option is used, the exit
status will be 0 only if the specified client is enabled.
<xi:include href="bugs.xml"/>
<refsect1 id="example">
<title>EXAMPLE</title>
<userinput>&COMMANDNAME;</userinput>
To list <emphasis>all</emphasis> settings for the clients
named <quote>foo1.example.org</quote> and <quote
>foo2.example.org</quote>:
<!-- do not wrap this line -->
<userinput>&COMMANDNAME; --verbose foo1.example.org foo2.example.org</userinput>
To enable all clients:
<userinput>&COMMANDNAME; --enable --all</userinput>
To change the timeout and interval values for the clients
named <quote>foo1.example.org</quote> and <quote
>foo2.example.org</quote>:
<!-- do not wrap this line -->
<userinput>&COMMANDNAME; --timeout="5m" --interval="1m" foo1.example.org foo2.example.org</userinput>
To approve all clients currently waiting for approval:
<userinput>&COMMANDNAME; --approve --all</userinput>
<refsect1 id="security">
<title>SECURITY</title>
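This program must be permitted to access the Mandos server via
the D-Bus interface. This normally requires the root user, but
could be configured otherwise by reconfiguring the D-Bus server.
Any user granted this access can enable, approve or remove
clients and change their settings, including the secret, so
such access should be limited to trusted administrators.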
<refsect1 id="see_also">
<title>SEE ALSO</title>
<citerefentry><refentrytitle>intro</refentrytitle>
<manvolnum>8mandos</manvolnum></citerefentry>,
<citerefentry><refentrytitle>mandos</refentrytitle>
<manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>mandos-monitor</refentrytitle>
<manvolnum>8</manvolnum></citerefentry>
<!-- Local Variables: -->
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
<!-- time-stamp-end: "[\"']>" -->
<!-- time-stamp-format: "%:y-%02m-%02d" -->