/mandos/trunk : revision 708

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-clients.conf.xml

Committer: Teddy Hogeborn
Date: 2014-06-22 02:19:30 UTC
Revision ID: teddy@recompile.se-20140622021930-icl7h4cm97blhjml

mandos-keygen: Generate "checker" option to use SSH fingerprints.

To turn this off, use a new "--no-ssh" option to mandos-keygen.

* INSTALL (Mandos Server, Mandos Client): Document new suggested
                                          installation of SSH.
* Makefile (confdir/clients.conf): Use new "--no-ssh" option to
                                   "mandos-keygen".
* debian/control (mandos/Depends): Changed to "fping | ssh-client".
  (mandos-client/Recommends): New; set to "ssh".
* intro.xml (FREQUENTLY ASKED QUESTIONS): Rename and rewrite section
                                          called "Faking ping
                                          replies?" to address new
                                          default behavior.
* mandos-clients.conf.xml (OPTIONS/checker): Briefly discuss new
                                             behavior of
                                             mandos-keygen.
* mandos-keygen: Bug fix: Suppress failure output of "shred" to remove
                 "sec*", since no such files may exist.
(password mode): Scan for SSH key fingerprints and output as new
                  "checker" and "ssh_fingerprint" options, unless new
                  "--no-ssh" option is given.
* mandos-keygen.xml (SYNOPSIS/--force): Bug fix: Document short form.
  (OPTIONS/--no-ssh): New.
  (SEE ALSO): Add reference "ssh-keyscan(1)".
* plugins.d/mandos-client.xml (SECURITY): Briefly mention the
                                          possibility of using SSH key
                                          fingerprints for checking.

files added:
debian/mandos-client.examples

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

initramfs-unpack

intro.xml

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

dbus-mandos.conf

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-clients.conf.xml

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY CONFNAME "mandos-clients.conf">

<!ENTITY CONFPATH "<filename>/etc/mandos/clients.conf</filename>">

<!ENTITY TIMESTAMP "2011-02-27">

<!ENTITY TIMESTAMP "2014-06-22">

<!ENTITY % common SYSTEM "common.ent">

%common;

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

><refentrytitle>mandos</refentrytitle>

<manvolnum>8</manvolnum></citerefentry>, read by it at startup.

The file needs to list all clients that should be able to use

the service. All clients listed will be regarded as enabled,

even if a client was disabled in a previous run of the server.

the service. The settings in this file can be overridden by

runtime changes to the server, which it saves across restarts.

(See the section called <quote>PERSISTENT STATE</quote> in

<citerefentry><refentrytitle>mandos</refentrytitle><manvolnum

>8</manvolnum></citerefentry>.) However, any <emphasis

>changes</emphasis> to this file (including adding and removing

clients) will, at startup, override changes done during runtime.

</para>

<para>

The format starts with a <literal>[<replaceable>section

111

117

<para>

112

118

How long to wait for external approval before resorting to

113

119

use the <option>approved_by_default</option> value. The

114

default is <quote>0s</quote>, i.e. not to wait.

120

default is <quote>PT0S</quote>, i.e. not to wait.

115

121

</para>

116

122

<para>

117

123

The format of <replaceable>TIME</replaceable> is the same

161

167

This option is <emphasis>optional</emphasis>.

162

168

</para>

163

169

<para>

164

This option allows you to override the default shell

165

command that the server will use to check if the client is

166

still up. Any output of the command will be ignored, only

167

the exit code is checked: If the exit code of the command

168

is zero, the client is considered up. The command will be

169

run using <quote><command><filename>/bin/sh</filename>

170

This option overrides the default shell command that the

171

server will use to check if the client is still up. Any

172

output of the command will be ignored, only the exit code

173

is checked: If the exit code of the command is zero, the

174

client is considered up. The command will be run using

175

170

176

<option>-c</option></command></quote>, so

171

177

<varname>PATH</varname> will be searched. The default

172

178

value for the checker command is <quote><literal

173

179

><command>fping</command> <option>-q</option> <option

174

>--</option> %%(host)s</literal></quote>.

180

>--</option> %%(host)s</literal></quote>. Note that

181

<command>mandos-keygen</command>, when generating output

182

to be inserted into this file, normally looks for an SSH

183

server on the Mandos client, and, if it find one, outputs

184

a <option>checker</option> option to check for the

185

client’s key fingerprint – this is more secure against

186

spoofing.

175

187

</para>

176

188

<para>

177

189

In addition to normal start time expansion, this option

182

194

</varlistentry>

183

195

184

196

197

<term><option>extended_timeout<literal> = </literal><replaceable

198

>TIME</replaceable></option></term>

199

200

<para>

201

This option is <emphasis>optional</emphasis>.

202

</para>

203

<para>

204

Extended timeout is an added timeout that is given once

205

after a password has been sent successfully to a client.

206

The timeout is by default longer than the normal timeout,

207

and is used for handling the extra long downtime while a

208

machine is booting up. Time to take into consideration

209

when changing this value is file system checks and quota

210

checks. The default value is 15 minutes.

211

</para>

212

<para>

213

The format of <replaceable>TIME</replaceable> is the same

214

as for <varname>timeout</varname> below.

215

</para>

216

</listitem>

217

</varlistentry>

218

219

185

220

<term><option>fingerprint<literal> = </literal

186

221

><replaceable>HEXSTRING</replaceable></option></term>

187

222

229

264

will wait for a checker to complete until the below

230

265

<quote><varname>timeout</varname></quote> occurs, at which

231

266

time the client will be disabled, and any running checker

232

killed. The default interval is 5 minutes.

267

killed. The default interval is 2 minutes.

233

268

</para>

234

269

<para>

235

270

The format of <replaceable>TIME</replaceable> is the same

299

334

This option is <emphasis>optional</emphasis>.

300

335

</para>

301

336

<para>

302

The timeout is how long the server will wait (for either a

303

successful checker run or a client receiving its secret)

304

until a client is disabled and not allowed to get the data

305

this server holds. By default Mandos will use 1 hour.

306

</para>

307

<para>

308

The <replaceable>TIME</replaceable> is specified as a

309

space-separated number of values, each of which is a

310

number and a one-character suffix. The suffix must be one

311

of <quote>d</quote>, <quote>s</quote>, <quote>m</quote>,

312

<quote>h</quote>, and <quote>w</quote> for days, seconds,

313

minutes, hours, and weeks, respectively. The values are

314

added together to give the total time value, so all of

315

<quote><literal>330s</literal></quote>,

316

<quote><literal>110s 110s 110s</literal></quote>, and

317

<quote><literal>5m 30s</literal></quote> will give a value

318

of five minutes and thirty seconds.

337

The timeout is how long the server will wait, after a

338

successful checker run, until a client is disabled and not

339

allowed to get the data this server holds. By default

340

Mandos will use 5 minutes. See also the

341

<option>extended_timeout</option> option.

342

</para>

343

<para>

344

The <replaceable>TIME</replaceable> is specified as an RFC

345

3339 duration; for example

346

<quote><literal>P1Y2M3DT4H5M6S</literal></quote> meaning

347

one year, two months, three days, four hours, five

348

minutes, and six seconds. Some values can be omitted, see

349

RFC 3339 Appendix A for details.

350

</para>

351

</listitem>

352

</varlistentry>

353

354

355

<term><option>enabled<literal> = </literal>{ <literal

356

>1</literal> | <literal>yes</literal> | <literal>true</literal

357

> | <literal >on</literal> | <literal>0</literal> | <literal

358

>no</literal> | <literal>false</literal> | <literal

359

>off</literal> }</option></term>

360

361

<para>

362

Whether this client should be enabled by default. The

363

default is <quote>true</quote>.

319

364

</para>

320

365

</listitem>

321

366

</varlistentry>

365

410

<quote><literal>approval_duration</literal></quote>,

366

411

<quote><literal>created</literal></quote>,

367

412

<quote><literal>enabled</literal></quote>,

413

<quote><literal>expires</literal></quote>,

368

414

<quote><literal>fingerprint</literal></quote>,

369

415

<quote><literal>host</literal></quote>,

370

416

<quote><literal>interval</literal></quote>,

420

466

421

467

422

468

[DEFAULT]

423

timeout = 1h

424

interval = 5m

469

timeout = PT5M

470

interval = PT2M

425

471

checker = fping -q -- %%(host)s

426

472

427

473

# Client "foo"

444

490

4T2zw4dxS5NswXWU0sVEXxjs6PYxuIiCTL7vdpx8QjBkrPWDrAbcMyBr2O

445

491

QlnHIvPzEArRQLo=

446

492

host = foo.example.org

447

interval = 1m

493

interval = PT1M

448

494

449

495

# Client "bar"

450

496

[bar]

451

497

fingerprint = 3e393aeaefb84c7e89e2f547b3a107558fca3a27

452

498

secfile = /etc/mandos/bar-secret

453

timeout = 15m

499

timeout = PT15M

454

500

approved_by_default = False

455

approval_delay = 30s

501

approval_delay = PT30S

456

502

</programlisting>

457

503

</informalexample>

458

504

</refsect1>

460

506

461

507

462

508

<para>

509

<citerefentry><refentrytitle>intro</refentrytitle>

510

<manvolnum>8mandos</manvolnum></citerefentry>,

463

511

<citerefentry><refentrytitle>mandos-keygen</refentrytitle>

464

512

<manvolnum>8</manvolnum></citerefentry>,

465

513

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

466

514

<manvolnum>5</manvolnum></citerefentry>,

467

515

<citerefentry><refentrytitle>mandos</refentrytitle>

516

<manvolnum>8</manvolnum></citerefentry>,

517

<citerefentry><refentrytitle>fping</refentrytitle>

468

518

469

519

</para>

520

521

522

<term>

523

RFC 3339: <citetitle>Date and Time on the Internet:

524

Timestamps</citetitle>

525

</term>

526

527

<para>

528

The time intervals are in the "duration" format, as

529

specified in ABNF in Appendix A of RFC 3339.

530

</para>

531

</listitem>

532

</varlistentry>

533

</variablelist>

470

534

</refsect1>

471

535

</refentry>

472

536

Older »