/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.service

  • Committer: Teddy Hogeborn
  • Date: 2014-06-22 02:19:30 UTC
  • Revision ID: teddy@recompile.se-20140622021930-icl7h4cm97blhjml
mandos-keygen: Generate "checker" option to use SSH fingerprints.

To turn this off, use a new "--no-ssh" option to mandos-keygen.

* INSTALL (Mandos Server, Mandos Client): Document new suggested
                                          installation of SSH.
* Makefile (confdir/clients.conf): Use new "--no-ssh" option to
                                   "mandos-keygen".
* debian/control (mandos/Depends): Changed to "fping | ssh-client".
  (mandos-client/Recommends): New; set to "ssh".
* intro.xml (FREQUENTLY ASKED QUESTIONS): Rename and rewrite section
                                          called "Faking ping
                                          replies?" to address new
                                          default behavior.
* mandos-clients.conf.xml (OPTIONS/checker): Briefly discuss new
                                             behavior of
                                             mandos-keygen.
* mandos-keygen: Bug fix: Suppress failure output of "shred" to remove
                 "sec*", since no such files may exist.
 (password mode): Scan for SSH key fingerprints and output as new
                  "checker" and "ssh_fingerprint" options, unless new
                  "--no-ssh" option is given.
* mandos-keygen.xml (SYNOPSIS/--force): Bug fix: Document short form.
  (OPTIONS/--no-ssh): New.
  (SEE ALSO): Add reference "ssh-keyscan(1)".
* plugins.d/mandos-client.xml (SECURITY): Briefly mention the
                                          possibility of using SSH key
                                          fingerprints for checking.

Show diffs side-by-side

added added

removed removed

Lines of Context:
mandos.service
1
1
[Unit]
2
2
Description=Server of encrypted passwords to Mandos clients
3
 
Documentation=man:intro(8mandos) man:mandos(8)
4
 
## If the server is configured to listen to a specific IP or network
5
 
## interface, it may be necessary to change "network.target" to
6
 
## "network-online.target".
7
 
After=network.target
8
 
## If the server is configured to not use ZeroConf, these two lines
9
 
## become unnecessary and should be removed or commented out.
10
 
After=avahi-daemon.service
11
 
Requisite=avahi-daemon.service
12
3
 
13
4
[Service]
14
 
## If the server's D-Bus interface is disabled, the "BusName" setting
15
 
## should be removed or commented out.
 
5
Type=simple
 
6
## Type=dbus is not appropriate, because Mandos also needs to announce
 
7
## its ZeroConf service and be reachable on the network.
 
8
#Type=dbus
16
9
BusName=se.recompile.Mandos
17
 
EnvironmentFile=/etc/default/mandos
18
 
ExecStart=/usr/sbin/mandos --foreground $DAEMON_ARGS
 
10
# If you add --no-dbus, also comment out BusName above, and vice versa
 
11
ExecStart=/usr/sbin/mandos --foreground
19
12
Restart=always
20
 
KillMode=mixed
21
 
## Using socket activation won't work, because systemd always does
22
 
## bind() on the socket, and also won't announce the ZeroConf service.
 
13
KillMode=process
 
14
## Using socket activation won't work either, because systemd always
 
15
## does bind() on the socket, and also won't announce the ZeroConf
 
16
## service.
23
17
#ExecStart=/usr/sbin/mandos --foreground --socket=0
24
18
#StandardInput=socket
25
 
# Restrict what the Mandos daemon can do.  Note that this also affects
26
 
# "checker" programs!
27
 
PrivateTmp=yes
28
 
PrivateDevices=yes
29
 
ProtectSystem=full
30
 
ProtectHome=yes
31
 
CapabilityBoundingSet=CAP_KILL CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_NET_RAW
32
 
ProtectKernelTunables=yes
33
 
ProtectControlGroups=yes
34
19
 
35
20
[Install]
36
21
WantedBy=multi-user.target