/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

  • Committer: Teddy Hogeborn
  • Date: 2014-06-22 02:19:30 UTC
  • Revision ID: teddy@recompile.se-20140622021930-icl7h4cm97blhjml
mandos-keygen: Generate "checker" option to use SSH fingerprints.

To turn this off, use a new "--no-ssh" option to mandos-keygen.

* INSTALL (Mandos Server, Mandos Client): Document new suggested
                                          installation of SSH.
* Makefile (confdir/clients.conf): Use new "--no-ssh" option to
                                   "mandos-keygen".
* debian/control (mandos/Depends): Changed to "fping | ssh-client".
  (mandos-client/Recommends): New; set to "ssh".
* intro.xml (FREQUENTLY ASKED QUESTIONS): Rename and rewrite section
                                          called "Faking ping
                                          replies?" to address new
                                          default behavior.
* mandos-clients.conf.xml (OPTIONS/checker): Briefly discuss new
                                             behavior of
                                             mandos-keygen.
* mandos-keygen: Bug fix: Suppress failure output of "shred" to remove
                 "sec*", since no such files may exist.
 (password mode): Scan for SSH key fingerprints and output as new
                  "checker" and "ssh_fingerprint" options, unless new
                  "--no-ssh" option is given.
* mandos-keygen.xml (SYNOPSIS/--force): Bug fix: Document short form.
  (OPTIONS/--no-ssh): New.
  (SEE ALSO): Add reference "ssh-keyscan(1)".
* plugins.d/mandos-client.xml (SECURITY): Briefly mention the
                                          possibility of using SSH key
                                          fingerprints for checking.

Show diffs side-by-side

added added

removed removed

Lines of Context:
plugins.d/mandos-client.xml
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos-client">
5
 
<!ENTITY TIMESTAMP "2012-06-17">
 
5
<!ENTITY TIMESTAMP "2014-06-22">
6
6
<!ENTITY % common SYSTEM "../common.ent">
7
7
%common;
8
8
]>
34
34
      <year>2008</year>
35
35
      <year>2009</year>
36
36
      <year>2012</year>
 
37
      <year>2013</year>
 
38
      <year>2014</year>
37
39
      <holder>Teddy Hogeborn</holder>
38
40
      <holder>Björn Påhlsson</holder>
39
41
    </copyright>
218
220
            assumed to separate the address from the port number.
219
221
          </para>
220
222
          <para>
221
 
            This option is normally only useful for testing and
222
 
            debugging.
 
223
            Normally, Zeroconf would be used to locate Mandos servers,
 
224
            in which case this option would only be used when testing
 
225
            and debugging.
223
226
          </para>
224
227
        </listitem>
225
228
      </varlistentry>
258
261
          <para>
259
262
            <replaceable>NAME</replaceable> can be the string
260
263
            <quote><literal>none</literal></quote>; this will make
261
 
            <command>&COMMANDNAME;</command> not bring up
262
 
            <emphasis>any</emphasis> interfaces specified
263
 
            <emphasis>after</emphasis> this string.  This is not
264
 
            recommended, and only meant for advanced users.
 
264
            <command>&COMMANDNAME;</command> only bring up interfaces
 
265
            specified <emphasis>before</emphasis> this string.  This
 
266
            is not recommended, and only meant for advanced users.
265
267
          </para>
266
268
        </listitem>
267
269
      </varlistentry>
512
514
              It is not necessary to print any non-executable files
513
515
              already in the network hook directory, these will be
514
516
              copied implicitly if they otherwise satisfy the name
515
 
              requirement.
 
517
              requirements.
516
518
            </para>
517
519
          </listitem>
518
520
        </varlistentry>
666
668
    </para>
667
669
    <informalexample>
668
670
      <para>
669
 
        Normal invocation needs no options, if the network interface
 
671
        Normal invocation needs no options, if the network interfaces
670
672
        can be automatically determined:
671
673
      </para>
672
674
      <para>
675
677
    </informalexample>
676
678
    <informalexample>
677
679
      <para>
678
 
        Search for Mandos servers (and connect to them) using another
679
 
        interface:
 
680
        Search for Mandos servers (and connect to them) using one
 
681
        specific interface:
680
682
      </para>
681
683
      <para>
682
684
        <!-- do not wrap this line -->
746
748
    <para>
747
749
      It will also help if the checker program on the server is
748
750
      configured to request something from the client which can not be
749
 
      spoofed by someone else on the network, unlike unencrypted
750
 
      <acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.
 
751
      spoofed by someone else on the network, like SSH server key
 
752
      fingerprints, and unlike unencrypted <acronym>ICMP</acronym>
 
753
      echo (<quote>ping</quote>) replies.
751
754
    </para>
752
755
    <para>
753
756
      <emphasis>Note</emphasis>: This makes it completely insecure to
846
849
              <para>
847
850
                This client uses IPv6 link-local addresses, which are
848
851
                immediately usable since a link-local addresses is
849
 
                automatically assigned to a network interfaces when it
 
852
                automatically assigned to a network interface when it
850
853
                is brought up.
851
854
              </para>
852
855
            </listitem>