/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

  • Committer: Teddy Hogeborn
  • Date: 2014-06-22 02:19:30 UTC
  • Revision ID: teddy@recompile.se-20140622021930-icl7h4cm97blhjml
mandos-keygen: Generate "checker" option to use SSH fingerprints.

To turn this off, use a new "--no-ssh" option to mandos-keygen.

* INSTALL (Mandos Server, Mandos Client): Document new suggested
                                          installation of SSH.
* Makefile (confdir/clients.conf): Use new "--no-ssh" option to
                                   "mandos-keygen".
* debian/control (mandos/Depends): Changed to "fping | ssh-client".
  (mandos-client/Recommends): New; set to "ssh".
* intro.xml (FREQUENTLY ASKED QUESTIONS): Rename and rewrite section
                                          called "Faking ping
                                          replies?" to address new
                                          default behavior.
* mandos-clients.conf.xml (OPTIONS/checker): Briefly discuss new
                                             behavior of
                                             mandos-keygen.
* mandos-keygen: Bug fix: Suppress failure output of "shred" to remove
                 "sec*", since no such files may exist.
 (password mode): Scan for SSH key fingerprints and output as new
                  "checker" and "ssh_fingerprint" options, unless new
                  "--no-ssh" option is given.
* mandos-keygen.xml (SYNOPSIS/--force): Bug fix: Document short form.
  (OPTIONS/--no-ssh): New.
  (SEE ALSO): Add reference "ssh-keyscan(1)".
* plugins.d/mandos-client.xml (SECURITY): Briefly mention the
                                          possibility of using SSH key
                                          fingerprints for checking.

Show diffs side-by-side

added added

removed removed

Lines of Context:
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos-client">
5
 
<!ENTITY TIMESTAMP "2013-10-20">
 
5
<!ENTITY TIMESTAMP "2014-06-22">
6
6
<!ENTITY % common SYSTEM "../common.ent">
7
7
%common;
8
8
]>
35
35
      <year>2009</year>
36
36
      <year>2012</year>
37
37
      <year>2013</year>
 
38
      <year>2014</year>
38
39
      <holder>Teddy Hogeborn</holder>
39
40
      <holder>Björn Påhlsson</holder>
40
41
    </copyright>
219
220
            assumed to separate the address from the port number.
220
221
          </para>
221
222
          <para>
222
 
            This option is normally only useful for testing and
223
 
            debugging.
 
223
            Normally, Zeroconf would be used to locate Mandos servers,
 
224
            in which case this option would only be used when testing
 
225
            and debugging.
224
226
          </para>
225
227
        </listitem>
226
228
      </varlistentry>
259
261
          <para>
260
262
            <replaceable>NAME</replaceable> can be the string
261
263
            <quote><literal>none</literal></quote>; this will make
262
 
            <command>&COMMANDNAME;</command> not bring up
263
 
            <emphasis>any</emphasis> interfaces specified
264
 
            <emphasis>after</emphasis> this string.  This is not
265
 
            recommended, and only meant for advanced users.
 
264
            <command>&COMMANDNAME;</command> only bring up interfaces
 
265
            specified <emphasis>before</emphasis> this string.  This
 
266
            is not recommended, and only meant for advanced users.
266
267
          </para>
267
268
        </listitem>
268
269
      </varlistentry>
747
748
    <para>
748
749
      It will also help if the checker program on the server is
749
750
      configured to request something from the client which can not be
750
 
      spoofed by someone else on the network, unlike unencrypted
751
 
      <acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.
 
751
      spoofed by someone else on the network, like SSH server key
 
752
      fingerprints, and unlike unencrypted <acronym>ICMP</acronym>
 
753
      echo (<quote>ping</quote>) replies.
752
754
    </para>
753
755
    <para>
754
756
      <emphasis>Note</emphasis>: This makes it completely insecure to