/mandos/trunk : revision 742

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-ctl.xml

Committer: Teddy Hogeborn
Date: 2015-03-10 18:03:38 UTC
Revision ID: teddy@recompile.se-20150310180338-pcxw6r2qmw9k6br9

Add ":!RSA" to GnuTLS priority string, to disallow non-DHE kx.

If Mandos was somehow made to use a non-ephemeral Diffie-Hellman key
exchange algorithm in the TLS handshake, any saved network traffic
could then be decrypted later if the Mandos client key was obtained.
By default, Mandos uses ephemeral DH key exchanges which does not have
this problem, but a non-ephemeral key exchange algorithm was still
enabled by default. The simplest solution is to simply turn that off,
which ensures that Mandos will always use ephemeral DH key exchanges.

There is a "PFS" priority string specifier, but we can't use it because:

1. Security-wise, it is a mix between "NORMAL" and "SECURE128" - it
enables a lot more algorithms than "SECURE256".

2. It is only available since GnuTLS 3.2.4.

Thanks to Andreas Fischer <af@bantuX.org> for reporting this issue.

files added:
debian/mandos-client.examples

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

initramfs-unpack

intro.xml

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugins.d/plymouth.xml

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

dbus-mandos.conf

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-ctl.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-ctl">

<!ENTITY TIMESTAMP "2010-09-21">

<!ENTITY TIMESTAMP "2012-06-22">

<!ENTITY % common SYSTEM "common.ent">

%common;

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--extended-timeout

100

101

</group>

102

<sbr/>

103

<group>

104

<arg choice="plain"><option>--interval

105

106

<arg choice="plain"><option>-i

107

108

</group>

109

<sbr/>

110

<group>

111

<arg choice="plain"><option>--approve-by-default</option

112

></arg>

113

<sbr/>

114

<arg choice="plain"><option>--deny-by-default</option></arg>

115

</group>

116

<sbr/>

117

<group>

118

<arg choice="plain"><option>--approval-delay

119

120

</group>

121

<sbr/>

122

<group>

123

<arg choice="plain"><option>--approval-duration

124

125

</group>

126

<sbr/>

127

<group>

128

<arg choice="plain"><option>--interval

129

130

<arg choice="plain"><option>-i

164

195

165

196

</group>

166

197

</cmdsynopsis>

198

199

<command>&COMMANDNAME;</command>

200

<arg choice="plain"><option>--check</option></arg>

201

</cmdsynopsis>

167

202

</refsynopsisdiv>

168

203

169

204

273

308

<para>

274

309

Set the <varname>checker</varname> option of the specified

275

310

client(s); see <citerefentry><refentrytitle

276

>mandos-client.conf</refentrytitle><manvolnum>5</manvolnum

277

></citerefentry>.

311

>mandos-clients.conf</refentrytitle><manvolnum

312

>5</manvolnum></citerefentry>.

278

313

</para>

279

314

</listitem>

280

315

</varlistentry>

288

323

<para>

289

324

Set the <varname>timeout</varname> option of the specified

290

325

client(s); see <citerefentry><refentrytitle

291

>mandos-client.conf</refentrytitle><manvolnum>5</manvolnum

292

></citerefentry>.

326

>mandos-clients.conf</refentrytitle><manvolnum

327

>5</manvolnum></citerefentry>.

328

</para>

329

</listitem>

330

</varlistentry>

331

332

333

<term><option>--extended-timeout

334

335

336

<para>

337

Set the <varname>extended_timeout</varname> option of the

338

specified client(s); see <citerefentry><refentrytitle

339

>mandos-clients.conf</refentrytitle><manvolnum

340

>5</manvolnum></citerefentry>.

293

341

</para>

294

342

</listitem>

295

343

</varlistentry>

301

349

302

350

303

351

<para>

304

Set the <varname>interval</varname> option of the specified

305

client(s); see <citerefentry><refentrytitle

306

>mandos-client.conf</refentrytitle><manvolnum>5</manvolnum

307

></citerefentry>.

352

Set the <varname>interval</varname> option of the

353

specified client(s); see <citerefentry><refentrytitle

354

>mandos-clients.conf</refentrytitle><manvolnum

355

>5</manvolnum></citerefentry>.

356

</para>

357

</listitem>

358

</varlistentry>

359

360

361

<term><option>--approve-by-default</option></term>

362

<term><option>--deny-by-default</option></term>

363

364

<para>

365

Set the <varname>approved_by_default</varname> option of

366

the specified client(s) to <literal>True</literal> or

367

<literal>False</literal>, respectively; see

368

<citerefentry><refentrytitle

369

>mandos-clients.conf</refentrytitle><manvolnum

370

>5</manvolnum></citerefentry>.

371

</para>

372

</listitem>

373

</varlistentry>

374

375

376

<term><option>--approval-delay

377

378

379

<para>

380

Set the <varname>approval_delay</varname> option of the

381

specified client(s); see <citerefentry><refentrytitle

382

>mandos-clients.conf</refentrytitle><manvolnum

383

>5</manvolnum></citerefentry>.

384

</para>

385

</listitem>

386

</varlistentry>

387

388

389

<term><option>--approval-duration

390

391

392

<para>

393

Set the <varname>approval_duration</varname> option of the

394

specified client(s); see <citerefentry><refentrytitle

395

>mandos-clients.conf</refentrytitle><manvolnum

396

>5</manvolnum></citerefentry>.

308

397

</para>

309

398

</listitem>

310

399

</varlistentry>

318

407

<para>

319

408

Set the <varname>host</varname> option of the specified

320

409

client(s); see <citerefentry><refentrytitle

321

>mandos-client.conf</refentrytitle><manvolnum>5</manvolnum

322

></citerefentry>.

410

>mandos-clients.conf</refentrytitle><manvolnum

411

>5</manvolnum></citerefentry>.

323

412

</para>

324

413

</listitem>

325

414

</varlistentry>

333

422

<para>

334

423

Set the <varname>secfile</varname> option of the specified

335

424

client(s); see <citerefentry><refentrytitle

336

>mandos-client.conf</refentrytitle><manvolnum>5</manvolnum

337

></citerefentry>.

425

>mandos-clients.conf</refentrytitle><manvolnum

426

>5</manvolnum></citerefentry>.

338

427

</para>

339

428

</listitem>

340

429

</varlistentry>

391

480

</listitem>

392

481

</varlistentry>

393

482

483

484

<term><option>--check</option></term>

485

486

<para>

487

Run self-tests. This includes any unit tests, etc.

488

</para>

489

</listitem>

490

</varlistentry>

491

394

492

</variablelist>

395

493

</refsect1>

396

494

422

520

<title>EXAMPLE</title>

423

521

424

522

<para>

425

List all clients with some of their settings:

523

To list all clients:

426

524

</para>

427

525

<para>

428

526

<userinput>&COMMANDNAME;</userinput>

429

527

</para>

430

528

</informalexample>

431

432

<para>

433

Show all settings for the clients named <quote>foo</quote> and

434

<quote>bar</quote>:

435

</para>

436

<para>

437

438

439

<userinput>&COMMANDNAME; --verbose foo bar</userinput>

440

529

530

531

<para>

532

To list <emphasis>all</emphasis> settings for the clients

533

named <quote>foo1.example.org</quote> and <quote

534

>foo2.example.org</quote>:

535

</para>

536

<para>

537

538

539

<userinput>&COMMANDNAME; --verbose foo1.example.org foo2.example.org</userinput>

540

541

</para>

542

</informalexample>

543

544

545

<para>

546

To enable all clients:

547

</para>

548

<para>

549

<userinput>&COMMANDNAME; --enable --all</userinput>

550

</para>

551

</informalexample>

552

553

554

<para>

555

To change timeout and interval value for the clients

556

named <quote>foo1.example.org</quote> and <quote

557

>foo2.example.org</quote>:

558

</para>

559

<para>

560

561

562

<userinput>&COMMANDNAME; --timeout="5m" --interval="1m" foo1.example.org foo2.example.org</userinput>

563

564

</para>

565

</informalexample>

566

567

568

<para>

569

To approve all clients currently waiting for it:

570

</para>

571

<para>

572

<userinput>&COMMANDNAME; --approve --all</userinput>

441

573

</para>

442

574

</informalexample>

443

575

</refsect1>

454

586

455

587

456

588

<para>

589

<citerefentry><refentrytitle>intro</refentrytitle>

590

<manvolnum>8mandos</manvolnum></citerefentry>,

457

591

<citerefentry><refentrytitle>mandos</refentrytitle>

458

592

<manvolnum>8</manvolnum></citerefentry>,

459

593

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

Older »