/mandos/trunk : revision 777

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.conf.xml

Committer: Teddy Hogeborn
Date: 2015-07-20 03:03:33 UTC
Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte

Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.

The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string.  This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:

SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256

* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
  (/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
                                      instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.conf.xml

<?xml version='1.0' encoding='UTF-8'?>

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY CONFNAME "mandos.conf">

<!ENTITY CONFPATH "<filename>/etc/mandos/mandos.conf</filename>">

<!ENTITY TIMESTAMP "2008-08-29">

<!ENTITY TIMESTAMP "2015-07-20">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&VERSION;</productnumber>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&CONFNAME;</refentrytitle>

Configuration file for the Mandos server

</refpurpose>

</refnamediv>

&CONFPATH;

</synopsis>

<synopsis>&CONFPATH;</synopsis>

</refsynopsisdiv>

<title>DESCRIPTION</title>

<para>

<quote>#</quote> or <quote>;</quote> are ignored and may be used

to provide comments.

</para>

</refsect1>

100

101

<title>OPTIONS</title>

102

103

104

105

<term><varname>interface</varname></term>

<term><option>interface<literal> = </literal><replaceable

>NAME</replaceable></option></term>

106

107

<synopsis><literal>interface = </literal><replaceable

108

>NAME</replaceable>

109

</synopsis>

110

<xi:include href="mandos-options.xml" xpointer="interface"/>

111

</listitem>

112

</varlistentry>

113

114

115

<term><varname>address</varname></term>

<term><option>address<literal> = </literal><replaceable

>ADDRESS</replaceable></option></term>

116

117

<synopsis><literal>address = </literal><replaceable

118

>ADDRESS</replaceable>

119

</synopsis>

120

<xi:include href="mandos-options.xml" xpointer="address"/>

121

</listitem>

122

</varlistentry>

123

100

124

101

125

102

<term><option>port<literal> = </literal><replaceable

103

>NUMBER</replaceable></option></term>

126

104

127

<synopsis><literal>port = </literal><replaceable

128

>NUMBER</replaceable>

129

</synopsis>

130

105

<xi:include href="mandos-options.xml" xpointer="port"/>

131

106

</listitem>

132

107

</varlistentry>

133

108

134

109

135

<term><varname>debug</varname></term>

136

137

<synopsis><literal>debug = </literal>{ <literal

110

<term><option>debug<literal> = </literal>{ <literal

138

111

>1</literal> | <literal>yes</literal> | <literal

139

112

>true</literal> | <literal>on</literal> | <literal

140

113

>0</literal> | <literal>no</literal> | <literal

141

>false</literal> | <literal>off</literal> }

142

</synopsis>

114

>false</literal> | <literal>off</literal> }</option></term>

115

143

116

<xi:include href="mandos-options.xml" xpointer="debug"/>

144

117

</listitem>

145

118

</varlistentry>

146

119

147

120

148

<term><varname>priority</varname></term>

121

<term><option>priority<literal> = </literal><replaceable

122

>STRING</replaceable></option></term>

149

123

150

<synopsis><literal>priority = </literal><replaceable

151

>STRING</replaceable>

152

</synopsis>

153

124

<xi:include href="mandos-options.xml" xpointer="priority"/>

154

125

</listitem>

155

126

</varlistentry>

156

127

157

128

158

<term><varname>servicename</varname></term>

129

<term><option>servicename<literal> = </literal

130

><replaceable>NAME</replaceable></option></term>

159

131

160

<synopsis><literal>servicename = </literal><replaceable

161

>NAME</replaceable>

162

</synopsis>

163

132

<xi:include href="mandos-options.xml"

164

133

xpointer="servicename"/>

165

134

</listitem>

166

135

</varlistentry>

167

136

137

138

<term><option>use_dbus<literal> = </literal>{ <literal

139

>1</literal> | <literal>yes</literal> | <literal

140

>true</literal> | <literal>on</literal> | <literal

141

>0</literal> | <literal>no</literal> | <literal

142

>false</literal> | <literal>off</literal> }</option></term>

143

144

<xi:include href="mandos-options.xml" xpointer="dbus"/>

145

</listitem>

146

</varlistentry>

147

148

149

<term><option>use_ipv6<literal> = </literal>{ <literal

150

>1</literal> | <literal>yes</literal> | <literal

151

>true</literal> | <literal>on</literal> | <literal

152

>0</literal> | <literal>no</literal> | <literal

153

>false</literal> | <literal>off</literal> }</option></term>

154

155

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

156

</listitem>

157

</varlistentry>

158

159

160

<term><option>restore<literal> = </literal>{ <literal

161

>1</literal> | <literal>yes</literal> | <literal

162

>true</literal> | <literal>on</literal> | <literal

163

>0</literal> | <literal>no</literal> | <literal

164

>false</literal> | <literal>off</literal> }</option></term>

165

166

<xi:include href="mandos-options.xml" xpointer="restore"/>

167

</listitem>

168

</varlistentry>

169

170

171

<term><option>statedir<literal> = </literal><replaceable

172

>DIRECTORY</replaceable></option></term>

173

174

<xi:include href="mandos-options.xml" xpointer="statedir"/>

175

</listitem>

176

</varlistentry>

177

178

179

<term><option>socket<literal> = </literal><replaceable

180

>NUMBER</replaceable></option></term>

181

182

<xi:include href="mandos-options.xml" xpointer="socket"/>

183

</listitem>

184

</varlistentry>

185

168

186

</variablelist>

169

187

</refsect1>

170

188

180

198

<para>

181

199

The <literal>[DEFAULT]</literal> is necessary because the Python

182

200

built-in module <systemitem class="library">ConfigParser</systemitem>

183

requres it.

201

requires it.

184

202

</para>

185

203

</refsect1>

186

204

202

220

[DEFAULT]

203

221

# A configuration example

204

222

interface = eth0

205

address = 2001:db8:f983:bd0b:30de:ae4a:71f2:f672

223

address = fe80::aede:48ff:fe71:f6f2

206

224

port = 1025

207

debug = true

208

priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP

225

debug = True

226

priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA

209

227

servicename = Daena

228

use_dbus = False

229

use_ipv6 = True

230

restore = True

231

statedir = /var/lib/mandos

210

232

</programlisting>

211

233

</informalexample>

212

234

</refsect1>

214

236

215

237

216

238

<para>

239

<citerefentry><refentrytitle>intro</refentrytitle>

240

<manvolnum>8mandos</manvolnum></citerefentry>,

217

241

<citerefentry><refentrytitle>gnutls_priority_init</refentrytitle

218

242

><manvolnum>3</manvolnum></citerefentry>,

219

243

<citerefentry><refentrytitle>mandos</refentrytitle>

221

245

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

222

246

223

247

</para>

224

248

225

249

226

250

227

251

<term>

247

271

<para>

248

272

The clients use IPv6 link-local addresses, which are

249

273

immediately usable since a link-local addresses is

250

automatically assigned to a network interfaces when it

274

automatically assigned to a network interface when it

251

275

is brought up.

252

276

</para>

253

277

</listitem>

Older »