/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.conf.xml

  • Committer: Teddy Hogeborn
  • Date: 2015-07-20 03:03:33 UTC
  • Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte
Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.

The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string.  This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:

SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256

* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
  (/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
                                      instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.

Show diffs side-by-side

added added

removed removed

Lines of Context:
1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
 
<!ENTITY VERSION "1.0">
5
4
<!ENTITY CONFNAME "mandos.conf">
6
5
<!ENTITY CONFPATH "<filename>/etc/mandos/mandos.conf</filename>">
7
 
<!ENTITY TIMESTAMP "2008-08-31">
 
6
<!ENTITY TIMESTAMP "2015-07-20">
 
7
<!ENTITY % common SYSTEM "common.ent">
 
8
%common;
8
9
]>
9
10
 
10
11
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
12
13
    <title>Mandos Manual</title>
13
14
    <!-- NWalsh’s docbook scripts use this to generate the footer: -->
14
15
    <productname>Mandos</productname>
15
 
    <productnumber>&VERSION;</productnumber>
 
16
    <productnumber>&version;</productnumber>
16
17
    <date>&TIMESTAMP;</date>
17
18
    <authorgroup>
18
19
      <author>
19
20
        <firstname>Björn</firstname>
20
21
        <surname>Påhlsson</surname>
21
22
        <address>
22
 
          <email>belorn@fukt.bsnet.se</email>
 
23
          <email>belorn@recompile.se</email>
23
24
        </address>
24
25
      </author>
25
26
      <author>
26
27
        <firstname>Teddy</firstname>
27
28
        <surname>Hogeborn</surname>
28
29
        <address>
29
 
          <email>teddy@fukt.bsnet.se</email>
 
30
          <email>teddy@recompile.se</email>
30
31
        </address>
31
32
      </author>
32
33
    </authorgroup>
33
34
    <copyright>
34
35
      <year>2008</year>
 
36
      <year>2009</year>
 
37
      <year>2011</year>
 
38
      <year>2012</year>
 
39
      <year>2013</year>
35
40
      <holder>Teddy Hogeborn</holder>
36
41
      <holder>Björn Påhlsson</holder>
37
42
    </copyright>
38
43
    <xi:include href="legalnotice.xml"/>
39
44
  </refentryinfo>
40
 
 
 
45
  
41
46
  <refmeta>
42
47
    <refentrytitle>&CONFNAME;</refentrytitle>
43
48
    <manvolnum>5</manvolnum>
49
54
      Configuration file for the Mandos server
50
55
    </refpurpose>
51
56
  </refnamediv>
52
 
 
 
57
  
53
58
  <refsynopsisdiv>
54
59
    <synopsis>&CONFPATH;</synopsis>
55
60
  </refsynopsisdiv>
56
 
 
 
61
  
57
62
  <refsect1 id="description">
58
63
    <title>DESCRIPTION</title>
59
64
    <para>
71
76
      <quote>#</quote> or <quote>;</quote> are ignored and may be used
72
77
      to provide comments.
73
78
    </para>
74
 
 
 
79
    
75
80
  </refsect1>
76
81
  <refsect1>
77
82
    <title>OPTIONS</title>
84
89
          <xi:include href="mandos-options.xml" xpointer="interface"/>
85
90
        </listitem>
86
91
      </varlistentry>
87
 
 
 
92
      
88
93
      <varlistentry>
89
94
        <term><option>address<literal> = </literal><replaceable
90
95
          >ADDRESS</replaceable></option></term>
92
97
          <xi:include href="mandos-options.xml" xpointer="address"/>
93
98
        </listitem>
94
99
      </varlistentry>
95
 
 
 
100
      
96
101
      <varlistentry>
97
102
        <term><option>port<literal> = </literal><replaceable
98
103
        >NUMBER</replaceable></option></term>
100
105
          <xi:include href="mandos-options.xml" xpointer="port"/>
101
106
        </listitem>
102
107
      </varlistentry>
103
 
 
 
108
      
104
109
      <varlistentry>
105
110
        <term><option>debug<literal> = </literal>{ <literal
106
111
          >1</literal> | <literal>yes</literal> | <literal
111
116
          <xi:include href="mandos-options.xml" xpointer="debug"/>
112
117
        </listitem>
113
118
      </varlistentry>
114
 
 
 
119
      
115
120
      <varlistentry>
116
121
        <term><option>priority<literal> = </literal><replaceable
117
122
        >STRING</replaceable></option></term>
119
124
          <xi:include href="mandos-options.xml" xpointer="priority"/>
120
125
        </listitem>
121
126
      </varlistentry>
122
 
 
 
127
      
123
128
      <varlistentry>
124
129
        <term><option>servicename<literal> = </literal
125
130
        ><replaceable>NAME</replaceable></option></term>
129
134
        </listitem>
130
135
      </varlistentry>
131
136
      
 
137
      <varlistentry>
 
138
        <term><option>use_dbus<literal> = </literal>{ <literal
 
139
          >1</literal> | <literal>yes</literal> | <literal
 
140
          >true</literal> | <literal>on</literal> | <literal
 
141
          >0</literal> | <literal>no</literal> | <literal
 
142
          >false</literal> | <literal>off</literal> }</option></term>
 
143
        <listitem>
 
144
          <xi:include href="mandos-options.xml" xpointer="dbus"/>
 
145
        </listitem>
 
146
      </varlistentry>
 
147
      
 
148
      <varlistentry>
 
149
        <term><option>use_ipv6<literal> = </literal>{ <literal
 
150
          >1</literal> | <literal>yes</literal> | <literal
 
151
          >true</literal> | <literal>on</literal> | <literal
 
152
          >0</literal> | <literal>no</literal> | <literal
 
153
          >false</literal> | <literal>off</literal> }</option></term>
 
154
        <listitem>
 
155
          <xi:include href="mandos-options.xml" xpointer="ipv6"/>
 
156
        </listitem>
 
157
      </varlistentry>
 
158
      
 
159
      <varlistentry>
 
160
        <term><option>restore<literal> = </literal>{ <literal
 
161
          >1</literal> | <literal>yes</literal> | <literal
 
162
          >true</literal> | <literal>on</literal> | <literal
 
163
          >0</literal> | <literal>no</literal> | <literal
 
164
          >false</literal> | <literal>off</literal> }</option></term>
 
165
        <listitem>
 
166
          <xi:include href="mandos-options.xml" xpointer="restore"/>
 
167
        </listitem>
 
168
      </varlistentry>
 
169
      
 
170
      <varlistentry>
 
171
        <term><option>statedir<literal> = </literal><replaceable
 
172
        >DIRECTORY</replaceable></option></term>
 
173
        <listitem>
 
174
          <xi:include href="mandos-options.xml" xpointer="statedir"/>
 
175
        </listitem>
 
176
      </varlistentry>
 
177
      
 
178
      <varlistentry>
 
179
        <term><option>socket<literal> = </literal><replaceable
 
180
        >NUMBER</replaceable></option></term>
 
181
        <listitem>
 
182
          <xi:include href="mandos-options.xml" xpointer="socket"/>
 
183
        </listitem>
 
184
      </varlistentry>
 
185
      
132
186
    </variablelist>
133
187
  </refsect1>
134
188
  
144
198
    <para>
145
199
      The <literal>[DEFAULT]</literal> is necessary because the Python
146
200
      built-in module <systemitem class="library">ConfigParser</systemitem>
147
 
      requres it.
 
201
      requires it.
148
202
    </para>
149
203
  </refsect1>
150
204
  
166
220
[DEFAULT]
167
221
# A configuration example
168
222
interface = eth0
169
 
address = 2001:db8:f983:bd0b:30de:ae4a:71f2:f672
 
223
address = fe80::aede:48ff:fe71:f6f2
170
224
port = 1025
171
 
debug = true
172
 
priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP
 
225
debug = True
 
226
priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA
173
227
servicename = Daena
 
228
use_dbus = False
 
229
use_ipv6 = True
 
230
restore = True
 
231
statedir = /var/lib/mandos
174
232
      </programlisting>
175
233
    </informalexample>
176
234
  </refsect1>
178
236
  <refsect1 id="see_also">
179
237
    <title>SEE ALSO</title>
180
238
    <para>
 
239
      <citerefentry><refentrytitle>intro</refentrytitle>
 
240
      <manvolnum>8mandos</manvolnum></citerefentry>,
181
241
      <citerefentry><refentrytitle>gnutls_priority_init</refentrytitle
182
242
      ><manvolnum>3</manvolnum></citerefentry>,
183
243
      <citerefentry><refentrytitle>mandos</refentrytitle>
185
245
      <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
186
246
      <manvolnum>5</manvolnum></citerefentry>
187
247
    </para>
188
 
 
 
248
    
189
249
    <variablelist>
190
250
      <varlistentry>
191
251
        <term>
211
271
              <para>
212
272
                The clients use IPv6 link-local addresses, which are
213
273
                immediately usable since a link-local addresses is
214
 
                automatically assigned to a network interfaces when it
 
274
                automatically assigned to a network interface when it
215
275
                is brought up.
216
276
              </para>
217
277
            </listitem>