
Viewing changes to mandos.xml

  • Committer: Teddy Hogeborn
  • Date: 2008-08-18 23:55:28 UTC
  • Revision ID: teddy@fukt.bsnet.se-20080818235528-dn628nlbrtzl7z4f
* Makefile: Bug fix: fixed creation of man pages for section 5 pages.

* mandos (main): Changed from requiring "[server]" in mandos.conf(5)
                 to requiring "[DEFAULT]".

* mandos.conf ([server]): Renamed to "[DEFAULT]".

* mandos.conf.xml: Removed <?xml-stylesheet>.  New entity "&OVERVIEW;"
                   referring to "overview.xml".
  (DESCRIPTION): Updated to specify the syntax more precisely.  Use
                 <varname> around the option names.

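--- a/mandos.xml
+++ b/mandos.xml
@@ -3,16 +3,15 @@
 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
 <!ENTITY VERSION "1.0">
 <!ENTITY COMMANDNAME "mandos">
-<!ENTITY TIMESTAMP "2008-08-29">
+<!ENTITY OVERVIEW SYSTEM "overview.xml">
 ]>
 
-<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
+<refentry>
   <refentryinfo>
-    <title>Mandos Manual</title>
+    <title>&COMMANDNAME;</title>
     <!-- NWalsh’s docbook scripts use this to generate the footer: -->
-    <productname>Mandos</productname>
+    <productname>&COMMANDNAME;</productname>
     <productnumber>&VERSION;</productnumber>
-    <date>&TIMESTAMP;</date>
     <authorgroup>
       <author>
         <firstname>Björn</firstname>
@@ -74,7 +73,7 @@
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>&COMMANDNAME;</command>
-      <arg>--interface<arg choice="plain">NAME</arg></arg>
+      <arg>--interface<arg choice="plain">IF</arg></arg>
       <arg>--address<arg choice="plain">ADDRESS</arg></arg>
       <arg>--port<arg choice="plain">PORT</arg></arg>
       <arg>--priority<arg choice="plain">PRIORITY</arg></arg>
@@ -84,7 +83,7 @@
     </cmdsynopsis>
     <cmdsynopsis>
       <command>&COMMANDNAME;</command>
-      <arg>-i<arg choice="plain">NAME</arg></arg>
+      <arg>-i<arg choice="plain">IF</arg></arg>
       <arg>-a<arg choice="plain">ADDRESS</arg></arg>
       <arg>-p<arg choice="plain">PORT</arg></arg>
       <arg>--priority<arg choice="plain">PRIORITY</arg></arg>
@@ -143,8 +142,7 @@
 
     <variablelist>
       <varlistentry>
-        <term><option>-h</option></term>
-        <term><option>--help</option></term>
+        <term><literal>-h</literal>, <literal>--help</literal></term>
         <listitem>
           <para>
             Show a help message and exit
@@ -153,12 +151,16 @@
       </varlistentry>
 
       <varlistentry>
-        <term><option>-i</option>
-        <replaceable>NAME</replaceable></term>
-        <term><option>--interface</option>
-        <replaceable>NAME</replaceable></term>
+        <term><literal>-i</literal>, <literal>--interface <replaceable>
+        IF</replaceable></literal></term>
         <listitem>
-          <xi:include href="mandos-options.xml" xpointer="interface"/>
+          <para>
+            Only announce the server and listen to requests on network
+            interface <replaceable>IF</replaceable>.  Default is to
+            use all available interfaces.  <emphasis>Note:</emphasis>
+            a failure to bind to the specified interface is not
+            considered critical, and the server does not exit.
+          </para>
         </listitem>
       </varlistentry>
 
@@ -166,7 +168,16 @@
         <term><literal>-a</literal>, <literal>--address <replaceable>
         ADDRESS</replaceable></literal></term>
         <listitem>
-          <xi:include href="mandos-options.xml" xpointer="address"/>
+          <para>
+            If this option is used, the server will only listen to a
+            specific address.  This must currently be an IPv6 address;
+            an IPv4 address can be specified using the
+            <quote><literal>::FFFF:192.0.2.3</literal></quote> syntax.
+            Also, if a link-local address is specified, an interface
+            should be set, since a link-local address is only valid on
+            a single interface.  By default, the server will listen to
+            all available addresses.
+          </para>
         </listitem>
       </varlistentry>
 
@@ -174,7 +185,11 @@
         <term><literal>-p</literal>, <literal>--port <replaceable>
         PORT</replaceable></literal></term>
         <listitem>
-          <xi:include href="mandos-options.xml" xpointer="port"/>
+          <para>
+            If this option is used, the server to bind to that
+            port. By default, the server will listen to an arbitrary
+            port given by the operating system.
+          </para>
         </listitem>
       </varlistentry>
 
@@ -191,7 +206,11 @@
       <varlistentry>
         <term><literal>--debug</literal></term>
         <listitem>
-          <xi:include href="mandos-options.xml" xpointer="debug"/>
+          <para>
+            If the server is run in debug mode, it will run in the
+            foreground and print a lot of debugging information.  The
+            default is <emphasis>not</emphasis> to run in debug mode.
+          </para>
         </listitem>
       </varlistentry>
 
@@ -199,7 +218,16 @@
         <term><literal>--priority <replaceable>
         PRIORITY</replaceable></literal></term>
         <listitem>
-          <xi:include href="mandos-options.xml" xpointer="priority"/>
+          <para>
+            GnuTLS priority string for the TLS handshake with the
+            clients.  The default is
+            <quote><literal>SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP</literal></quote>.
+            See <citerefentry><refentrytitle>gnutls_priority_init
+            </refentrytitle><manvolnum>3</manvolnum></citerefentry>
+            for the syntax.  <emphasis>Warning</emphasis>: changing
+            this may make the TLS handshake fail, making communication
+            with clients impossible.
+          </para>
         </listitem>
       </varlistentry>
 
@@ -207,8 +235,18 @@
         <term><literal>--servicename <replaceable>NAME</replaceable>
         </literal></term>
         <listitem>
-          <xi:include href="mandos-options.xml"
-                      xpointer="servicename"/>
+          <para>
+            Zeroconf service name.  The default is
+            <quote><literal>Mandos</literal></quote>.  This only needs
+            to be changed this if it, for some reason, is necessary to
+            run more than one server on the same
+            <emphasis>host</emphasis>, which would not normally be
+            useful.  If there are name collisions on the same
+            <emphasis>network</emphasis>, the newer server will
+            automatically rename itself to <quote><literal>Mandos
+            #2</literal></quote>, and so on; therefore, this option is
+            not needed in that case.
+          </para>
         </listitem>
       </varlistentry>
 
@@ -240,7 +278,7 @@
 
   <refsect1 id="overview">
     <title>OVERVIEW</title>
-    <xi:include href="overview.xml"/>
+    &OVERVIEW;
     <para>
       This program is the server part.  It is a normal server program
       and will run in a normal system environment, not in an initial
@@ -279,7 +317,7 @@
         <entry>-><!-- &rarr; --></entry>
       </row>
       <row>
-        <entry><quote><literal>1\r\n</literal></quote></entry>
+        <entry><quote><literal>1\r\en</literal></quote></entry>
         <entry>-><!-- &rarr; --></entry>
       </row>
       <row>
@@ -315,6 +353,8 @@
       longer eligible to receive the encrypted password.  The timeout,
       checker program, and interval between checks can be configured
       both globally and per client; see <citerefentry>
+      <refentrytitle>mandos.conf</refentrytitle>
+      <manvolnum>5</manvolnum></citerefentry> and <citerefentry>
       <refentrytitle>mandos-clients.conf</refentrytitle>
       <manvolnum>5</manvolnum></citerefentry>.
     </para>
@@ -323,8 +363,8 @@
   <refsect1 id="logging">
     <title>LOGGING</title>
     <para>
-      The server will send log message with various severity levels to
-      <filename>/dev/log</filename>.  With the
+      The server will send log messaged with various severity levels
+      to <filename>/dev/log</filename>.  With the
       <option>--debug</option> option, it will log even more messages,
       and also show them on the console.
     </para>
@@ -351,7 +391,7 @@
             <varname>PATH</varname> to search for matching commands if
             an absolute path is not given.  See <citerefentry>
             <refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
-            </citerefentry>.
+          </citerefentry>
           </para>
         </listitem>
       </varlistentry>
@@ -453,7 +493,7 @@
         Normal invocation needs no options:
       </para>
       <para>
-        <userinput>&COMMANDNAME;</userinput>
+        <userinput>mandos</userinput>
       </para>
     </informalexample>
     <informalexample>
@@ -466,7 +506,7 @@
       <para>
 
 <!-- do not wrap this line -->
-<userinput>&COMMANDNAME; --debug --configdir ~/mandos --servicename Test</userinput>
+<userinput>mandos --debug --configdir ~/mandos --servicename Test</userinput>
 
       </para>
     </informalexample>
@@ -478,7 +518,7 @@
       <para>
 
 <!-- do not wrap this line -->
-<userinput>&COMMANDNAME; --interface eth7 --address fe80::aede:48ff:fe71:f6f2</userinput>
+<userinput>mandos --interface eth7 --address fe80::aede:48ff:fe71:f6f2</userinput>
 
       </para>
     </informalexample>
@@ -541,20 +581,25 @@
 
   <refsect1 id="see_also">
     <title>SEE ALSO</title>
-    <para>
-      <citerefentry>
-        <refentrytitle>mandos-clients.conf</refentrytitle>
-        <manvolnum>5</manvolnum></citerefentry>, <citerefentry>
-        <refentrytitle>mandos.conf</refentrytitle>
-        <manvolnum>5</manvolnum></citerefentry>, <citerefentry>
-        <refentrytitle>password-request</refentrytitle>
-        <manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>
-        <refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
-      </citerefentry>
-    </para>
     <variablelist>
       <varlistentry>
         <term>
+          <citerefentry>
+            <refentrytitle>password-request</refentrytitle>
+            <manvolnum>8mandos</manvolnum>
+          </citerefentry>
+        </term>
+        <listitem>
+          <para>
+            This is the actual program which talks to this server.
+            Note that it is normally not invoked directly, and is only
+            run in the initial RAM disk environment, and not on a
+            fully started system.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
           <ulink url="http://www.zeroconf.org/">Zeroconf</ulink>
         </term>
         <listitem>
@@ -577,8 +622,8 @@
       </varlistentry>
       <varlistentry>
         <term>
-          <ulink url="http://www.gnu.org/software/gnutls/"
-          >GnuTLS</ulink>
+          <ulink
+              url="http://www.gnu.org/software/gnutls/">GnuTLS</ulink>
         </term>
       <listitem>
         <para>
@@ -590,40 +635,23 @@
       </varlistentry>
       <varlistentry>
         <term>
-          RFC 4291: <citetitle>IP Version 6 Addressing
-          Architecture</citetitle>
+          <citation>RFC 4291: <citetitle>IP Version 6 Addressing
+          Architecture</citetitle>, section 2.5.6, Link-Local IPv6
+          Unicast Addresses</citation>
         </term>
         <listitem>
-          <variablelist>
-            <varlistentry>
-              <term>Section 2.2: <citetitle>Text Representation of
-              Addresses</citetitle></term>
-              <listitem><para/></listitem>
-            </varlistentry>
-            <varlistentry>
-              <term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6
-              Address</citetitle></term>
-              <listitem><para/></listitem>
-            </varlistentry>
-            <varlistentry>
-            <term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast
-            Addresses</citetitle></term>
-            <listitem>
-              <para>
-                The clients use IPv6 link-local addresses, which are
-                immediately usable since a link-local addresses is
-                automatically assigned to a network interfaces when it
-                is brought up.
-              </para>
-            </listitem>
-            </varlistentry>
-          </variablelist>
+          <para>
+            The clients use IPv6 link-local addresses, which are
+            immediately usable since a link-local addresses is
+            automatically assigned to a network interfaces when it is
+            brought up.
+          </para>
         </listitem>
       </varlistentry>
       <varlistentry>
         <term>
-          RFC 4346: <citetitle>The Transport Layer Security (TLS)
-          Protocol Version 1.1</citetitle>
+          <citation>RFC 4346: <citetitle>The Transport Layer Security
+          (TLS) Protocol Version 1.1</citetitle></citation>
         </term>
       <listitem>
         <para>
@@ -633,7 +661,8 @@
       </varlistentry>
       <varlistentry>
         <term>
-          RFC 4880: <citetitle>OpenPGP Message Format</citetitle>
+          <citation>RFC 4880: <citetitle>OpenPGP Message
+          Format</citetitle></citation>
         </term>
       <listitem>
         <para>
@@ -643,8 +672,8 @@
       </varlistentry>
       <varlistentry>
         <term>
-          RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer
-          Security</citetitle>
+          <citation>RFC 5081: <citetitle>Using OpenPGP Keys for
+          Transport Layer Security</citetitle></citation>
         </term>
       <listitem>
         <para>
@@ -656,8 +685,3 @@
     </variablelist>
   </refsect1>
 </refentry>
-<!-- Local Variables: -->
-<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
-<!-- time-stamp-end: "[\"']>" -->
-<!-- time-stamp-format: "%:y-%02m-%02d" -->
-<!-- End: -->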