/mandos/trunk : revision 89

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2008-08-18 23:55:28 UTC
Revision ID: teddy@fukt.bsnet.se-20080818235528-dn628nlbrtzl7z4f

* Makefile: Bug fix: fixed creation of man pages for section 5 pages.

* mandos (main): Changed from requiring "[server]" in mandos.conf(5)
                 to requiring "[DEFAULT]".

* mandos.conf ([server]): Renamed to "[DEFAULT]".

* mandos.conf.xml: Removed <?xml-stylesheet>.  New entity "&OVERVIEW;"
                   referring to "overview.xml".
  (DESCRIPTION): Updated to specify the syntax more precisely.  Use
                 <varname> around the option names.

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/watch

default-mandos

init.d-mandos

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.lsm

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2012-05-26">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY OVERVIEW SYSTEM "overview.xml">

<title>Mandos Manual</title>

<title>&COMMANDNAME;</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<productname>&COMMANDNAME;</productname>

<productnumber>&VERSION;</productnumber>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Gives encrypted passwords to authenticated Mandos clients

Sends encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

</group>

<sbr/>

<group>

<arg choice="plain"><option>--address

<replaceable>ADDRESS</replaceable></option></arg>

<arg choice="plain"><option>-a

<replaceable>ADDRESS</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--port

<arg choice="plain"><option>-p

</group>

<sbr/>

<arg><option>--priority

<replaceable>PRIORITY</replaceable></option></arg>

<sbr/>

<arg><option>--servicename

<sbr/>

<arg><option>--configdir

<replaceable>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--debug</option></arg>

<sbr/>

<arg><option>--debuglevel

<replaceable>LEVEL</replaceable></option></arg>

<sbr/>

<sbr/>

<sbr/>

<arg><option>--no-restore</option></arg>

100

<sbr/>

101

<arg><option>--statedir

102

<replaceable>DIRECTORY</replaceable></option></arg>

103

<sbr/>

104

<arg><option>--socket

105

<arg>--interface<arg choice="plain">IF</arg></arg>

<arg>--address<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg>-a<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

106

</cmdsynopsis>

107

108

<command>&COMMANDNAME;</command>

109

110

111

112

</group>

113

100

</cmdsynopsis>

114

101

115

102

<command>&COMMANDNAME;</command>

116

<arg choice="plain"><option>--version</option></arg>

103

<arg choice="plain">--version</arg>

117

104

</cmdsynopsis>

118

105

119

106

<command>&COMMANDNAME;</command>

120

<arg choice="plain"><option>--check</option></arg>

107

<arg choice="plain">--check</arg>

121

108

</cmdsynopsis>

122

109

</refsynopsisdiv>

123

110

124

111

125

112

<title>DESCRIPTION</title>

126

113

<para>

127

114

<command>&COMMANDNAME;</command> is a server daemon which

128

115

handles incoming request for passwords for a pre-defined list of

129

client host computers. For an introduction, see

130

<citerefentry><refentrytitle>intro</refentrytitle>

131

<manvolnum>8mandos</manvolnum></citerefentry>. The Mandos server

132

uses Zeroconf to announce itself on the local network, and uses

133

TLS to communicate securely with and to authenticate the

134

clients. The Mandos server uses IPv6 to allow Mandos clients to

135

use IPv6 link-local addresses, since the clients will probably

136

not have any other addresses configured (see <xref

137

linkend="overview"/>). Any authenticated client is then given

138

the stored pre-encrypted password for that specific client.

116

client host computers. The Mandos server uses Zeroconf to

117

announce itself on the local network, and uses TLS to

118

communicate securely with and to authenticate the clients. The

119

Mandos server uses IPv6 to allow Mandos clients to use IPv6

120

link-local addresses, since the clients will probably not have

121

any other addresses configured (see <xref linkend="overview"/>).

122

Any authenticated client is then given the stored pre-encrypted

123

password for that specific client.

139

124

</para>

125

140

126

</refsect1>

141

127

142

128

143

129

<title>PURPOSE</title>

130

144

131

<para>

145

132

The purpose of this is to enable <emphasis>remote and unattended

146

133

rebooting</emphasis> of client host computer with an

147

134

<emphasis>encrypted root file system</emphasis>. See <xref

148

135

linkend="overview"/> for details.

149

136

</para>

137

150

138

</refsect1>

151

139

152

140

153

141

<title>OPTIONS</title>

142

154

143

155

144

156

157

145

158

146

159

147

<para>

160

148

Show a help message and exit

161

149

</para>

162

150

</listitem>

163

151

</varlistentry>

164

165

166

<term><option>--interface</option>

167

168

169

170

171

<xi:include href="mandos-options.xml" xpointer="interface"/>

172

</listitem>

173

</varlistentry>

174

175

176

<term><option>--address

177

<replaceable>ADDRESS</replaceable></option></term>

178

<term><option>-a

179

<replaceable>ADDRESS</replaceable></option></term>

180

181

<xi:include href="mandos-options.xml" xpointer="address"/>

182

</listitem>

183

</varlistentry>

184

185

186

<term><option>--port

187

188

<term><option>-p

189

190

191

<xi:include href="mandos-options.xml" xpointer="port"/>

192

</listitem>

193

</varlistentry>

194

195

196

<term><option>--check</option></term>

152

153

154

<term><literal>-i</literal>, <literal>--interface <replaceable>

155

IF</replaceable></literal></term>

156

157

<para>

158

Only announce the server and listen to requests on network

159

interface <replaceable>IF</replaceable>. Default is to

160

use all available interfaces. <emphasis>Note:</emphasis>

161

a failure to bind to the specified interface is not

162

considered critical, and the server does not exit.

163

</para>

164

</listitem>

165

</varlistentry>

166

167

168

<term><literal>-a</literal>, <literal>--address <replaceable>

169

ADDRESS</replaceable></literal></term>

170

171

<para>

172

If this option is used, the server will only listen to a

173

specific address. This must currently be an IPv6 address;

174

an IPv4 address can be specified using the

175

<quote><literal>::FFFF:192.0.2.3</literal></quote> syntax.

176

Also, if a link-local address is specified, an interface

177

should be set, since a link-local address is only valid on

178

a single interface. By default, the server will listen to

179

all available addresses.

180

</para>

181

</listitem>

182

</varlistentry>

183

184

185

186

PORT</replaceable></literal></term>

187

188

<para>

189

If this option is used, the server to bind to that

190

port. By default, the server will listen to an arbitrary

191

port given by the operating system.

192

</para>

193

</listitem>

194

</varlistentry>

195

196

197

<term><literal>--check</literal></term>

197

198

198

199

<para>

199

200

Run the server’s self-tests. This includes any unit

201

202

</para>

202

203

</listitem>

203

204

</varlistentry>

204

205

206

<term><option>--debug</option></term>

207

208

<xi:include href="mandos-options.xml" xpointer="debug"/>

209

</listitem>

210

</varlistentry>

211

212

213

<term><option>--debuglevel

214

<replaceable>LEVEL</replaceable></option></term>

215

216

<para>

217

Set the debugging log level.

218

<replaceable>LEVEL</replaceable> is a string, one of

219

<quote><literal>CRITICAL</literal></quote>,

220

<quote><literal>ERROR</literal></quote>,

221

<quote><literal>WARNING</literal></quote>,

222

<quote><literal>INFO</literal></quote>, or

223

<quote><literal>DEBUG</literal></quote>, in order of

224

increasing verbosity. The default level is

225

<quote><literal>WARNING</literal></quote>.

226

</para>

227

</listitem>

228

</varlistentry>

229

230

231

<term><option>--priority <replaceable>

232

PRIORITY</replaceable></option></term>

233

234

<xi:include href="mandos-options.xml" xpointer="priority"/>

235

</listitem>

236

</varlistentry>

237

238

239

<term><option>--servicename

240

241

242

<xi:include href="mandos-options.xml"

243

xpointer="servicename"/>

244

</listitem>

245

</varlistentry>

246

247

248

<term><option>--configdir

249

<replaceable>DIRECTORY</replaceable></option></term>

205

206

207

<term><literal>--debug</literal></term>

208

209

<para>

210

If the server is run in debug mode, it will run in the

211

foreground and print a lot of debugging information. The

212

default is <emphasis>not</emphasis> to run in debug mode.

213

</para>

214

</listitem>

215

</varlistentry>

216

217

218

<term><literal>--priority <replaceable>

219

PRIORITY</replaceable></literal></term>

220

221

<para>

222

GnuTLS priority string for the TLS handshake with the

223

clients. The default is

224

<quote><literal>SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP</literal></quote>.

225

See <citerefentry><refentrytitle>gnutls_priority_init

226

</refentrytitle><manvolnum>3</manvolnum></citerefentry>

227

for the syntax. <emphasis>Warning</emphasis>: changing

228

this may make the TLS handshake fail, making communication

229

with clients impossible.

230

</para>

231

</listitem>

232

</varlistentry>

233

234

235

<term><literal>--servicename <replaceable>NAME</replaceable>

236

</literal></term>

237

238

<para>

239

Zeroconf service name. The default is

240

<quote><literal>Mandos</literal></quote>. This only needs

241

to be changed this if it, for some reason, is necessary to

242

run more than one server on the same

243

<emphasis>host</emphasis>, which would not normally be

244

useful. If there are name collisions on the same

245

<emphasis>network</emphasis>, the newer server will

246

automatically rename itself to <quote><literal>Mandos

247

#2</literal></quote>, and so on; therefore, this option is

248

not needed in that case.

249

</para>

250

</listitem>

251

</varlistentry>

252

253

254

<term><literal>--configdir <replaceable>DIR</replaceable>

255

</literal></term>

250

256

251

257

<para>

252

258

Directory to search for configuration files. Default is

258

264

</para>

259

265

</listitem>

260

266

</varlistentry>

261

267

262

268

263

<term><option>--version</option></term>

269

<term><literal>--version</literal></term>

264

270

265

271

<para>

266

272

Prints the program version and exit.

267

273

</para>

268

274

</listitem>

269

275

</varlistentry>

270

271

272

273

274

<xi:include href="mandos-options.xml" xpointer="dbus"/>

275

<para>

276

See also <xref linkend="dbus_interface"/>.

277

</para>

278

</listitem>

279

</varlistentry>

280

281

282

283

284

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

285

</listitem>

286

</varlistentry>

287

288

289

<term><option>--no-restore</option></term>

290

291

<xi:include href="mandos-options.xml" xpointer="restore"/>

292

<para>

293

See also <xref linkend="persistent_state"/>.

294

</para>

295

</listitem>

296

</varlistentry>

297

298

299

<term><option>--statedir

300

<replaceable>DIRECTORY</replaceable></option></term>

301

302

<xi:include href="mandos-options.xml" xpointer="statedir"/>

303

</listitem>

304

</varlistentry>

305

306

307

<term><option>--socket

308

309

310

<xi:include href="mandos-options.xml" xpointer="socket"/>

311

</listitem>

312

</varlistentry>

313

314

276

</variablelist>

315

277

</refsect1>

316

278

317

279

318

280

<title>OVERVIEW</title>

319

<xi:include href="overview.xml"/>

281

&OVERVIEW;

320

282

<para>

321

283

This program is the server part. It is a normal server program

322

284

and will run in a normal system environment, not in an initial

323

<acronym>RAM</acronym> disk environment.

285

RAM disk environment.

324

286

</para>

325

287

</refsect1>

326

288

327

289

328

290

<title>NETWORK PROTOCOL</title>

329

291

<para>

355

317

356

318

</row>

357

319

<row>

358

320

359

321

360

322

</row>

361

323

<row>

381

343

</row>

382

344

</tbody></tgroup></table>

383

345

</refsect1>

384

346

385

347

386

348

<title>CHECKING</title>

387

349

<para>

388

350

The server will, by default, continually check that the clients

389

351

are still up. If a client has not been confirmed as being up

390

352

for some time, the client is assumed to be compromised and is no

391

longer eligible to receive the encrypted password. (Manual

392

intervention is required to re-enable a client.) The timeout,

393

extended timeout, checker program, and interval between checks

394

can be configured both globally and per client; see

395

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

353

longer eligible to receive the encrypted password. The timeout,

354

checker program, and interval between checks can be configured

355

both globally and per client; see <citerefentry>

356

<refentrytitle>mandos.conf</refentrytitle>

357

358

<refentrytitle>mandos-clients.conf</refentrytitle>

396

359

<manvolnum>5</manvolnum></citerefentry>.

397

360

</para>

398

361

</refsect1>

399

400

401

<title>APPROVAL</title>

402

<para>

403

The server can be configured to require manual approval for a

404

client before it is sent its secret. The delay to wait for such

405

approval and the default action (approve or deny) can be

406

configured both globally and per client; see <citerefentry>

407

<refentrytitle>mandos-clients.conf</refentrytitle>

408

<manvolnum>5</manvolnum></citerefentry>. By default all clients

409

will be approved immediately without delay.

410

</para>

411

<para>

412

This can be used to deny a client its secret if not manually

413

approved within a specified time. It can also be used to make

414

the server delay before giving a client its secret, allowing

415

optional manual denying of this specific client.

416

</para>

417

418

</refsect1>

419

362

420

363

421

364

<title>LOGGING</title>

422

365

<para>

423

The server will send log message with various severity levels to

424

<filename class="devicefile">/dev/log</filename>. With the

366

The server will send log messaged with various severity levels

367

to <filename>/dev/log</filename>. With the

425

368

<option>--debug</option> option, it will log even more messages,

426

369

and also show them on the console.

427

370

</para>

428

371

</refsect1>

429

430

431

<title>PERSISTENT STATE</title>

432

<para>

433

Client settings, initially read from

434

<filename>clients.conf</filename>, are persistent across

435

restarts, and run-time changes will override settings in

436

<filename>clients.conf</filename>. However, if a setting is

437

<emphasis>changed</emphasis> (or a client added, or removed) in

438

<filename>clients.conf</filename>, this will take precedence.

439

</para>

440

</refsect1>

441

442

443

<title>D-BUS INTERFACE</title>

444

<para>

445

The server will by default provide a D-Bus system bus interface.

446

This interface will only be accessible by the root user or a

447

Mandos-specific user, if such a user exists. For documentation

448

of the D-Bus API, see the file <filename>DBUS-API</filename>.

449

</para>

450

</refsect1>

451

372

452

373

453

374

<title>EXIT STATUS</title>

454

375

<para>

456

377

critical error is encountered.

457

378

</para>

458

379

</refsect1>

459

380

460

381

461

382

<title>ENVIRONMENT</title>

462

383

463

384

464

385

465

386

466

387

<para>

467

388

To start the configured checker (see <xref

470

391

<varname>PATH</varname> to search for matching commands if

471

392

an absolute path is not given. See <citerefentry>

472

393

473

</citerefentry>.

394

</citerefentry>

474

395

</para>

475

396

</listitem>

476

397

</varlistentry>

477

398

</variablelist>

478

399

</refsect1>

479

480

400

401

481

402

<title>FILES</title>

482

403

<para>

483

404

Use the <option>--configdir</option> option to change where

506

427

</listitem>

507

428

</varlistentry>

508

429

509

<term><filename>/var/run/mandos.pid</filename></term>

510

511

<para>

512

The file containing the process id of the

513

<command>&COMMANDNAME;</command> process started last.

514

</para>

515

</listitem>

516

</varlistentry>

517

518

519

</varlistentry>

520

521

<term><filename

522

class="directory">/var/lib/mandos</filename></term>

523

524

<para>

525

Directory where persistent state will be saved. Change

526

this with the <option>--statedir</option> option. See

527

also the <option>--no-restore</option> option.

430

<term><filename>/var/run/mandos/mandos.pid</filename></term>

431

432

<para>

433

The file containing the process id of

434

<command>&COMMANDNAME;</command>.

528

435

</para>

529

436

</listitem>

530

437

</varlistentry>

558

465

backtrace. This could be considered a feature.

559

466

</para>

560

467

<para>

468

Currently, if a client is declared <quote>invalid</quote> due to

469

having timed out, the server does not record this fact onto

470

permanent storage. This has some security implications, see

471

<xref linkend="CLIENTS"/>.

472

</para>

473

<para>

474

There is currently no way of querying the server of the current

475

status of clients, other than analyzing its <systemitem

476

class="service">syslog</systemitem> output.

477

</para>

478

<para>

561

479

There is no fine-grained control over logging and debug output.

562

480

</para>

563

481

<para>

564

482

Debug mode is conflated with running in the foreground.

565

483

</para>

566

484

<para>

567

This server does not check the expire time of clients’ OpenPGP

568

keys.

485

The console log messages does not show a timestamp.

569

486

</para>

570

487

</refsect1>

571

488

576

493

Normal invocation needs no options:

577

494

</para>

578

495

<para>

579

<userinput>&COMMANDNAME;</userinput>

496

<userinput>mandos</userinput>

580

497

</para>

581

498

</informalexample>

582

499

583

500

<para>

584

501

Run the server in debug mode, read configuration files from

585

the <filename class="directory">~/mandos</filename> directory,

586

and use the Zeroconf service name <quote>Test</quote> to not

587

collide with any other official Mandos server on this host:

502

the <filename>~/mandos</filename> directory, and use the

503

Zeroconf service name <quote>Test</quote> to not collide with

504

any other official Mandos server on this host:

588

505

</para>

589

506

<para>

590

507

591

508

592

<userinput>&COMMANDNAME; --debug --configdir ~/mandos --servicename Test</userinput>

509

<userinput>mandos --debug --configdir ~/mandos --servicename Test</userinput>

593

510

594

511

</para>

595

512

</informalexample>

601

518

<para>

602

519

603

520

604

<userinput>&COMMANDNAME; --interface eth7 --address fe80::aede:48ff:fe71:f6f2</userinput>

521

<userinput>mandos --interface eth7 --address fe80::aede:48ff:fe71:f6f2</userinput>

605

522

606

523

</para>

607

524

</informalexample>

608

525

</refsect1>

609

526

610

527

611

528

<title>SECURITY</title>

612

529

613

530

<title>SERVER</title>

614

531

<para>

615

532

Running this <command>&COMMANDNAME;</command> server program

616

533

should not in itself present any security risk to the host

617

computer running it. The program switches to a non-root user

618

soon after startup.

534

computer running it. The program does not need any special

535

privileges to run, and is designed to run as a non-root user.

619

536

</para>

620

537

</refsect2>

621

538

622

539

<title>CLIENTS</title>

623

540

<para>

624

541

The server only gives out its stored data to clients which

631

548

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

632

549

<manvolnum>5</manvolnum></citerefentry>)

633

550

<emphasis>must</emphasis> be made non-readable by anyone

634

except the user starting the server (usually root).

551

except the user running the server.

635

552

</para>

636

553

<para>

637

554

As detailed in <xref linkend="checking"/>, the status of all

639

556

compromised if they are gone for too long.

640

557

</para>

641

558

<para>

559

If a client is compromised, its downtime should be duly noted

560

by the server which would therefore declare the client

561

invalid. But if the server was ever restarted, it would

562

re-read its client list from its configuration file and again

563

regard all clients therein as valid, and hence eligible to

564

receive their passwords. Therefore, be careful when

565

restarting servers if it is suspected that a client has, in

566

fact, been compromised by parties who may now be running a

567

fake Mandos client with the keys from the non-encrypted

568

initial RAM image of the client host. What should be done in

569

that case (if restarting the server program really is

570

necessary) is to stop the server program, edit the

571

configuration file to omit any suspect clients, and restart

572

the server program.

573

</para>

574

<para>

642

575

For more details on client-side security, see

643

<citerefentry><refentrytitle>mandos-client</refentrytitle>

576

<citerefentry><refentrytitle>password-request</refentrytitle>

644

577

<manvolnum>8mandos</manvolnum></citerefentry>.

645

578

</para>

646

579

</refsect2>

647

580

</refsect1>

648

581

649

582

650

583

651

<para>

652

<citerefentry><refentrytitle>intro</refentrytitle>

653

<manvolnum>8mandos</manvolnum></citerefentry>,

654

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

655

<manvolnum>5</manvolnum></citerefentry>,

656

<citerefentry><refentrytitle>mandos.conf</refentrytitle>

657

<manvolnum>5</manvolnum></citerefentry>,

658

<citerefentry><refentrytitle>mandos-client</refentrytitle>

659

<manvolnum>8mandos</manvolnum></citerefentry>,

660

661

662

</para>

663

584

664

585

665

586

<term>

587

588

<refentrytitle>password-request</refentrytitle>

589

<manvolnum>8mandos</manvolnum>

590

</citerefentry>

591

</term>

592

593

<para>

594

This is the actual program which talks to this server.

595

Note that it is normally not invoked directly, and is only

596

run in the initial RAM disk environment, and not on a

597

fully started system.

598

</para>

599

</listitem>

600

</varlistentry>

601

602

<term>

666

603

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

667

604

</term>

668

605

685

622

</varlistentry>

686

623

687

624

<term>

688

<ulink url="http://www.gnu.org/software/gnutls/"

689

>GnuTLS</ulink>

625

<ulink

626

url="http://www.gnu.org/software/gnutls/">GnuTLS</ulink>

690

627

</term>

691

628

692

629

<para>

698

635

</varlistentry>

699

636

700

637

<term>

701

RFC 4291: <citetitle>IP Version 6 Addressing

702

Architecture</citetitle>

638

<citation>RFC 4291: <citetitle>IP Version 6 Addressing

639

Architecture</citetitle>, section 2.5.6, Link-Local IPv6

640

Unicast Addresses</citation>

703

641

</term>

704

642

705

706

707

<term>Section 2.2: <citetitle>Text Representation of

708

Addresses</citetitle></term>

709

710

</varlistentry>

711

712

<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6

713

Address</citetitle></term>

714

715

</varlistentry>

716

717

<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast

718

Addresses</citetitle></term>

719

720

<para>

721

The clients use IPv6 link-local addresses, which are

722

immediately usable since a link-local addresses is

723

automatically assigned to a network interfaces when it

724

is brought up.

725

</para>

726

</listitem>

727

</varlistentry>

728

</variablelist>

643

<para>

644

The clients use IPv6 link-local addresses, which are

645

immediately usable since a link-local addresses is

646

automatically assigned to a network interfaces when it is

647

brought up.

648

</para>

729

649

</listitem>

730

650

</varlistentry>

731

651

732

652

<term>

733

RFC 4346: <citetitle>The Transport Layer Security (TLS)

734

Protocol Version 1.1</citetitle>

653

<citation>RFC 4346: <citetitle>The Transport Layer Security

654

(TLS) Protocol Version 1.1</citetitle></citation>

735

655

</term>

736

656

737

657

<para>

741

661

</varlistentry>

742

662

743

663

<term>

744

RFC 4880: <citetitle>OpenPGP Message Format</citetitle>

664

<citation>RFC 4880: <citetitle>OpenPGP Message

665

Format</citetitle></citation>

745

666

</term>

746

667

747

668

<para>

751

672

</varlistentry>

752

673

753

674

<term>

754

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

755

Security</citetitle>

675

<citation>RFC 5081: <citetitle>Using OpenPGP Keys for

676

Transport Layer Security</citetitle></citation>

756

677

</term>

757

678

758

679

<para>

764

685

</variablelist>

765

686

</refsect1>

766

687

</refentry>

767

768

769

770

771

Older »