/mandos/trunk : revision 90

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2008-08-19 13:25:14 UTC
Revision ID: teddy@fukt.bsnet.se-20080819132514-wawrvgmfjovg9poj

* Makefile (DOCBOOKTOMAN): Added "--xinclude".

* mandos-options.xml: New file; moved mandos(8) option descriptions
                      here.

* mandos.conf.xml: Add XInclude namespace.
  (OPTIONS): New separate section with options from old "DESCRIPTION"
             section.  Changed all options to include a synopsis and
             include its paragraph from "mandos-options.xml".
  (FILES): Moved to before "EXAMPLES".
  (BUGS): New section.
  (EXAMPLES): Renamed to "EXAMPLE", as per man-pages(7).  Unindented
              example text.

* mandos.xml: Removed OVERVIEW entity.  Add XInclude namespace.
  (OPTIONS): Moved all descriptive paragraphs to "mandos-options.xml"
             and just <xi:include/> them from here.
  (OVERVIEW): Changed to do <xi:include/>.

* overview.xml: Added DOCTYPE; reportedly needed for XInclude to work.

Show diffs side-by-side

added added

removed removed

mandos.xml

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2008-09-01">

<title>Mandos Manual</title>

<title>&COMMANDNAME;</title>

<productname>Mandos</productname>

<productname>&COMMANDNAME;</productname>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

</refentryinfo>

<refname><command>&COMMANDNAME;</command></refname>

Gives encrypted passwords to authenticated Mandos clients

Sends encrypted passwords to authenticated Mandos clients

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

</group>

<sbr/>

<group>

<arg choice="plain"><option>--address

<replaceable>ADDRESS</replaceable></option></arg>

<arg choice="plain"><option>-a

<replaceable>ADDRESS</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--port

<arg choice="plain"><option>-p

</group>

<sbr/>

<arg><option>--priority

<replaceable>PRIORITY</replaceable></option></arg>

<sbr/>

<arg><option>--servicename

<sbr/>

<arg><option>--configdir

<replaceable>DIRECTORY</replaceable></option></arg>

<sbr/>

<arg><option>--debug</option></arg>

<arg>--interface<arg choice="plain">IF</arg></arg>

<arg>--address<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg>-a<arg choice="plain">ADDRESS</arg></arg>

<arg>--priority<arg choice="plain">PRIORITY</arg></arg>

<arg>--servicename<arg choice="plain">NAME</arg></arg>

<arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>

<arg>--debug</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

</group>

</cmdsynopsis>

100

101

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--version</option></arg>

102

<arg choice="plain">--version</arg>

103

</cmdsynopsis>

104

105

<command>&COMMANDNAME;</command>

100

<arg choice="plain"><option>--check</option></arg>

106

<arg choice="plain">--check</arg>

101

107

</cmdsynopsis>

102

108

</refsynopsisdiv>

103

109

127

133

<emphasis>encrypted root file system</emphasis>. See <xref

128

134

linkend="overview"/> for details.

129

135

</para>

130

136

131

137

</refsect1>

132

138

133

139

134

140

<title>OPTIONS</title>

135

141

136

142

137

143

138

139

144

140

145

141

146

<para>

142

147

Show a help message and exit

143

148

</para>

144

149

</listitem>

145

150

</varlistentry>

146

151

147

152

148

<term><option>--interface</option>

149

150

151

153

<term><literal>-i</literal>, <literal>--interface <replaceable>

154

IF</replaceable></literal></term>

152

155

153

156

<xi:include href="mandos-options.xml" xpointer="interface"/>

154

157

</listitem>

155

158

</varlistentry>

156

159

157

160

158

<term><option>--address

159

<replaceable>ADDRESS</replaceable></option></term>

160

<term><option>-a

161

<replaceable>ADDRESS</replaceable></option></term>

161

<term><literal>-a</literal>, <literal>--address <replaceable>

162

ADDRESS</replaceable></literal></term>

162

163

163

164

<xi:include href="mandos-options.xml" xpointer="address"/>

164

165

</listitem>

165

166

</varlistentry>

166

167

168

168

<term><option>--port

169

170

<term><option>-p

171

169

170

PORT</replaceable></literal></term>

172

171

173

172

<xi:include href="mandos-options.xml" xpointer="port"/>

174

173

</listitem>

175

174

</varlistentry>

176

175

177

176

178

<term><option>--check</option></term>

177

<term><literal>--check</literal></term>

179

178

180

179

<para>

181

180

Run the server’s self-tests. This includes any unit

183

182

</para>

184

183

</listitem>

185

184

</varlistentry>

186

185

187

186

188

<term><option>--debug</option></term>

187

<term><literal>--debug</literal></term>

189

188

190

189

<xi:include href="mandos-options.xml" xpointer="debug"/>

191

190

</listitem>

192

191

</varlistentry>

193

192

194

193

195

<term><option>--priority <replaceable>

196

PRIORITY</replaceable></option></term>

194

<term><literal>--priority <replaceable>

195

PRIORITY</replaceable></literal></term>

197

196

198

197

<xi:include href="mandos-options.xml" xpointer="priority"/>

199

198

</listitem>

200

199

</varlistentry>

201

200

202

201

203

<term><option>--servicename

204

202

<term><literal>--servicename <replaceable>NAME</replaceable>

203

</literal></term>

205

204

206

205

<xi:include href="mandos-options.xml"

207

206

xpointer="servicename"/>

209

208

</varlistentry>

210

209

211

210

212

<term><option>--configdir

213

<replaceable>DIRECTORY</replaceable></option></term>

211

<term><literal>--configdir <replaceable>DIR</replaceable>

212

</literal></term>

214

213

215

214

<para>

216

215

Directory to search for configuration files. Default is

224

223

</varlistentry>

225

224

226

225

227

<term><option>--version</option></term>

226

<term><literal>--version</literal></term>

228

227

229

228

<para>

230

229

Prints the program version and exit.

240

239

<para>

241

240

This program is the server part. It is a normal server program

242

241

and will run in a normal system environment, not in an initial

243

<acronym>RAM</acronym> disk environment.

242

RAM disk environment.

244

243

</para>

245

244

</refsect1>

246

245

275

274

276

275

</row>

277

276

<row>

278

277

279

278

280

279

</row>

281

280

<row>

311

310

longer eligible to receive the encrypted password. The timeout,

312

311

checker program, and interval between checks can be configured

313

312

both globally and per client; see <citerefentry>

313

<refentrytitle>mandos.conf</refentrytitle>

314

314

315

<refentrytitle>mandos-clients.conf</refentrytitle>

315

316

<manvolnum>5</manvolnum></citerefentry>.

316

317

</para>

319

320

320

321

<title>LOGGING</title>

321

322

<para>

322

The server will send log message with various severity levels to

323

<filename>/dev/log</filename>. With the

323

The server will send log messaged with various severity levels

324

to <filename>/dev/log</filename>. With the

324

325

<option>--debug</option> option, it will log even more messages,

325

326

and also show them on the console.

326

327

</para>

338

339

<title>ENVIRONMENT</title>

339

340

340

341

341

342

342

343

343

344

<para>

344

345

To start the configured checker (see <xref

347

348

<varname>PATH</varname> to search for matching commands if

348

349

an absolute path is not given. See <citerefentry>

349

350

350

</citerefentry>.

351

</citerefentry>

351

352

</para>

352

353

</listitem>

353

354

</varlistentry>

449

450

Normal invocation needs no options:

450

451

</para>

451

452

<para>

452

<userinput>&COMMANDNAME;</userinput>

453

<userinput>mandos</userinput>

453

454

</para>

454

455

</informalexample>

455

456

462

463

<para>

463

464

465

465

<userinput>&COMMANDNAME; --debug --configdir ~/mandos --servicename Test</userinput>

466

<userinput>mandos --debug --configdir ~/mandos --servicename Test</userinput>

466

467

468

</para>

468

469

</informalexample>

474

475

<para>

475

476

477

477

<userinput>&COMMANDNAME; --interface eth7 --address fe80::aede:48ff:fe71:f6f2</userinput>

478

<userinput>mandos --interface eth7 --address fe80::aede:48ff:fe71:f6f2</userinput>

478

479

480

</para>

480

481

</informalexample>

521

522

restarting servers if it is suspected that a client has, in

522

523

fact, been compromised by parties who may now be running a

523

524

fake Mandos client with the keys from the non-encrypted

524

initial <acronym>RAM</acronym> image of the client host. What

525

should be done in that case (if restarting the server program

526

really is necessary) is to stop the server program, edit the

525

initial RAM image of the client host. What should be done in

526

that case (if restarting the server program really is

527

necessary) is to stop the server program, edit the

527

528

configuration file to omit any suspect clients, and restart

528

529

the server program.

529

530

</para>

537

538

539

539

540

540

<para>

541

542

<refentrytitle>mandos-clients.conf</refentrytitle>

543

544

<refentrytitle>mandos.conf</refentrytitle>

545

546

<refentrytitle>password-request</refentrytitle>

547

<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>

548

549

</citerefentry>

550

</para>

551

541

552

542

553

543

<term>

544

545

<refentrytitle>password-request</refentrytitle>

546

<manvolnum>8mandos</manvolnum>

547

</citerefentry>

548

</term>

549

550

<para>

551

This is the actual program which talks to this server.

552

Note that it is normally not invoked directly, and is only

553

run in the initial RAM disk environment, and not on a

554

fully started system.

555

</para>

556

</listitem>

557

</varlistentry>

558

559

<term>

554

560

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

555

561

</term>

556

562

573

579

</varlistentry>

574

580

575

581

<term>

576

<ulink url="http://www.gnu.org/software/gnutls/"

577

>GnuTLS</ulink>

582

<ulink

583

url="http://www.gnu.org/software/gnutls/">GnuTLS</ulink>

578

584

</term>

579

585

580

586

<para>

586

592

</varlistentry>

587

593

588

594

<term>

589

RFC 4291: <citetitle>IP Version 6 Addressing

590

Architecture</citetitle>

595

<citation>RFC 4291: <citetitle>IP Version 6 Addressing

596

Architecture</citetitle>, section 2.5.6, Link-Local IPv6

597

Unicast Addresses</citation>

591

598

</term>

592

599

593

594

595

<term>Section 2.2: <citetitle>Text Representation of

596

Addresses</citetitle></term>

597

598

</varlistentry>

599

600

<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6

601

Address</citetitle></term>

602

603

</varlistentry>

604

605

<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast

606

Addresses</citetitle></term>

607

608

<para>

609

The clients use IPv6 link-local addresses, which are

610

immediately usable since a link-local addresses is

611

automatically assigned to a network interfaces when it

612

is brought up.

613

</para>

614

</listitem>

615

</varlistentry>

616

</variablelist>

600

<para>

601

The clients use IPv6 link-local addresses, which are

602

immediately usable since a link-local addresses is

603

automatically assigned to a network interfaces when it is

604

brought up.

605

</para>

617

606

</listitem>

618

607

</varlistentry>

619

608

620

609

<term>

621

RFC 4346: <citetitle>The Transport Layer Security (TLS)

622

Protocol Version 1.1</citetitle>

610

<citation>RFC 4346: <citetitle>The Transport Layer Security

611

(TLS) Protocol Version 1.1</citetitle></citation>

623

612

</term>

624

613

625

614

<para>

629

618

</varlistentry>

630

619

631

620

<term>

632

RFC 4880: <citetitle>OpenPGP Message Format</citetitle>

621

<citation>RFC 4880: <citetitle>OpenPGP Message

622

Format</citetitle></citation>

633

623

</term>

634

624

635

625

<para>

639

629

</varlistentry>

640

630

641

631

<term>

642

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

643

Security</citetitle>

632

<citation>RFC 5081: <citetitle>Using OpenPGP Keys for

633

Transport Layer Security</citetitle></citation>

644

634

</term>

645

635

646

636

<para>

652

642

</variablelist>

653

643

</refsect1>

654

644

</refentry>

655

656

657

658

659

Older »