/mandos/trunk : revision 900

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-ctl.xml

Committer: Teddy Hogeborn
Date: 2017-02-23 21:14:58 UTC
mfrom: (237.4.90 release)
Revision ID: teddy@recompile.se-20170223211458-2rv7ec5bxmk4ts81

Merge from release branch

files added:
DBUS-API

bugs.xml

dbus-mandos.conf

debian/mandos-client.examples

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

initramfs-unpack

intro.xml

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugins.d/plymouth.c

plugins.d/plymouth.xml

tmpfiles.d-mandos.conf

files modified:
.bzrignore

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-ctl.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-ctl">

<!ENTITY TIMESTAMP "2017-02-23">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

</refmeta>

<refname><command>&COMMANDNAME;</command></refname>

Control or query the operation of the Mandos server

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--enable</option></arg>

<sbr/>

<arg choice="plain"><option>--disable</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--bump-timeout</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--start-checker</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--stop-checker</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--remove</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--checker

<replaceable>COMMAND</replaceable></option></arg>

<arg choice="plain"><option>-c

<replaceable>COMMAND</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--timeout

100

<arg choice="plain"><option>-t

101

102

</group>

103

<sbr/>

104

<group>

105

<arg choice="plain"><option>--extended-timeout

106

107

</group>

108

<sbr/>

109

<group>

110

<arg choice="plain"><option>--interval

111

112

<arg choice="plain"><option>-i

113

114

</group>

115

<sbr/>

116

<group>

117

<arg choice="plain"><option>--approve-by-default</option

118

></arg>

119

<sbr/>

120

<arg choice="plain"><option>--deny-by-default</option></arg>

121

</group>

122

<sbr/>

123

<group>

124

<arg choice="plain"><option>--approval-delay

125

126

</group>

127

<sbr/>

128

<group>

129

<arg choice="plain"><option>--approval-duration

130

131

</group>

132

<sbr/>

133

<group>

134

<arg choice="plain"><option>--interval

135

136

<arg choice="plain"><option>-i

137

138

</group>

139

<sbr/>

140

<group>

141

<arg choice="plain"><option>--host

142

<replaceable>STRING</replaceable></option></arg>

143

<arg choice="plain"><option>-H

144

<replaceable>STRING</replaceable></option></arg>

145

</group>

146

<sbr/>

147

<group>

148

<arg choice="plain"><option>--secret

149

<replaceable>FILENAME</replaceable></option></arg>

150

<arg choice="plain"><option>-s

151

<replaceable>FILENAME</replaceable></option></arg>

152

</group>

153

<sbr/>

154

<group>

155

<arg choice="plain"><option>--approve</option></arg>

156

157

<sbr/>

158

159

160

</group>

161

</group>

162

<sbr/>

163

164

165

166

167

<replaceable>CLIENT</replaceable>

168

</arg>

169

</group>

170

</cmdsynopsis>

171

172

<command>&COMMANDNAME;</command>

173

<group>

174

<arg choice="plain"><option>--verbose</option></arg>

175

176

<sbr/>

177

178

179

</group>

180

<group>

181

182

<replaceable>CLIENT</replaceable>

183

</arg>

184

</group>

185

</cmdsynopsis>

186

187

<command>&COMMANDNAME;</command>

188

189

<arg choice="plain"><option>--is-enabled</option></arg>

190

191

</group>

192

<arg choice='plain'><replaceable>CLIENT</replaceable></arg>

193

</cmdsynopsis>

194

195

<command>&COMMANDNAME;</command>

196

197

198

199

</group>

200

</cmdsynopsis>

201

202

<command>&COMMANDNAME;</command>

203

204

<arg choice="plain"><option>--version</option></arg>

205

206

</group>

207

</cmdsynopsis>

208

209

<command>&COMMANDNAME;</command>

210

<arg choice="plain"><option>--check</option></arg>

211

</cmdsynopsis>

212

</refsynopsisdiv>

213

214

215

<title>DESCRIPTION</title>

216

<para>

217

<command>&COMMANDNAME;</command> is a program to control or

218

query the operation of the Mandos server

219

<citerefentry><refentrytitle>mandos</refentrytitle><manvolnum

220

>8</manvolnum></citerefentry>.

221

</para>

222

<para>

223

This program can be used to change client settings, approve or

224

deny client requests, and to remove clients from the server.

225

</para>

226

</refsect1>

227

228

229

<title>PURPOSE</title>

230

<para>

231

The purpose of this is to enable <emphasis>remote and unattended

232

rebooting</emphasis> of client host computer with an

233

<emphasis>encrypted root file system</emphasis>. See <xref

234

linkend="overview"/> for details.

235

</para>

236

</refsect1>

237

238

239

<title>OPTIONS</title>

240

241

242

243

244

245

246

<para>

247

Show a help message and exit

248

</para>

249

</listitem>

250

</varlistentry>

251

252

253

<term><option>--enable</option></term>

254

255

256

<para>

257

Enable client(s). An enabled client will be eligble to

258

receive its secret.

259

</para>

260

</listitem>

261

</varlistentry>

262

263

264

<term><option>--disable</option></term>

265

266

267

<para>

268

Disable client(s). A disabled client will not be eligble

269

to receive its secret, and no checkers will be started for

270

it.

271

</para>

272

</listitem>

273

</varlistentry>

274

275

276

<term><option>--bump-timeout</option></term>

277

278

<para>

279

Bump the timeout of the specified client(s), just as if a

280

checker had completed successfully for it/them.

281

</para>

282

</listitem>

283

</varlistentry>

284

285

286

<term><option>--start-checker</option></term>

287

288

<para>

289

Start a new checker now for the specified client(s).

290

</para>

291

</listitem>

292

</varlistentry>

293

294

295

<term><option>--stop-checker</option></term>

296

297

<para>

298

Stop any running checker for the specified client(s).

299

</para>

300

</listitem>

301

</varlistentry>

302

303

304

<term><option>--remove</option></term>

305

306

307

<para>

308

Remove the specified client(s) from the server.

309

</para>

310

</listitem>

311

</varlistentry>

312

313

314

<term><option>--checker

315

<replaceable>COMMAND</replaceable></option></term>

316

<term><option>-c

317

<replaceable>COMMAND</replaceable></option></term>

318

319

<para>

320

Set the <varname>checker</varname> option of the specified

321

client(s); see <citerefentry><refentrytitle

322

>mandos-clients.conf</refentrytitle><manvolnum

323

>5</manvolnum></citerefentry>.

324

</para>

325

</listitem>

326

</varlistentry>

327

328

329

<term><option>--timeout

330

331

<term><option>-t

332

333

334

<para>

335

Set the <varname>timeout</varname> option of the specified

336

client(s); see <citerefentry><refentrytitle

337

>mandos-clients.conf</refentrytitle><manvolnum

338

>5</manvolnum></citerefentry>.

339

</para>

340

</listitem>

341

</varlistentry>

342

343

344

<term><option>--extended-timeout

345

346

347

<para>

348

Set the <varname>extended_timeout</varname> option of the

349

specified client(s); see <citerefentry><refentrytitle

350

>mandos-clients.conf</refentrytitle><manvolnum

351

>5</manvolnum></citerefentry>.

352

</para>

353

</listitem>

354

</varlistentry>

355

356

357

<term><option>--interval

358

359

<term><option>-i

360

361

362

<para>

363

Set the <varname>interval</varname> option of the

364

specified client(s); see <citerefentry><refentrytitle

365

>mandos-clients.conf</refentrytitle><manvolnum

366

>5</manvolnum></citerefentry>.

367

</para>

368

</listitem>

369

</varlistentry>

370

371

372

<term><option>--approve-by-default</option></term>

373

<term><option>--deny-by-default</option></term>

374

375

<para>

376

Set the <varname>approved_by_default</varname> option of

377

the specified client(s) to <literal>True</literal> or

378

<literal>False</literal>, respectively; see

379

<citerefentry><refentrytitle

380

>mandos-clients.conf</refentrytitle><manvolnum

381

>5</manvolnum></citerefentry>.

382

</para>

383

</listitem>

384

</varlistentry>

385

386

387

<term><option>--approval-delay

388

389

390

<para>

391

Set the <varname>approval_delay</varname> option of the

392

specified client(s); see <citerefentry><refentrytitle

393

>mandos-clients.conf</refentrytitle><manvolnum

394

>5</manvolnum></citerefentry>.

395

</para>

396

</listitem>

397

</varlistentry>

398

399

400

<term><option>--approval-duration

401

402

403

<para>

404

Set the <varname>approval_duration</varname> option of the

405

specified client(s); see <citerefentry><refentrytitle

406

>mandos-clients.conf</refentrytitle><manvolnum

407

>5</manvolnum></citerefentry>.

408

</para>

409

</listitem>

410

</varlistentry>

411

412

413

<term><option>--host

414

<replaceable>STRING</replaceable></option></term>

415

<term><option>-H

416

<replaceable>STRING</replaceable></option></term>

417

418

<para>

419

Set the <varname>host</varname> option of the specified

420

client(s); see <citerefentry><refentrytitle

421

>mandos-clients.conf</refentrytitle><manvolnum

422

>5</manvolnum></citerefentry>.

423

</para>

424

</listitem>

425

</varlistentry>

426

427

428

<term><option>--secret

429

<replaceable>FILENAME</replaceable></option></term>

430

<term><option>-s

431

<replaceable>FILENAME</replaceable></option></term>

432

433

<para>

434

Set the <varname>secfile</varname> option of the specified

435

client(s); see <citerefentry><refentrytitle

436

>mandos-clients.conf</refentrytitle><manvolnum

437

>5</manvolnum></citerefentry>.

438

</para>

439

</listitem>

440

</varlistentry>

441

442

443

<term><option>--approve</option></term>

444

445

446

<para>

447

Approve client(s) if currently waiting for approval.

448

</para>

449

</listitem>

450

</varlistentry>

451

452

453

454

455

456

<para>

457

Deny client(s) if currently waiting for approval.

458

</para>

459

</listitem>

460

</varlistentry>

461

462

463

464

465

466

<para>

467

Make the client-modifying options modify <emphasis

468

>all</emphasis> clients.

469

</para>

470

</listitem>

471

</varlistentry>

472

473

474

<term><option>--verbose</option></term>

475

476

477

<para>

478

Show all client settings, not just a subset.

479

</para>

480

</listitem>

481

</varlistentry>

482

483

484

485

486

487

<para>

488

Dump client settings as JSON to standard output.

489

</para>

490

</listitem>

491

</varlistentry>

492

493

494

<term><option>--is-enabled</option></term>

495

496

497

<para>

498

Check if a single client is enabled or not, and exit with

499

a successful exit status only if the client is enabled.

500

</para>

501

</listitem>

502

</varlistentry>

503

504

505

<term><option>--check</option></term>

506

507

<para>

508

Run self-tests. This includes any unit tests, etc.

509

</para>

510

</listitem>

511

</varlistentry>

512

513

</variablelist>

514

</refsect1>

515

516

517

<title>OVERVIEW</title>

518

<xi:include href="overview.xml"/>

519

<para>

520

This program is a small utility to generate new OpenPGP keys for

521

new Mandos clients, and to generate sections for inclusion in

522

<filename>clients.conf</filename> on the server.

523

</para>

524

</refsect1>

525

526

527

<title>EXIT STATUS</title>

528

<para>

529

If the <option>--is-enabled</option> option is used, the exit

530

status will be 0 only if the specified client is enabled.

531

</para>

532

</refsect1>

533

534

535

536

<xi:include href="bugs.xml"/>

537

</refsect1>

538

539

540

<title>EXAMPLE</title>

541

542

<para>

543

To list all clients:

544

</para>

545

<para>

546

<userinput>&COMMANDNAME;</userinput>

547

</para>

548

</informalexample>

549

550

551

<para>

552

To list <emphasis>all</emphasis> settings for the clients

553

named <quote>foo1.example.org</quote> and <quote

554

>foo2.example.org</quote>:

555

</para>

556

<para>

557

558

559

<userinput>&COMMANDNAME; --verbose foo1.example.org foo2.example.org</userinput>

560

561

</para>

562

</informalexample>

563

564

565

<para>

566

To enable all clients:

567

</para>

568

<para>

569

<userinput>&COMMANDNAME; --enable --all</userinput>

570

</para>

571

</informalexample>

572

573

574

<para>

575

To change timeout and interval value for the clients

576

named <quote>foo1.example.org</quote> and <quote

577

>foo2.example.org</quote>:

578

</para>

579

<para>

580

581

582

<userinput>&COMMANDNAME; --timeout="5m" --interval="1m" foo1.example.org foo2.example.org</userinput>

583

584

</para>

585

</informalexample>

586

587

588

<para>

589

To approve all clients currently waiting for it:

590

</para>

591

<para>

592

<userinput>&COMMANDNAME; --approve --all</userinput>

593

</para>

594

</informalexample>

595

</refsect1>

596

597

598

<title>SECURITY</title>

599

<para>

600

This program must be permitted to access the Mandos server via

601

the D-Bus interface. This normally requires the root user, but

602

could be configured otherwise by reconfiguring the D-Bus server.

603

</para>

604

</refsect1>

605

606

607

608

<para>

609

<citerefentry><refentrytitle>intro</refentrytitle>

610

<manvolnum>8mandos</manvolnum></citerefentry>,

611

<citerefentry><refentrytitle>mandos</refentrytitle>

612

<manvolnum>8</manvolnum></citerefentry>,

613

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

614

<manvolnum>5</manvolnum></citerefentry>,

615

<citerefentry><refentrytitle>mandos-monitor</refentrytitle>

616

617

</para>

618

</refsect1>

619

620

</refentry>

621

622

623

624

625

Older »