/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-clients.conf.xml

  • Committer: Teddy Hogeborn
  • Date: 2017-08-20 14:14:14 UTC
  • Revision ID: teddy@recompile.se-20170820141414-m034xuebg7ccaeui
Add some more restrictions to the systemd service file.

* mandos.service ([Service]/ProtectKernelTunables): New; set to "yes".
  ([Service]/ProtectControlGroups): - '' -

Show diffs side-by-side

added added

removed removed

Lines of Context:
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY CONFNAME "mandos-clients.conf">
5
5
<!ENTITY CONFPATH "<filename>/etc/mandos/clients.conf</filename>">
6
 
<!ENTITY TIMESTAMP "2013-10-15">
 
6
<!ENTITY TIMESTAMP "2017-02-23">
7
7
<!ENTITY % common SYSTEM "common.ent">
8
8
%common;
9
9
]>
37
37
      <year>2010</year>
38
38
      <year>2011</year>
39
39
      <year>2012</year>
 
40
      <year>2013</year>
 
41
      <year>2014</year>
 
42
      <year>2015</year>
 
43
      <year>2016</year>
 
44
      <year>2017</year>
40
45
      <holder>Teddy Hogeborn</holder>
41
46
      <holder>Björn Påhlsson</holder>
42
47
    </copyright>
177
182
            <varname>PATH</varname> will be searched.  The default
178
183
            value for the checker command is <quote><literal
179
184
            ><command>fping</command> <option>-q</option> <option
180
 
            >--</option> %%(host)s</literal></quote>.
 
185
            >--</option> %%(host)s</literal></quote>.  Note that
 
186
            <command>mandos-keygen</command>, when generating output
 
187
            to be inserted into this file, normally looks for an SSH
 
188
            server on the Mandos client, and, if it find one, outputs
 
189
            a <option>checker</option> option to check for the
 
190
            client’s key fingerprint – this is more secure against
 
191
            spoofing.
181
192
          </para>
182
193
          <para>
183
194
            In addition to normal start time expansion, this option
220
231
          <para>
221
232
            This option sets the OpenPGP fingerprint that identifies
222
233
            the public key that clients authenticate themselves with
223
 
            through TLS.  The string needs to be in hexidecimal form,
 
234
            through TLS.  The string needs to be in hexadecimal form,
224
235
            but spaces or upper/lower case are not significant.
225
236
          </para>
226
237
        </listitem>
453
464
      <literal>%(<replaceable>foo</replaceable>)s</literal> is
454
465
      obscure.
455
466
    </para>
 
467
    <xi:include href="bugs.xml"/>
456
468
  </refsect1>
457
469
  
458
470
  <refsect1 id="example">