"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY VERSION "1.0">
<!ENTITY COMMANDNAME "mandos">
<!ENTITY TIMESTAMP "2008-09-21">
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
<title>Mandos Manual</title>
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
<productname>Mandos</productname>
<productnumber>&VERSION;</productnumber>
<date>&TIMESTAMP;</date>
<firstname>Björn</firstname>
<holder>Teddy Hogeborn</holder>
<holder>Björn Påhlsson</holder>
<xi:include href="legalnotice.xml"/>
<refentrytitle>&COMMANDNAME;</refentrytitle>
<manvolnum>8</manvolnum>
<refname><command>&COMMANDNAME;</command></refname>
Gives encrypted passwords to authenticated Mandos clients
<command>&COMMANDNAME;</command>
<arg choice="plain"><option>--interface
<replaceable>NAME</replaceable></option></arg>
<arg choice="plain"><option>-i
<replaceable>NAME</replaceable></option></arg>
<arg choice="plain"><option>--address
<replaceable>ADDRESS</replaceable></option></arg>
<arg choice="plain"><option>-a
<replaceable>ADDRESS</replaceable></option></arg>
<arg choice="plain"><option>--port
<replaceable>PORT</replaceable></option></arg>
<arg choice="plain"><option>-p
<replaceable>PORT</replaceable></option></arg>
<arg><option>--priority
<replaceable>PRIORITY</replaceable></option></arg>
<arg><option>--servicename
<replaceable>NAME</replaceable></option></arg>
<arg><option>--configdir
<replaceable>DIRECTORY</replaceable></option></arg>
<arg><option>--debug</option></arg>
<command>&COMMANDNAME;</command>
<group choice="req">
<arg choice="plain"><option>--help</option></arg>
<arg choice="plain"><option>-h</option></arg>
<command>&COMMANDNAME;</command>
<arg choice="plain"><option>--version</option></arg>
<command>&COMMANDNAME;</command>
<arg choice="plain"><option>--check</option></arg>
</refsynopsisdiv>
<refsect1 id="description">
<title>DESCRIPTION</title>
Any authenticated client is then given the stored pre-encrypted
password for that specific client.
<refsect1 id="purpose">
<title>PURPOSE</title>
The purpose of this is to enable <emphasis>remote and unattended
rebooting</emphasis> of a client host computer with an
<emphasis>encrypted root file system</emphasis>. See <xref
linkend="overview"/> for details.
<refsect1 id="options">
<title>OPTIONS</title>
<term><option>--help</option></term>
<term><option>-h</option></term>
Show a help message and exit
<term><option>--interface</option>
<replaceable>NAME</replaceable></term>
<term><option>-i</option>
<replaceable>NAME</replaceable></term>
<xi:include href="mandos-options.xml" xpointer="interface"/>
<term><option>--address
<replaceable>ADDRESS</replaceable></option></term>
<term><option>-a
<replaceable>ADDRESS</replaceable></option></term>
<xi:include href="mandos-options.xml" xpointer="address"/>
<term><option>--port
<replaceable>PORT</replaceable></option></term>
<term><option>-p
<replaceable>PORT</replaceable></option></term>
<xi:include href="mandos-options.xml" xpointer="port"/>
<term><option>--check</option></term>
Run the server’s self-tests. This includes any unit
<term><option>--debug</option></term>
<xi:include href="mandos-options.xml" xpointer="debug"/>
<term><option>--priority <replaceable>
PRIORITY</replaceable></option></term>
<xi:include href="mandos-options.xml" xpointer="priority"/>
<term><option>--servicename
<replaceable>NAME</replaceable></option></term>
<xi:include href="mandos-options.xml"
xpointer="servicename"/>
<term><option>--configdir
<replaceable>DIRECTORY</replaceable></option></term>
Directory to search for configuration files. Default is
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry>)
<emphasis>must</emphasis> be made non-readable by anyone
except the user starting the server (usually root).
As detailed in <xref linkend="checking"/>, the status of all
restarting servers if it is suspected that a client has, in
fact, been compromised by parties who may now be running a
fake Mandos client with the keys from the non-encrypted
initial <acronym>RAM</acronym> image of the client host. What
should be done in that case (if restarting the server program
really is necessary) is to stop the server program, edit the
configuration file to omit any suspect clients, and restart
the server program.
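The stop, edit, restart procedure above leaves two things to the administrator: confirming that the configuration file is readable by nobody but the user the server runs as, and removing the suspect client's section without disturbing the other clients. The POSIX shell functions below do both. They are an added example written for this page, not code shipped with Mandos. They assume the INI-style layout of mandos-clients.conf(5), one [client-name] section per client, and that the default configuration directory is /etc/mandos; the sample file, key names and host names in the comments and tests are constructed for illustration. Stopping and restarting the server itself depends on the init system and is not shown.

```shell
#!/bin/sh
# Added example, not part of Mandos.  Helpers for the "stop the server,
# edit out the suspect client, restart" procedure in the SECURITY section.
# Assumption: mandos-clients.conf is INI-style with one [client-name]
# section per client, as mandos-clients.conf(5) documents.  The path
# /etc/mandos/clients.conf below assumes the default --configdir.

# is_private FILE
# Succeeds only if FILE exists and has no group or other permission
# bits, i.e. only its owner (the user the server runs as) can read it.
# ls -l is used instead of stat so the check works on GNU and BSD.
is_private() {
    [ -f "$1" ] || return 2
    perm=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perm" = "------" ]
}

# drop_client CONF NAME
# Prints CONF with the whole [NAME] section removed.  Every other
# section, including [DEFAULT], passes through unchanged.  The match is
# on the exact section name, so dropping "foo" leaves "foo-backup".
drop_client() {
    awk -v name="$2" '
        /^[ \t]*\[/ {
            hdr = $0
            sub(/^[ \t]*\[/, "", hdr)
            sub(/\][ \t]*$/, "", hdr)
            skip = (hdr == name)
        }
        !skip { print }
    ' "$1"
}

# has_client CONF NAME
# Succeeds if CONF still contains a [NAME] section; used to verify the
# edit before the server is restarted.
has_client() {
    awk -v name="$2" '
        /^[ \t]*\[/ {
            hdr = $0
            sub(/^[ \t]*\[/, "", hdr)
            sub(/\][ \t]*$/, "", hdr)
            if (hdr == name) { found = 1 }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Typical use after stopping the server (hypothetical client name):
#   is_private /etc/mandos/clients.conf || chmod 600 /etc/mandos/clients.conf
#   (umask 077 && drop_client /etc/mandos/clients.conf suspect-host \
#        > /etc/mandos/clients.conf.new)
#   if ! has_client /etc/mandos/clients.conf.new suspect-host &&
#      is_private /etc/mandos/clients.conf.new; then
#       mv /etc/mandos/clients.conf.new /etc/mandos/clients.conf
#   fi
```

The umask in the usage comment matters: a file created by plain shell redirection inherits the process umask, typically 022, so the edited copy would be world-readable even though the original was not. Creating it under umask 077 and re-running is_private before moving it into place closes that gap.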
For more details on client-side security, see
<citerefentry><refentrytitle>mandos-client</refentrytitle>
<manvolnum>8mandos</manvolnum></citerefentry>.
<refsect1 id="see_also">
<title>SEE ALSO</title>
<refentrytitle>mandos-clients.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
<refentrytitle>mandos.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry>, <citerefentry>
<refentrytitle>mandos-client</refentrytitle>
<manvolnum>8mandos</manvolnum></citerefentry>, <citerefentry>
<refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>
RFC 4291: <citetitle>IP Version 6 Addressing
Architecture</citetitle>
<term>Section 2.2: <citetitle>Text Representation of
Addresses</citetitle></term>
<listitem><para/></listitem>
<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6
Address</citetitle></term>
<listitem><para/></listitem>
<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast
Addresses</citetitle></term>
The clients use IPv6 link-local addresses, which are
immediately usable since a link-local address is
automatically assigned to a network interface when it
RFC 4346: <citetitle>The Transport Layer Security (TLS)
Protocol Version 1.1</citetitle>