/mandos/trunk : revision 94

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-clients.conf.xml

Committer: Teddy Hogeborn
Date: 2008-08-22 00:16:20 UTC
mfrom: (24.1.57 mandos)
Revision ID: teddy@fukt.bsnet.se-20080822001620-vxpn1evy0t0kyvj0

* clients.conf ([DEFAULT]/checker): Update to new default value.

* mandos (Client.start_checker): Bug fix: OSError, not
                                 subprocess.OSError.
  (main): Use "fping -q -- %(host)s" instead of "fping -q --
          %%(host)s" as default value for "checker".  Always redirect
          stdin to be from /dev/null, even if in debug mode.

* mandos-clients.conf.xml (DESCRIPTION): Improved wording and refer to
                                         the EXPANSION section.
  (OPTIONS): Added synopsis and improved wording for "checker",
             "fingerprint", and "secret".  Refer to the RUNTIME
             EXPANSION section for the "checker" option.
  (EXAMPLE): Update to new default value for "checker".

* mandos-keygen (trap): Split lines and add "set +e".

files modified:
TODO

clients.conf

mandos

mandos-clients.conf.xml

mandos-keygen

Show diffs side-by-side

added added

removed removed

mandos-clients.conf.xml

server.

</para>

<para>

The format starts with a section under [] which is either

The format starts with a <literal>[<replaceable>section

header</replaceable>]</literal> which is either

<literal>[DEFAULT]</literal> or <literal>[<replaceable>client

name</replaceable>]</literal>. Following the section is any

number of <quote><varname><replaceable>option</replaceable

name</replaceable>]</literal>. The <replaceable>client

name</replaceable> can be anything, and is not tied to a host

name. Following the section header is any number of

<quote><varname><replaceable>option</replaceable

></varname>=<replaceable>value</replaceable></quote> entries,

with continuations in the style of RFC 822. <quote><varname

100

><replaceable>option</replaceable></varname>: <replaceable

101

>value</replaceable></quote> is also accepted. Note that

102

leading whitespace is removed from values. Values can contain

100

103

format strings which refer to other values in the same section,

101

or values in the <quote>DEFAULT</quote> section. Lines

102

beginning with <quote>#</quote> or <quote>;</quote> are ignored

103

and may be used to provide comments.

104

or values in the <quote>DEFAULT</quote> section (see <xref

105

linkend="expansion"/>). Lines beginning with <quote>#</quote>

106

or <quote>;</quote> are ignored and may be used to provide

107

comments.

104

108

</para>

105

109

</refsect1>

106

110

165

169

166

170

<term><literal>checker</literal></term>

167

171

172

<synopsis><literal>checker = </literal><replaceable

173

>COMMAND</replaceable>

174

</synopsis>

168

175

<para>

169

176

This option allows you to override the default shell

170

command that the server will use to check up if the client

171

is still up. By default mandos will "fping -q -- %%(host)s"

177

command that the server will use to check if the client is

178

still up. The output of the command will be ignored, only

179

the exit code is checked. The command will be run using

180

181

<option>-c</option></command></quote>. The default

182

command is <quote><literal><command>fping</command>

183

184

%(host)s</literal></quote>.

185

</para>

186

<para>

187

In addition to normal start time expansion, this option

188

will also be subject to runtime expansion; see <xref

189

linkend="expansion"/>.

172

190

</para>

173

191

</listitem>

174

192

</varlistentry>

176

194

177

195

<term><literal>fingerprint</literal></term>

178

196

197

<synopsis><literal>fingerprint = </literal><replaceable

198

>HEXSTRING</replaceable>

199

</synopsis>

179

200

<para>

180

This option sets the openpgp fingerprint that identifies

181

the public certificate that clients authenticates themself

182

through gnutls. The string need to be in hex-decimal form.

201

This option sets the OpenPGP fingerprint that identifies

202

the public key that clients authenticate themselves with

203

through TLS. The string needs to be in hexidecimal form,

204

but spaces or upper/lower case are not significant.

183

205

</para>

184

206

</listitem>

185

207

</varlistentry>

187

209

188

210

<term><literal>secret</literal></term>

189

211

190

<para>

191

Base 64 encoded OpenPGP encrypted password encrypted by

192

the clients openpgp certificate.

212

<synopsis><literal>secret = </literal><replaceable

213

>BASE64_ENCODED_DATA</replaceable>

214

</synopsis>

215

<para>

216

If present, this option must be set to a string of

217

base64-encoded binary data. It will be decoded and sent

218

to the client matching the above

219

<option>fingerprint</option>. This should, of course, be

220

OpenPGP encrypted data, decryptable only by the client.

221

222

223

224

225

</para>

226

<para>

227

Note: this value of this option will probably run over

228

many lines, and will then have to use the fact that a line

229

beginning with white space adds to the value of the

230

previous line, RFC 822-style.

193

231

</para>

194

232

</listitem>

195

233

</varlistentry>

242

280

There are two forms of expansion: Start time expansion and

243

281

runtime expansion.

244

282

</para>

245

283

246

284

<title>START TIME EXPANSION</title>

247

285

<para>

248

286

Any string in an option value of the form

260

298

entered.

261

299

</para>

262

300

</refsect2>

263

301

264

302

<title>RUNTIME EXPANSION</title>

265

303

<para>

266

304

This is currently only done for the <varname>checker</varname>

317

355

[DEFAULT]

318

356

timeout = 1h

319

357

interval = 5m

320

checker = fping -q -- %%(host)s

358

checker = fping -q -- %(host)s

321

359

322

360

# Client "foo"

323

361

[foo]

Older »