Provided by: mandos_1.4.0-1_all bug


       mandos-clients.conf - Configuration file for the Mandos server




       The file /etc/mandos/clients.conf is a configuration file for mandos(8), read by it at
       startup. The file needs to list all clients that should be able to use the service. All
       clients listed will be regarded as enabled, even if a client was disabled in a previous
       run of the server.

       The format starts with a [section header] which is either [DEFAULT] or [client name]. The
       client name can be anything, and is not tied to a host name. Following the section header
       is any number of “option=value” entries, with continuations in the style of RFC 822.
       “option: value” is also accepted. Note that leading whitespace is removed from values.
       Values can contain format strings which refer to other values in the same section, or
       values in the “DEFAULT” section (see the section called “EXPANSION”). Lines beginning with
       “#” or “;” are ignored and may be used to provide comments.


       Note: all option values are subject to start time expansion, see the section called

       Unknown options are ignored. The used options are as follows:

       approval_delay = TIME
           This option is optional.

           How long to wait for external approval before resorting to use the approved_by_default
           value. The default is “0s”, i.e. not to wait.

           The format of TIME is the same as for timeout below.

       approval_duration = TIME
           This option is optional.

           How long an external approval lasts. The default is 1 second.

           The format of TIME is the same as for timeout below.

       approved_by_default = { 1 | yes | true | on | 0 | no | false | off }
           Whether to approve a client by default after the approval_delay. The default is

       checker = COMMAND
           This option is optional.

           This option allows you to override the default shell command that the server will use
           to check if the client is still up. Any output of the command will be ignored, only
           the exit code is checked: If the exit code of the command is zero, the client is
           considered up. The command will be run using “/bin/sh -c”, so PATH will be searched.
           The default value for the checker command is “fping -q -- %%(host)s”.

           In addition to normal start time expansion, this option will also be subject to
           runtime expansion; see the section called “EXPANSION”.

       extended_timeout = TIME
           This option is optional.

           Extended timeout is an added timeout that is given once after a password has been sent
           sucessfully to a client. The timeout is by default longer than the normal timeout, and
           is used for handling the extra long downtime while a machine is booting up. Time to
           take into consideration when changing this value is file system checks and quota
           checks. The default value is 15 minutes.

           The format of TIME is the same as for timeout below.

       fingerprint = HEXSTRING
           This option is required.

           This option sets the OpenPGP fingerprint that identifies the public key that clients
           authenticate themselves with through TLS. The string needs to be in hexidecimal form,
           but spaces or upper/lower case are not significant.

       host = STRING
           This option is optional, but highly recommended unless the checker option is modified
           to a non-standard value without “%%(host)s” in it.

           Host name for this client. This is not used by the server directly, but can be, and is
           by default, used by the checker. See the checker option.

       interval = TIME
           This option is optional.

           How often to run the checker to confirm that a client is still up.  Note: a new
           checker will not be started if an old one is still running. The server will wait for a
           checker to complete until the below “timeout” occurs, at which time the client will be
           disabled, and any running checker killed. The default interval is 2 minutes.

           The format of TIME is the same as for timeout below.

       secfile = FILENAME
           This option is only used if secret is not specified, in which case this option is

           Similar to the secret, except the secret data is in an external file. The contents of
           the file should not be base64-encoded, but will be sent to clients verbatim.

           File names of the form ~user/foo/bar and $ENVVAR/foo/bar are supported.

       secret = BASE64_ENCODED_DATA
           If this option is not specified, the secfile option is required to be present.

           If present, this option must be set to a string of base64-encoded binary data. It will
           be decoded and sent to the client matching the above fingerprint. This should, of
           course, be OpenPGP encrypted data, decryptable only by the client. The program mandos-
           keygen(8) can, using its --password option, be used to generate this, if desired.

           Note: this value of this option will probably be very long. A useful feature to avoid
           having unreadably-long lines is that a line beginning with white space adds to the
           value of the previous line, RFC 822-style.

       timeout = TIME
           This option is optional.

           The timeout is how long the server will wait, after a successful checker run, until a
           client is disabled and not allowed to get the data this server holds. By default
           Mandos will use 5 minutes. See also the extended_timeout option.

           The TIME is specified as a space-separated number of values, each of which is a number
           and a one-character suffix. The suffix must be one of “d”, “s”, “m”, “h”, and “w” for
           days, seconds, minutes, hours, and weeks, respectively. The values are added together
           to give the total time value, so all of “330s”, “110s 110s 110s”, and “5m 30s” will
           give a value of five minutes and thirty seconds.


       There are two forms of expansion: Start time expansion and runtime expansion.

       Any string in an option value of the form “%(foo)s” will be replaced by the value of the
       option foo either in the same section, or, if it does not exist there, the [DEFAULT]
       section. This is done at start time, when the configuration file is read.

       Note that this means that, in order to include an actual percent character (“%”) in an
       option value, two percent characters in a row (“%%”) must be entered.

       This is currently only done for the checker option.

       Any string in an option value of the form “%%(foo)s” will be replaced by the value of the
       attribute foo of the internal “Client” object in the Mandos server. The currently allowed
       values for foo are: “approval_delay”, “approval_duration”, “created”, “enabled”,
       “fingerprint”, “host”, “interval”, “last_approval_request”, “last_checked_ok”,
       “last_enabled”, “name”, “timeout”, and, if using D-Bus, “dbus_object_path”. See the source
       code for details.  Currently, none of these attributes except “host” are guaranteed to be
       valid in future versions.  Therefore, please let the authors know of any attributes that
       are useful so they may be preserved to any new versions of this software.

       Note that this means that, in order to include an actual percent character (“%”) in a
       checker option, four percent characters in a row (“%%%%”) must be entered. Also, a bad
       format here will lead to an immediate but silent run-time fatal exit; debug mode is needed
       to expose an error of this kind.


       The file described here is /etc/mandos/clients.conf


       The format for specifying times for timeout and interval is not very good.

       The difference between %%(foo)s and %(foo)s is obscure.


           timeout = 5m
           interval = 2m
           checker = fping -q -- %%(host)s

           # Client "foo"
           fingerprint =  7788 2722 5BA7 DE53 9C5A  7CFA 59CF F7CD BD9A 5920
           secret =
           host =
           interval = 1m

           # Client "bar"
           fingerprint = 3e393aeaefb84c7e89e2f547b3a107558fca3a27
           secfile = /etc/mandos/bar-secret
           timeout = 15m
           approved_by_default = False
           approval_delay = 30s


       intro(8mandos), mandos-keygen(8), mandos.conf(5), mandos(8)


       Copyright © 2008-2011 Teddy Hogeborn, Björn Påhlsson

       This manual page is free software: you can redistribute it and/or modify it under the
       terms of the GNU General Public License as published by the Free Software Foundation,
       either version 3 of the License, or (at your option) any later version.

       This manual page is distributed in the hope that it will be useful, but WITHOUT ANY
       WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
       PURPOSE. See the GNU General Public License for more details.

       You should have received a copy of the GNU General Public License along with this program.
       If not, see