'\" t
.\" Title: mandos-ctl
.\" Author: Bj\(:orn P\(oahlsson
.\" Generator: DocBook XSL Stylesheets vsnapshot
.\" Date: 2019-07-29
.\" Manual: Mandos Manual
.\" Source: Mandos 1.8.14
.\" Language: English
.\"
.TH "MANDOS\-CTL" "8" "2019\-07\-29" "Mandos 1.8.14" "Mandos Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
mandos-ctl \- Control or query the operation of the Mandos server
.SH "SYNOPSIS"
.HP \w'\fBmandos\-ctl\fR\ 'u
\fBmandos\-ctl\fR [\fB\-\-verbose\fR | \fB\-v\fR
.br
|\fB\-\-dump\-json\fR | \fB\-j\fR] [\fB\-\-debug\fR] [\fICLIENT\fR...]
.HP \w'\fBmandos\-ctl\fR\ 'u
\fBmandos\-ctl\fR {[\fB\-\-enable\fR | \fB\-e\fR
.br
|\fB\-\-disable\fR | \fB\-d\fR]
.br
[\fB\-\-bump\-timeout\fR | \fB\-b\fR]
.br
[\fB\-\-start\-checker\fR | \fB\-\-stop\-checker\fR]
.br
[\fB\-\-checker\ \fR\fB\fICOMMAND\fR\fR | \fB\-c\ \fR\fB\fICOMMAND\fR\fR]
.br
[\fB\-\-timeout\ \fR\fB\fITIME\fR\fR | \fB\-t\ \fR\fB\fITIME\fR\fR]
.br
[\fB\-\-extended\-timeout\ \fR\fB\fITIME\fR\fR]
.br
[\fB\-\-interval\ \fR\fB\fITIME\fR\fR | \fB\-i\ \fR\fB\fITIME\fR\fR]
.br
[\fB\-\-approve\-by\-default\fR
.br
|\fB\-\-deny\-by\-default\fR]
.br
[\fB\-\-approval\-delay\ \fR\fB\fITIME\fR\fR]
.br
[\fB\-\-approval\-duration\ \fR\fB\fITIME\fR\fR]
.br
[\fB\-\-host\ \fR\fB\fISTRING\fR\fR | \fB\-H\ \fR\fB\fISTRING\fR\fR]
.br
[\fB\-\-secret\ \fR\fB\fIFILENAME\fR\fR | \fB\-s\ \fR\fB\fIFILENAME\fR\fR]
.br
[\fB\-\-approve\fR | \fB\-A\fR
.br
|\fB\-\-deny\fR | \fB\-D\fR]}
.br
[\fB\-\-debug\fR] {\fB\-\-all\fR | \fB\-a\fR | \fICLIENT\fR...}
.HP \w'\fBmandos\-ctl\fR\ 'u
\fBmandos\-ctl\fR [\fB\-\-deny\fR | \fB\-D\fR] {\fB\-\-remove\fR | \fB\-r\fR}
.br
[\fB\-\-debug\fR] {\fB\-\-all\fR | \fB\-a\fR | \fICLIENT\fR...}
.HP \w'\fBmandos\-ctl\fR\ 'u
\fBmandos\-ctl\fR {\fB\-\-is\-enabled\fR | \fB\-V\fR} [\fB\-\-debug\fR] \fICLIENT\fR
.HP \w'\fBmandos\-ctl\fR\ 'u
\fBmandos\-ctl\fR {\fB\-\-help\fR | \fB\-h\fR}
.HP \w'\fBmandos\-ctl\fR\ 'u
\fBmandos\-ctl\fR {\fB\-\-version\fR | \fB\-v\fR}
.HP \w'\fBmandos\-ctl\fR\ 'u
\fBmandos\-ctl\fR \fB\-\-check\fR
.SH "DESCRIPTION"
.PP
\fBmandos\-ctl\fR is a program to control or query the operation of the Mandos server \fBmandos\fR(8)\&.
.PP
This program can be used to change client settings, approve or deny client requests, and to remove clients from the server\&.
.SH "PURPOSE"
.PP
The purpose of this is to enable \fIremote and unattended rebooting\fR of client host computers with an \fIencrypted root file system\fR\&. See the section called \(lqOVERVIEW\(rq for details\&.
.SH "OPTIONS"
.PP
\fB\-\-help\fR, \fB\-h\fR
.RS 4
Show a help message and exit
.RE
.PP
\fB\-\-enable\fR, \fB\-e\fR
.RS 4
Enable client(s)\&. An enabled client will be eligible to receive its secret\&.
.RE
.PP
\fB\-\-disable\fR, \fB\-d\fR
.RS 4
Disable client(s)\&. A disabled client will not be eligible to receive its secret, and no checkers will be started for it\&.
.RE
.PP
\fB\-\-bump\-timeout\fR
.RS 4
Bump the timeout of the specified client(s), just as if a checker had completed successfully for it/them\&.
.RE
.PP
\fB\-\-start\-checker\fR
.RS 4
Start a new checker now for the specified client(s)\&.
.RE
.PP
\fB\-\-stop\-checker\fR
.RS 4
Stop any running checker for the specified client(s)\&.
.RE
.PP
\fB\-\-remove\fR, \fB\-r\fR
.RS 4
Remove the specified client(s) from the server\&.
.RE
.PP
\fB\-\-checker \fR\fB\fICOMMAND\fR\fR, \fB\-c \fR\fB\fICOMMAND\fR\fR
.RS 4
Set the \fIchecker\fR option of the specified client(s); see \fBmandos-clients.conf\fR(5)\&.
.RE
.PP
\fB\-\-timeout \fR\fB\fITIME\fR\fR, \fB\-t \fR\fB\fITIME\fR\fR
.RS 4
Set the \fItimeout\fR option of the specified client(s); see \fBmandos-clients.conf\fR(5)\&.
.RE
.PP
\fB\-\-extended\-timeout \fR\fB\fITIME\fR\fR
.RS 4
Set the \fIextended_timeout\fR option of the specified client(s); see \fBmandos-clients.conf\fR(5)\&.
.RE
.PP
\fB\-\-interval \fR\fB\fITIME\fR\fR, \fB\-i \fR\fB\fITIME\fR\fR
.RS 4
Set the \fIinterval\fR option of the specified client(s); see \fBmandos-clients.conf\fR(5)\&.
.RE
.PP
\fB\-\-approve\-by\-default\fR, \fB\-\-deny\-by\-default\fR
.RS 4
Set the \fIapproved_by_default\fR option of the specified client(s) to True or False, respectively; see \fBmandos-clients.conf\fR(5)\&.
.RE
.PP
\fB\-\-approval\-delay \fR\fB\fITIME\fR\fR
.RS 4
Set the \fIapproval_delay\fR option of the specified client(s); see \fBmandos-clients.conf\fR(5)\&.
.RE
.PP
\fB\-\-approval\-duration \fR\fB\fITIME\fR\fR
.RS 4
Set the \fIapproval_duration\fR option of the specified client(s); see \fBmandos-clients.conf\fR(5)\&.
.RE
.PP
\fB\-\-host \fR\fB\fISTRING\fR\fR, \fB\-H \fR\fB\fISTRING\fR\fR
.RS 4
Set the \fIhost\fR option of the specified client(s); see \fBmandos-clients.conf\fR(5)\&.
.RE
.PP
\fB\-\-secret \fR\fB\fIFILENAME\fR\fR, \fB\-s \fR\fB\fIFILENAME\fR\fR
.RS 4
Set the \fIsecfile\fR option of the specified client(s); see \fBmandos-clients.conf\fR(5)\&.
.RE
.PP
\fB\-\-approve\fR, \fB\-A\fR
.RS 4
Approve client(s) if currently waiting for approval\&.
.RE
.PP
\fB\-\-deny\fR, \fB\-D\fR
.RS 4
Deny client(s) if currently waiting for approval\&.
.RE
.PP
\fB\-\-all\fR, \fB\-a\fR
.RS 4
Make the client\-modifying options modify \fIall\fR clients\&.
.RE
.PP
\fB\-\-verbose\fR, \fB\-v\fR
.RS 4
Show all client settings, not just a subset\&.
.RE
.PP
\fB\-\-dump\-json\fR, \fB\-j\fR
.RS 4
Dump client settings as JSON to standard output\&.
.RE
.PP
\fB\-\-is\-enabled\fR, \fB\-V\fR
.RS 4
Check if a single client is enabled or not, and exit with a successful exit status only if the client is enabled\&.
.RE
.PP
\fB\-\-debug\fR
.RS 4
Show debug output; currently, this means show D\-Bus calls\&.
.RE
.PP
\fB\-\-check\fR
.RS 4
Run self\-tests\&. This includes any unit tests, etc\&.
.RE
.SH "OVERVIEW"
.PP
This is part of the Mandos system for allowing computers to have encrypted root file systems and at the same time be capable of remote and/or unattended reboots\&. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network\&. All network communication is encrypted using TLS\&. The clients are identified by the server using a TLS key; each client has one unique to it\&. The server sends the clients an encrypted password\&.
The encrypted password is decrypted by the clients using a separate OpenPGP key, and the password is then used to unlock the root file system, whereupon the computers can continue booting normally\&.
.PP
This program is a small utility to generate new OpenPGP keys for new Mandos clients, and to generate sections for inclusion in clients\&.conf on the server\&.
.SH "EXIT STATUS"
.PP
If the \fB\-\-is\-enabled\fR option is used, the exit status will be 0 only if the specified client is enabled\&.
.SH "BUGS"
.PP
Please report bugs to the Mandos development mailing list: (subscription required)\&. Note that this list is public\&. The developers can be reached privately at (OpenPGP key fingerprint 153A 37F1 0BBA 0435 987F 2C4A 7223 2973 CA34 C2C4 for encrypted mail)\&.
.SH "EXAMPLE"
.PP
To list all clients:
.PP
\fBmandos\-ctl\fR
.PP
To list \fIall\fR settings for the clients named \(lqfoo1\&.example\&.org\(rq and \(lqfoo2\&.example\&.org\(rq:
.PP
\fBmandos\-ctl \-\-verbose foo1\&.example\&.org foo2\&.example\&.org\fR
.PP
To enable all clients:
.PP
\fBmandos\-ctl \-\-enable \-\-all\fR
.PP
To change timeout and interval value for the clients named \(lqfoo1\&.example\&.org\(rq and \(lqfoo2\&.example\&.org\(rq:
.PP
\fBmandos\-ctl \-\-timeout=PT5M \-\-interval=PT1M foo1\&.example\&.org foo2\&.example\&.org\fR
.PP
To approve all clients currently waiting for approval:
.PP
\fBmandos\-ctl \-\-approve \-\-all\fR
.SH "SECURITY"
.PP
This program must be permitted to access the Mandos server via the D\-Bus interface\&. This normally requires the root user, but could be configured otherwise by reconfiguring the D\-Bus server\&.
.SH "SEE ALSO"
.PP
\fBintro\fR(8mandos), \fBmandos\fR(8), \fBmandos-clients.conf\fR(5), \fBmandos-monitor\fR(8)
.SH "COPYRIGHT"
.br
Copyright \(co 2010-2019 Teddy Hogeborn, Bj\(:orn P\(oahlsson
.br
.PP
This manual page is part of Mandos\&.
.PP
Mandos is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version\&.
.PP
Mandos is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License for more details\&.
.PP
You should have received a copy of the GNU General Public License along with Mandos\&. If not, see \m[blue]\fBhttp://www\&.gnu\&.org/licenses/\fR\m[]\&.
.sp
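.PP
Added example, not part of the Mandos manual or the project's own code: because --is-enabled takes a single CLIENT and, per EXIT STATUS, exits 0 only when that client is enabled, this script queries each name separately and treats every non-zero status as "not confirmed enabled". The MANDOS_CTL variable and the function name are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Mandos project code): list clients that are not
# confirmed enabled, using only the --is-enabled exit status.

# MANDOS_CTL is a hypothetical override so the logic can be exercised
# against a stub; by default the real mandos-ctl is used.
MANDOS_CTL="${MANDOS_CTL:-mandos-ctl}"

# not_enabled_clients CLIENT...
# Prints, one per line, each client for which --is-enabled did not exit 0.
# Returns 0 when every listed client is enabled, 1 otherwise.
not_enabled_clients() {
    rc=0
    for client in "$@"; do
        # --is-enabled accepts exactly one CLIENT, so query one per call.
        # The manual guarantees exit status 0 only for an enabled client;
        # a non-zero status may also mean an unknown name or no D-Bus
        # access (normally root only), so report it rather than assume.
        if ! "$MANDOS_CTL" --is-enabled "$client" >/dev/null 2>&1; then
            printf '%s\n' "$client"
            rc=1
        fi
    done
    return "$rc"
}

# When run with client names as arguments, report on those clients.
if [ "$#" -gt 0 ]; then
    not_enabled_clients "$@"
fi
```

Run as root (or as whichever user D-Bus policy permits) with the client names to audit; a non-empty output or exit status 1 means at least one client would not currently be eligible to receive its secret.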