'\" t
.\" Title: mandos.conf
.\" Author: Bj\(:orn P\(oahlsson
.\" Generator: DocBook XSL Stylesheets vsnapshot
.\" Date: 2019-06-20
.\" Manual: Mandos Manual
.\" Source: Mandos 1.8.14
.\" Language: English
.\"
.TH "MANDOS\&.CONF" "5" "2019\-06\-20" "Mandos 1.8.14" "Mandos Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
mandos.conf \- Configuration file for the Mandos server
.SH "SYNOPSIS"
.sp
.nf
/etc/mandos/mandos\&.conf
.fi
.SH "DESCRIPTION"
.PP
The file /etc/mandos/mandos\&.conf is a simple configuration file for \fBmandos\fR(8), and is read by it at startup\&. The configuration file starts with \(lq[DEFAULT]\(rq on a line by itself, followed by any number of \(lq\fI\fIoption\fR\fR=\fIvalue\fR\(rq entries, with continuations in the style of RFC 822\&. \(lq\fI\fIoption\fR\fR: \fIvalue\fR\(rq is also accepted\&. Note that leading whitespace is removed from values\&. Lines beginning with \(lq#\(rq or \(lq;\(rq are ignored and may be used to provide comments\&.
.SH "OPTIONS"
.PP
\fBinterface\fR\fB = \fR\fB\fINAME\fR\fR
.RS 4
If this is specified, the server will only announce the service and listen to requests on the specified network interface\&. Default is to use all available interfaces\&.
\fINote:\fR a failure to bind to the specified interface is not considered critical, and the server will not exit, but instead continue normally\&.
.RE
.PP
\fBaddress\fR\fB = \fR\fB\fIADDRESS\fR\fR
.RS 4
If this option is used, the server will only listen to the specified IPv6 address\&. If a link\-local address is specified, an interface should be set, since a link\-local address is only valid on a single interface\&. By default, the server will listen to all available addresses\&. If set, this must normally be an IPv6 address; an IPv4 address can only be specified using IPv4\-mapped IPv6 address syntax: \(lq::FFFF:192\&.0\&.2\&.3\(rq\&. (Only if IPv6 usage is \fIdisabled\fR (see below) must this be an IPv4 address\&.)
.RE
.PP
\fBport\fR\fB = \fR\fB\fINUMBER\fR\fR
.RS 4
If this option is used, the server will bind to that port\&. By default, the server will listen to an arbitrary port given by the operating system\&.
.RE
.PP
\fBdebug\fR\fB = \fR\fB{ \fR\fB1\fR\fB | \fR\fByes\fR\fB | \fR\fBtrue\fR\fB | \fR\fBon\fR\fB | \fR\fB0\fR\fB | \fR\fBno\fR\fB | \fR\fBfalse\fR\fB | \fR\fBoff\fR\fB }\fR
.RS 4
If the server is run in debug mode, it will run in the foreground and print a lot of debugging information\&. The default is to \fInot\fR run in debug mode\&.
.RE
.PP
\fBpriority\fR\fB = \fR\fB\fISTRING\fR\fR
.RS 4
GnuTLS priority string for the TLS handshake\&. The default is \(lqSECURE128\::!CTYPE\-X\&.509\::+CTYPE\-RAWPK\::!RSA\::!VERS\-ALL\::+VERS\-TLS1\&.3\::%PROFILE_ULTRA\(rq when using raw public keys in TLS, and \(lqSECURE256\::!CTYPE\-X\&.509\::+CTYPE\-OPENPGP\::!RSA\::+SIGN\-DSA\-SHA256\(rq when using OpenPGP keys in TLS\&. See \fBgnutls_priority_init\fR(3) for the syntax\&.
\fIWarning\fR: changing this may make the TLS handshake fail, making server\-client communication impossible\&. Changing this option may also make the network traffic decryptable by an attacker\&.
.RE
.PP
\fBservicename\fR\fB = \fR\fB\fINAME\fR\fR
.RS 4
Zeroconf service name\&. The default is \(lqMandos\(rq\&. This only needs to be changed if for some reason it would be necessary to run more than one server on the same \fIhost\fR\&. This would not normally be useful\&. If there are name collisions on the same \fInetwork\fR, the newer server will automatically rename itself to \(lqMandos #2\(rq, and so on; therefore, this option is not needed in that case\&.
.RE
.PP
\fBuse_dbus\fR\fB = \fR\fB{ \fR\fB1\fR\fB | \fR\fByes\fR\fB | \fR\fBtrue\fR\fB | \fR\fBon\fR\fB | \fR\fB0\fR\fB | \fR\fBno\fR\fB | \fR\fBfalse\fR\fB | \fR\fBoff\fR\fB }\fR
.RS 4
This option controls whether the server will provide a D\-Bus system bus interface\&. The default is to provide such an interface\&.
.RE
.PP
\fBuse_ipv6\fR\fB = \fR\fB{ \fR\fB1\fR\fB | \fR\fByes\fR\fB | \fR\fBtrue\fR\fB | \fR\fBon\fR\fB | \fR\fB0\fR\fB | \fR\fBno\fR\fB | \fR\fBfalse\fR\fB | \fR\fBoff\fR\fB }\fR
.RS 4
This option controls whether the server will use IPv6 sockets and addresses\&. The default is to use IPv6\&. This option should \fInever\fR normally be turned off, \fIeven in IPv4\-only environments\fR\&. This is because \fBmandos-client\fR(8mandos) will normally use IPv6 link\-local addresses, and will not be able to find or connect to the server if this option is turned off\&. \fIOnly advanced users should consider changing this option\fR\&.
.RE
.PP
\fBrestore\fR\fB = \fR\fB{ \fR\fB1\fR\fB | \fR\fByes\fR\fB | \fR\fBtrue\fR\fB | \fR\fBon\fR\fB | \fR\fB0\fR\fB | \fR\fBno\fR\fB | \fR\fBfalse\fR\fB | \fR\fBoff\fR\fB }\fR
.RS 4
This option controls whether the server will restore its state from the last time it ran\&. Default is to restore last state\&.
.RE
.PP
\fBstatedir\fR\fB = \fR\fB\fIDIRECTORY\fR\fR
.RS 4
Directory to save (and restore) state in\&. Default is \(lq/var/lib/mandos\(rq\&.
.RE
.PP
\fBsocket\fR\fB = \fR\fB\fINUMBER\fR\fR
.RS 4
If this option is used, the server will not create a new network socket, but will instead use the supplied file descriptor\&. By default, the server will create a new network socket\&.
.RE
.SH "FILES"
.PP
The file described here is /etc/mandos/mandos\&.conf
.SH "BUGS"
.PP
The [DEFAULT] is necessary because the Python built\-in module ConfigParser requires it\&.
.PP
Please report bugs to the Mandos development mailing list: (subscription required)\&. Note that this list is public\&. The developers can be reached privately at (OpenPGP key fingerprint 153A 37F1 0BBA 0435 987F 2C4A 7223 2973 CA34 C2C4 for encrypted mail)\&.
.SH "EXAMPLE"
.PP
No options are actually required:
.sp
.if n \{\
.RS 4
.\}
.nf
[DEFAULT]
.fi
.if n \{\
.RE
.\}
.PP
An example using all the options:
.sp
.if n \{\
.RS 4
.\}
.nf
[DEFAULT]
# A configuration example
interface = enp1s0
address = fe80::aede:48ff:fe71:f6f2
port = 1025
debug = True
priority = SECURE128:!CTYPE\-X\&.509:+CTYPE\-RAWPK:!RSA:!VERS\-ALL:+VERS\-TLS1\&.3:%PROFILE_ULTRA
servicename = Daena
use_dbus = False
use_ipv6 = True
restore = True
statedir = /var/lib/mandos
.fi
.if n \{\
.RE
.\}
.SH "SEE ALSO"
.PP
\fBintro\fR(8mandos), \fBgnutls_priority_init\fR(3), \fBmandos\fR(8), \fBmandos-clients.conf\fR(5)
.PP
RFC 4291: IP Version 6 Addressing Architecture
.RS 4
.PP
Section 2\&.2: Text Representation of Addresses
.RS 4
.RE
.PP
Section 2\&.5\&.5\&.2: IPv4\-Mapped IPv6 Address
.RS 4
.RE
.PP
Section 2\&.5\&.6, Link\-Local IPv6 Unicast Addresses
.RS 4
The clients use IPv6 link\-local addresses, which are immediately usable since a link\-local address is automatically assigned to a network interface when it is brought up\&.
.RE
.RE
.PP
\m[blue]\fBZeroconf\fR\m[]\&\s-2\u[1]\d\s+2
.RS 4
Zeroconf is the network protocol standard used by clients for finding the Mandos server on the local network\&.
.RE
.SH "COPYRIGHT"
.br
Copyright \(co 2008-2019 Teddy Hogeborn, Bj\(:orn P\(oahlsson
.br
.PP
This manual page is part of Mandos\&.
.PP
Mandos is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version\&.
.PP
Mandos is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License for more details\&.
.PP
You should have received a copy of the GNU General Public License along with Mandos\&. If not, see \m[blue]\fBhttp://www\&.gnu\&.org/licenses/\fR\m[]\&.
.sp
.SH "NOTES"
.IP " 1." 4
Zeroconf
.RS 4
\%http://www.zeroconf.org/
.RE
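.PP
Added example, not part of the Mandos manual or code base: a Python script that reads a mandos.conf with the configparser module named under BUGS and flags the caveats documented under DESCRIPTION and OPTIONS. The names audit and SAMPLE, the sample text, and the choice to disable interpolation are assumptions of this example.

```python
import configparser
import ipaddress

# Default priority strings quoted from the OPTIONS section of this page.
DEFAULT_PRIORITIES = {
    "SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA:!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA",
    "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256",
}

# Constructed sample, deliberately misconfigured. It uses both delimiters,
# both comment characters and an indented RFC 822-style continuation line.
SAMPLE = """[DEFAULT]
# constructed sample, not a recommended configuration
; second comment style
address: fe80::aede:48ff:fe71:f6f2
debug = yes
priority = SECURE128:+VERS-TLS1.2
    :+RSA
use_ipv6 = off
"""

def audit(text):
    """Map each option that hits a documented caveat to a short finding."""
    # Assumption of this example: interpolation is disabled so that a
    # literal "%" in a priority string is read verbatim.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    conf = cp["DEFAULT"]
    hits = {}
    if conf.getboolean("debug", fallback=False):
        hits["debug"] = "foreground mode with verbose debugging output"
    ipv6 = conf.getboolean("use_ipv6", fallback=True)
    if not ipv6:
        hits["use_ipv6"] = "clients using IPv6 link-local cannot reach the server"
    if "priority" in conf:
        prio = "".join(conf["priority"].split())  # rejoin continuation lines
        if prio not in DEFAULT_PRIORITIES:
            hits["priority"] = "non-default TLS priority: " + prio
    if "address" in conf:
        addr = ipaddress.ip_address(conf["address"])
        if addr.version == 4 and ipv6:
            hits["address"] = "IPv4 address needs IPv4-mapped IPv6 syntax"
        elif addr.is_link_local and "interface" not in conf:
            hits["address"] = "link-local address without an interface"
    return hits

if __name__ == "__main__":
    for option, finding in sorted(audit(SAMPLE).items()):
        print(option + ": " + finding)
```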