'\" t
.\" Title: mandos-ctl
.\" Author: Bj\(:orn P\(oahlsson
.\" Generator: DocBook XSL Stylesheets v1.79.1
.\" Date: 2017-02-23
.\" Manual: Mandos Manual
.\" Source: Mandos 1.7.15
.\" Language: English
.\"
.TH "MANDOS\-CTL" "8" "2017\-02\-23" "Mandos 1.7.15" "Mandos Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
mandos-ctl \- Control or query the operation of the Mandos server
.SH "SYNOPSIS"
.HP \w'\fBmandos\-ctl\fR\ 'u
\fBmandos\-ctl\fR {[\fB\-\-enable\fR | \fB\-e\fR
.br
|\fB\-\-disable\fR | \fB\-d\fR]
.br
[\fB\-\-bump\-timeout\fR | \fB\-b\fR]
.br
[\fB\-\-start\-checker\fR]
.br
[\fB\-\-stop\-checker\fR]
.br
[\fB\-\-remove\fR | \fB\-r\fR]
.br
[\fB\-\-checker\ \fR\fB\fICOMMAND\fR\fR | \fB\-c\ \fR\fB\fICOMMAND\fR\fR]
.br
[\fB\-\-timeout\ \fR\fB\fITIME\fR\fR | \fB\-t\ \fR\fB\fITIME\fR\fR]
.br
[\fB\-\-extended\-timeout\ \fR\fB\fITIME\fR\fR]
.br
[\fB\-\-interval\ \fR\fB\fITIME\fR\fR | \fB\-i\ \fR\fB\fITIME\fR\fR]
.br
[\fB\-\-approve\-by\-default\fR
.br
|\fB\-\-deny\-by\-default\fR]
.br
[\fB\-\-approval\-delay\ \fR\fB\fITIME\fR\fR]
.br
[\fB\-\-approval\-duration\ \fR\fB\fITIME\fR\fR]
.br
[\fB\-\-interval\ \fR\fB\fITIME\fR\fR |
\fB\-i\ \fR\fB\fITIME\fR\fR]
.br
[\fB\-\-host\ \fR\fB\fISTRING\fR\fR | \fB\-H\ \fR\fB\fISTRING\fR\fR]
.br
[\fB\-\-secret\ \fR\fB\fIFILENAME\fR\fR | \fB\-s\ \fR\fB\fIFILENAME\fR\fR]
.br
[\fB\-\-approve\fR | \fB\-A\fR
.br
|\fB\-\-deny\fR | \fB\-D\fR]}
.br
{\fB\-\-all\fR | \fB\-a\fR | \fICLIENT\fR...}
.HP \w'\fBmandos\-ctl\fR\ 'u
\fBmandos\-ctl\fR [\fB\-\-verbose\fR | \fB\-v\fR
.br
|\fB\-\-dump\-json\fR | \fB\-j\fR] [\fICLIENT\fR...]
.HP \w'\fBmandos\-ctl\fR\ 'u
\fBmandos\-ctl\fR {\fB\-\-is\-enabled\fR | \fB\-V\fR} \fICLIENT\fR
.HP \w'\fBmandos\-ctl\fR\ 'u
\fBmandos\-ctl\fR {\fB\-\-help\fR | \fB\-h\fR}
.HP \w'\fBmandos\-ctl\fR\ 'u
\fBmandos\-ctl\fR {\fB\-\-version\fR | \fB\-v\fR}
.HP \w'\fBmandos\-ctl\fR\ 'u
\fBmandos\-ctl\fR \fB\-\-check\fR
.SH "DESCRIPTION"
.PP
\fBmandos\-ctl\fR
is a program to control or query the operation of the Mandos server
\fBmandos\fR(8)\&.
.PP
This program can be used to change client settings, approve or deny client requests, and to remove clients from the server\&.
.SH "PURPOSE"
.PP
The purpose of this is to enable
\fIremote and unattended rebooting\fR
of a client host computer with an
\fIencrypted root file system\fR\&. See
the section called \(lqOVERVIEW\(rq
for details\&.
.SH "OPTIONS"
.PP
\fB\-\-help\fR, \fB\-h\fR
.RS 4
Show a help message and exit
.RE
.PP
\fB\-\-enable\fR, \fB\-e\fR
.RS 4
Enable client(s)\&. An enabled client will be eligible to receive its secret\&.
.RE
.PP
\fB\-\-disable\fR, \fB\-d\fR
.RS 4
Disable client(s)\&. A disabled client will not be eligible to receive its secret, and no checkers will be started for it\&.
.RE
.PP
\fB\-\-bump\-timeout\fR
.RS 4
Bump the timeout of the specified client(s), just as if a checker had completed successfully for it/them\&.
.RE
.PP
\fB\-\-start\-checker\fR
.RS 4
Start a new checker now for the specified client(s)\&.
.RE
.PP
\fB\-\-stop\-checker\fR
.RS 4
Stop any running checker for the specified client(s)\&.
.RE
.PP
\fB\-\-remove\fR, \fB\-r\fR
.RS 4
Remove the specified client(s) from the server\&.
.RE
.PP
\fB\-\-checker \fR\fB\fICOMMAND\fR\fR, \fB\-c \fR\fB\fICOMMAND\fR\fR
.RS 4
Set the
\fIchecker\fR
option of the specified client(s); see
\fBmandos-clients.conf\fR(5)\&.
.RE
.PP
\fB\-\-timeout \fR\fB\fITIME\fR\fR, \fB\-t \fR\fB\fITIME\fR\fR
.RS 4
Set the
\fItimeout\fR
option of the specified client(s); see
\fBmandos-clients.conf\fR(5)\&.
.RE
.PP
\fB\-\-extended\-timeout \fR\fB\fITIME\fR\fR
.RS 4
Set the
\fIextended_timeout\fR
option of the specified client(s); see
\fBmandos-clients.conf\fR(5)\&.
.RE
.PP
\fB\-\-interval \fR\fB\fITIME\fR\fR, \fB\-i \fR\fB\fITIME\fR\fR
.RS 4
Set the
\fIinterval\fR
option of the specified client(s); see
\fBmandos-clients.conf\fR(5)\&.
.RE
.PP
\fB\-\-approve\-by\-default\fR, \fB\-\-deny\-by\-default\fR
.RS 4
Set the
\fIapproved_by_default\fR
option of the specified client(s) to
True
or
False, respectively; see
\fBmandos-clients.conf\fR(5)\&.
.RE
.PP
\fB\-\-approval\-delay \fR\fB\fITIME\fR\fR
.RS 4
Set the
\fIapproval_delay\fR
option of the specified client(s); see
\fBmandos-clients.conf\fR(5)\&.
.RE
.PP
\fB\-\-approval\-duration \fR\fB\fITIME\fR\fR
.RS 4
Set the
\fIapproval_duration\fR
option of the specified client(s); see
\fBmandos-clients.conf\fR(5)\&.
.RE
.PP
\fB\-\-host \fR\fB\fISTRING\fR\fR, \fB\-H \fR\fB\fISTRING\fR\fR
.RS 4
Set the
\fIhost\fR
option of the specified client(s); see
\fBmandos-clients.conf\fR(5)\&.
.RE
.PP
\fB\-\-secret \fR\fB\fIFILENAME\fR\fR, \fB\-s \fR\fB\fIFILENAME\fR\fR
.RS 4
Set the
\fIsecfile\fR
option of the specified client(s); see
\fBmandos-clients.conf\fR(5)\&.
.RE
.PP
\fB\-\-approve\fR, \fB\-A\fR
.RS 4
Approve client(s) if currently waiting for approval\&.
.RE
.PP
\fB\-\-deny\fR, \fB\-D\fR
.RS 4
Deny client(s) if currently waiting for approval\&.
.RE
.PP
\fB\-\-all\fR, \fB\-a\fR
.RS 4
Make the client\-modifying options modify
\fIall\fR
clients\&.
.RE
.PP
\fB\-\-verbose\fR, \fB\-v\fR
.RS 4
Show all client settings, not just a subset\&.
.RE
.PP
\fB\-\-dump\-json\fR, \fB\-j\fR
.RS 4
Dump client settings as JSON to standard output\&.
.RE
.PP
\fB\-\-is\-enabled\fR, \fB\-V\fR
.RS 4
Check if a single client is enabled or not, and exit with a successful exit status only if the client is enabled\&.
.RE
.PP
\fB\-\-check\fR
.RS 4
Run self\-tests\&. This includes any unit tests, etc\&.
.RE
.SH "OVERVIEW"
.PP
This is part of the Mandos system for allowing computers to have encrypted root file systems and at the same time be capable of remote and/or unattended reboots\&. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network\&. All network communication is encrypted using TLS\&. The clients are identified by the server using an OpenPGP key; each client has one unique to it\&. The server sends the clients an encrypted password\&. The encrypted password is decrypted by the clients using the same OpenPGP key, and the password is then used to unlock the root file system, whereupon the computers can continue booting normally\&.
.PP
This program is a small utility to generate new OpenPGP keys for new Mandos clients, and to generate sections for inclusion in
clients\&.conf
on the server\&.
.SH "EXIT STATUS"
.PP
If the
\fB\-\-is\-enabled\fR
option is used, the exit status will be 0 only if the specified client is enabled\&.
.SH "BUGS"
.PP
Please report bugs to the Mandos development mailing list:
(subscription required)\&. Note that this list is public\&. The developers can be reached privately at
(OpenPGP key fingerprint 153A 37F1 0BBA 0435 987F 2C4A 7223 2973 CA34 C2C4 for encrypted mail)\&.
.SH "EXAMPLE"
.PP
To list all clients:
.PP
\fBmandos\-ctl\fR
.PP
To list
\fIall\fR
settings for the clients named
\(lqfoo1\&.example\&.org\(rq
and
\(lqfoo2\&.example\&.org\(rq:
.PP
\fBmandos\-ctl \-\-verbose foo1\&.example\&.org foo2\&.example\&.org\fR
.PP
To enable all clients:
.PP
\fBmandos\-ctl \-\-enable \-\-all\fR
.PP
To change the timeout and interval values for the clients named
\(lqfoo1\&.example\&.org\(rq
and
\(lqfoo2\&.example\&.org\(rq:
.PP
\fBmandos\-ctl \-\-timeout="5m" \-\-interval="1m" foo1\&.example\&.org foo2\&.example\&.org\fR
.PP
To approve all clients currently waiting for it:
.PP
\fBmandos\-ctl \-\-approve \-\-all\fR
.SH "SECURITY"
.PP
This program must be permitted to access the Mandos server via the D\-Bus interface\&. This normally requires the root user, but could be configured otherwise by reconfiguring the D\-Bus server\&.
.SH "SEE ALSO"
.PP
\fBintro\fR(8mandos),
\fBmandos\fR(8),
\fBmandos-clients.conf\fR(5),
\fBmandos-monitor\fR(8)
.SH "COPYRIGHT"
.br
Copyright \(co 2010-2017 Teddy Hogeborn, Bj\(:orn P\(oahlsson
.br
.PP
This manual page is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version\&.
.PP
This manual page is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License for more details\&.
.PP
You should have received a copy of the GNU General Public License along with this program\&. If not, see
\m[blue]\fBhttp://www\&.gnu\&.org/licenses/\fR\m[]\&.
.sp
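.PP
Added example, not part of the Mandos distribution: under the EXIT STATUS rule, only status 0 from \-\-is\-enabled proves a client is enabled, so this POSIX shell audit reports a client on any other status, whatever its cause. The MANDOS_CTL override variable and the function name clients_not_enabled are hypothetical, introduced here for illustration.
.nf
```sh
#!/bin/sh
# Added example, not Mandos project code.
# MANDOS_CTL is a hypothetical override so the audit can be pointed at a
# different path (or a stub) instead of the installed mandos-ctl.
MANDOS_CTL="${MANDOS_CTL:-mandos-ctl}"

# Print each client name from the arguments that is NOT confirmed enabled.
# Only exit status 0 counts as "enabled"; any other status, whatever its
# cause, puts the client on the list, so the audit fails closed.
# Returns 0 when every client is enabled, 1 otherwise.
clients_not_enabled() {
    rc=0
    for client in "$@"; do
        if ! "$MANDOS_CTL" --is-enabled "$client" >/dev/null 2>&1; then
            echo "$client"
            rc=1
        fi
    done
    return "$rc"
}

# When run with client names as arguments, list the ones needing attention.
if [ "$#" -gt 0 ]; then
    clients_not_enabled "$@" || echo "not all clients are enabled" >&2
fi
```
.fi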