NAME
mandos.conf - Configuration file for the Mandos server
SYNOPSIS
/etc/mandos/mandos.conf
DESCRIPTION
The file /etc/mandos/mandos.conf is a simple configuration file for
mandos(8), and is read by it at startup. The configuration file starts
with “[DEFAULT]” on a line by itself, followed by any number of
“option=value” entries, with continuations
in the style of RFC 822. “option: value” is
also accepted. Note that leading whitespace is removed from values. Lines
beginning with “#” or “;” are ignored and may be
used to provide comments.
OPTIONS
interface = NAME
If this is specified, the server will only announce the
service and listen to requests on the specified network interface. Default is
to use all available interfaces. Note: a failure to bind to the
specified interface is not considered critical, and the server will not exit,
but instead continue normally.
address = ADDRESS
If this option is used, the server will only listen to
the specified IPv6 address. If a link-local address is specified, an interface
should be set, since a link-local address is only valid on a single interface.
By default, the server will listen to all available addresses. If set, this
must normally be an IPv6 address; an IPv4 address can only be specified using
IPv4-mapped IPv6 address syntax: “::FFFF:192.0.2.3”. (Only if
IPv6 usage is disabled (see below) must this be an IPv4 address.)
port = NUMBER
If this option is used, the server will bind to that
port. By default, the server will listen to an arbitrary port given by the
operating system.
debug = { 1 | yes | true | on | 0 | no | false | off }
If the server is run in debug mode, it will run in the
foreground and print a lot of debugging information. The default is to
not run in debug mode.
priority = STRING
GnuTLS priority string for the TLS handshake. The default
is “SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256”. See
gnutls_priority_init(3) for the syntax.
Warning: changing this may make the TLS handshake fail, making
server-client communication impossible. Changing this option may also make the
network traffic decryptable by an attacker.
servicename = NAME
Zeroconf service name. The default is
“Mandos”. This only needs to be changed if for some reason it
would be necessary to run more than one server on the same host. This
would not normally be useful. If there are name collisions on the same
network, the newer server will automatically rename itself to
“Mandos #2”, and so on; therefore, this option is not needed in
that case.
use_dbus = { 1 | yes | true | on | 0 | no | false | off }
This option controls whether the server will provide a
D-Bus system bus interface. The default is to provide such an interface.
use_ipv6 = { 1 | yes | true | on | 0 | no | false | off }
This option controls whether the server will use IPv6
sockets and addresses. The default is to use IPv6. This option should
never normally be turned off, even in IPv4-only environments.
This is because mandos-client(8mandos) will normally use IPv6
link-local addresses, and will not be able to find or connect to the server if
this option is turned off. Only advanced users should consider changing
this option.
restore = { 1 | yes | true | on | 0 | no | false | off }
This option controls whether the server will restore its
state from the last time it ran. Default is to restore last state.
statedir = DIRECTORY
Directory to save (and restore) state in. Default is
“/var/lib/mandos”.
socket = NUMBER
If this option is used, the server will not create a new
network socket, but will instead use the supplied file descriptor. By default,
the server will create a new network socket.
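The following Python is an added example, not code from the Mandos project: it reads a constructed mandos.conf with the same ConfigParser module mandos(8) uses, exercising the “option: value” and RFC 822 continuation syntax from DESCRIPTION, and then checks the address/interface/use_ipv6 combinations the OPTIONS text requires. The sample file text and the function names load_conf, unfold and check_address are my own.

```python
import configparser
import ipaddress

# Constructed sample file, not taken from any real Mandos installation.
SAMPLE_CONF = """\
[DEFAULT]
# A constructed configuration example
; both comment styles are ignored
interface = eth0
address: fe80::aede:48ff:fe71:f6f2
priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA
    :+SIGN-DSA-SHA256
debug = yes
use_ipv6 = on
"""

def load_conf(text):
    """Read the [DEFAULT] section with the ConfigParser module mandos(8) uses.
    ConfigParser strips leading whitespace from values, accepts '=' and ':'
    as separators and knows the 1/yes/true/on/0/no/false/off boolean words."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser["DEFAULT"]

def unfold(value):
    """Join RFC 822 style continuation lines (ConfigParser keeps them newline-separated)."""
    return "".join(value.split("\n"))

def check_address(opts):
    """Apply the man page's rules for address, interface and use_ipv6.
    Returns a list of problems; an empty list means the settings are consistent."""
    if "address" not in opts:
        return []
    use_ipv6 = opts.getboolean("use_ipv6", fallback=True)
    try:
        addr = ipaddress.ip_address(opts["address"])
    except ValueError:
        return ["address is not a valid IP address"]
    problems = []
    if use_ipv6 and addr.version != 6:
        problems.append("with use_ipv6 on, address must be IPv6 "
                        "(write an IPv4 address as ::FFFF:a.b.c.d)")
    if not use_ipv6 and addr.version != 4:
        problems.append("with use_ipv6 off, address must be an IPv4 address")
    # A link-local address is only valid on one interface, so require one.
    if addr.version == 6 and addr.is_link_local and not opts.get("interface"):
        problems.append("link-local address requires interface to be set")
    return problems
```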
FILES
The file described here is /etc/mandos/mandos.conf
BUGS
The [DEFAULT] is necessary because the Python built-in module ConfigParser
requires it.
Please report bugs to the Mandos development mailing list:
<mandos-dev@recompile.se> (subscription required). Note that this list
is public. The developers can be reached privately at
<mandos@recompile.se> (OpenPGP key fingerprint 153A 37F1 0BBA 0435
987F 2C4A 7223 2973 CA34 C2C4 for encrypted mail).
EXAMPLE
No options are actually required; a minimal file contains only the section header:
[DEFAULT]
An example using all the options:
[DEFAULT]
# A configuration example
interface = eth0
address = fe80::aede:48ff:fe71:f6f2
port = 1025
debug = True
priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA
servicename = Daena
use_dbus = False
use_ipv6 = True
restore = True
statedir = /var/lib/mandos
SEE ALSO
intro(8mandos), gnutls_priority_init(3), mandos(8),
mandos-clients.conf(5)
RFC 4291: IP Version 6 Addressing Architecture
Section 2.2: Text Representation of Addresses
Section 2.5.5.2: IPv4-Mapped IPv6 Address
Section 2.5.6: Link-Local IPv6 Unicast Addresses
The clients use IPv6 link-local addresses, which are
immediately usable since a link-local address is automatically assigned to a
network interface when it is brought up.
Zeroconf[1]
Zeroconf is the network protocol standard used by clients
for finding the Mandos server on the local network.
COPYRIGHT
Copyright © 2008-2017 Teddy Hogeborn, Björn Påhlsson
This manual page is free software: you can redistribute it and/or
modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your
option) any later version.
This manual page is distributed in the hope that it will be
useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see
http://www.gnu.org/licenses/.