MANDOS-CTL(8) | Mandos Manual | MANDOS-CTL(8) |
NAME
mandos-ctl - Control the operation of the Mandos server
SYNOPSIS
mandos-ctl
    [--enable | -e | --disable | -d]
    [--bump-timeout | -b]
    [--start-checker]
    [--stop-checker]
    [--remove | -r]
    [--checker COMMAND | -c COMMAND]
    [--timeout TIME | -t TIME]
    [--extended-timeout TIME]
    [--interval TIME | -i TIME]
    [--approve-by-default | --deny-by-default]
    [--approval-delay TIME]
    [--approval-duration TIME]
    [--host STRING | -H STRING]
    [--secret FILENAME | -s FILENAME]
    [--approve | -A | --deny | -D]
    {--all | -a | CLIENT...}
mandos-ctl [--verbose | -v] [CLIENT...]
mandos-ctl {--is-enabled | -V} CLIENT
mandos-ctl {--help | -h}
mandos-ctl {--version | -v}
DESCRIPTION
PURPOSE
The purpose of this is to enable remote and unattended rebooting of a client host computer with an encrypted root file system. See the section called “OVERVIEW” for details.
OPTIONS
--help, -h
Show a help message and exit
--enable, -e
Enable client(s). An enabled client will be
eligible to receive its secret.
--disable, -d
Disable client(s). A disabled client will not
be eligible to receive its secret, and no checkers will be started for
it.
--bump-timeout
Bump the timeout of the specified client(s),
just as if a checker had completed successfully for it/them.
--start-checker
Start a new checker now for the specified
client(s).
--stop-checker
Stop any running checker for the specified
client(s).
--remove, -r
Remove the specified client(s) from the
server.
--checker COMMAND, -c COMMAND
Set the checker option of the specified
client(s); see mandos-clients.conf(5).
--timeout TIME, -t TIME
Set the timeout option of the specified
client(s); see mandos-clients.conf(5).
--extended-timeout TIME
Set the extended_timeout option of the
specified client(s); see mandos-clients.conf(5).
--interval TIME, -i TIME
Set the interval option of the
specified client(s); see mandos-clients.conf(5).
--approve-by-default, --deny-by-default
Set the approved_by_default option of
the specified client(s) to True or False, respectively; see
mandos-clients.conf(5).
--approval-delay TIME
Set the approval_delay option of the
specified client(s); see mandos-clients.conf(5).
--approval-duration TIME
Set the approval_duration option of the
specified client(s); see mandos-clients.conf(5).
--host STRING, -H STRING
Set the host option of the specified
client(s); see mandos-clients.conf(5).
--secret FILENAME, -s FILENAME
Set the secfile option of the specified
client(s); see mandos-clients.conf(5).
--approve, -A
Approve client(s) if currently waiting for
approval.
--deny, -D
Deny client(s) if currently waiting for
approval.
--all, -a
Make the client-modifying options modify
all clients.
--verbose, -v
Show all client settings, not just a
subset.
--is-enabled, -V
Check if a single client is enabled or not,
and exit with a successful exit status only if the client is enabled.
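The --is-enabled exit status and the --disable option can be combined to verify that retired clients are no longer eligible to receive their secret. This is an added example, not part of the Mandos manual; the function names and the MANDOS_CTL override variable are hypothetical, and the client names in the usage comment are constructed.

```sh
#!/bin/sh
# Added example: make sure retired Mandos clients cannot receive a secret.
# MANDOS_CTL is a hypothetical override (useful for testing); by default
# the real mandos-ctl command is used, which needs D-Bus access to the
# Mandos server (normally root).
MANDOS_CTL=${MANDOS_CTL:-mandos-ctl}

# still_enabled CLIENT...
# Print, one per line, each named client that is currently enabled.
# --is-enabled accepts a single client and exits 0 only if that client is
# enabled; any other status (disabled, unknown client, no D-Bus access)
# is treated here as "not enabled".
still_enabled() {
    for client in "$@"; do
        if "$MANDOS_CTL" --is-enabled "$client" >/dev/null 2>&1; then
            printf '%s\n' "$client"
        fi
    done
}

# enforce_retired CLIENT...
# Disable every named client that is still enabled, then re-check it.
# Returns 0 if no named client remains enabled, 1 otherwise.
enforce_retired() {
    rc=0
    for client in "$@"; do
        "$MANDOS_CTL" --is-enabled "$client" >/dev/null 2>&1 || continue
        echo "retired client still enabled, disabling: $client" >&2
        "$MANDOS_CTL" --disable "$client" || true
        # Verify the change took effect instead of trusting --disable.
        if "$MANDOS_CTL" --is-enabled "$client" >/dev/null 2>&1; then
            echo "FAILED to disable: $client" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage (constructed client names):
#   still_enabled oldhost1 oldhost2      # audit only
#   enforce_retired oldhost1 oldhost2    # audit and disable
```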
OVERVIEW
This is part of the Mandos system for allowing computers to have encrypted root file systems and at the same time be capable of remote and/or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using an OpenPGP key; each client has one unique to it. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using the same OpenPGP key, and the password is then used to unlock the root file system, whereupon the computers can continue booting normally. This program is a small utility to generate new OpenPGP keys for new Mandos clients, and to generate sections for inclusion in clients.conf on the server.
EXIT STATUS
If the --is-enabled option is used, the exit status will be 0 only if the specified client is enabled.
EXAMPLE
To list all clients:
SECURITY
This program must be permitted to access the Mandos server via the D-Bus interface. This normally requires the root user, but could be configured otherwise by reconfiguring the D-Bus server.
SEE ALSO
COPYRIGHT
Copyright © 2010-2012 Teddy Hogeborn, Björn Påhlsson
2012-01-01 | Mandos 1.5.5 |