mandos-ctl — Control or query the operation of the Mandos server
mandos-ctl
[ --verbose
| -v
| --dump-json
| -j
] [--debug
] [
CLIENT
... ]
mandos-ctl
{[ --enable
| -e
| --disable
| -d
]
[ --bump-timeout
| -b
]
[ --start-checker
| --stop-checker
]
[ --checker
| COMMAND
-c
]COMMAND
[ --timeout
| TIME
-t
]TIME
[ --extended-timeout
]TIME
[ --interval
| TIME
-i
]TIME
[ --approve-by-default
| --deny-by-default
]
[ --approval-delay
]TIME
[ --approval-duration
]TIME
[ --host
| STRING
-H
]STRING
[ --secret
| FILENAME
-s
]FILENAME
[ --approve
| -A
| --deny
| -D
]}
[--debug
] { --all
| -a
|
CLIENT
... }
mandos-ctl
[ --deny
| -D
] { --remove
| -r
}
[--debug
] { --all
| -a
|
CLIENT
... }
mandos-ctl
{ --is-enabled
| -V
} [--debug
] CLIENT
mandos-ctl
{ --help
| -h
}
mandos-ctl
{ --version
| -v
}
mandos-ctl
--check
mandos-ctl is a program to control or query the operation of the Mandos server mandos(8).
This program can be used to change client settings, approve or deny client requests, and to remove clients from the server.
The purpose of this is to enable remote and unattended rebooting of client host computer with an encrypted root file system. See the section called “OVERVIEW” for details.
--help
, -h
Show a help message and exit
--enable
, -e
Enable client(s). An enabled client will be eligble to receive its secret.
--disable
, -d
Disable client(s). A disabled client will not be eligble to receive its secret, and no checkers will be started for it.
--bump-timeout
Bump the timeout of the specified client(s), just as if a checker had completed successfully for it/them.
--start-checker
Start a new checker now for the specified client(s).
--stop-checker
Stop any running checker for the specified client(s).
--remove
, -r
Remove the specified client(s) from the server.
--checker
COMMAND
, -c
COMMAND
Set the checker
option of the specified
client(s); see mandos-clients.conf(5).
--timeout
TIME
, -t
TIME
Set the timeout
option of the specified
client(s); see mandos-clients.conf(5).
--extended-timeout
TIME
Set the extended_timeout
option of the
specified client(s); see mandos-clients.conf(5).
--interval
TIME
, -i
TIME
Set the interval
option of the
specified client(s); see mandos-clients.conf(5).
--approve-by-default
, --deny-by-default
Set the approved_by_default
option of
the specified client(s) to True
or
False
, respectively; see
mandos-clients.conf(5).
--approval-delay
TIME
Set the approval_delay
option of the
specified client(s); see mandos-clients.conf(5).
--approval-duration
TIME
Set the approval_duration
option of the
specified client(s); see mandos-clients.conf(5).
--host
STRING
, -H
STRING
Set the host
option of the specified
client(s); see mandos-clients.conf(5).
--secret
FILENAME
, -s
FILENAME
Set the secfile
option of the specified
client(s); see mandos-clients.conf(5).
--approve
, -A
Approve client(s) if currently waiting for approval.
--deny
, -D
Deny client(s) if currently waiting for approval.
--all
, -a
Make the client-modifying options modify all clients.
--verbose
, -v
Show all client settings, not just a subset.
--dump-json
, -j
Dump client settings as JSON to standard output.
--is-enabled
, -V
Check if a single client is enabled or not, and exit with a successful exit status only if the client is enabled.
--debug
Show debug output; currently, this means show D-Bus calls.
--check
Run self-tests. This includes any unit tests, etc.
This is part of the Mandos system for allowing computers to have encrypted root file systems and at the same time be capable of remote and/or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using a TLS key; each client has one unique to it. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using a separate OpenPGP key, and the password is then used to unlock the root file system, whereupon the computers can continue booting normally.
This program is a small utility to generate new OpenPGP keys for
new Mandos clients, and to generate sections for inclusion in
clients.conf
on the server.
If the --is-enabled
option is used, the exit
status will be 0 only if the specified client is enabled.
Please report bugs to the Mandos development mailing list:
<mandos-dev@recompile.se>
(subscription required).
Note that this list is public. The developers can be reached
privately at <mandos@recompile.se>
(OpenPGP key
fingerprint 153A 37F1 0BBA 0435 987F 2C4A 7223 2973 CA34
C2C4
for encrypted mail).
To list all clients:
mandos-ctl
To list all settings for the clients named “foo1.example.org” and “foo2.example.org”:
mandos-ctl --verbose foo1.example.org foo2.example.org
To enable all clients:
mandos-ctl --enable --all
To change timeout and interval value for the clients named “foo1.example.org” and “foo2.example.org”:
mandos-ctl --timeout=PT5M --interval=PT1M foo1.example.org foo2.example.org
To approve all clients currently waiting for approval:
mandos-ctl --approve --all