mandos.conf — Configuration file for the Mandos server

/etc/mandos/mandos.conf
The file /etc/mandos/mandos.conf is a configuration file for mandos(8), and is read by it at startup. The configuration file starts with “[DEFAULT]” on a line by itself, followed by any number of “option = value” entries, with continuations in the style of RFC 822. “option: value” is also accepted. Note that leading whitespace is removed from values. Lines beginning with “#” or “;” are ignored and may be used to provide comments.
interface = NAME
    If this is specified, the server will only announce the service and listen to requests on the specified network interface. Default is to use all available interfaces. Note: a failure to bind to the specified interface is not considered critical, and the server will not exit, but instead continue normally.
address = ADDRESS
    If this option is used, the server will only listen to the specified IPv6 address. If a link-local address is specified, an interface should be set, since a link-local address is only valid on a single interface. By default, the server will listen to all available addresses. If set, this must normally be an IPv6 address; an IPv4 address can only be specified using IPv4-mapped IPv6 address syntax: “::FFFF:192.0.2.3”. (Only if IPv6 usage is disabled (see below) must this be an IPv4 address.)
port = NUMBER
    If this option is used, the server will bind to that port. By default, the server will listen to an arbitrary port given by the operating system.
debug = { 1 | yes | true | on | 0 | no | false | off }
    If the server is run in debug mode, it will run in the foreground and print a lot of debugging information. The default is to not run in debug mode.
priority = STRING
    GnuTLS priority string for the TLS handshake. The default is “SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA:!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA” when using raw public keys in TLS, and “SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256” when using OpenPGP keys in TLS. See gnutls_priority_init(3) for the syntax. Warning: changing this may make the TLS handshake fail, making server-client communication impossible. Changing this option may also make the network traffic decryptable by an attacker.
servicename = NAME
    Zeroconf service name. The default is “Mandos”. This only needs to be changed if for some reason it would be necessary to run more than one server on the same host. This would not normally be useful. If there are name collisions on the same network, the newer server will automatically rename itself to “Mandos #2”, and so on; therefore, this option is not needed in that case.
use_dbus = { 1 | yes | true | on | 0 | no | false | off }
    This option controls whether the server will provide a D-Bus system bus interface. The default is to provide such an interface.
use_ipv6 = { 1 | yes | true | on | 0 | no | false | off }
    This option controls whether the server will use IPv6 sockets and addresses. The default is to use IPv6. This option should never normally be turned off, even in IPv4-only environments. This is because mandos-client(8mandos) will normally use IPv6 link-local addresses, and will not be able to find or connect to the server if this option is turned off. Only advanced users should consider changing this option.
restore = { 1 | yes | true | on | 0 | no | false | off }
    This option controls whether the server will restore its state from the last time it ran. Default is to restore last state.
statedir = DIRECTORY
    Directory to save (and restore) state in. Default is “/var/lib/mandos”.
socket = NUMBER
    If this option is used, the server will not create a new network socket, but will instead use the supplied file descriptor. By default, the server will create a new network socket.
The [DEFAULT] is necessary because the Python built-in module ConfigParser requires it.
Please report bugs to the Mandos development mailing list: <mandos-dev@recompile.se> (subscription required). Note that this list is public. The developers can be reached privately at <mandos@recompile.se> (OpenPGP key fingerprint 153A 37F1 0BBA 0435 987F 2C4A 7223 2973 CA34 C2C4 for encrypted mail).
No options are actually required:

[DEFAULT]

An example using all the options:

[DEFAULT]
# A configuration example
interface = enp1s0
address = fe80::aede:48ff:fe71:f6f2
port = 1025
debug = True
priority = SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA:!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA
servicename = Daena
use_dbus = False
use_ipv6 = True
restore = True
statedir = /var/lib/mandos
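The option descriptions above carry several consistency rules that are easy to get wrong by hand: the eight accepted boolean spellings, the requirement that address be IPv6 (or IPv4-mapped) unless use_ipv6 is off, and the need for an interface when a link-local address is given. The following is an added example, not code from the Mandos project: it loads a mandos.conf with the same Python ConfigParser module the manual says the server uses, fills in the documented defaults, and reports violations of those rules. The function names (load_mandos_conf, validate, parse_boolean) and the validation logic are this example's own; the option names, defaults and rules are taken from the manual, and the sample input is the manual's own "all the options" example.

```python
import configparser
import ipaddress

# Documented defaults; None means "not set" (the server decides for itself).
# "priority" has no single default: the server picks one per key type.
DEFAULTS = {
    "interface": None, "address": None, "port": None, "debug": "off",
    "priority": None, "servicename": "Mandos", "use_dbus": "on",
    "use_ipv6": "on", "restore": "on", "statedir": "/var/lib/mandos",
    "socket": None,
}
BOOLEAN_OPTIONS = {"debug", "use_dbus", "use_ipv6", "restore"}
INTEGER_OPTIONS = {"port", "socket"}

# Exactly the eight spellings the manual lists, matched case-insensitively
# so the manual's own example ("debug = True") is accepted.
BOOLEAN_WORDS = {"1": True, "yes": True, "true": True, "on": True,
                 "0": False, "no": False, "false": False, "off": False}


def parse_boolean(value):
    try:
        return BOOLEAN_WORDS[value.strip().lower()]
    except KeyError:
        raise ValueError(f"not a boolean: {value!r}") from None


def load_mandos_conf(text):
    """Return option -> typed value, with the documented defaults filled in.

    Unknown option names are rejected rather than ignored, so a misspelt
    option cannot silently leave the server running on a default.
    """
    # interpolation=None: the default priority string contains "%", which
    # ConfigParser's BasicInterpolation would otherwise try to expand. The
    # "#"/";" comment prefixes and "="/":" delimiters are ConfigParser's
    # defaults and match what the manual describes.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if parser.sections():
        raise ValueError(f"unexpected sections: {parser.sections()}")
    raw = dict(DEFAULTS)
    for name, value in parser.defaults().items():  # names come lowercased
        if name not in DEFAULTS:
            raise ValueError(f"unknown option {name!r}")
        raw[name] = value if value.strip() else None  # empty value = unset
    conf = {}
    for name, value in raw.items():
        if name in BOOLEAN_OPTIONS:
            conf[name] = parse_boolean(value)
        elif name in INTEGER_OPTIONS and value is not None:
            conf[name] = int(value)
        else:
            conf[name] = value
    return conf


def validate(conf):
    """Return a list of problems; an empty list means the file is consistent."""
    problems = []
    addr = conf["address"]
    if addr is not None:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"address {addr!r} is not a valid IP address")
        else:
            if conf["use_ipv6"] and ip.version != 6:
                problems.append("address must be IPv6 while use_ipv6 is on; "
                                "write an IPv4 address as ::FFFF:a.b.c.d")
            if not conf["use_ipv6"] and ip.version != 4:
                problems.append("address must be IPv4 while use_ipv6 is off")
            if ip.version == 6 and ip.is_link_local and conf["interface"] is None:
                problems.append("link-local address given but no interface set")
    if conf["port"] is not None and not 1 <= conf["port"] <= 65535:
        problems.append(f"port {conf['port']} is out of range")
    if conf["socket"] is not None and conf["socket"] < 0:
        problems.append(f"socket {conf['socket']} is not a file descriptor")
    return problems


# Sample input: the manual's own "all the options" example.
EXAMPLE_CONF = """\
[DEFAULT]
# A configuration example
interface = enp1s0
address = fe80::aede:48ff:fe71:f6f2
port = 1025
debug = True
priority = SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA:!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA
servicename = Daena
use_dbus = False
use_ipv6 = True
restore = True
statedir = /var/lib/mandos
"""

if __name__ == "__main__":
    for problem in validate(load_mandos_conf(EXAMPLE_CONF)) or ["consistent"]:
        print(problem)
    # Constructed misconfiguration: link-local address without an interface.
    print(validate(load_mandos_conf("[DEFAULT]\naddress = fe80::1\n")))
```

Running the example's own misconfiguration (a link-local address with no interface) reports exactly the condition the address option warns about, while the manual's example passes because it sets interface alongside its fe80:: address.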
intro(8mandos), gnutls_priority_init(3), mandos(8), mandos-clients.conf(5)
The clients use IPv6 link-local addresses, which are immediately usable since a link-local address is automatically assigned to a network interface when it is brought up.
Zeroconf is the network protocol standard used by clients for finding the Mandos server on the local network.