mandos-ctl

MANDOS-CTL(8)                     Mandos Manual                    MANDOS-CTL(8)



NAME
       mandos-ctl - Control or query the operation of the Mandos server

SYNOPSIS
       mandos-ctl {[--enable | -e
                   |--disable | -d]
                  [--bump-timeout | -b]
                  [--start-checker]
                  [--stop-checker]
                  [--remove | -r]
                  [--checker COMMAND | -c COMMAND]
                  [--timeout TIME | -t TIME]
                  [--extended-timeout TIME]
                  [--interval TIME | -i TIME]
                  [--approve-by-default
                   |--deny-by-default]
                  [--approval-delay TIME]
                  [--approval-duration TIME]
                  [--interval TIME | -i TIME]
                  [--host STRING | -H STRING]
                  [--secret FILENAME | -s FILENAME]
                  [--approve | -A
                   |--deny | -D]}
                  {--all | -a | CLIENT...}

       mandos-ctl [--verbose | -v
                   |--dump-json | -j] [CLIENT...]

       mandos-ctl {--is-enabled | -V} CLIENT

       mandos-ctl {--help | -h}

       mandos-ctl {--version | -v}

       mandos-ctl --check

DESCRIPTION
       mandos-ctl is a program to control or query the operation of the Mandos
       server mandos(8).

       This program can be used to change client settings, approve or deny
       client requests, and to remove clients from the server.

PURPOSE
       The purpose of this is to enable remote and unattended rebooting of
       client host computer with an encrypted root file system. See the section
       called “OVERVIEW” for details.

OPTIONS
       --help, -h
           Show a help message and exit

       --enable, -e
           Enable client(s). An enabled client will be eligble to receive its
           secret.

       --disable, -d
           Disable client(s). A disabled client will not be eligble to receive
           its secret, and no checkers will be started for it.

       --bump-timeout
           Bump the timeout of the specified client(s), just as if a checker had
           completed successfully for it/them.

       --start-checker
           Start a new checker now for the specified client(s).

       --stop-checker
           Stop any running checker for the specified client(s).

       --remove, -r
           Remove the specified client(s) from the server.

       --checker COMMAND, -c COMMAND
           Set the checker option of the specified client(s); see mandos-
           clients.conf(5).

       --timeout TIME, -t TIME
           Set the timeout option of the specified client(s); see mandos-
           clients.conf(5).

       --extended-timeout TIME
           Set the extended_timeout option of the specified client(s); see
           mandos-clients.conf(5).

       --interval TIME, -i TIME
           Set the interval option of the specified client(s); see mandos-
           clients.conf(5).

       --approve-by-default, --deny-by-default
           Set the approved_by_default option of the specified client(s) to True
           or False, respectively; see mandos-clients.conf(5).

       --approval-delay TIME
           Set the approval_delay option of the specified client(s); see mandos-
           clients.conf(5).

       --approval-duration TIME
           Set the approval_duration option of the specified client(s); see
           mandos-clients.conf(5).

       --host STRING, -H STRING
           Set the host option of the specified client(s); see mandos-
           clients.conf(5).

       --secret FILENAME, -s FILENAME
           Set the secfile option of the specified client(s); see mandos-
           clients.conf(5).

       --approve, -A
           Approve client(s) if currently waiting for approval.

       --deny, -D
           Deny client(s) if currently waiting for approval.

       --all, -a
           Make the client-modifying options modify all clients.

       --verbose, -v
           Show all client settings, not just a subset.

       --dump-json, -j
           Dump client settings as JSON to standard output.

       --is-enabled, -V
           Check if a single client is enabled or not, and exit with a
           successful exit status only if the client is enabled.

       --check
           Run self-tests. This includes any unit tests, etc.

OVERVIEW
       This is part of the Mandos system for allowing computers to have
       encrypted root file systems and at the same time be capable of remote
       and/or unattended reboots. The computers run a small client program in
       the initial RAM disk environment which will communicate with a server
       over a network. All network communication is encrypted using TLS. The
       clients are identified by the server using an OpenPGP key; each client
       has one unique to it. The server sends the clients an encrypted password.
       The encrypted password is decrypted by the clients using the same OpenPGP
       key, and the password is then used to unlock the root file system,
       whereupon the computers can continue booting normally.

       This program is a small utility to generate new OpenPGP keys for new
       Mandos clients, and to generate sections for inclusion in clients.conf on
       the server.

EXIT STATUS
       If the --is-enabled option is used, the exit status will be 0 only if the
       specified client is enabled.

BUGS
       Please report bugs to the Mandos development mailing list:
       <mandos-dev@recompile.se> (subscription required). Note that this list is
       public. The developers can be reached privately at <mandos@recompile.se>
       (OpenPGP key fingerprint 153A 37F1 0BBA 0435 987F 2C4A 7223 2973 CA34
       C2C4 for encrypted mail).

EXAMPLE
       To list all clients:

       mandos-ctl

       To list all settings for the clients named “foo1.example.org” and
       “foo2.example.org”:

       mandos-ctl --verbose foo1.example.org foo2.example.org

       To enable all clients:

       mandos-ctl --enable --all

       To change timeout and interval value for the clients named
       “foo1.example.org” and “foo2.example.org”:

       mandos-ctl --timeout="5m" --interval="1m" foo1.example.org
       foo2.example.org

       To approve all clients currently waiting for it:

       mandos-ctl --approve --all

SECURITY
       This program must be permitted to access the Mandos server via the D-Bus
       interface. This normally requires the root user, but could be configured
       otherwise by reconfiguring the D-Bus server.

SEE ALSO
       intro(8mandos), mandos(8), mandos-clients.conf(5), mandos-monitor(8)

COPYRIGHT
       Copyright © 2010-2017 Teddy Hogeborn, Björn Påhlsson

       This manual page is free software: you can redistribute it and/or modify
       it under the terms of the GNU General Public License as published by the
       Free Software Foundation, either version 3 of the License, or (at your
       option) any later version.

       This manual page is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
       Public License for more details.

       You should have received a copy of the GNU General Public License along
       with this program. If not, see http://www.gnu.org/licenses/.




Mandos 1.7.15                      2017-02-23                      MANDOS-CTL(8)