Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
radmind(8)		    System Manager's Manual		    radmind(8)

NAME
       radmind - Remote	administration daemon

SYNOPSIS
       radmind	[  -dBrUV  ]  [	-a bind-address	] [ -b backlog ] [ -C crl-pem-
       file-or-dir ] [ -D path ] [ -F syslog-facility ]	[ -L syslog-level ]  [
       -m max-connections  ]  [	 -P ca-directory  ] [ -p port ]	[ -u umask ] [
       -w auth-level ] [ -x ca-pem-file	] [ -y cert-pem-file ]	[  -z private-
       key-file	] [ -Z max-compression-level ]

DESCRIPTION
       Radmind	uses  the  radmind access protocol to communicate with radmind
       clients.

       On startup, radmind changes directory to	/var/radmind, creates command,
       file, special, tmp, tmp/file, tmp/transcript and	transcript ( with per-
       missions	0750 ) if they do not exist, and begins	listening on the  rad-
       mind  port  (  by default 6222 )	for incoming connections.  With	the -D
       option, radmind will use	path as	its working directory.	Radmind	 forks
       a  child	 for  each connection.	On receiving a SIGUSR1 signal, radmind
       will reread its TLS configuration.

       The file	config contains	a list of known	clients	that  can  connect  to
       radmind,	 one  per  line.  Each line contains the CN, domain name or IP
       address of the client and the client's command file.  The server	checks
       each  line  of the config file, first checking to see if	the connecting
       client's	CN, domain name, and finally IP	address	match in  that	order.
       CNs and domain names are	case insensitive.  If the optional third field
       begins with a '#', it is	ignored	and treated as an in-line comment.

       Lines that are blank or begin with '#' are ignored. There  are  several
       supported  wildcard  patterns similar to	shell globbing.	'*' will match
       any string.  A number range can be given	by "<min-max>"	where  min  is
       the  lower  bound  and  max  is the upper bound.	'?' matches any	single
       character. The square bracket character list, "[abcd]", will match  any
       single  character within	the brackets. Comma-separated values contained
       in curly	braces,	 "{riverrun,past,Eve}"	will  match  the  first	 whole
       string found. '\' can be	used to	escape any character.

       A  client  is only given	access to command files	and transcripts	listed
       in their	base command file as determined	by the config file.

       /var/radmind/config can include other config files  using  the  keyword
       "@include",  which  can	be used	in two ways. The first is a simple in-
       clude of	another	file. If the path does not begin with a	slash (/), the
       path is interpreted as being relative to	/var/radmind. For example:

	    @include configs/ldap-servers.config

       which  would  cause  every  connecting client to	be checked against the
       contents	of /var/radmind/configs/ldap-servers.config. The @include key-
       word  can also take an optional third argument, a wildcard pattern lim-
       iting which clients will	read the included config file. For example:

	    @include configs/kerberos-kdcs.config *.kerberos.example.edu

       would cause only	clients	with FQDNs  matching  '*.kerberos.example.edu'
       to  read	 the included file. The	wildcard is checked, in	order, against
       the client's certificate	CN (if the client presents one), the  client's
       fully-qualified domain name, and	the client's IP	address.

DIRECTORY STRUCTURE
       command		  Stores command files.

       transcripts	  Stores transcripts.

       file		  All  files served from the radmind server are	stored
			  in the file directory.  All files for	a given	 tran-
			  script  are stored in	file/_transcript_ where	_tran-
			  script_ is the name of the transcript.   A  file  is
			  stored  in  file/_transcript_/_path_ where _path_ is
			  the file's path as listed in the transcript.

       special		  All special files are	stored in special.   The  spe-
			  cial	files  for  a  given  host  are	stored in spe-
			  cial/_key_ where _key_ is  the  client's  CN,	 fully
			  qualified  domain  name  or IP address as matched in
			  the  config  file.   Individual  special  files  are
			  stored  in special/_host_/_path_ where _path_	is the
			  path of the special file as listed in	 the  client's
			  command file.

       tmp/file		  All  files  stored on	the server using the STOR com-
			  mand are saved in tmp/file.  Files for a given tran-
			  script  are  stored  in  tmp/transcript/_transcript_
			  /_path_ where	_transcript_ is	the name of the	 tran-
			  script and _path_ is the file's path as given	in the
			  STOR command.

       tmp/transcript	  All transcripts stored on the	server using the  STOR
			  command are saved in tmp/transcript.

RADMIND	ACCESS PROTOCOL
       Radmind	currently supports the following Radmind Access	Protocol ( RAP
       ) requests:

       QUIT	 terminate session

       NOOP	 do nothing

       HELP	 display helpful message

       STAT	 stat a	transcript, command or special file.  When statting  a
		 command  file or transcript, the mode,	UID and	GID default to
		 0444, 0, and 0	respectively.  If no command  file  is	speci-
		 fied, the server returns information on the base command file
		 as indicated in the config file.

		 Status	of a special file is determined	by a single transcript
		 line  listed  in a file named special/<special-file-path>.T ,
		 where <special-file-path> is the full	path  to  the  special
		 file.	 If that does not exist, a listing for the file	in the
		 transcript/special.T transcript in the	 transcript  directory
		 will  be  used.   If neither of those exist, the defaults are
		 returned.

       RETR	 retrieve a file, transcript command or	special	file.	If  no
		 command  file	is specified, the server returns the base com-
		 mand file as indicated	in the config file.

       STOR	 store a file or transcript.  If user  authentication  is  en-
		 abled,	 this  command	is only	valid after the	client sends a
		 successful LOGI.

       STAR	 Start TLS.  If	the server is run with an authorization	 level
		 of  2,	 this command must be given before a client can	send a
		 STAT, RETR, or	STOR.

       LOGI	 Login user.  This command is only valid after	TLS  has  been
		 started.

       COMP	 start compression

       REPO	 report	 a  client status message. The daemon logs the message
		 in the	following format:

		 report	HOSTNAME IP CN - EVENT MESSAGE...

		 First the string "report", followed by	the client's  hostname
		 and  IP  address.   If	the client authenticates to the	server
		 with a	certificate, its common	name will be listed next.   If
		 the  client  does  not	 present  a certificate, a '-' will be
		 listed.  Next,	a '-' is printed as a placeholder for a	future
		 field.	 Finally, the event and	message	are logged as reported
		 by the	client.

OPTIONS
       -a bind-address	  specifies the	address	on  which  the	server	should
			  listen, e.g.	127.0.0.1.  By default the server lis-
			  tens on all available	interfaces (wildcard address).

       -B		  register daemon as a Bonjour service.	Replaces  dep-
			  recated -R option.

       -b backlog	  Defines  the maximum queue of	pending	connections to
			  listen(2), by	default	five.

       -C crl-pem-file-or-dir
			  specifies either a single  PEM-formatted  file  con-
			  taining  the CRL(s) or a directory that contains the
			  CRL(s).  Any CRLs in a directory must	be in PEM for-
			  mat  and the directory must have been	processed with
			  the openssl c_rehash utility.

       -D path		  specifies the	radmind	working	directory, by  default
			  /var/radmind

       -d		  debug	 mode.	Does not disassociate from controlling
			  tty.

       -F syslog-facility specifies to which syslog facility to	log messages.

       -f		  run in foreground

       -L syslog-level	  specifies at which syslog level to log messages.

       -m max-connections specifies the	maximum	number of simultaneous connec-
			  tions,  by default 0.	 Value must be greater than or
			  equal	to 0 with 0 indicating no limit.

       -p port		  specifies the	port of	the radmind server, by default
			  6222.

       -P ca-directory	  specifies  a directory that contains certificates to
			  be used when verifying a client.  Certificates  must
			  be  in  PEM  format and the directory	must have been
			  processed with the openssl c_rehash utility.

       -r		  use random seed file $RANDFILE if  that  environment
			  variable   is	  set,	 $HOME/.rnd   otherwise.   See
			  RAND_load_file(3o).

       -u umask		  specifies the	umask the server uses to  write	 files
			  to the disk, defaulting to the user's	umask.

       -U		  Turn	on  PAM	 user  authentication.	Requires auth-
			  level	> 0.  radmind uses the PAM service  name  rad-
			  mind.

       -V		  displays the version of radmind and exits.

       -w auth-level	  TLS  authorization level, by default 0.  0 = no TLS,
			  1 = server verification, 2 = server and client veri-
			  fication,  3	=  server and client verification with
			  crl checking,	4 =  server  and  client  verification
			  with full-chain crl checking.

       -x ca-pem-file	  Certificate  authority's  public certificate,	by de-
			  fault	/var/radmind/cert/ca.pem.  The default is  not
			  used when -P is specified.

       -y cert-pem-file	  Server's  public  certificate,  by default /var/rad-
			  mind/cert/cert.pem.

       -z private-key-file
			  Server's   private   key,   by   default   /var/rad-
			  mind/cert/cert.pem.

       -Z max-compression-level
			  Offer	 compression  to  clients.  If client requests
			  compression, the server will compress	 all  outbound
			  data	using  using  the  lower value of max_compres-
			  sion_level or	compression level set by client.  max-
			  compression-level  can  be  between 0	and 9: 1 gives
			  best speed, 9	gives best  compression,  0  gives  no
			  compression  at all (the input data is simply	copied
			  a block at a time).

EXAMPLES
       The  following  example	of  /var/radmind/config	 defines  four	 known
       clients,	 each  using  one of three different command files.  Also, any
       client that ends	with ".lab.umich.edu" will get	lab.K  as  its	config
       file  and  clients  in  the IP range 212.12.243.1 through 212.12.243.50
       will get	solaris8.K as their config file.  Note that numeric ranges ig-
       nore  leading  zeros.   Therefore the last line will match clients with
       hostnames of mac1.umich.edu, mac01.umich.edu, mac001.umich,edu, etc.

	      #
	      #	Client		     command file     optional-comment
	      #
	      amber.umich.edu	     apple.K	      #	mail server
	      josh.umich.edu	     apple.K
	      ben.umich.edu	     apple-test.K
	      oreo.umich.edu	     solaris8.K
	      *.lab.umich.edu	     lab.K
	      212.12.243.<1-50>	     solaris8.K
	      mac<1-15>.umich.edu    apple.K

FILES
       /var/radmind/config

SEE ALSO
       fsdiff(1), ktcheck(1),  lapply(1),  lcreate(1),	lcksum(1),  lfdiff(1),
       lmerge(1),      lsort(1),      repo(1),	   twhich(1),	  pam.conf(4),
       RAND_load_file(3o).

       Also see	the three Linux-PAM Guides, for	System administrators,	module
       developers, and application developers.

RSUG			       November	30, 2020		    radmind(8)

NAME | SYNOPSIS | DESCRIPTION | DIRECTORY STRUCTURE | RADMIND ACCESS PROTOCOL | OPTIONS | EXAMPLES | FILES | SEE ALSO

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=radmind&sektion=8&manpath=FreeBSD+13.0-RELEASE+and+Ports>

home | help