doc update
33
doc/ocserv.1
33
doc/ocserv.1
@@ -1,8 +1,8 @@
|
||||
.TH ocserv 1 "12 Feb 2013" "" "User Commands"
|
||||
.TH ocserv 1 "16 Feb 2013" "" "User Commands"
|
||||
.\"
|
||||
.\" DO NOT EDIT THIS FILE (ocserv-args.man)
|
||||
.\"
|
||||
.\" It has been AutoGen-ed February 12, 2013 at 07:18:42 PM by AutoGen 5.16
|
||||
.\" It has been AutoGen-ed February 16, 2013 at 04:33:33 PM by AutoGen 5.16
|
||||
.\" From the definitions ../src/ocserv-args.def.tmp
|
||||
.\" and the template file agman-cmd.tpl
|
||||
.\"
|
||||
@@ -19,6 +19,13 @@ All arguments must be options.
|
||||
This program is openconnect VPN server (ocserv), a server compatible with the
|
||||
openconnect VPN client. It is believed to be compatible with the protocol
|
||||
used by CISCO's AnyConnect SSL VPN.
|
||||
Multiple authentication methods are available including PAM and certificate
|
||||
authentication.
|
||||
Authenticated users are assigned an unprivileged worker process and obtain
|
||||
a networking (tun) device and IP from a configurable pool of address.
|
||||
Currently there is no tool to manipulate logged-in users. However,
|
||||
they can be disconnected by killing their worker process. The pid of that
|
||||
process can be seen with @var{who -u} if utmp logging is enabled.
|
||||
.SH "OPTIONS"
|
||||
.TP
|
||||
.BR \-f ", " -\-foreground
|
||||
@@ -129,9 +136,10 @@ the HUP signal.
|
||||
.sp
|
||||
.SH "IMPLEMENTATION NOTES"
|
||||
Note that while this server utilizes privilege separation for password
|
||||
authentication, this does not occur for TLS and client certificate authentication.
|
||||
This was done to take advantage of multi\-core systems by distributing the
|
||||
expensive TLS calculations to the workers.
|
||||
authentication, this does not apply for TLS and client certificate authentication.
|
||||
This has the advantage of spreading TLS calculations to multiple workers (i.e. cores)
|
||||
if available, but at the cost of each worker having a copy of the server's
|
||||
private key.
|
||||
.SH FILES
|
||||
.br
|
||||
\fBocserv's configuration file format\fP
|
||||
@@ -165,10 +173,10 @@ tcp\-port = 3333
|
||||
udp\-port = 3333
|
||||
.sp
|
||||
# Keepalive in seconds
|
||||
keepalive = 3600
|
||||
keepalive = 32400
|
||||
.sp
|
||||
# Dead peer detection in seconds
|
||||
dpd = 60
|
||||
dpd = 240
|
||||
.sp
|
||||
# The key and the certificates of the server
|
||||
# The key may be a file, or any URL supported by GnuTLS (i.e., tpmkey or pkcs11)
|
||||
@@ -209,7 +217,7 @@ auth\-timeout = 40
|
||||
# Once a client is authenticated he's provided a cookie with
|
||||
# which he can reconnect. This option sets the maximum lifetime
|
||||
# of that cookie.
|
||||
cookie\-validity = 14400
|
||||
cookie\-validity = 43200
|
||||
.sp
|
||||
# A cookie database. If not set cookies are stored in memory and
|
||||
# server restarts won't preserve them.
|
||||
@@ -273,10 +281,13 @@ The operation failed or the command syntax was not valid.
|
||||
Supports both TCP and UDP VPN tunnels using TLS and Datagram TLS.
|
||||
.ti -4
|
||||
\fB*\fP
|
||||
Support for the server key being stored in TPM, a hardware security module (HSM), or smart card.
|
||||
Support for the server key being stored in TPM, hardware security modules (HSM), or even a smart card. They can be specified as files using the tpmkey or pkcs11 URLs.
|
||||
.ti -4
|
||||
\fB*\fP
|
||||
Authentication using PAM (username\-password) or certificates
|
||||
Authentication using PAM or certificates.
|
||||
.ti -4
|
||||
\fB*\fP
|
||||
Each client is isolated from the others on a separate process with a separate tun device. This allows routing using the system facilies, allows having separate settings per user or group (e.g. bandwidth limits).
|
||||
.ti -4
|
||||
\fB*\fP
|
||||
Privilege separation between the main process which performs TUN allocation and authentication, with the worker processes which handles messages from the client.
|
||||
@@ -293,7 +304,7 @@ Nikos Mavrogiannopoulos
|
||||
Copyright (C) 2013 Nikos Mavrogiannopoulos all rights reserved.
|
||||
This program is released under the terms of the GNU General Public License, version 2.
|
||||
.SH "BUGS"
|
||||
Please send bug reports to: nmav@gnutls.org
|
||||
Please send bug reports to: openconnect-devel@lists.infradead.org
|
||||
.SH "NOTES"
|
||||
This manual page was \fIAutoGen\fP-erated from the \fBocserv\fP
|
||||
option definitions.
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
*
|
||||
* DO NOT EDIT THIS FILE (ocserv-args.c)
|
||||
*
|
||||
* It has been AutoGen-ed February 15, 2013 at 11:01:15 PM by AutoGen 5.16
|
||||
* It has been AutoGen-ed February 16, 2013 at 04:33:31 PM by AutoGen 5.16
|
||||
* From the definitions ocserv-args.def
|
||||
* and the template file options
|
||||
*
|
||||
@@ -65,7 +65,7 @@ extern FILE * option_usage_fp;
|
||||
/*
|
||||
* ocserv option static const strings
|
||||
*/
|
||||
static char const ocserv_opt_strs[1523] =
|
||||
static char const ocserv_opt_strs[1970] =
|
||||
/* 0 */ "ocserv\n"
|
||||
"Copyright (C) 2013 Nikos Mavrogiannopoulos, all rights reserved.\n"
|
||||
"This is free software. It is licensed for use, modification and\n"
|
||||
@@ -104,8 +104,15 @@ static char const ocserv_opt_strs[1523] =
|
||||
/* 1257 */ "\n"
|
||||
"This program is openconnect VPN server (ocserv), a server compatible with\n"
|
||||
"the openconnect VPN client. It is believed to be compatible with the\n"
|
||||
"protocol used by CISCO's AnyConnect SSL VPN.\n\0"
|
||||
/* 1448 */ "Usage: ocserv [options] -c [config]\n"
|
||||
"protocol used by CISCO's AnyConnect SSL VPN.\n\n"
|
||||
"Multiple authentication methods are available including PAM and certificate\n"
|
||||
"authentication. Authenticated users are assigned an unprivileged worker\n"
|
||||
"process and obtain a networking (tun) device and IP from a configurable\n"
|
||||
"pool of address.\n\n"
|
||||
"Currently there is no tool to manipulate logged-in users. However, they\n"
|
||||
"can be disconnected by killing their worker process. The pid of that\n"
|
||||
"process can be seen with ``who -u'' if utmp logging is enabled.\n\0"
|
||||
/* 1895 */ "Usage: ocserv [options] -c [config]\n"
|
||||
"ocserv --help for usage instructions.\n";
|
||||
|
||||
/*
|
||||
@@ -272,7 +279,7 @@ static tOptDesc optDesc[OPTION_CT] = {
|
||||
|
||||
#define ocserv_full_usage (NULL)
|
||||
|
||||
#define ocserv_short_usage (ocserv_opt_strs+1448)
|
||||
#define ocserv_short_usage (ocserv_opt_strs+1895)
|
||||
|
||||
#endif /* not defined __doxygen__ */
|
||||
|
||||
|
||||
@@ -14,7 +14,17 @@ explain = "";
|
||||
|
||||
detail = "This program is openconnect VPN server (ocserv), a server compatible with the
|
||||
openconnect VPN client. It is believed to be compatible with the protocol
|
||||
used by CISCO's AnyConnect SSL VPN.";
|
||||
used by CISCO's AnyConnect SSL VPN.
|
||||
|
||||
Multiple authentication methods are available including PAM and certificate
|
||||
authentication.
|
||||
Authenticated users are assigned an unprivileged worker process and obtain
|
||||
a networking (tun) device and IP from a configurable pool of address.
|
||||
|
||||
Currently there is no tool to manipulate logged-in users. However,
|
||||
they can be disconnected by killing their worker process. The pid of that
|
||||
process can be seen with @var{who -u} if utmp logging is enabled.
|
||||
";
|
||||
|
||||
|
||||
copyright = {
|
||||
|
||||
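Review bot: The new `detail` text uses Texinfo markup, `@var{who -u}`, but the man-page template does not translate it — the regenerated doc/ocserv.1 in this same commit prints the line literally as `process can be seen with @var{who -u} if utmp logging is enabled.`, while the regenerated C help string in ocserv-args.c renders it as ``who -u''. Since one string feeds both outputs, plain quoting that every template passes through unchanged, e.g. `process can be seen with "who -u" if utmp logging is enabled.`, would read correctly in both the man page and `--help`. In the same paragraph `pool of address` should read `pool of addresses`. The ocserv-args.c, ocserv-args.h and ocserv.1 hunks are AutoGen output and would follow from re-running the generator after the .def fix.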
@@ -2,7 +2,7 @@
|
||||
*
|
||||
* DO NOT EDIT THIS FILE (ocserv-args.h)
|
||||
*
|
||||
* It has been AutoGen-ed February 15, 2013 at 11:01:15 PM by AutoGen 5.16
|
||||
* It has been AutoGen-ed February 16, 2013 at 04:33:31 PM by AutoGen 5.16
|
||||
* From the definitions ocserv-args.def
|
||||
* and the template file options
|
||||
*
|
||||
|
||||