doc update

This commit is contained in:
Nikos Mavrogiannopoulos
2013-02-16 16:33:43 +01:00
parent a7f14b7e68
commit 04bebb32f2
4 changed files with 46 additions and 18 deletions


@@ -1,8 +1,8 @@
.TH ocserv 1 "12 Feb 2013" "" "User Commands"
.TH ocserv 1 "16 Feb 2013" "" "User Commands"
.\"
.\" DO NOT EDIT THIS FILE (ocserv-args.man)
.\"
.\" It has been AutoGen-ed February 12, 2013 at 07:18:42 PM by AutoGen 5.16
.\" It has been AutoGen-ed February 16, 2013 at 04:33:33 PM by AutoGen 5.16
.\" From the definitions ../src/ocserv-args.def.tmp
.\" and the template file agman-cmd.tpl
.\"
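Review bot: the header at lines 16-21 marks this file as AutoGen output ("DO NOT EDIT THIS FILE", generated from ../src/ocserv-args.def.tmp), so the only real changes in the file are the regenerated date stamps; the wording edits further down need to live in the .def source, otherwise the next regeneration silently reverts them. It would help to state in the commit message that the man page was regenerated rather than hand-edited.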
@@ -19,6 +19,13 @@ All arguments must be options.
This program is openconnect VPN server (ocserv), a server compatible with the
openconnect VPN client. It is believed to be compatible with the protocol
used by CISCO's AnyConnect SSL VPN.
Multiple authentication methods are available including PAM and certificate
authentication.
Authenticated users are assigned an unprivileged worker process and obtain
a networking (tun) device and IP from a configurable pool of address.
Currently there is no tool to manipulate logged-in users. However,
they can be disconnected by killing their worker process. The pid of that
process can be seen with @var{who -u} if utmp logging is enabled.
.SH "OPTIONS"
.TP
.BR \-f ", " -\-foreground
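Review bot: the added paragraph has two small defects that will show up verbatim in the rendered man page: "pool of address" should read "pool of addresses", and "@var{who -u}" is texinfo markup that roff will print literally; use the page's own bold/italic escapes (e.g. \fBwho -u\fP) as the surrounding text does. The operational advice is otherwise useful, but it should say explicitly that the pid is only visible when utmp logging is enabled and that killing the worker is currently the sole way to drop a session, since an administrator reading this for incident handling will want that stated plainly.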
@@ -129,9 +136,10 @@ the HUP signal.
.sp
.SH "IMPLEMENTATION NOTES"
Note that while this server utilizes privilege separation for password
authentication, this does not occur for TLS and client certificate authentication.
This was done to take advantage of multi\-core systems by distributing the
expensive TLS calculations to the workers.
authentication, this does not apply for TLS and client certificate authentication.
This has the advantage of spreading TLS calculations to multiple workers (i.e. cores)
if available, but at the cost of each worker having a copy of the server's
private key.
.SH FILES
.br
\fBocserv's configuration file format\fP
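Review bot: documenting that every worker holds a copy of the server's private key is the right call, because it is the main security cost of skipping privilege separation for TLS. Since the FILES section already says the key may be a tpmkey or pkcs11 URL, this note should point there: with the key kept in a TPM or PKCS#11 token the workers only hold a handle, which limits what a compromised worker can extract. A one-line cross-reference such as "see the tpmkey/pkcs11 URL options in FILES to avoid exposing the key to workers" would close the loop.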
@@ -165,10 +173,10 @@ tcp\-port = 3333
udp\-port = 3333
.sp
# Keepalive in seconds
keepalive = 3600
keepalive = 32400
.sp
# Dead peer detection in seconds
dpd = 60
dpd = 240
.sp
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (i.e., tpmkey or pkcs11)
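Review bot: the example values change substantially (keepalive 3600 to 32400, dpd 60 to 240) with no rationale in the "doc update" commit message. If these mirror new defaults in the shipped sample configuration, say so; if they are only illustrative, the accompanying comments should note that a longer dead-peer-detection interval keeps the tun device and pool address of a vanished client allocated for correspondingly longer, which affects capacity planning for the address pool described above.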
@@ -209,7 +217,7 @@ auth\-timeout = 40
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. This option sets the maximum lifetime
# of that cookie.
cookie\-validity = 14400
cookie\-validity = 43200
.sp
# A cookie database. If not set cookies are stored in memory and
# server restarts won't preserve them.
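Review bot: cookie-validity triples from 14400 to 43200 but the comment above it never states the unit, unlike the neighbouring keepalive and dpd entries which say "in seconds"; add "in seconds" so a 12-hour lifetime is not misread. The comment should also mention the security trade-off being documented elsewhere in this commit: the cookie lets a client reconnect without re-authenticating, so its validity bounds how long a leaked or stale cookie remains usable, and administrators should size it against their session-timeout policy.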
@@ -273,10 +281,13 @@ The operation failed or the command syntax was not valid.
Supports both TCP and UDP VPN tunnels using TLS and Datagram TLS.
.ti -4
\fB*\fP
Support for the server key being stored in TPM, a hardware security module (HSM), or smart card.
Support for the server key being stored in TPM, hardware security modules (HSM), or even a smart card. They can be specified as files using the tpmkey or pkcs11 URLs.
.ti -4
\fB*\fP
Authentication using PAM (username\-password) or certificates
Authentication using PAM or certificates.
.ti -4
\fB*\fP
Each client is isolated from the others on a separate process with a separate tun device. This allows routing using the system facilies, allows having separate settings per user or group (e.g. bandwidth limits).
.ti -4
\fB*\fP
Privilege separation between the main process which performs TUN allocation and authentication, with the worker processes which handles messages from the client.
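Review bot: the new TPM/HSM sentence says the key can be "specified as files using the tpmkey or pkcs11 URLs", which contradicts itself; a key on a token is referenced by URL instead of a file, so "specified with a tpmkey or pkcs11 URL" is clearer and matches the FILES section. Dropping "(username-password)" from the PAM bullet loses the only hint of which factor PAM provides; consider keeping it. Also, the unchanged context line has "facilies" for "facilities", and the last bullet mixes singular and plural ("worker processes which handles"), both worth fixing in the .def source while it is being touched.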
@@ -293,7 +304,7 @@ Nikos Mavrogiannopoulos
Copyright (C) 2013 Nikos Mavrogiannopoulos all rights reserved.
This program is released under the terms of the GNU General Public License, version 2.
.SH "BUGS"
Please send bug reports to: nmav@gnutls.org
Please send bug reports to: openconnect-devel@lists.infradead.org
.SH "NOTES"
This manual page was \fIAutoGen\fP-erated from the \fBocserv\fP
option definitions.