diff --git a/doc/ocserv.1 b/doc/ocserv.1
index e24e8cc3..e18b2e75 100644
--- a/doc/ocserv.1
+++ b/doc/ocserv.1
@@ -1,8 +1,8 @@
-.TH ocserv 1 "19 Feb 2013" "0.0.1" "User Commands"
+.TH ocserv 1 "20 Feb 2013" "0.0.1" "User Commands"
 .\"
 .\" DO NOT EDIT THIS FILE (ocserv-args.man)
 .\"
-.\" It has been AutoGen-ed February 19, 2013 at 07:11:24 PM by AutoGen 5.16
+.\" It has been AutoGen-ed February 20, 2013 at 09:23:10 PM by AutoGen 5.16
 .\" From the definitions ../src/ocserv-args.def.tmp
 .\" and the template file agman-cmd.tpl
 .\"
@@ -22,10 +22,7 @@ used by CISCO's AnyConnect SSL VPN.
 
 Multiple authentication methods are available including PAM and certificate
 authentication. Authenticated users are assigned an unprivileged worker process and obtain
-a networking (tun) device and IP from a configurable pool of address.
-Currently there is no tool to manipulate logged-in users. However,
-they can be disconnected by killing their worker process. The pid of that
-process is available from the command 'who -u' if utmp logging is enabled.
+a networking (tun) device and IP from a configurable pool of addresses.
 .SH "OPTIONS"
 .TP
 .BR \-f ", " -\-foreground
@@ -55,6 +52,10 @@ Output version of program and exit.
 The default mode is `v', a simple version. The `c' mode will print
 copyright information and `n' will print the full copyright notice.
 .SH AUTHENTICATION
+Users can be authenticated in multiple ways, which are explained in the following
+paragraphs. Once authenticated users can be disconnected by killing their worker process.
+The pid of that process is available from the command 'who \-u' if utmp logging is enabled.
+.sp
 .br
 \fBPassword authentication\fP
 .br
@@ -288,32 +289,7 @@ Successful program execution.
 .BR 1 " (EXIT_FAILURE)"
 The operation failed or the command syntax was not valid.
 .SH COMPATIBILITY
-.br
-\fBFeatures of the server\fP
-.br
-.in +4
-.ti -4
-\fB*\fP
-Supports both TCP and UDP VPN tunnels using TLS 1.2 and Datagram TLS.
-.ti -4
-\fB*\fP
-Support for the server key being stored in TPM, hardware security modules (HSM), or even a smart card. They can be specified as files using the tpmkey or pkcs11 URLs.
-.ti -4
-\fB*\fP
-Authentication using PAM or certificates.
-.ti -4
-\fB*\fP
-Each client is isolated from the others on a separate process with a separate tun device. This allows routing using the system facilies, allows having separate settings per user or group (e.g. bandwidth limits).
-.ti -4
-\fB*\fP
-Privilege separation between the main process which performs TUN allocation and authentication, with the worker processes which handles messages from the client.
-.ti -4
-\fB*\fP
-Registers VPN leases to UTMP and WTMP files.
-.ti -4
-\fB*\fP
-Persistent storage of cookies, to allow a seamless server restart.
-.in -4
+The server has been tested to be compatible with the openconnect VPN client.
 .SH "AUTHORS"
 Nikos Mavrogiannopoulos
 .SH "COPYRIGHT"
diff --git a/src/ocserv-args.c b/src/ocserv-args.c
index 3af53d1e..7cca1038 100644
--- a/src/ocserv-args.c
+++ b/src/ocserv-args.c
@@ -2,7 +2,7 @@
  *
  * DO NOT EDIT THIS FILE (ocserv-args.c)
  *
- * It has been AutoGen-ed February 19, 2013 at 07:07:24 PM by AutoGen 5.16
+ * It has been AutoGen-ed February 20, 2013 at 09:23:08 PM by AutoGen 5.16
  * From the definitions ocserv-args.def
  * and the template file options
  *
@@ -65,7 +65,7 @@ extern FILE * option_usage_fp;
 /*
  * ocserv option static const strings
  */
-static char const ocserv_opt_strs[2057] =
+static char const ocserv_opt_strs[1840] =
 /* 0 */ "ocserv 0.0.1\n"
         "Copyright (C) 2013 Nikos Mavrogiannopoulos, all rights reserved.\n"
         "This is free software. It is licensed for use, modification and\n"
@@ -110,12 +110,9 @@ static char const ocserv_opt_strs[2057] =
         "Multiple authentication methods are available including PAM and certificate\n"
         "authentication. Authenticated users are assigned an unprivileged worker\n"
         "process and obtain a networking (tun) device and IP from a configurable\n"
-        "pool of address.\n\n"
-        "Currently there is no tool to manipulate logged-in users. However, they\n"
-        "can be disconnected by killing their worker process. The pid of that\n"
-        "process is available from the command 'who -u' if utmp logging is enabled.\n\0"
-/* 1969 */ "ocserv 0.0.1\0"
-/* 1982 */ "Usage: ocserv [options] -c [config]\n"
+        "pool of addresses.\n\0"
+/* 1752 */ "ocserv 0.0.1\0"
+/* 1765 */ "Usage: ocserv [options] -c [config]\n"
         "ocserv --help for usage instructions.\n";
 
 /*
@@ -291,7 +288,7 @@ static tOptDesc optDesc[OPTION_CT] = {
 #define zBugsAddr (ocserv_opt_strs+1279)
 #define zExplain (ocserv_opt_strs+1317)
 #define zDetail (ocserv_opt_strs+1320)
-#define zFullVersion (ocserv_opt_strs+1969)
+#define zFullVersion (ocserv_opt_strs+1752)
 /* extracted from optcode.tlib near line 350 */
 
 #if defined(ENABLE_NLS)
@@ -305,7 +302,7 @@ static tOptDesc optDesc[OPTION_CT] = {
 
 #define ocserv_full_usage (NULL)
-#define ocserv_short_usage (ocserv_opt_strs+1982)
+#define ocserv_short_usage (ocserv_opt_strs+1765)
 
 #endif /* not defined __doxygen__ */
 
diff --git a/src/ocserv-args.def b/src/ocserv-args.def
index 7590bdc4..4a8135d9 100644
--- a/src/ocserv-args.def
+++ b/src/ocserv-args.def
@@ -19,11 +19,8 @@ used by CISCO's AnyConnect SSL VPN.
 
 Multiple authentication methods are available including PAM and certificate
 authentication. Authenticated users are assigned an unprivileged worker process and obtain
-a networking (tun) device and IP from a configurable pool of address.
+a networking (tun) device and IP from a configurable pool of addresses.";
 
-Currently there is no tool to manipulate logged-in users. However,
-they can be disconnected by killing their worker process. The pid of that
-process is available from the command 'who -u' if utmp logging is enabled.";
 
 copyright = {
@@ -205,6 +202,10 @@ doc-section = {
 ds-type = 'AUTHENTICATION';
 ds-format = 'texi';
 ds-text = <<-_EOT_
+Users can be authenticated in multiple ways, which are explained in the following
+paragraphs. Once authenticated users can be disconnected by killing their worker process.
+The pid of that process is available from the command 'who -u' if utmp logging is enabled.
+
 @subheading Password authentication
 If your system supports Pluggable Authentication Modules (PAM), then ocserv
 will take advantage of it to password authenticate its users.
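Review bot: The new AUTHENTICATION paragraph tells operators to disconnect a user by killing the worker process, but it does not say whether that also ends the client's session, so a reader may take a kill for a revocation. The feature list this commit removes from COMPATIBILITY says cookies are stored persistently so the server can restart seamlessly, which suggests — inferred, not shown on this page — that a client holding a valid cookie may simply reconnect and get a fresh worker after its old one is killed; if that is so, the paragraph should say it and point at whatever actually invalidates the cookie. The `who -u` hint is also conditional on utmp logging being enabled; if there is another way to find the worker when it is off (the worker processes' names in `ps`, for instance), the paragraph should name it. A minor wording fix: `Once authenticated, users can be disconnected by killing their worker process.` Since this .def is the source the man page and ocserv-args.c are generated from, the same text lands in doc/ocserv.1 on regeneration.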
@@ -289,15 +290,6 @@ doc-section = {
 ds-type = 'COMPATIBILITY';
 ds-format = 'texi';
 ds-text = <<-_EOT_
-@subheading Features of the server
-@itemize
-@item Supports both TCP and UDP VPN tunnels using TLS 1.2 and Datagram TLS.
-@item Support for the server key being stored in TPM, hardware security modules (HSM), or even a smart card. They can be specified as files using the tpmkey or pkcs11 URLs.
-@item Authentication using PAM or certificates.
-@item Each client is isolated from the others on a separate process with a separate tun device. This allows routing using the system facilies, allows having separate settings per user or group (e.g. bandwidth limits).
-@item Privilege separation between the main process which performs TUN allocation and authentication, with the worker processes which handles messages from the client.
-@item Registers VPN leases to UTMP and WTMP files.
-@item Persistent storage of cookies, to allow a seamless server restart.
-@end itemize
+The server has been tested to be compatible with the openconnect VPN client.
 _EOT_;
 };
diff --git a/src/ocserv-args.h b/src/ocserv-args.h
index 6c824277..fcc6958a 100644
--- a/src/ocserv-args.h
+++ b/src/ocserv-args.h
@@ -2,7 +2,7 @@
  *
  * DO NOT EDIT THIS FILE (ocserv-args.h)
  *
- * It has been AutoGen-ed February 19, 2013 at 07:07:24 PM by AutoGen 5.16
+ * It has been AutoGen-ed February 20, 2013 at 09:23:08 PM by AutoGen 5.16
  * From the definitions ocserv-args.def
  * and the template file options
  *