guestlist(5) Doorman & Knocker guestlist(5)
NAME
guestlist - The secondary doormand configuration file
DESCRIPTION
The doorman daemon doormand requires a list of permitted "guests", or
groups. There must be one record per group, with the following order:
<groupname> <secret> <port1> <port2> .. <address1> <address2> ..
Records may span multiple lines. The groupname MUST begin on the first
character of a line. Continuation lines MUST be preceded by at least
one character of whitespace (tabs or spaces). Tabs and space characters
may be freely used in any order.
Any part of a line following a '#' character is ignored, and may be
used as a comment. Blank lines are ignored.
This file MUST be readable and writeable by root, only.
groupname - The name which is sent by a knock client to identify
itself. Group names may be up to 32 characters in length. Both
group names and secrets may contain any alphanumeric character, as
well as the characters: !@#$%^&*()_-+=|{};:'"<>,?/
Note that whitespace and the "." character (period, or decimal
point) are not permitted.
secret - an authenticating password. This is sent by the client as an
MD5 hash salted with the client's IP address and the rounded
seconds-of-epoch.
Secrets may be up to 64 characters in length, and use the same
character set as group names. (Remember: -no- periods!)
The existence of this secret in plaintext on both the client and
server machines is the reason this file, and the client's
~/.knockcf file, must be readable only by their users. Under NO
circumstances should it correspond to anything in any 'passwd' file
anywhere.
port1 port2 .. - a whitespace-delimited list of the ports to which the
group may connect. A port may be specified as a number or a service
name; that is, "22" and "ssh" are equivalent. Service names
are case sensitive.
address1 address2 .. - a whitespace-delimited list of IP addresses or
hostnames from which the group may connect. Addresses may be
unique, or expressed as ranges by means of an "/nbits" modifier.
Using a hostname to specify a range is permitted. There must be no
whitespace before or after the "/" character.
An example record:
group187 b1g%Hairy_[seCret}! # groupname & secret
ssh 23 # allowed ports
1.2.3.4/16 5.6.7.8 x.myplace.org/24 # allowed addresses
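The following parser and sanity checker is an added example, not code from the Doorman distribution. It reads the record layout, continuation-line and comment rules, and the character and length limits straight from this page; everything else (the function names, the rule that a token containing '.', ':' or '/' is an address rather than a port, the small fallback service table for hosts without /etc/services, and the sample records) is my own assumption. Hostnames are kept unresolved so the code runs offline.

```python
# Added example (not part of the Doorman/Knocker source): a parser and
# sanity checker for the guestlist(5) record format. Layout, comment and
# continuation rules and the character/length limits come from the man
# page; the helper names, the port/address split heuristic and the
# fallback service table are assumptions made for this example.
import ipaddress
import socket
from dataclasses import dataclass, field

PUNCT = set("!@#$%^&*()_-+=|{};:'\"<>,?/")   # allowed besides alphanumerics
MAX_GROUP, MAX_SECRET = 32, 64
# Assumption: consulted only when getservbyname() has no /etc/services to read.
FALLBACK_SERVICES = {"ssh": 22, "telnet": 23, "smtp": 25, "http": 80, "https": 443}


def valid_token(tok, maxlen):
    """Group names and secrets: permitted characters only, no '.' or whitespace."""
    return 0 < len(tok) <= maxlen and all(c.isalnum() or c in PUNCT for c in tok)


@dataclass
class Guest:
    name: str
    secret: str
    ports: list = field(default_factory=list)      # ints
    networks: list = field(default_factory=list)   # ipaddress networks
    hosts: list = field(default_factory=list)      # (hostname, nbits), DNS deferred


def records(text):
    """Yield one token list per record: a record starts in column 0,
    continuation lines start with whitespace, '#' starts a comment."""
    current = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0]
        if not body.strip():
            continue
        if raw[0] not in " \t":          # new record begins
            if current:
                yield current
            current = []
        current.extend(body.split())
    if current:
        yield current


def parse_port(tok):
    """Numeric port or case-sensitive service name -> int."""
    if tok.isdigit():
        port = int(tok)
    else:
        try:
            port = socket.getservbyname(tok)
        except OSError:
            port = FALLBACK_SERVICES.get(tok)
    if port is None or not 0 < port < 65536:
        raise ValueError(f"bad port {tok!r}")
    return port


def parse_address(tok, guest):
    """IP or hostname, optionally with a /nbits range modifier."""
    host, _, bits = tok.partition("/")
    if "/" in tok and not bits.isdigit():
        raise ValueError(f"bad /nbits in {tok!r}")
    nbits = int(bits) if bits else None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        guest.hosts.append((host, nbits))   # hostname: resolve at check time
        return
    prefix = nbits if nbits is not None else ip.max_prefixlen
    guest.networks.append(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def parse_guestlist(text):
    """Return (guests, errors); a bad record is reported, never silently dropped."""
    guests, errors = [], []
    for toks in records(text):
        if len(toks) < 4:
            errors.append(f"record {toks[0]!r}: need group, secret, port(s), address(es)")
            continue
        name, secret, rest = toks[0], toks[1], toks[2:]
        if not valid_token(name, MAX_GROUP) or not valid_token(secret, MAX_SECRET):
            errors.append(f"record {name!r}: invalid group name or secret")
            continue
        guest = Guest(name, secret)
        try:
            for tok in rest:
                # Assumption: a token containing '.', ':' or '/' is an address.
                if any(c in tok for c in "./:"):
                    parse_address(tok, guest)
                else:
                    guest.ports.append(parse_port(tok))
        except ValueError as e:
            errors.append(f"record {name!r}: {e}")
            continue
        if not guest.ports or not (guest.networks or guest.hosts):
            errors.append(f"record {name!r}: need at least one port and one address")
            continue
        guests.append(guest)
    return guests, errors


def may_connect(guest, ip, port):
    """Policy check for an authenticated knock against the literal networks only."""
    addr = ipaddress.ip_address(ip)
    return port in guest.ports and any(addr in net for net in guest.networks)


def permission_problems(mode, uid):
    """Why a guestlist file fails the 'root only' rule, given st_mode and st_uid."""
    problems = []
    if uid != 0:
        problems.append("not owned by root")
    if mode & 0o077:
        problems.append("accessible by group or other")
    if mode & 0o600 != 0o600:
        problems.append("not readable and writable by owner")
    return problems


# Constructed sample modelled on the man page's record; the secrets are made up.
SAMPLE = """\
group187 b1g%Hairy_{seCret}!               # groupname & secret
    ssh 23                                 # allowed ports
    1.2.3.4/16 5.6.7.8 x.myplace.org/24    # allowed addresses
backup  N0t.allowed 873 10.0.0.0/8         # rejected: period in secret
"""

if __name__ == "__main__":
    ok, bad = parse_guestlist(SAMPLE)
    for g in ok:
        print(g.name, g.ports, [str(n) for n in g.networks], g.hosts)
    print("errors:", bad)
```

Two caveats the parser makes visible: the comment rule is applied before the record is split, so a secret containing '#' (which the character set above allows) would be truncated at that character, and a bare hostname without a dot cannot be told apart from a service name by the heuristic used here, so prefer fully qualified names. The permission check is the one a defender wants in a deployment script, since the secret is stored in plaintext.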
SEE ALSO
knock(1), knockcf(5), doormand(8), doormand.cf(5)
ACKNOWLEDGEMENT
doormand and knock are an implementation of an original idea by Martin
Krzywinski. See his site at http://www.portknocking.org
COPYRIGHT
Copyright (c) 2003-2005, J.B.Ward
<bward2@users.sourceforge.net>
Doorman, V0.81 Aug 14, 2005 doormand.cf(5)