From d9e938a7ec28e0fd237d0408511d67657296de4a Mon Sep 17 00:00:00 2001 From: fredrik Date: Wed, 11 Apr 2007 18:13:19 +0000 Subject: [PATCH] Updated for the new default config. git-svn-id: svn+ssh://svn.dolda2000.com/srv/svn/repos/src/doldaconnect@901 959494ce-11ee-0310-bf91-de5d638817bd --- INSTALL | 86 ++++++++++++++++++++++++++++++++++++++++++----------------------- 1 file changed, 56 insertions(+), 30 deletions(-) diff --git a/INSTALL b/INSTALL index 2cd26b6..fa72c7d 100644 --- a/INSTALL +++ b/INSTALL @@ -76,36 +76,14 @@ named /usr/local/etc/doldacond.conf, but it depends on the installation prefixes that are chosen. If Dolda Connect will be running in multi-user mode, it should remain there, but if it will be running in single-user mode, it is recommended that you make a copy of -it named ~/.doldacond (if ~/.doldacond does not exist, the server will -still read the system-wide file, but it will be easier to edit a local -copy, as you need not be root to do so). +it named ~/.doldacond.conf (if ~/.doldacond.conf does not exist, the +server will still read the system-wide file, but it will be easier to +edit a local copy, as you need not be root to do so). Edit the configuration file. If you do no other changes, make sure to -at least change the "cli.defnick", "share" and "user" settings. Most -directives are explained in comments in the shipped file and need no -further explanation here. However, there are a few points to note. - -First, you need to choose how you will authenticate to the server. If -you are an administrator of a Kerberos-enabled network using the MIT -Kerberos libraries, you can use Kerberos V authentication and get -secure single sign-on, which gives the best of all worlds, but for -normal users, there are two choices: - - * PAM based password authentication -- The clients will ask for your - password every time they connect to the server. This option can be - somewhat cumbersome, but should be perfectly secure. - * Password-less authentication -- The server will simply trust the - clients not to lie. This option is completely insecure, but may be - a better option where all users are trusted and/or Kerberos is not - available. - -PAM authentication is always enabled. To enable password-less -authentication, set the "auth.authless" setting in the configuration -file to "1". It is also greatly recommended that the "ui.onlylocal" -setting be set to "1" when using password-less authentication, so that -connections are only accepted from localhost. If you use password-less -authentication without turning on "ui.onlylocal", you should make sure -that you *really* know what you are doing before proceeding. +at least change the "cli.defnick" and "share". Most directives are +explained in comments in the shipped file and need no further +explanation here. However, there are a few points to note. If the computer running the daemon is connected directly to the Internet, no network configuration will be necessary. However, if it @@ -130,11 +108,59 @@ other. There are currently two options available: IPv4 address of the NAT router, by way of the "net.visibleipv4" setting. +There is a large number of configuration directives not covered in +this file, nor in the default configuration file. Please see the +doldacond.conf(5) manual page for information on the rest. + + Running clients over the network + +For convenience of setup, the default configuration file disables +running clients over the network. Using the default configuration +file, the daemon will only enable clients to connect over a local Unix +socket. They will use Unix socket credentials passing for +authentication, for maximum security. It is also likely that many will +want to keep it that way. However, for those who want to be able to +run clients over the network, just follow the instructions in this +section to enable UIs over TCP. + +First, you need to choose how you will authenticate to the server. If +you are an administrator of a Kerberos-enabled network using the MIT +Kerberos libraries, you can use Kerberos V authentication and get +secure single sign-on, which gives the best of all worlds, but for +normal users, there are two choices: + + * PAM based password authentication -- The clients will ask for your + password every time they connect to the server. This option can be + somewhat cumbersome, but should be perfectly secure. Note, however, + that the password is transmitted to the server unencrypted. + * Password-less authentication -- The server will simply trust the + clients not to lie. This option is completely insecure, but may be + a better option where all users are trusted and/or Kerberos is not + available. + +PAM authentication is always enabled. To enable password-less +authentication, set the "auth.authless" setting in the configuration +file to "1". If your network is not completely trusted (especially the +host running doldacond is globally accessible via the Internet), you +really should make sure to set up some firewalling rules. + +Note that doldacond does *not* support tcp-wrappers, but it does +support very simple internal firewalling in the form of the +"ui.onlylocal" options. When "ui.onlylocal" is set to true, the +daemon will only accept UI connections over a loopback interface. That +includes 127.0.0.1, ::ffff:127.0.0.1, ::1 and Unix sockets. + Starting the daemon To start the daemon, just run "doldacond" -- as root if you are running in multi-user mode, and as your ordinary user if you are -running in single-user mode. +running in single-user mode. See the doldacond(8) manual page for more +detailed information about command-line switches and related +information. + +If you are using the daemon in multi-user mode on Gentoo, you might +find contrib/gentoo-init.d-doldacond, an init script for Gentoo, +useful. The first time you start the daemon, it will need to calculate the TTH hashes on all the files you share (as required by the Direct Connect @@ -149,5 +175,5 @@ allow you in if not all TTH hashes are calculated. -This documented was last updated 2006-10-27, reflecting release 0.3 of +This documented was last updated 2007-04-11, reflecting release 0.3 of Dolda Connect. -- 2.11.0