1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
<!ENTITY VERSION "1.0">
4
5
<!ENTITY COMMANDNAME "mandos-keygen">
5
<!ENTITY TIMESTAMP "2013-08-27">
6
<!ENTITY % common SYSTEM "common.ent">
6
<!ENTITY TIMESTAMP "2008-08-29">
10
9
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
12
<title>Mandos Manual</title>
11
<title>&COMMANDNAME;</title>
13
12
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
14
<productname>Mandos</productname>
15
<productnumber>&version;</productnumber>
13
<productname>&COMMANDNAME;</productname>
14
<productnumber>&VERSION;</productnumber>
16
15
<date>&TIMESTAMP;</date>
19
18
<firstname>Björn</firstname>
20
19
<surname>Påhlsson</surname>
22
<email>belorn@recompile.se</email>
21
<email>belorn@fukt.bsnet.se</email>
26
25
<firstname>Teddy</firstname>
27
26
<surname>Hogeborn</surname>
29
<email>teddy@recompile.se</email>
28
<email>teddy@fukt.bsnet.se</email>
38
34
<holder>Teddy Hogeborn</holder>
39
35
<holder>Björn Påhlsson</holder>
41
<xi:include href="legalnotice.xml"/>
39
This manual page is free software: you can redistribute it
40
and/or modify it under the terms of the GNU General Public
41
License as published by the Free Software Foundation,
42
either version 3 of the License, or (at your option) any
47
This manual page is distributed in the hope that it will
48
be useful, but WITHOUT ANY WARRANTY; without even the
49
implied warranty of MERCHANTABILITY or FITNESS FOR A
50
PARTICULAR PURPOSE. See the GNU General Public License
55
You should have received a copy of the GNU General Public
56
License along with this program; If not, see
57
<ulink url="http://www.gnu.org/licenses/"/>.
45
63
<refentrytitle>&COMMANDNAME;</refentrytitle>
46
64
<manvolnum>8</manvolnum>
50
68
<refname><command>&COMMANDNAME;</command></refname>
52
Generate key and password for Mandos client and server.
70
Generate keys for <citerefentry><refentrytitle>password-request
71
</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>
58
77
<command>&COMMANDNAME;</command>
60
<arg choice="plain"><option>--dir
61
<replaceable>DIRECTORY</replaceable></option></arg>
62
<arg choice="plain"><option>-d
63
<replaceable>DIRECTORY</replaceable></option></arg>
67
<arg choice="plain"><option>--type
68
<replaceable>KEYTYPE</replaceable></option></arg>
69
<arg choice="plain"><option>-t
70
<replaceable>KEYTYPE</replaceable></option></arg>
74
<arg choice="plain"><option>--length
75
<replaceable>BITS</replaceable></option></arg>
76
<arg choice="plain"><option>-l
77
<replaceable>BITS</replaceable></option></arg>
81
<arg choice="plain"><option>--subtype
82
<replaceable>KEYTYPE</replaceable></option></arg>
83
<arg choice="plain"><option>-s
84
<replaceable>KEYTYPE</replaceable></option></arg>
88
<arg choice="plain"><option>--sublength
89
<replaceable>BITS</replaceable></option></arg>
90
<arg choice="plain"><option>-L
91
<replaceable>BITS</replaceable></option></arg>
95
<arg choice="plain"><option>--name
96
<replaceable>NAME</replaceable></option></arg>
97
<arg choice="plain"><option>-n
98
<replaceable>NAME</replaceable></option></arg>
102
<arg choice="plain"><option>--email
103
<replaceable>ADDRESS</replaceable></option></arg>
104
<arg choice="plain"><option>-e
105
<replaceable>ADDRESS</replaceable></option></arg>
109
<arg choice="plain"><option>--comment
110
<replaceable>TEXT</replaceable></option></arg>
111
<arg choice="plain"><option>-c
112
<replaceable>TEXT</replaceable></option></arg>
116
<arg choice="plain"><option>--expire
117
<replaceable>TIME</replaceable></option></arg>
118
<arg choice="plain"><option>-x
119
<replaceable>TIME</replaceable></option></arg>
122
<arg><option>--force</option></arg>
79
<arg choice="plain"><option>--dir</option>
80
<replaceable>directory</replaceable></arg>
83
<arg choice="plain"><option>--type</option>
84
<replaceable>type</replaceable></arg>
87
<arg choice="plain"><option>--length</option>
88
<replaceable>bits</replaceable></arg>
91
<arg choice="plain"><option>--subtype</option>
92
<replaceable>type</replaceable></arg>
95
<arg choice="plain"><option>--sublength</option>
96
<replaceable>bits</replaceable></arg>
99
<arg choice="plain"><option>--name</option>
100
<replaceable>NAME</replaceable></arg>
103
<arg choice="plain"><option>--email</option>
104
<replaceable>EMAIL</replaceable></arg>
107
<arg choice="plain"><option>--comment</option>
108
<replaceable>COMMENT</replaceable></arg>
111
<arg choice="plain"><option>--expire</option>
112
<replaceable>TIME</replaceable></arg>
115
<arg choice="plain"><option>--force</option></arg>
119
<command>&COMMANDNAME;</command>
121
<arg choice="plain"><option>-d</option>
122
<replaceable>directory</replaceable></arg>
125
<arg choice="plain"><option>-t</option>
126
<replaceable>type</replaceable></arg>
129
<arg choice="plain"><option>-l</option>
130
<replaceable>bits</replaceable></arg>
133
<arg choice="plain"><option>-s</option>
134
<replaceable>type</replaceable></arg>
137
<arg choice="plain"><option>-L</option>
138
<replaceable>bits</replaceable></arg>
141
<arg choice="plain"><option>-n</option>
142
<replaceable>NAME</replaceable></arg>
145
<arg choice="plain"><option>-e</option>
146
<replaceable>EMAIL</replaceable></arg>
149
<arg choice="plain"><option>-c</option>
150
<replaceable>COMMENT</replaceable></arg>
153
<arg choice="plain"><option>-x</option>
154
<replaceable>TIME</replaceable></arg>
157
<arg choice="plain"><option>-f</option></arg>
125
161
<command>&COMMANDNAME;</command>
126
162
<group choice="req">
163
<arg choice="plain"><option>-p</option></arg>
127
164
<arg choice="plain"><option>--password</option></arg>
128
<arg choice="plain"><option>-p</option></arg>
129
<arg choice="plain"><option>--passfile
130
<replaceable>FILE</replaceable></option></arg>
131
<arg choice="plain"><option>-F</option>
132
<replaceable>FILE</replaceable></arg>
136
<arg choice="plain"><option>--dir
137
<replaceable>DIRECTORY</replaceable></option></arg>
138
<arg choice="plain"><option>-d
139
<replaceable>DIRECTORY</replaceable></option></arg>
143
<arg choice="plain"><option>--name
144
<replaceable>NAME</replaceable></option></arg>
145
<arg choice="plain"><option>-n
146
<replaceable>NAME</replaceable></option></arg>
167
<arg choice="plain"><option>--dir</option>
168
<replaceable>directory</replaceable></arg>
171
<arg choice="plain"><option>--name</option>
172
<replaceable>NAME</replaceable></arg>
150
176
<command>&COMMANDNAME;</command>
151
177
<group choice="req">
178
<arg choice="plain"><option>-h</option></arg>
152
179
<arg choice="plain"><option>--help</option></arg>
153
<arg choice="plain"><option>-h</option></arg>
157
183
<command>&COMMANDNAME;</command>
158
184
<group choice="req">
185
<arg choice="plain"><option>-v</option></arg>
159
186
<arg choice="plain"><option>--version</option></arg>
160
<arg choice="plain"><option>-v</option></arg>
163
189
</refsynopsisdiv>
165
191
<refsect1 id="description">
166
192
<title>DESCRIPTION</title>
168
194
<command>&COMMANDNAME;</command> is a program to generate the
170
<citerefentry><refentrytitle>mandos-client</refentrytitle>
171
<manvolnum>8mandos</manvolnum></citerefentry>. The key is
196
<citerefentry><refentrytitle>password-request</refentrytitle>
197
<manvolnum>8mandos</manvolnum></citerefentry>. The keys are
172
198
normally written to /etc/mandos for later installation into the
173
initrd image, but this, and most other things, can be changed
174
with command line options.
199
initrd image, but this, like most things, can be changed with
200
command line options.
177
This program can also be used with the
178
<option>--password</option> or <option>--passfile</option>
179
options to generate a ready-made section for
180
<filename>clients.conf</filename> (see
203
It can also be used to generate ready-made sections for
181
204
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
182
<manvolnum>5</manvolnum></citerefentry>).
205
<manvolnum>5</manvolnum></citerefentry> using the
206
<option>--password</option> option.
186
210
<refsect1 id="purpose">
187
211
<title>PURPOSE</title>
189
214
The purpose of this is to enable <emphasis>remote and unattended
190
215
rebooting</emphasis> of client host computer with an
191
216
<emphasis>encrypted root file system</emphasis>. See <xref
192
217
linkend="overview"/> for details.
196
222
<refsect1 id="options">
197
223
<title>OPTIONS</title>
201
<term><option>--help</option></term>
202
<term><option>-h</option></term>
227
<term><literal>-h</literal>, <literal>--help</literal></term>
205
230
Show a help message and exit
212
<replaceable>DIRECTORY</replaceable></option></term>
214
<replaceable>DIRECTORY</replaceable></option></term>
236
<term><literal>-d</literal>, <literal>--dir
237
<replaceable>directory</replaceable></literal></term>
217
240
Target directory for key files. Default is
218
<filename class="directory">/etc/mandos</filename>.
225
<replaceable>TYPE</replaceable></option></term>
227
<replaceable>TYPE</replaceable></option></term>
230
Key type. Default is <quote>RSA</quote>.
236
<term><option>--length
237
<replaceable>BITS</replaceable></option></term>
239
<replaceable>BITS</replaceable></option></term>
242
Key length in bits. Default is 4096.
248
<term><option>--subtype
249
<replaceable>KEYTYPE</replaceable></option></term>
251
<replaceable>KEYTYPE</replaceable></option></term>
254
Subkey type. Default is <quote>RSA</quote> (Elgamal
241
<filename>/etc/mandos</filename>.
247
<term><literal>-t</literal>, <literal>--type
248
<replaceable>type</replaceable></literal></term>
251
Key type. Default is <quote>DSA</quote>.
257
<term><literal>-l</literal>, <literal>--length
258
<replaceable>bits</replaceable></literal></term>
261
Key length in bits. Default is 2048.
267
<term><literal>-s</literal>, <literal>--subtype
268
<replaceable>type</replaceable></literal></term>
271
Subkey type. Default is <quote>ELG-E</quote> (Elgamal
255
272
encryption-only).
261
<term><option>--sublength
262
<replaceable>BITS</replaceable></option></term>
264
<replaceable>BITS</replaceable></option></term>
278
<term><literal>-L</literal>, <literal>--sublength
279
<replaceable>bits</replaceable></literal></term>
267
Subkey length in bits. Default is 4096.
282
Subkey length in bits. Default is 2048.
273
<term><option>--email
274
<replaceable>ADDRESS</replaceable></option></term>
276
<replaceable>ADDRESS</replaceable></option></term>
288
<term><literal>-e</literal>, <literal>--email</literal>
289
<replaceable>address</replaceable></term>
279
292
Email address of key. Default is empty.
285
<term><option>--comment
286
<replaceable>TEXT</replaceable></option></term>
288
<replaceable>TEXT</replaceable></option></term>
298
<term><literal>-c</literal>, <literal>--comment</literal>
299
<replaceable>comment</replaceable></term>
291
302
Comment field for key. The default value is
436
431
Normal invocation needs no options:
439
<userinput>&COMMANDNAME;</userinput>
434
<userinput>mandos-keygen</userinput>
441
436
</informalexample>
442
437
<informalexample>
444
Create key in another directory and of another type. Force
439
Create keys in another directory and of another type. Force
445
440
overwriting old key files:
449
444
<!-- do not wrap this line -->
450
<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>
456
Prompt for a password, encrypt it with the key in <filename
457
class="directory">/etc/mandos</filename> and output a section
458
suitable for <filename>clients.conf</filename>.
461
<userinput>&COMMANDNAME; --password</userinput>
466
Prompt for a password, encrypt it with the key in the
467
<filename>client-key</filename> directory and output a section
468
suitable for <filename>clients.conf</filename>.
472
<!-- do not wrap this line -->
473
<userinput>&COMMANDNAME; --password --dir client-key</userinput>
445
<userinput>mandos-keygen --dir ~/keydir --type RSA --force</userinput>
476
448
</informalexample>
479
451
<refsect1 id="security">
480
452
<title>SECURITY</title>
482
454
The <option>--type</option>, <option>--length</option>,
483
455
<option>--subtype</option>, and <option>--sublength</option>
484
options can be used to create keys of low security. If in
485
doubt, leave them to the default values.
456
options can be used to create keys of insufficient security. If
457
in doubt, leave them to the default values.
488
The key expire time is <emphasis>not</emphasis> guaranteed to be
489
honored by <citerefentry><refentrytitle>mandos</refentrytitle>
460
The key expire time is not guaranteed to be honored by
461
<citerefentry><refentrytitle>mandos</refentrytitle>
490
462
<manvolnum>8</manvolnum></citerefentry>.
494
466
<refsect1 id="see_also">
495
467
<title>SEE ALSO</title>
497
<citerefentry><refentrytitle>intro</refentrytitle>
469
<citerefentry><refentrytitle>password-request</refentrytitle>
498
470
<manvolnum>8mandos</manvolnum></citerefentry>,
471
<citerefentry><refentrytitle>mandos</refentrytitle>
472
<manvolnum>8</manvolnum></citerefentry>,
499
473
<citerefentry><refentrytitle>gpg</refentrytitle>
500
<manvolnum>1</manvolnum></citerefentry>,
501
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
502
<manvolnum>5</manvolnum></citerefentry>,
503
<citerefentry><refentrytitle>mandos</refentrytitle>
504
<manvolnum>8</manvolnum></citerefentry>,
505
<citerefentry><refentrytitle>mandos-client</refentrytitle>
506
<manvolnum>8mandos</manvolnum></citerefentry>
474
<manvolnum>1</manvolnum></citerefentry>