/mandos/release : revision 200

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2008-09-21 12:04:02 UTC
Revision ID: teddy@fukt.bsnet.se-20080921120402-mgd2jl8xo634jw18

* Makefile: Put the init script before avahi-daemon.

* debian/mandos.prerm: Bug fix: stop mandos, not ssh.

* debian/rules (install-indep): Put the init script before
avahi-daemon.

* init.d/mandos: Require "avahi-daemon".

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

INSTALL

README

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.config

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.config

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/sv.po

debian/rules

default-mandos

init.d-mandos

legalnotice.xml

plugin-runner.conf

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version='1.0' encoding='UTF-8'?>

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2008-09-20">

<title>&COMMANDNAME;</title>

<productname>&COMMANDNAME;</productname>

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

</authorgroup>

<holder>Teddy Hogeborn & Björn Påhlsson</holder>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Generate keys for <citerefentry><refentrytitle>password-request

</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>

Generate key and password for Mandos client and server.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<replaceable>directory</replaceable></arg>

</group>

</group>

<arg choice="plain"><option>--length</option>

</group>

</group>

<arg choice="plain"><option>--email</option>

<replaceable>EMAIL</replaceable></arg>

</group>

<arg choice="plain"><option>--comment</option>

<replaceable>COMMENT</replaceable></arg>

</group>

100

<arg choice="plain"><option>--expire</option>

101

102

</group>

103

104

<arg choice="plain"><option>--force</option></arg>

105

</group>

106

</cmdsynopsis>

107

108

<command>&COMMANDNAME;</command>

109

110

111

<replaceable>directory</replaceable></arg>

112

</group>

113

114

115

116

</group>

117

118

119

120

</group>

121

122

123

124

</group>

125

126

127

<replaceable>EMAIL</replaceable></arg>

128

</group>

129

130

131

<replaceable>COMMENT</replaceable></arg>

132

</group>

133

134

135

136

</group>

137

138

139

</group>

140

</cmdsynopsis>

141

142

<command>&COMMANDNAME;</command>

143

144

145

146

</group>

147

</cmdsynopsis>

148

149

<command>&COMMANDNAME;</command>

150

151

152

<arg choice='plain'><option>--version</option></arg>

<group>

<arg choice="plain"><option>--dir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--type

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-t

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--length

<arg choice="plain"><option>-l

</group>

<sbr/>

<group>

<arg choice="plain"><option>--subtype

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-s

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--sublength

<arg choice="plain"><option>-L

</group>

<sbr/>

<group>

<arg choice="plain"><option>--name

<arg choice="plain"><option>-n

</group>

<sbr/>

<group>

<arg choice="plain"><option>--email

<replaceable>ADDRESS</replaceable></option></arg>

100

<arg choice="plain"><option>-e

101

<replaceable>ADDRESS</replaceable></option></arg>

102

</group>

103

<sbr/>

104

<group>

105

<arg choice="plain"><option>--comment

106

107

<arg choice="plain"><option>-c

108

109

</group>

110

<sbr/>

111

<group>

112

<arg choice="plain"><option>--expire

113

114

<arg choice="plain"><option>-x

115

116

</group>

117

<sbr/>

118

<arg><option>--force</option></arg>

119

</cmdsynopsis>

120

121

<command>&COMMANDNAME;</command>

122

123

<arg choice="plain"><option>--password</option></arg>

124

125

<arg choice="plain"><option>--passfile

126

127

128

129

</group>

130

<sbr/>

131

<group>

132

<arg choice="plain"><option>--dir

133

<replaceable>DIRECTORY</replaceable></option></arg>

134

<arg choice="plain"><option>-d

135

<replaceable>DIRECTORY</replaceable></option></arg>

136

</group>

137

<sbr/>

138

<group>

139

<arg choice="plain"><option>--name

140

141

<arg choice="plain"><option>-n

142

143

</group>

144

</cmdsynopsis>

145

146

<command>&COMMANDNAME;</command>

147

148

149

150

</group>

151

</cmdsynopsis>

152

153

<command>&COMMANDNAME;</command>

154

155

<arg choice="plain"><option>--version</option></arg>

156

153

157

</group>

154

158

</cmdsynopsis>

155

159

</refsynopsisdiv>

156

160

157

161

158

162

<title>DESCRIPTION</title>

159

163

<para>

160

164

<command>&COMMANDNAME;</command> is a program to generate the

161

OpenPGP keys used by

162

<citerefentry><refentrytitle>password-request</refentrytitle>

163

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

165

OpenPGP key used by

166

<citerefentry><refentrytitle>mandos-client</refentrytitle>

167

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

164

168

normally written to /etc/mandos for later installation into the

165

initrd image, but this, like most things, can be changed with

166

command line options.

169

initrd image, but this, and most other things, can be changed

170

with command line options.

171

</para>

172

<para>

173

This program can also be used with the

174

<option>--password</option> or <option>--passfile</option>

175

options to generate a ready-made section for

176

<filename>clients.conf</filename> (see

177

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

178

<manvolnum>5</manvolnum></citerefentry>).

167

179

</para>

168

180

</refsect1>

169

181

170

182

171

183

<title>PURPOSE</title>

172

173

184

<para>

174

185

The purpose of this is to enable <emphasis>remote and unattended

175

186

rebooting</emphasis> of client host computer with an

176

187

<emphasis>encrypted root file system</emphasis>. See <xref

177

188

linkend="overview"/> for details.

178

189

</para>

179

180

190

</refsect1>

181

191

182

192

183

193

<title>OPTIONS</title>

184

194

185

195

186

196

187

197

198

188

199

189

200

<para>

190

201

Show a help message and exit

191

202

</para>

192

203

</listitem>

193

204

</varlistentry>

194

195

196

<term><literal>-d</literal>, <literal>--dir

197

<replaceable>directory</replaceable></literal></term>

198

199

<para>

200

Target directory for key files.

201

</para>

202

</listitem>

203

</varlistentry>

204

205

206

<term><literal>-t</literal>, <literal>--type

207

208

209

<para>

210

Key type. Default is DSA.

211

</para>

212

</listitem>

213

</varlistentry>

214

215

216

<term><literal>-l</literal>, <literal>--length

217

218

219

<para>

220

Key length in bits. Default is 1024.

221

</para>

222

</listitem>

223

</varlistentry>

224

225

226

<term><literal>-e</literal>, <literal>--email</literal>

227

<replaceable>address</replaceable></term>

205

206

207

<term><option>--dir

208

<replaceable>DIRECTORY</replaceable></option></term>

209

<term><option>-d

210

<replaceable>DIRECTORY</replaceable></option></term>

211

212

<para>

213

Target directory for key files. Default is

214

<filename>/etc/mandos</filename>.

215

</para>

216

</listitem>

217

</varlistentry>

218

219

220

<term><option>--type

221

222

<term><option>-t

223

224

225

<para>

226

Key type. Default is <quote>DSA</quote>.

227

</para>

228

</listitem>

229

</varlistentry>

230

231

232

<term><option>--length

233

234

<term><option>-l

235

236

237

<para>

238

Key length in bits. Default is 2048.

239

</para>

240

</listitem>

241

</varlistentry>

242

243

244

<term><option>--subtype

245

<replaceable>KEYTYPE</replaceable></option></term>

246

<term><option>-s

247

<replaceable>KEYTYPE</replaceable></option></term>

248

249

<para>

250

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

251

encryption-only).

252

</para>

253

</listitem>

254

</varlistentry>

255

256

257

<term><option>--sublength

258

259

<term><option>-L

260

261

262

<para>

263

Subkey length in bits. Default is 2048.

264

</para>

265

</listitem>

266

</varlistentry>

267

268

269

<term><option>--email

270

<replaceable>ADDRESS</replaceable></option></term>

271

<term><option>-e

272

<replaceable>ADDRESS</replaceable></option></term>

228

273

229

274

<para>

230

275

Email address of key. Default is empty.

231

276

</para>

232

277

</listitem>

233

278

</varlistentry>

234

279

235

280

236

<term><literal>-c</literal>, <literal>--comment</literal>

237

<replaceable>comment</replaceable></term>

281

<term><option>--comment

282

283

<term><option>-c

284

238

285

239

286

<para>

240

287

Comment field for key. The default value is

241

"<literal>Mandos client key</literal>".

288

<quote><literal>Mandos client key</literal></quote>.

242

289

</para>

243

290

</listitem>

244

291

</varlistentry>

245

292

246

293

247

<term><literal>-x</literal>, <literal>--expire</literal>

248

294

<term><option>--expire

295

296

<term><option>-x

297

249

298

250

299

<para>

251

300

Key expire time. Default is no expiration. See

254

303

</para>

255

304

</listitem>

256

305

</varlistentry>

257

258

259

<term><literal>-f</literal>, <literal>--force</literal></term>

260

261

<para>

262

Force overwriting old keys.

306

307

308

<term><option>--force</option></term>

309

310

311

<para>

312

Force overwriting old key.

313

</para>

314

</listitem>

315

</varlistentry>

316

317

<term><option>--password</option></term>

318

319

320

<para>

321

Prompt for a password and encrypt it with the key already

322

present in either <filename>/etc/mandos</filename> or the

323

directory specified with the <option>--dir</option>

324

option. Outputs, on standard output, a section suitable

325

for inclusion in <citerefentry><refentrytitle

326

>mandos-clients.conf</refentrytitle><manvolnum

327

>8</manvolnum></citerefentry>. The host name or the name

328

specified with the <option>--name</option> option is used

329

for the section header. All other options are ignored,

330

and no key is created.

331

</para>

332

</listitem>

333

</varlistentry>

334

335

<term><option>--passfile

336

337

<term><option>-F

338

339

340

<para>

341

The same as <option>--password</option>, but read from

342

<replaceable>FILE</replaceable>, not the terminal.

263

343

</para>

264

344

</listitem>

265

345

</varlistentry>

266

346

</variablelist>

267

347

</refsect1>

268

348

269

349

270

350

<title>OVERVIEW</title>

271

351

<xi:include href="overview.xml"/>

272

352

<para>

273

This program is a small program to generate new OpenPGP keys for

274

new Mandos clients.

353

This program is a small utility to generate new OpenPGP keys for

354

new Mandos clients, and to generate sections for inclusion in

355

<filename>clients.conf</filename> on the server.

275

356

</para>

276

357

</refsect1>

277

358

278

359

279

360

<title>EXIT STATUS</title>

280

361

<para>

281

The exit status will be 0 if new keys were successfully created,

282

otherwise not.

362

The exit status will be 0 if a new key (or password, if the

363

<option>--password</option> option was used) was successfully

364

created, otherwise not.

283

365

</para>

284

366

</refsect1>

285

367

287

369

<title>ENVIRONMENT</title>

288

370

289

371

290

<term><varname>TMPDIR</varname></term>

372

<term><envar>TMPDIR</envar></term>

291

373

292

374

<para>

293

375

If set, temporary files will be created here. See

336

418

</varlistentry>

337

419

</variablelist>

338

420

</refsect1>

339

340

341

342

<para>

343

None are known at this time.

344

</para>

345

</refsect1>

346

421

422

423

424

425

426

427

347

428

348

429

<title>EXAMPLE</title>

349

430

351

432

Normal invocation needs no options:

352

433

</para>

353

434

<para>

354

<userinput>mandos-keygen</userinput>

435

<userinput>&COMMANDNAME;</userinput>

355

436

</para>

356

437

</informalexample>

357

438

358

439

<para>

359

Create keys in another directory and of another type. Force

440

Create key in another directory and of another type. Force

360

441

overwriting old key files:

361

442

</para>

362

443

<para>

363

444

364

445

365

<userinput>mandos-keygen --dir ~/keydir --type RSA --force</userinput>

446

<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>

447

448

</para>

449

</informalexample>

450

451

<para>

452

Prompt for a password, encrypt it with the key in

453

<filename>/etc/mandos</filename> and output a section suitable

454

for <filename>clients.conf</filename>.

455

</para>

456

<para>

457

<userinput>&COMMANDNAME; --password</userinput>

458

</para>

459

</informalexample>

460

461

<para>

462

Prompt for a password, encrypt it with the key in the

463

<filename>client-key</filename> directory and output a section

464

suitable for <filename>clients.conf</filename>.

465

</para>

466

<para>

467

468

469

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

366

470

367

471

</para>

368

472

</informalexample>

369

473

</refsect1>

370

474

371

475

372

476

<title>SECURITY</title>

373

477

<para>

374

The <option>--type</option> and <option>--length</option>

375

options can be used to create keys of insufficient security. If

376

in doubt, leave them to the default values.

478

The <option>--type</option>, <option>--length</option>,

479

<option>--subtype</option>, and <option>--sublength</option>

480

options can be used to create keys of low security. If in

481

doubt, leave them to the default values.

377

482

</para>

378

483

<para>

379

The key expire time is not guaranteed to be honored by

380

<citerefentry><refentrytitle>mandos</refentrytitle>

484

The key expire time is <emphasis>not</emphasis> guaranteed to be

485

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

381

486

<manvolnum>8</manvolnum></citerefentry>.

382

487

</para>

383

488

</refsect1>

384

489

385

490

386

491

387

492

<para>

388

<citerefentry><refentrytitle>password-request</refentrytitle>

389

<manvolnum>8mandos</manvolnum></citerefentry>,

390

<citerefentry><refentrytitle>mandos</refentrytitle>

391

<manvolnum>8</manvolnum></citerefentry>, and

392

493

393

494

<manvolnum>1</manvolnum></citerefentry>,

495

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

496

<manvolnum>5</manvolnum></citerefentry>,

497

<citerefentry><refentrytitle>mandos</refentrytitle>

498

<manvolnum>8</manvolnum></citerefentry>,

499

<citerefentry><refentrytitle>mandos-client</refentrytitle>

500

<manvolnum>8mandos</manvolnum></citerefentry>

394

501

</para>

395

502

</refsect1>

396

503

397

504

</refentry>

505

506

507

508

509

Older »