1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
<!ENTITY VERSION "1.0">
5
4
<!ENTITY COMMANDNAME "mandos-keygen">
6
<!ENTITY TIMESTAMP "2008-08-31">
5
<!ENTITY TIMESTAMP "2008-09-30">
6
<!ENTITY % common SYSTEM "common.ent">
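Review bot: `<!ENTITY % common SYSTEM "common.ent">` only declares the parameter entity; nothing from common.ent is loaded until `%common;` is referenced in the internal subset, and that reference is not among the visible lines (old/new lines 7-8 are elided). Confirm it follows the declaration, otherwise `&version;` used in `<productnumber>` at new line 15 is an undefined entity and the document fails to parse.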
9
10
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
11
12
<title>Mandos Manual</title>
12
13
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
13
14
<productname>Mandos</productname>
14
<productnumber>&VERSION;</productnumber>
15
<productnumber>&version;</productnumber>
15
16
<date>&TIMESTAMP;</date>
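Review bot: the `&VERSION;` entity declared at old line 4 is removed and `<productnumber>` switches to the lowercase `&version;` from common.ent, so any other `&VERSION;` reference left in this file (or in a page that shares the same header) becomes an undefined entity; grep for the uppercase spelling before merging.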
34
35
<holder>Teddy Hogeborn</holder>
35
36
<holder>Björn Påhlsson</holder>
39
This manual page is free software: you can redistribute it
40
and/or modify it under the terms of the GNU General Public
41
License as published by the Free Software Foundation,
42
either version 3 of the License, or (at your option) any
47
This manual page is distributed in the hope that it will
48
be useful, but WITHOUT ANY WARRANTY; without even the
49
implied warranty of MERCHANTABILITY or FITNESS FOR A
50
PARTICULAR PURPOSE. See the GNU General Public License
55
You should have received a copy of the GNU General Public
56
License along with this program; If not, see
57
<ulink url="http://www.gnu.org/licenses/"/>.
38
<xi:include href="legalnotice.xml"/>
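Review bot: the inline GPL notice (old lines 39-57) is replaced by `<xi:include href="legalnotice.xml"/>`; confirm legalnotice.xml carries the same GPLv3 wording, including the `<ulink url="http://www.gnu.org/licenses/"/>` link, and that the build resolves XInclude before DocBook processing, since the file is now required for the page to render at all.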
63
42
<refentrytitle>&COMMANDNAME;</refentrytitle>
64
43
<manvolnum>8</manvolnum>
68
47
<refname><command>&COMMANDNAME;</command></refname>
70
Generate keys for <citerefentry><refentrytitle>password-request
71
</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>
49
Generate key and password for Mandos client and server.
77
55
<command>&COMMANDNAME;</command>
145
123
<group choice="req">
146
124
<arg choice="plain"><option>--password</option></arg>
147
125
<arg choice="plain"><option>-p</option></arg>
126
<arg choice="plain"><option>--passfile
127
<replaceable>FILE</replaceable></option></arg>
128
<arg choice="plain"><option>-F</option>
129
<replaceable>FILE</replaceable></arg>
178
160
</refsynopsisdiv>
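Review bot: the two new synopsis entries nest `<replaceable>FILE</replaceable>` differently: for `--passfile` it sits inside `<option>` (new lines 126-127), for `-F` it sits outside (new lines 128-129). Pick one form for both; inside `<option>` matches how the `--dir`, `--type` and other option terms are written later in the page.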
180
162
<refsect1 id="description">
181
163
<title>DESCRIPTION</title>
183
165
<command>&COMMANDNAME;</command> is a program to generate the
185
<citerefentry><refentrytitle>password-request</refentrytitle>
186
<manvolnum>8mandos</manvolnum></citerefentry>. The keys are
167
<citerefentry><refentrytitle>mandos-client</refentrytitle>
168
<manvolnum>8mandos</manvolnum></citerefentry>. The key is
187
169
normally written to /etc/mandos for later installation into the
188
initrd image, but this, like most things, can be changed with
189
command line options.
170
initrd image, but this, and most other things, can be changed
171
with command line options.
192
It can also be used to generate ready-made sections for
174
This program can also be used with the
175
<option>--password</option> or <option>--passfile</option>
176
options to generate a ready-made section for
177
<filename>clients.conf</filename> (see
193
178
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
194
<manvolnum>5</manvolnum></citerefentry> using the
195
<option>--password</option> option.
179
<manvolnum>5</manvolnum></citerefentry>).
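Review bot: "but this, and most other things, can be changed with command line options" (new lines 170-171) reads awkwardly; the earlier wording "like most other things" is clearer, so consider "but this, like most other things, can be changed with command line options". The rest of the rewrite is good: naming both `--password` and `--passfile` and pointing at mandos-clients.conf(5) tells the reader where the generated section goes.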
199
183
<refsect1 id="purpose">
200
184
<title>PURPOSE</title>
203
186
The purpose of this is to enable <emphasis>remote and unattended
204
187
rebooting</emphasis> of client host computer with an
205
188
<emphasis>encrypted root file system</emphasis>. See <xref
206
189
linkend="overview"/> for details.
211
193
<refsect1 id="options">
212
194
<title>OPTIONS</title>
216
<term><literal>-h</literal>, <literal>--help</literal></term>
198
<term><option>--help</option></term>
199
<term><option>-h</option></term>
219
202
Show a help message and exit
225
<term><literal>-d</literal>, <literal>--dir
226
<replaceable>directory</replaceable></literal></term>
209
<replaceable>DIRECTORY</replaceable></option></term>
211
<replaceable>DIRECTORY</replaceable></option></term>
229
214
Target directory for key files. Default is
236
<term><literal>-t</literal>, <literal>--type
237
<replaceable>type</replaceable></literal></term>
222
<replaceable>TYPE</replaceable></option></term>
224
<replaceable>TYPE</replaceable></option></term>
240
227
Key type. Default is <quote>DSA</quote>.
246
<term><literal>-l</literal>, <literal>--length
247
<replaceable>bits</replaceable></literal></term>
233
<term><option>--length
234
<replaceable>BITS</replaceable></option></term>
236
<replaceable>BITS</replaceable></option></term>
250
239
Key length in bits. Default is 2048.
256
<term><literal>-s</literal>, <literal>--subtype
257
<replaceable>type</replaceable></literal></term>
245
<term><option>--subtype
246
<replaceable>KEYTYPE</replaceable></option></term>
248
<replaceable>KEYTYPE</replaceable></option></term>
260
251
Subkey type. Default is <quote>ELG-E</quote> (Elgamal
267
<term><literal>-L</literal>, <literal>--sublength
268
<replaceable>bits</replaceable></literal></term>
258
<term><option>--sublength
259
<replaceable>BITS</replaceable></option></term>
261
<replaceable>BITS</replaceable></option></term>
271
264
Subkey length in bits. Default is 2048.
277
<term><literal>-e</literal>, <literal>--email</literal>
278
<replaceable>address</replaceable></term>
270
<term><option>--email
271
<replaceable>ADDRESS</replaceable></option></term>
273
<replaceable>ADDRESS</replaceable></option></term>
281
276
Email address of key. Default is empty.
287
<term><literal>-c</literal>, <literal>--comment</literal>
288
<replaceable>comment</replaceable></term>
282
<term><option>--comment
283
<replaceable>TEXT</replaceable></option></term>
285
<replaceable>TEXT</replaceable></option></term>
291
288
Comment field for key. The default value is
298
<term><literal>-x</literal>, <literal>--expire</literal>
299
<replaceable>time</replaceable></term>
295
<term><option>--expire
296
<replaceable>TIME</replaceable></option></term>
298
<replaceable>TIME</replaceable></option></term>
302
301
Key expire time. Default is no expiration. See
310
<term><literal>-f</literal>, <literal>--force</literal></term>
309
<term><option>--force</option></term>
310
<term><option>-f</option></term>
313
Force overwriting old keys.
313
Force overwriting old key.
318
<term><literal>-p</literal>, <literal>--password</literal
318
<term><option>--password</option></term>
319
<term><option>-p</option></term>
322
322
Prompt for a password and encrypt it with the key already
328
328
>8</manvolnum></citerefentry>. The host name or the name
329
329
specified with the <option>--name</option> option is used
330
330
for the section header. All other options are ignored,
331
and no keys are created.
331
and no key is created.
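Review bot: "All other options are ignored" (line 330) contradicts the same paragraph, which says `--name` is used for the section header, and the EXAMPLES section, where `--password --dir client-key` encrypts with the key found in the `--dir` directory. Suggest "All options other than `--dir` and `--name` are ignored, and no key is created." so the text matches the documented behaviour.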
336
<term><option>--passfile
337
<replaceable>FILE</replaceable></option></term>
339
<replaceable>FILE</replaceable></option></term>
342
The same as <option>--password</option>, but read from
343
<replaceable>FILE</replaceable>, not the terminal.
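Review bot: "read from FILE, not the terminal" leaves open whether a trailing newline in FILE becomes part of the password; files written by an editor or by `echo` end in one, and a mismatch here produces a password the client can never match. State the rule explicitly (for example, whether only the first line is used and whether the newline is stripped).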
338
350
<refsect1 id="overview">
339
351
<title>OVERVIEW</title>
340
352
<xi:include href="overview.xml"/>
342
354
This program is a small utility to generate new OpenPGP keys for
355
new Mandos clients, and to generate sections for inclusion in
356
<filename>clients.conf</filename> on the server.
347
360
<refsect1 id="exit_status">
348
361
<title>EXIT STATUS</title>
350
The exit status will be 0 if new keys were successfully created,
363
The exit status will be 0 if a new key (or password, if the
364
<option>--password</option> option was used) was successfully
365
created, otherwise not.
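Review bot: "otherwise not" is vague for an EXIT STATUS section; say "otherwise non-zero" (or the specific value if the script uses one). The parenthetical should also mention `--passfile`, since that mode creates a password rather than a key just like `--password` does.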
437
450
</informalexample>
453
Prompt for a password, encrypt it with the key in
454
<filename>/etc/mandos</filename> and output a section suitable
455
for <filename>clients.conf</filename>.
458
<userinput>&COMMANDNAME; --password</userinput>
463
Prompt for a password, encrypt it with the key in the
464
<filename>client-key</filename> directory and output a section
465
suitable for <filename>clients.conf</filename>.
469
<!-- do not wrap this line -->
470
<userinput>&COMMANDNAME; --password --dir client-key</userinput>
440
476
<refsect1 id="security">
441
477
<title>SECURITY</title>
443
479
The <option>--type</option>, <option>--length</option>,
444
480
<option>--subtype</option>, and <option>--sublength</option>
445
options can be used to create keys of insufficient security. If
446
in doubt, leave them to the default values.
481
options can be used to create keys of low security. If in
482
doubt, leave them to the default values.
449
The key expire time is not guaranteed to be honored by
450
<citerefentry><refentrytitle>mandos</refentrytitle>
485
The key expire time is <emphasis>not</emphasis> guaranteed to be
486
honored by <citerefentry><refentrytitle>mandos</refentrytitle>
451
487
<manvolnum>8</manvolnum></citerefentry>.
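Review bot: the SECURITY section is updated for key parameters and expiry but says nothing about the new `--passfile` option, which reads the client password from a plain file. Add a sentence recommending that FILE be readable only by the user running the command and removed once the clients.conf section has been generated, so the cleartext password does not outlive the key generation step.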
455
491
<refsect1 id="see_also">
456
492
<title>SEE ALSO</title>
458
494
<citerefentry><refentrytitle>gpg</refentrytitle>
459
495
<manvolnum>1</manvolnum></citerefentry>,
496
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
497
<manvolnum>5</manvolnum></citerefentry>,
460
498
<citerefentry><refentrytitle>mandos</refentrytitle>
461
499
<manvolnum>8</manvolnum></citerefentry>,
462
<citerefentry><refentrytitle>password-request</refentrytitle>
500
<citerefentry><refentrytitle>mandos-client</refentrytitle>
463
501
<manvolnum>8mandos</manvolnum></citerefentry>