/mandos/release : revision 232

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2008-10-17 18:56:25 UTC
Revision ID: teddy@fukt.bsnet.se-20081017185625-xrfv8oevzm7lyvl6

Tags: version-1.0.2-1

* Makefile (version): Changed to "1.0.2".
* NEWS (Version 1.0.2): New entry.
* debian/changelog (1.0.2-1): New entry.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.config

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.config

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/sv.po

debian/rules

default-mandos

init.d-mandos

legalnotice.xml

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2008-10-03">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>&COMMANDNAME;</title>

<title>Mandos Manual</title>

<productname>&COMMANDNAME;</productname>

<productnumber>&VERSION;</productnumber>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Generate keys for <citerefentry><refentrytitle>password-request

</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>

Generate key and password for Mandos client and server.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<replaceable>directory</replaceable></arg>

</group>

</group>

<arg choice="plain"><option>--length</option>

</group>

<arg choice="plain"><option>--subtype</option>

</group>

<arg choice="plain"><option>--sublength</option>

</group>

</group>

100

101

<arg choice="plain"><option>--email</option>

102

<replaceable>EMAIL</replaceable></arg>

103

</group>

104

105

<arg choice="plain"><option>--comment</option>

106

<replaceable>COMMENT</replaceable></arg>

107

</group>

108

109

<arg choice="plain"><option>--expire</option>

110

111

</group>

112

113

<arg choice="plain"><option>--force</option></arg>

114

</group>

115

</cmdsynopsis>

116

117

<command>&COMMANDNAME;</command>

118

119

120

<replaceable>directory</replaceable></arg>

121

</group>

122

123

124

125

</group>

126

127

128

129

</group>

130

131

132

133

</group>

134

135

136

137

</group>

138

139

140

141

</group>

142

143

144

<replaceable>EMAIL</replaceable></arg>

145

</group>

146

147

148

<replaceable>COMMENT</replaceable></arg>

149

</group>

150

151

152

153

</group>

154

155

156

</group>

157

</cmdsynopsis>

158

159

<command>&COMMANDNAME;</command>

160

<group>

<arg choice="plain"><option>--dir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--type

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-t

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--length

<arg choice="plain"><option>-l

</group>

<sbr/>

<group>

<arg choice="plain"><option>--subtype

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-s

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--sublength

<arg choice="plain"><option>-L

</group>

<sbr/>

<group>

<arg choice="plain"><option>--name

<arg choice="plain"><option>-n

</group>

<sbr/>

<group>

<arg choice="plain"><option>--email

100

<replaceable>ADDRESS</replaceable></option></arg>

101

<arg choice="plain"><option>-e

102

<replaceable>ADDRESS</replaceable></option></arg>

103

</group>

104

<sbr/>

105

<group>

106

<arg choice="plain"><option>--comment

107

108

<arg choice="plain"><option>-c

109

110

</group>

111

<sbr/>

112

<group>

113

<arg choice="plain"><option>--expire

114

115

<arg choice="plain"><option>-x

116

117

</group>

118

<sbr/>

119

<arg><option>--force</option></arg>

120

</cmdsynopsis>

121

122

<command>&COMMANDNAME;</command>

123

124

<arg choice="plain"><option>--password</option></arg>

125

126

<arg choice="plain"><option>--passfile

127

128

129

130

</group>

131

<sbr/>

132

<group>

133

<arg choice="plain"><option>--dir

134

<replaceable>DIRECTORY</replaceable></option></arg>

135

<arg choice="plain"><option>-d

136

<replaceable>DIRECTORY</replaceable></option></arg>

137

</group>

138

<sbr/>

139

<group>

140

<arg choice="plain"><option>--name

141

142

<arg choice="plain"><option>-n

143

144

</group>

145

</cmdsynopsis>

146

147

<command>&COMMANDNAME;</command>

148

149

161

150

162

163

151

</group>

164

152

</cmdsynopsis>

165

153

166

154

<command>&COMMANDNAME;</command>

167

155

156

<arg choice="plain"><option>--version</option></arg>

168

157

169

<arg choice="plain"><option>--version</option></arg>

170

158

</group>

171

159

</cmdsynopsis>

172

160

</refsynopsisdiv>

173

161

174

162

175

163

<title>DESCRIPTION</title>

176

164

<para>

177

165

<command>&COMMANDNAME;</command> is a program to generate the

178

OpenPGP keys used by

179

<citerefentry><refentrytitle>password-request</refentrytitle>

180

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

166

OpenPGP key used by

167

<citerefentry><refentrytitle>mandos-client</refentrytitle>

168

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

181

169

normally written to /etc/mandos for later installation into the

182

initrd image, but this, like most things, can be changed with

183

command line options.

170

initrd image, but this, and most other things, can be changed

171

with command line options.

172

</para>

173

<para>

174

This program can also be used with the

175

<option>--password</option> or <option>--passfile</option>

176

options to generate a ready-made section for

177

<filename>clients.conf</filename> (see

178

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

179

<manvolnum>5</manvolnum></citerefentry>).

184

180

</para>

185

181

</refsect1>

186

182

187

183

188

184

<title>PURPOSE</title>

189

190

185

<para>

191

186

The purpose of this is to enable <emphasis>remote and unattended

192

187

rebooting</emphasis> of client host computer with an

193

188

<emphasis>encrypted root file system</emphasis>. See <xref

194

189

linkend="overview"/> for details.

195

190

</para>

196

197

191

</refsect1>

198

192

199

193

200

194

<title>OPTIONS</title>

201

195

202

196

203

197

204

198

199

205

200

206

201

<para>

207

202

Show a help message and exit

208

203

</para>

209

204

</listitem>

210

205

</varlistentry>

211

206

212

207

213

<term><literal>-d</literal>, <literal>--dir

214

<replaceable>directory</replaceable></literal></term>

208

<term><option>--dir

209

<replaceable>DIRECTORY</replaceable></option></term>

210

<term><option>-d

211

<replaceable>DIRECTORY</replaceable></option></term>

215

212

216

213

<para>

217

Target directory for key files.

214

Target directory for key files. Default is

215

<filename>/etc/mandos</filename>.

218

216

</para>

219

217

</listitem>

220

218

</varlistentry>

221

219

222

220

223

<term><literal>-t</literal>, <literal>--type

224

221

<term><option>--type

222

223

<term><option>-t

224

225

226

<para>

227

Key type. Default is <quote>DSA</quote>.

228

</para>

229

</listitem>

230

</varlistentry>

231

232

233

<term><literal>-l</literal>, <literal>--length

234

233

<term><option>--length

234

235

<term><option>-l

236

235

237

236

238

<para>

237

Key length in bits. Default is 1024.

239

Key length in bits. Default is 2048.

238

240

</para>

239

241

</listitem>

240

242

</varlistentry>

241

243

242

244

243

<term><literal>-s</literal>, <literal>--subtype

244

245

<term><option>--subtype

246

<replaceable>KEYTYPE</replaceable></option></term>

247

<term><option>-s

248

<replaceable>KEYTYPE</replaceable></option></term>

245

249

246

250

<para>

247

251

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

249

253

</para>

250

254

</listitem>

251

255

</varlistentry>

252

256

253

257

254

<term><literal>-L</literal>, <literal>--sublength

255

258

<term><option>--sublength

259

260

<term><option>-L

261

256

262

257

263

<para>

258

264

Subkey length in bits. Default is 2048.

259

265

</para>

260

266

</listitem>

261

267

</varlistentry>

262

268

263

269

264

<term><literal>-e</literal>, <literal>--email</literal>

265

<replaceable>address</replaceable></term>

270

<term><option>--email

271

<replaceable>ADDRESS</replaceable></option></term>

272

<term><option>-e

273

<replaceable>ADDRESS</replaceable></option></term>

266

274

267

275

<para>

268

276

Email address of key. Default is empty.

269

277

</para>

270

278

</listitem>

271

279

</varlistentry>

272

280

273

281

274

<term><literal>-c</literal>, <literal>--comment</literal>

275

<replaceable>comment</replaceable></term>

282

<term><option>--comment

283

284

<term><option>-c

285

276

286

277

287

<para>

278

288

Comment field for key. The default value is

280

290

</para>

281

291

</listitem>

282

292

</varlistentry>

283

293

284

294

285

<term><literal>-x</literal>, <literal>--expire</literal>

286

295

<term><option>--expire

296

297

<term><option>-x

298

287

299

288

300

<para>

289

301

Key expire time. Default is no expiration. See

292

304

</para>

293

305

</listitem>

294

306

</varlistentry>

295

296

297

<term><literal>-f</literal>, <literal>--force</literal></term>

298

299

<para>

300

Force overwriting old keys.

307

308

309

<term><option>--force</option></term>

310

311

312

<para>

313

Force overwriting old key.

314

</para>

315

</listitem>

316

</varlistentry>

317

318

<term><option>--password</option></term>

319

320

321

<para>

322

Prompt for a password and encrypt it with the key already

323

present in either <filename>/etc/mandos</filename> or the

324

directory specified with the <option>--dir</option>

325

option. Outputs, on standard output, a section suitable

326

for inclusion in <citerefentry><refentrytitle

327

>mandos-clients.conf</refentrytitle><manvolnum

328

>8</manvolnum></citerefentry>. The host name or the name

329

specified with the <option>--name</option> option is used

330

for the section header. All other options are ignored,

331

and no key is created.

332

</para>

333

</listitem>

334

</varlistentry>

335

336

<term><option>--passfile

337

338

<term><option>-F

339

340

341

<para>

342

The same as <option>--password</option>, but read from

343

<replaceable>FILE</replaceable>, not the terminal.

301

344

</para>

302

345

</listitem>

303

346

</varlistentry>

304

347

</variablelist>

305

348

</refsect1>

306

349

307

350

308

351

<title>OVERVIEW</title>

309

352

<xi:include href="overview.xml"/>

310

353

<para>

311

354

This program is a small utility to generate new OpenPGP keys for

312

new Mandos clients.

355

new Mandos clients, and to generate sections for inclusion in

356

<filename>clients.conf</filename> on the server.

313

357

</para>

314

358

</refsect1>

315

359

316

360

317

361

<title>EXIT STATUS</title>

318

362

<para>

319

The exit status will be 0 if new keys were successfully created,

320

otherwise not.

363

The exit status will be 0 if a new key (or password, if the

364

<option>--password</option> option was used) was successfully

365

created, otherwise not.

321

366

</para>

322

367

</refsect1>

323

368

325

370

<title>ENVIRONMENT</title>

326

371

327

372

328

<term><varname>TMPDIR</varname></term>

373

<term><envar>TMPDIR</envar></term>

329

374

330

375

<para>

331

376

If set, temporary files will be created here. See

337

382

</variablelist>

338

383

</refsect1>

339

384

340

385

341

386

<title>FILES</title>

342

387

<para>

343

388

Use the <option>--dir</option> option to change where

374

419

</varlistentry>

375

420

</variablelist>

376

421

</refsect1>

377

378

379

380

<para>

381

None are known at this time.

382

</para>

383

</refsect1>

384

422

423

424

425

426

427

428

385

429

386

430

<title>EXAMPLE</title>

387

431

389

433

Normal invocation needs no options:

390

434

</para>

391

435

<para>

392

<userinput>mandos-keygen</userinput>

436

<userinput>&COMMANDNAME;</userinput>

393

437

</para>

394

438

</informalexample>

395

439

396

440

<para>

397

Create keys in another directory and of another type. Force

441

Create key in another directory and of another type. Force

398

442

overwriting old key files:

399

443

</para>

400

444

<para>

401

445

402

446

403

<userinput>mandos-keygen --dir ~/keydir --type RSA --force</userinput>

447

<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>

448

449

</para>

450

</informalexample>

451

452

<para>

453

Prompt for a password, encrypt it with the key in

454

<filename>/etc/mandos</filename> and output a section suitable

455

for <filename>clients.conf</filename>.

456

</para>

457

<para>

458

<userinput>&COMMANDNAME; --password</userinput>

459

</para>

460

</informalexample>

461

462

<para>

463

Prompt for a password, encrypt it with the key in the

464

<filename>client-key</filename> directory and output a section

465

suitable for <filename>clients.conf</filename>.

466

</para>

467

<para>

468

469

470

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

404

471

405

472

</para>

406

473

</informalexample>

407

474

</refsect1>

408

475

409

476

410

477

<title>SECURITY</title>

411

478

<para>

412

479

The <option>--type</option>, <option>--length</option>,

413

480

<option>--subtype</option>, and <option>--sublength</option>

414

options can be used to create keys of insufficient security. If

415

in doubt, leave them to the default values.

481

options can be used to create keys of low security. If in

482

doubt, leave them to the default values.

416

483

</para>

417

484

<para>

418

The key expire time is not guaranteed to be honored by

419

<citerefentry><refentrytitle>mandos</refentrytitle>

485

The key expire time is <emphasis>not</emphasis> guaranteed to be

486

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

420

487

<manvolnum>8</manvolnum></citerefentry>.

421

488

</para>

422

489

</refsect1>

423

490

424

491

425

492

426

493

<para>

427

<citerefentry><refentrytitle>password-request</refentrytitle>

428

<manvolnum>8mandos</manvolnum></citerefentry>,

494

495

<manvolnum>1</manvolnum></citerefentry>,

496

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

497

<manvolnum>5</manvolnum></citerefentry>,

429

498

<citerefentry><refentrytitle>mandos</refentrytitle>

430

499

<manvolnum>8</manvolnum></citerefentry>,

431

432

500

<citerefentry><refentrytitle>mandos-client</refentrytitle>

501

<manvolnum>8mandos</manvolnum></citerefentry>

433

502

</para>

434

503

</refsect1>

435

504

436

505

</refentry>

506

507

508

509

510

Older »