Viewing changes to mandos-keygen.xml

First version of a somewhat complete D-Bus server interface.  Also
change user/group name to "_mandos".

* debian/mandos.postinst: Rename old "mandos" user and group to
                          "_mandos"; create "_mandos" user and group
                          if none exist.
* debian/mandos-client.postinst: - '' -

* initramfs-tools-hook: Try "_mandos" before "mandos" as user and
                        group name.

* mandos (_datetime_to_dbus_struct): New; was previously local.
  (Client.started): Renamed to "last_started".  All users changed.
  (Client.started): New; boolean.
  (Client.dbus_object_path): New.
  (Client.check_command): Renamed to "checker_command".  All users
                          changed.
  (Client.__init__): Set and use "self.dbus_object_path".  Set
                     "self.started".
  (Client.start): Update "self.started".  Emit "self.PropertyChanged"
                  signals for both "started" and "last_started".
  (Client.stop): Update "self.started".  Emit "self.PropertyChanged"
                 signal for "started".
  (Client.checker_callback): Take additional "command" argument.  All
                             callers changed. Emit
                             "self.PropertyChanged" signal.
  (Client.bump_timeout): Emit "self.PropertyChanged" signal for
                         "last_checked_ok".
  (Client.start_checker): Emit "self.PropertyChanged" signal for
                          "checker_running".
  (Client.stop_checker): Emit "self.PropertyChanged" signal for
                         "checker_running".
  (Client.still_valid): Bug fix: use "getattr(self, started, False)"
                        instead of "self.started" in case this client
                        object is so new that the "started" attribute
                        has not been created yet.
  (Client.IntervalChanged, Client.CheckerIsRunning, Client.GetChecker,
  Client.GetCreated, Client.GetFingerprint, Client.GetHost,
  Client.GetInterval, Client.GetName, Client.GetStarted,
  Client.GetTimeout, Client.StateChanged, Client.TimeoutChanged):
  Removed; all callers changed.
  (Client.CheckerCompleted): Add "condition" and "command" arguments.
                             All callers changed.
  (Client.GetAllProperties, Client.PropertyChanged): New.
  (Client.StillValid): Renamed to "IsStillValid".
  (Client.StartChecker): Changed to its own function to avoid the
                         return value from "Client.start_checker()".
  (Client.Stop): Changed to its own function to avoid the return value
                 from "Client.stop()".
  (main): Try "_mandos" before "mandos" as user and group name.
          Removed inner function "remove_from_clients".  New inner
          class "MandosServer".

2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos-keygen">
5
 
<!ENTITY TIMESTAMP "2019-07-18">
 
5
<!ENTITY TIMESTAMP "2008-10-03">
6
6
<!ENTITY % common SYSTEM "common.ent">
7
7
%common;
8
8
]>
19
19
        <firstname>Björn</firstname>
20
20
        <surname>Påhlsson</surname>
21
21
        <address>
22
 
          <email>belorn@recompile.se</email>
 
22
          <email>belorn@fukt.bsnet.se</email>
23
23
        </address>
24
24
      </author>
25
25
      <author>
26
26
        <firstname>Teddy</firstname>
27
27
        <surname>Hogeborn</surname>
28
28
        <address>
29
 
          <email>teddy@recompile.se</email>
 
29
          <email>teddy@fukt.bsnet.se</email>
30
30
        </address>
31
31
      </author>
32
32
    </authorgroup>
33
33
    <copyright>
34
34
      <year>2008</year>
35
 
      <year>2009</year>
36
 
      <year>2010</year>
37
 
      <year>2011</year>
38
 
      <year>2012</year>
39
 
      <year>2013</year>
40
 
      <year>2014</year>
41
 
      <year>2015</year>
42
 
      <year>2016</year>
43
 
      <year>2017</year>
44
 
      <year>2018</year>
45
 
      <year>2019</year>
46
35
      <holder>Teddy Hogeborn</holder>
47
36
      <holder>Björn Påhlsson</holder>
48
37
    </copyright>
127
116
        <replaceable>TIME</replaceable></option></arg>
128
117
      </group>
129
118
      <sbr/>
130
 
      <group>
131
 
        <arg choice="plain"><option>--tls-keytype
132
 
        <replaceable>KEYTYPE</replaceable></option></arg>
133
 
        <arg choice="plain"><option>-T
134
 
        <replaceable>KEYTYPE</replaceable></option></arg>
135
 
      </group>
136
 
      <sbr/>
137
 
      <group>
138
 
        <arg choice="plain"><option>--force</option></arg>
139
 
        <arg choice="plain"><option>-f</option></arg>
140
 
      </group>
 
119
      <arg><option>--force</option></arg>
141
120
    </cmdsynopsis>
142
121
    <cmdsynopsis>
143
122
      <command>&COMMANDNAME;</command>
163
142
        <arg choice="plain"><option>-n
164
143
        <replaceable>NAME</replaceable></option></arg>
165
144
      </group>
166
 
      <group>
167
 
        <arg choice="plain"><option>--no-ssh</option></arg>
168
 
        <arg choice="plain"><option>-S</option></arg>
169
 
      </group>
170
145
    </cmdsynopsis>
171
146
    <cmdsynopsis>
172
147
      <command>&COMMANDNAME;</command>
188
163
    <title>DESCRIPTION</title>
189
164
    <para>
190
165
      <command>&COMMANDNAME;</command> is a program to generate the
191
 
      TLS and OpenPGP keys used by
 
166
      OpenPGP key used by
192
167
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
193
 
      <manvolnum>8mandos</manvolnum></citerefentry>.  The keys are
194
 
      normally written to /etc/keys/mandos for later installation into
195
 
      the initrd image, but this, and most other things, can be
196
 
      changed with command line options.
 
168
      <manvolnum>8mandos</manvolnum></citerefentry>.  The key is
 
169
      normally written to /etc/mandos for later installation into the
 
170
      initrd image, but this, and most other things, can be changed
 
171
      with command line options.
197
172
    </para>
198
173
    <para>
199
174
      This program can also be used with the
236
211
        <replaceable>DIRECTORY</replaceable></option></term>
237
212
        <listitem>
238
213
          <para>
239
 
            Target directory for key files.  Default is <filename
240
 
            class="directory">/etc/keys/mandos</filename>.
 
214
            Target directory for key files.  Default is
 
215
            <filename>/etc/mandos</filename>.
241
216
          </para>
242
217
        </listitem>
243
218
      </varlistentry>
249
224
        <replaceable>TYPE</replaceable></option></term>
250
225
        <listitem>
251
226
          <para>
252
 
            OpenPGP key type.  Default is <quote>RSA</quote>.
 
227
            Key type.  Default is <quote>DSA</quote>.
253
228
          </para>
254
229
        </listitem>
255
230
      </varlistentry>
261
236
        <replaceable>BITS</replaceable></option></term>
262
237
        <listitem>
263
238
          <para>
264
 
            OpenPGP key length in bits.  Default is 4096.
 
239
            Key length in bits.  Default is 2048.
265
240
          </para>
266
241
        </listitem>
267
242
      </varlistentry>
273
248
        <replaceable>KEYTYPE</replaceable></option></term>
274
249
        <listitem>
275
250
          <para>
276
 
            OpenPGP subkey type.  Default is <quote>RSA</quote>
 
251
            Subkey type.  Default is <quote>ELG-E</quote> (Elgamal
 
252
            encryption-only).
277
253
          </para>
278
254
        </listitem>
279
255
      </varlistentry>
285
261
        <replaceable>BITS</replaceable></option></term>
286
262
        <listitem>
287
263
          <para>
288
 
            OpenPGP subkey length in bits.  Default is 4096.
 
264
            Subkey length in bits.  Default is 2048.
289
265
          </para>
290
266
        </listitem>
291
267
      </varlistentry>
309
285
        <replaceable>TEXT</replaceable></option></term>
310
286
        <listitem>
311
287
          <para>
312
 
            Comment field for key.  Default is empty.
 
288
            Comment field for key.  The default value is
 
289
            <quote><literal>Mandos client key</literal></quote>.
313
290
          </para>
314
291
        </listitem>
315
292
      </varlistentry>
329
306
      </varlistentry>
330
307
      
331
308
      <varlistentry>
332
 
        <term><option>--tls-keytype
333
 
        <replaceable>KEYTYPE</replaceable></option></term>
334
 
        <term><option>-T
335
 
        <replaceable>KEYTYPE</replaceable></option></term>
336
 
        <listitem>
337
 
          <para>
338
 
            TLS key type.  Default is <quote>ed25519</quote>
339
 
          </para>
340
 
        </listitem>
341
 
      </varlistentry>
342
 
      
343
 
      <varlistentry>
344
309
        <term><option>--force</option></term>
345
310
        <term><option>-f</option></term>
346
311
        <listitem>
355
320
        <listitem>
356
321
          <para>
357
322
            Prompt for a password and encrypt it with the key already
358
 
            present in either <filename>/etc/keys/mandos</filename> or
359
 
            the directory specified with the <option>--dir</option>
 
323
            present in either <filename>/etc/mandos</filename> or the
 
324
            directory specified with the <option>--dir</option>
360
325
            option.  Outputs, on standard output, a section suitable
361
326
            for inclusion in <citerefentry><refentrytitle
362
327
            >mandos-clients.conf</refentrytitle><manvolnum
363
328
            >8</manvolnum></citerefentry>.  The host name or the name
364
329
            specified with the <option>--name</option> option is used
365
330
            for the section header.  All other options are ignored,
366
 
            and no key is created.  Note: white space is stripped from
367
 
            the beginning and from the end of the password; See <xref
368
 
            linkend="bugs"/>.
 
331
            and no key is created.
369
332
          </para>
370
333
        </listitem>
371
334
      </varlistentry>
377
340
        <listitem>
378
341
          <para>
379
342
            The same as <option>--password</option>, but read from
380
 
            <replaceable>FILE</replaceable>, not the terminal, and
381
 
            white space is not stripped from the password in any way.
382
 
          </para>
383
 
        </listitem>
384
 
      </varlistentry>
385
 
      <varlistentry>
386
 
        <term><option>--no-ssh</option></term>
387
 
        <term><option>-S</option></term>
388
 
        <listitem>
389
 
          <para>
390
 
            When <option>--password</option> or
391
 
            <option>--passfile</option> is given, this option will
392
 
            prevent <command>&COMMANDNAME;</command> from calling
393
 
            <command>ssh-keyscan</command> to get an SSH fingerprint
394
 
            for this host and, if successful, output suitable config
395
 
            options to use this fingerprint as a
396
 
            <option>checker</option> option in the output.  This is
397
 
            otherwise the default behavior.
 
343
            <replaceable>FILE</replaceable>, not the terminal.
398
344
          </para>
399
345
        </listitem>
400
346
      </varlistentry>
405
351
    <title>OVERVIEW</title>
406
352
    <xi:include href="overview.xml"/>
407
353
    <para>
408
 
      This program is a small utility to generate new TLS and OpenPGP
409
 
      keys for new Mandos clients, and to generate sections for
410
 
      inclusion in <filename>clients.conf</filename> on the server.
 
354
      This program is a small utility to generate new OpenPGP keys for
 
355
      new Mandos clients, and to generate sections for inclusion in
 
356
      <filename>clients.conf</filename> on the server.
411
357
    </para>
412
358
  </refsect1>
413
359
  
445
391
    </para>
446
392
    <variablelist>
447
393
      <varlistentry>
448
 
        <term><filename>/etc/keys/mandos/seckey.txt</filename></term>
 
394
        <term><filename>/etc/mandos/seckey.txt</filename></term>
449
395
        <listitem>
450
396
          <para>
451
397
            OpenPGP secret key file which will be created or
454
400
        </listitem>
455
401
      </varlistentry>
456
402
      <varlistentry>
457
 
        <term><filename>/etc/keys/mandos/pubkey.txt</filename></term>
 
403
        <term><filename>/etc/mandos/pubkey.txt</filename></term>
458
404
        <listitem>
459
405
          <para>
460
406
            OpenPGP public key file which will be created or
463
409
        </listitem>
464
410
      </varlistentry>
465
411
      <varlistentry>
466
 
        <term><filename>/etc/keys/mandos/tls-privkey.pem</filename></term>
467
 
        <listitem>
468
 
          <para>
469
 
            Private key file which will be created or overwritten.
470
 
          </para>
471
 
        </listitem>
472
 
      </varlistentry>
473
 
      <varlistentry>
474
 
        <term><filename>/etc/keys/mandos/tls-pubkey.pem</filename></term>
475
 
        <listitem>
476
 
          <para>
477
 
            Public key file which will be created or overwritten.
478
 
          </para>
479
 
        </listitem>
480
 
      </varlistentry>
481
 
      <varlistentry>
482
 
        <term><filename class="directory">/tmp</filename></term>
 
412
        <term><filename>/tmp</filename></term>
483
413
        <listitem>
484
414
          <para>
485
415
            Temporary files will be written here if
490
420
    </variablelist>
491
421
  </refsect1>
492
422
  
493
 
  <refsect1 id="bugs">
494
 
    <title>BUGS</title>
495
 
    <para>
496
 
      The <option>--password</option>/<option>-p</option> option
497
 
      strips white space from the start and from the end of the
498
 
      password before using it.  If this is a problem, use the
499
 
      <option>--passfile</option> option instead, which does not do
500
 
      this.
501
 
    </para>
502
 
    <xi:include href="bugs.xml"/>
503
 
  </refsect1>
 
423
<!--   <refsect1 id="bugs"> -->
 
424
<!--     <title>BUGS</title> -->
 
425
<!--     <para> -->
 
426
<!--     </para> -->
 
427
<!--   </refsect1> -->
504
428
  
505
429
  <refsect1 id="example">
506
430
    <title>EXAMPLE</title>
526
450
    </informalexample>
527
451
    <informalexample>
528
452
      <para>
529
 
        Prompt for a password, encrypt it with the keys in <filename
530
 
        class="directory">/etc/keys/mandos</filename> and output a
531
 
        section suitable for <filename>clients.conf</filename>.
 
453
        Prompt for a password, encrypt it with the key in
 
454
        <filename>/etc/mandos</filename> and output a section suitable
 
455
        for <filename>clients.conf</filename>.
532
456
      </para>
533
457
      <para>
534
458
        <userinput>&COMMANDNAME; --password</userinput>
536
460
    </informalexample>
537
461
    <informalexample>
538
462
      <para>
539
 
        Prompt for a password, encrypt it with the keys in the
 
463
        Prompt for a password, encrypt it with the key in the
540
464
        <filename>client-key</filename> directory and output a section
541
465
        suitable for <filename>clients.conf</filename>.
542
466
      </para>
567
491
  <refsect1 id="see_also">
568
492
    <title>SEE ALSO</title>
569
493
    <para>
570
 
      <citerefentry><refentrytitle>intro</refentrytitle>
571
 
      <manvolnum>8mandos</manvolnum></citerefentry>,
572
494
      <citerefentry><refentrytitle>gpg</refentrytitle>
573
495
      <manvolnum>1</manvolnum></citerefentry>,
574
496
      <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
576
498
      <citerefentry><refentrytitle>mandos</refentrytitle>
577
499
      <manvolnum>8</manvolnum></citerefentry>,
578
500
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
579
 
      <manvolnum>8mandos</manvolnum></citerefentry>,
580
 
      <citerefentry><refentrytitle>ssh-keyscan</refentrytitle>
581
 
      <manvolnum>1</manvolnum></citerefentry>
 
501
      <manvolnum>8mandos</manvolnum></citerefentry>
582
502
    </para>
583
503
  </refsect1>
584
504