/mandos/release : revision 237.7.133

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2012-05-17 01:55:58 UTC
mto: (299.1.1 release) (300.1.1 release) (237.7.139 trunk) (301.1.1 release)
mto: This revision was merged to the branch mainline in revision 300.
Revision ID: teddy@recompile.se-20120517015558-5703p8nkquc2rhgd

* .bzrignore (statedir): Added.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/watch

default-mandos

init.d-mandos

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2012-01-01">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>&COMMANDNAME;</title>

<title>Mandos Manual</title>

<productname>&COMMANDNAME;</productname>

<productnumber>&VERSION;</productnumber>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Generate keys for <citerefentry><refentrytitle>password-request

</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>

Generate key and password for Mandos client and server.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<replaceable>directory</replaceable></arg>

</group>

</group>

<arg choice="plain"><option>--length</option>

</group>

<arg choice="plain"><option>--subtype</option>

</group>

<arg choice="plain"><option>--sublength</option>

</group>

</group>

100

101

<arg choice="plain"><option>--email</option>

102

<replaceable>EMAIL</replaceable></arg>

103

</group>

104

105

<arg choice="plain"><option>--comment</option>

106

<replaceable>COMMENT</replaceable></arg>

107

</group>

108

109

<arg choice="plain"><option>--expire</option>

110

111

</group>

112

113

<arg choice="plain"><option>--force</option></arg>

114

</group>

115

</cmdsynopsis>

116

117

<command>&COMMANDNAME;</command>

118

119

120

<replaceable>directory</replaceable></arg>

121

</group>

122

123

124

125

</group>

126

127

128

129

</group>

130

131

132

133

</group>

134

135

136

137

</group>

138

139

140

141

</group>

142

143

144

<replaceable>EMAIL</replaceable></arg>

145

</group>

146

147

148

<replaceable>COMMENT</replaceable></arg>

149

</group>

150

151

152

153

</group>

154

155

156

</group>

157

</cmdsynopsis>

158

159

<command>&COMMANDNAME;</command>

160

<group>

<arg choice="plain"><option>--dir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--type

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-t

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--length

<arg choice="plain"><option>-l

</group>

<sbr/>

<group>

<arg choice="plain"><option>--subtype

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-s

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--sublength

<arg choice="plain"><option>-L

</group>

<sbr/>

<group>

<arg choice="plain"><option>--name

<arg choice="plain"><option>-n

</group>

100

<sbr/>

101

<group>

102

<arg choice="plain"><option>--email

103

<replaceable>ADDRESS</replaceable></option></arg>

104

<arg choice="plain"><option>-e

105

<replaceable>ADDRESS</replaceable></option></arg>

106

</group>

107

<sbr/>

108

<group>

109

<arg choice="plain"><option>--comment

110

111

<arg choice="plain"><option>-c

112

113

</group>

114

<sbr/>

115

<group>

116

<arg choice="plain"><option>--expire

117

118

<arg choice="plain"><option>-x

119

120

</group>

121

<sbr/>

122

<arg><option>--force</option></arg>

123

</cmdsynopsis>

124

125

<command>&COMMANDNAME;</command>

126

127

<arg choice="plain"><option>--password</option></arg>

128

129

<arg choice="plain"><option>--passfile

130

131

132

133

</group>

134

<sbr/>

135

<group>

136

<arg choice="plain"><option>--dir

137

<replaceable>DIRECTORY</replaceable></option></arg>

138

<arg choice="plain"><option>-d

139

<replaceable>DIRECTORY</replaceable></option></arg>

140

</group>

141

<sbr/>

142

<group>

143

<arg choice="plain"><option>--name

144

145

<arg choice="plain"><option>-n

146

147

</group>

148

</cmdsynopsis>

149

150

<command>&COMMANDNAME;</command>

151

152

161

153

162

163

154

</group>

164

155

</cmdsynopsis>

165

156

166

157

<command>&COMMANDNAME;</command>

167

158

159

<arg choice="plain"><option>--version</option></arg>

168

160

169

<arg choice="plain"><option>--version</option></arg>

170

161

</group>

171

162

</cmdsynopsis>

172

163

</refsynopsisdiv>

173

164

174

165

175

166

<title>DESCRIPTION</title>

176

167

<para>

177

168

<command>&COMMANDNAME;</command> is a program to generate the

178

OpenPGP keys used by

179

<citerefentry><refentrytitle>password-request</refentrytitle>

180

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

169

OpenPGP key used by

170

<citerefentry><refentrytitle>mandos-client</refentrytitle>

171

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

181

172

normally written to /etc/mandos for later installation into the

182

initrd image, but this, like most things, can be changed with

183

command line options.

173

initrd image, but this, and most other things, can be changed

174

with command line options.

175

</para>

176

<para>

177

This program can also be used with the

178

<option>--password</option> or <option>--passfile</option>

179

options to generate a ready-made section for

180

<filename>clients.conf</filename> (see

181

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

182

<manvolnum>5</manvolnum></citerefentry>).

184

183

</para>

185

184

</refsect1>

186

185

187

186

188

187

<title>PURPOSE</title>

189

190

188

<para>

191

189

The purpose of this is to enable <emphasis>remote and unattended

192

190

rebooting</emphasis> of client host computer with an

193

191

<emphasis>encrypted root file system</emphasis>. See <xref

194

192

linkend="overview"/> for details.

195

193

</para>

196

197

194

</refsect1>

198

195

199

196

200

197

<title>OPTIONS</title>

201

198

202

199

203

200

204

201

202

205

203

206

204

<para>

207

205

Show a help message and exit

208

206

</para>

209

207

</listitem>

210

208

</varlistentry>

211

209

212

210

213

<term><literal>-d</literal>, <literal>--dir

214

<replaceable>directory</replaceable></literal></term>

211

<term><option>--dir

212

<replaceable>DIRECTORY</replaceable></option></term>

213

<term><option>-d

214

<replaceable>DIRECTORY</replaceable></option></term>

215

216

<para>

217

Target directory for key files.

217

Target directory for key files. Default is

218

<filename class="directory">/etc/mandos</filename>.

218

219

</para>

219

220

</listitem>

220

221

</varlistentry>

221

222

223

223

<term><literal>-t</literal>, <literal>--type

224

224

<term><option>--type

225

226

<term><option>-t

227

225

228

226

229

<para>

227

230

Key type. Default is <quote>DSA</quote>.

228

231

</para>

229

232

</listitem>

230

233

</varlistentry>

231

234

232

235

233

<term><literal>-l</literal>, <literal>--length

234

236

<term><option>--length

237

238

<term><option>-l

239

235

240

236

241

<para>

237

Key length in bits. Default is 1024.

242

Key length in bits. Default is 2048.

238

243

</para>

239

244

</listitem>

240

245

</varlistentry>

241

246

242

247

243

<term><literal>-s</literal>, <literal>--subtype

244

248

<term><option>--subtype

249

<replaceable>KEYTYPE</replaceable></option></term>

250

<term><option>-s

251

<replaceable>KEYTYPE</replaceable></option></term>

245

252

246

253

<para>

247

254

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

249

256

</para>

250

257

</listitem>

251

258

</varlistentry>

252

259

253

260

254

<term><literal>-L</literal>, <literal>--sublength

255

261

<term><option>--sublength

262

263

<term><option>-L

264

256

265

257

266

<para>

258

267

Subkey length in bits. Default is 2048.

259

268

</para>

260

269

</listitem>

261

270

</varlistentry>

262

271

263

272

264

<term><literal>-e</literal>, <literal>--email</literal>

265

<replaceable>address</replaceable></term>

273

<term><option>--email

274

<replaceable>ADDRESS</replaceable></option></term>

275

<term><option>-e

276

<replaceable>ADDRESS</replaceable></option></term>

266

277

267

278

<para>

268

279

Email address of key. Default is empty.

269

280

</para>

270

281

</listitem>

271

282

</varlistentry>

272

283

273

284

274

<term><literal>-c</literal>, <literal>--comment</literal>

275

<replaceable>comment</replaceable></term>

285

<term><option>--comment

286

287

<term><option>-c

288

276

289

277

290

<para>

278

291

Comment field for key. The default value is

280

293

</para>

281

294

</listitem>

282

295

</varlistentry>

283

296

284

297

285

<term><literal>-x</literal>, <literal>--expire</literal>

286

298

<term><option>--expire

299

300

<term><option>-x

301

287

302

288

303

<para>

289

304

Key expire time. Default is no expiration. See

292

307

</para>

293

308

</listitem>

294

309

</varlistentry>

295

296

297

<term><literal>-f</literal>, <literal>--force</literal></term>

298

299

<para>

300

Force overwriting old keys.

310

311

312

<term><option>--force</option></term>

313

314

315

<para>

316

Force overwriting old key.

317

</para>

318

</listitem>

319

</varlistentry>

320

321

<term><option>--password</option></term>

322

323

324

<para>

325

Prompt for a password and encrypt it with the key already

326

present in either <filename>/etc/mandos</filename> or the

327

directory specified with the <option>--dir</option>

328

option. Outputs, on standard output, a section suitable

329

for inclusion in <citerefentry><refentrytitle

330

>mandos-clients.conf</refentrytitle><manvolnum

331

>8</manvolnum></citerefentry>. The host name or the name

332

specified with the <option>--name</option> option is used

333

for the section header. All other options are ignored,

334

and no key is created.

335

</para>

336

</listitem>

337

</varlistentry>

338

339

<term><option>--passfile

340

341

<term><option>-F

342

343

344

<para>

345

The same as <option>--password</option>, but read from

346

<replaceable>FILE</replaceable>, not the terminal.

301

347

</para>

302

348

</listitem>

303

349

</varlistentry>

304

350

</variablelist>

305

351

</refsect1>

306

352

307

353

308

354

<title>OVERVIEW</title>

309

355

<xi:include href="overview.xml"/>

310

356

<para>

311

357

This program is a small utility to generate new OpenPGP keys for

312

new Mandos clients.

358

new Mandos clients, and to generate sections for inclusion in

359

<filename>clients.conf</filename> on the server.

313

360

</para>

314

361

</refsect1>

315

362

316

363

317

364

<title>EXIT STATUS</title>

318

365

<para>

319

The exit status will be 0 if new keys were successfully created,

320

otherwise not.

366

The exit status will be 0 if a new key (or password, if the

367

<option>--password</option> option was used) was successfully

368

created, otherwise not.

321

369

</para>

322

370

</refsect1>

323

371

325

373

<title>ENVIRONMENT</title>

326

374

327

375

328

<term><varname>TMPDIR</varname></term>

376

<term><envar>TMPDIR</envar></term>

329

377

330

378

<para>

331

379

If set, temporary files will be created here. See

337

385

</variablelist>

338

386

</refsect1>

339

387

340

388

341

389

<title>FILES</title>

342

390

<para>

343

391

Use the <option>--dir</option> option to change where

364

412

</listitem>

365

413

</varlistentry>

366

414

367

415

368

416

369

417

<para>

370

418

Temporary files will be written here if

374

422

</varlistentry>

375

423

</variablelist>

376

424

</refsect1>

377

378

379

380

<para>

381

None are known at this time.

382

</para>

383

</refsect1>

384

425

426

427

428

429

430

431

385

432

386

433

<title>EXAMPLE</title>

387

434

389

436

Normal invocation needs no options:

390

437

</para>

391

438

<para>

392

<userinput>mandos-keygen</userinput>

439

<userinput>&COMMANDNAME;</userinput>

393

440

</para>

394

441

</informalexample>

395

442

396

443

<para>

397

Create keys in another directory and of another type. Force

444

Create key in another directory and of another type. Force

398

445

overwriting old key files:

399

446

</para>

400

447

<para>

401

448

402

449

403

<userinput>mandos-keygen --dir ~/keydir --type RSA --force</userinput>

450

<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>

451

452

</para>

453

</informalexample>

454

455

<para>

456

Prompt for a password, encrypt it with the key in <filename

457

class="directory">/etc/mandos</filename> and output a section

458

suitable for <filename>clients.conf</filename>.

459

</para>

460

<para>

461

<userinput>&COMMANDNAME; --password</userinput>

462

</para>

463

</informalexample>

464

465

<para>

466

Prompt for a password, encrypt it with the key in the

467

<filename>client-key</filename> directory and output a section

468

suitable for <filename>clients.conf</filename>.

469

</para>

470

<para>

471

472

473

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

404

474

405

475

</para>

406

476

</informalexample>

407

477

</refsect1>

408

478

409

479

410

480

<title>SECURITY</title>

411

481

<para>

412

482

The <option>--type</option>, <option>--length</option>,

413

483

<option>--subtype</option>, and <option>--sublength</option>

414

options can be used to create keys of insufficient security. If

415

in doubt, leave them to the default values.

484

options can be used to create keys of low security. If in

485

doubt, leave them to the default values.

416

486

</para>

417

487

<para>

418

The key expire time is not guaranteed to be honored by

419

<citerefentry><refentrytitle>mandos</refentrytitle>

488

The key expire time is <emphasis>not</emphasis> guaranteed to be

489

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

420

490

<manvolnum>8</manvolnum></citerefentry>.

421

491

</para>

422

492

</refsect1>

423

493

424

494

425

495

426

496

<para>

427

<citerefentry><refentrytitle>password-request</refentrytitle>

497

<citerefentry><refentrytitle>intro</refentrytitle>

428

498

<manvolnum>8mandos</manvolnum></citerefentry>,

499

500

<manvolnum>1</manvolnum></citerefentry>,

501

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

502

<manvolnum>5</manvolnum></citerefentry>,

429

503

<citerefentry><refentrytitle>mandos</refentrytitle>

430

504

<manvolnum>8</manvolnum></citerefentry>,

431

432

505

<citerefentry><refentrytitle>mandos-client</refentrytitle>

506

<manvolnum>8mandos</manvolnum></citerefentry>

433

507

</para>

434

508

</refsect1>

435

509

436

510

</refentry>

511

512

513

514

515

Older »