/mandos/release : revision 237.7.341

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2015-12-03 21:06:34 UTC
mto: (237.7.594 trunk)
mto: This revision was merged to the branch mainline in revision 329.
Revision ID: teddy@recompile.se-20151203210634-5dcyccalld40cygn

http://bugs.debian.org/806073

* debian/rules (override_dh_fixperms): Split into
                                       "override_dh_fixperms-arch" and
                                       "override_dh_fixperms-indep".
                                       Fixes Debian bug #806073.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2008-08-29">

<!ENTITY TIMESTAMP "2015-07-20">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&VERSION;</productnumber>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Generate keys for <citerefentry><refentrytitle>password-request

</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>

Generate key and password for Mandos client and server.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<replaceable>directory</replaceable></arg>

</group>

</group>

<arg choice="plain"><option>--length</option>

</group>

<arg choice="plain"><option>--subtype</option>

</group>

<arg choice="plain"><option>--sublength</option>

</group>

100

101

</group>

102

103

<arg choice="plain"><option>--email</option>

104

<replaceable>EMAIL</replaceable></arg>

105

</group>

106

107

<arg choice="plain"><option>--comment</option>

108

<replaceable>COMMENT</replaceable></arg>

109

</group>

110

111

<arg choice="plain"><option>--expire</option>

112

113

</group>

114

<group>

<arg choice="plain"><option>--dir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--type

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-t

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--length

<arg choice="plain"><option>-l

</group>

<sbr/>

<group>

<arg choice="plain"><option>--subtype

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-s

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--sublength

<arg choice="plain"><option>-L

</group>

<sbr/>

<group>

<arg choice="plain"><option>--name

100

101

<arg choice="plain"><option>-n

102

103

</group>

104

<sbr/>

105

<group>

106

<arg choice="plain"><option>--email

107

<replaceable>ADDRESS</replaceable></option></arg>

108

<arg choice="plain"><option>-e

109

<replaceable>ADDRESS</replaceable></option></arg>

110

</group>

111

<sbr/>

112

<group>

113

<arg choice="plain"><option>--comment

114

115

<arg choice="plain"><option>-c

116

117

</group>

118

<sbr/>

119

<group>

120

<arg choice="plain"><option>--expire

121

122

<arg choice="plain"><option>-x

123

124

</group>

125

<sbr/>

126

<group>

115

127

<arg choice="plain"><option>--force</option></arg>

116

</group>

117

</cmdsynopsis>

118

119

<command>&COMMANDNAME;</command>

120

121

122

<replaceable>directory</replaceable></arg>

123

</group>

124

125

126

127

</group>

128

129

130

131

</group>

132

133

134

135

</group>

136

137

138

139

</group>

140

141

142

143

</group>

144

145

146

<replaceable>EMAIL</replaceable></arg>

147

</group>

148

149

150

<replaceable>COMMENT</replaceable></arg>

151

</group>

152

153

154

155

</group>

156

157

128

158

129

</group>

159

130

</cmdsynopsis>

160

131

161

132

<command>&COMMANDNAME;</command>

162

133

134

<arg choice="plain"><option>--password</option></arg>

163

135

164

<arg choice="plain"><option>--password</option></arg>

165

</group>

166

167

168

<replaceable>directory</replaceable></arg>

169

</group>

170

171

172

136

<arg choice="plain"><option>--passfile

137

138

139

140

</group>

141

<sbr/>

142

<group>

143

<arg choice="plain"><option>--dir

144

<replaceable>DIRECTORY</replaceable></option></arg>

145

<arg choice="plain"><option>-d

146

<replaceable>DIRECTORY</replaceable></option></arg>

147

</group>

148

<sbr/>

149

<group>

150

<arg choice="plain"><option>--name

151

152

<arg choice="plain"><option>-n

153

154

</group>

155

<group>

156

157

173

158

</group>

174

159

</cmdsynopsis>

175

160

176

161

<command>&COMMANDNAME;</command>

177

162

163

178

164

179

180

165

</group>

181

166

</cmdsynopsis>

182

167

183

168

<command>&COMMANDNAME;</command>

184

169

170

<arg choice="plain"><option>--version</option></arg>

185

171

186

<arg choice="plain"><option>--version</option></arg>

187

172

</group>

188

173

</cmdsynopsis>

189

174

</refsynopsisdiv>

190

175

191

176

192

177

<title>DESCRIPTION</title>

193

178

<para>

194

179

<command>&COMMANDNAME;</command> is a program to generate the

195

OpenPGP keys used by

196

<citerefentry><refentrytitle>password-request</refentrytitle>

197

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

180

OpenPGP key used by

181

<citerefentry><refentrytitle>mandos-client</refentrytitle>

182

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

198

183

normally written to /etc/mandos for later installation into the

199

initrd image, but this, like most things, can be changed with

200

command line options.

184

initrd image, but this, and most other things, can be changed

185

with command line options.

201

186

</para>

202

187

<para>

203

It can also be used to generate ready-made sections for

188

This program can also be used with the

189

<option>--password</option> or <option>--passfile</option>

190

options to generate a ready-made section for

191

<filename>clients.conf</filename> (see

204

192

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

205

<manvolnum>5</manvolnum></citerefentry> using the

206

<option>--password</option> option.

193

<manvolnum>5</manvolnum></citerefentry>).

207

194

</para>

208

195

</refsect1>

209

196

210

197

211

198

<title>PURPOSE</title>

212

213

199

<para>

214

200

The purpose of this is to enable <emphasis>remote and unattended

215

201

rebooting</emphasis> of client host computer with an

216

202

<emphasis>encrypted root file system</emphasis>. See <xref

217

203

linkend="overview"/> for details.

218

204

</para>

219

220

205

</refsect1>

221

206

222

207

223

208

<title>OPTIONS</title>

224

209

225

210

226

211

227

212

213

228

214

229

215

<para>

230

216

Show a help message and exit

231

217

</para>

232

218

</listitem>

233

219

</varlistentry>

234

220

235

221

236

<term><literal>-d</literal>, <literal>--dir

237

<replaceable>directory</replaceable></literal></term>

222

<term><option>--dir

223

<replaceable>DIRECTORY</replaceable></option></term>

224

<term><option>-d

225

<replaceable>DIRECTORY</replaceable></option></term>

238

226

239

227

<para>

240

228

Target directory for key files. Default is

241

<filename>/etc/mandos</filename>.

242

</para>

243

</listitem>

244

</varlistentry>

245

246

247

<term><literal>-t</literal>, <literal>--type

248

249

250

<para>

251

Key type. Default is <quote>DSA</quote>.

252

</para>

253

</listitem>

254

</varlistentry>

255

256

257

<term><literal>-l</literal>, <literal>--length

258

259

260

<para>

261

Key length in bits. Default is 2048.

262

</para>

263

</listitem>

264

</varlistentry>

265

266

267

<term><literal>-s</literal>, <literal>--subtype

268

269

270

<para>

271

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

229

<filename class="directory">/etc/mandos</filename>.

230

</para>

231

</listitem>

232

</varlistentry>

233

234

235

<term><option>--type

236

237

<term><option>-t

238

239

240

<para>

241

Key type. Default is <quote>RSA</quote>.

242

</para>

243

</listitem>

244

</varlistentry>

245

246

247

<term><option>--length

248

249

<term><option>-l

250

251

252

<para>

253

Key length in bits. Default is 4096.

254

</para>

255

</listitem>

256

</varlistentry>

257

258

259

<term><option>--subtype

260

<replaceable>KEYTYPE</replaceable></option></term>

261

<term><option>-s

262

<replaceable>KEYTYPE</replaceable></option></term>

263

264

<para>

265

Subkey type. Default is <quote>RSA</quote> (Elgamal

272

266

encryption-only).

273

267

</para>

274

268

</listitem>

275

269

</varlistentry>

276

270

277

271

278

<term><literal>-L</literal>, <literal>--sublength

279

272

<term><option>--sublength

273

274

<term><option>-L

275

280

276

281

277

<para>

282

Subkey length in bits. Default is 2048.

278

Subkey length in bits. Default is 4096.

283

279

</para>

284

280

</listitem>

285

281

</varlistentry>

286

282

287

283

288

<term><literal>-e</literal>, <literal>--email</literal>

289

<replaceable>address</replaceable></term>

284

<term><option>--email

285

<replaceable>ADDRESS</replaceable></option></term>

286

<term><option>-e

287

<replaceable>ADDRESS</replaceable></option></term>

290

288

291

289

<para>

292

290

Email address of key. Default is empty.

293

291

</para>

294

292

</listitem>

295

293

</varlistentry>

296

294

297

295

298

<term><literal>-c</literal>, <literal>--comment</literal>

299

<replaceable>comment</replaceable></term>

296

<term><option>--comment

297

298

<term><option>-c

299

300

301

<para>

302

Comment field for key. The default value is

303

<quote><literal>Mandos client key</literal></quote>.

302

Comment field for key. Default is empty.

304

303

</para>

305

304

</listitem>

306

305

</varlistentry>

307

306

308

307

309

<term><literal>-x</literal>, <literal>--expire</literal>

310

308

<term><option>--expire

309

310

<term><option>-x

311

311

312

312

313

<para>

313

314

Key expire time. Default is no expiration. See

316

317

</para>

317

318

</listitem>

318

319

</varlistentry>

319

320

321

321

<term><literal>-f</literal>, <literal>--force</literal></term>

322

<term><option>--force</option></term>

323

322

324

323

325

<para>

324

Force overwriting old keys.

326

Force overwriting old key.

325

327

</para>

326

328

</listitem>

327

329

</varlistentry>

328

330

329

<term><literal>-p</literal>, <literal>--password</literal

330

></term>

331

<term><option>--password</option></term>

332

331

333

332

334

<para>

333

335

Prompt for a password and encrypt it with the key already

339

341

>8</manvolnum></citerefentry>. The host name or the name

340

342

specified with the <option>--name</option> option is used

341

343

for the section header. All other options are ignored,

342

and no keys are created.

344

and no key is created.

345

</para>

346

</listitem>

347

</varlistentry>

348

349

<term><option>--passfile

350

351

<term><option>-F

352

353

354

<para>

355

The same as <option>--password</option>, but read from

356

<replaceable>FILE</replaceable>, not the terminal.

357

</para>

358

</listitem>

359

</varlistentry>

360

361

362

363

364

<para>

365

When <option>--password</option> or

366

<option>--passfile</option> is given, this option will

367

prevent <command>&COMMANDNAME;</command> from calling

368

<command>ssh-keyscan</command> to get an SSH fingerprint

369

for this host and, if successful, output suitable config

370

options to use this fingerprint as a

371

<option>checker</option> option in the output. This is

372

otherwise the default behavior.

343

373

</para>

344

374

</listitem>

345

375

</varlistentry>

346

376

</variablelist>

347

377

</refsect1>

348

378

349

379

350

380

<title>OVERVIEW</title>

351

381

<xi:include href="overview.xml"/>

352

382

<para>

353

383

This program is a small utility to generate new OpenPGP keys for

354

new Mandos clients.

384

new Mandos clients, and to generate sections for inclusion in

385

<filename>clients.conf</filename> on the server.

355

386

</para>

356

387

</refsect1>

357

388

358

389

359

390

<title>EXIT STATUS</title>

360

391

<para>

361

The exit status will be 0 if new keys were successfully created,

362

otherwise not.

392

The exit status will be 0 if a new key (or password, if the

393

<option>--password</option> option was used) was successfully

394

created, otherwise not.

363

395

</para>

364

396

</refsect1>

365

397

367

399

<title>ENVIRONMENT</title>

368

400

369

401

370

<term><varname>TMPDIR</varname></term>

402

<term><envar>TMPDIR</envar></term>

371

403

372

404

<para>

373

405

If set, temporary files will be created here. See

379

411

</variablelist>

380

412

</refsect1>

381

413

382

414

383

415

<title>FILES</title>

384

416

<para>

385

417

Use the <option>--dir</option> option to change where

406

438

</listitem>

407

439

</varlistentry>

408

440

409

441

410

442

411

443

<para>

412

444

Temporary files will be written here if

416

448

</varlistentry>

417

449

</variablelist>

418

450

</refsect1>

419

420

421

422

<para>

423

None are known at this time.

424

</para>

425

</refsect1>

426

451

452

453

454

455

456

457

427

458

428

459

<title>EXAMPLE</title>

429

460

431

462

Normal invocation needs no options:

432

463

</para>

433

464

<para>

434

<userinput>mandos-keygen</userinput>

465

<userinput>&COMMANDNAME;</userinput>

435

466

</para>

436

467

</informalexample>

437

468

438

469

<para>

439

Create keys in another directory and of another type. Force

470

Create key in another directory and of another type. Force

440

471

overwriting old key files:

441

472

</para>

442

473

<para>

443

474

444

475

445

<userinput>mandos-keygen --dir ~/keydir --type RSA --force</userinput>

476

<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>

477

478

</para>

479

</informalexample>

480

481

<para>

482

Prompt for a password, encrypt it with the key in <filename

483

class="directory">/etc/mandos</filename> and output a section

484

suitable for <filename>clients.conf</filename>.

485

</para>

486

<para>

487

<userinput>&COMMANDNAME; --password</userinput>

488

</para>

489

</informalexample>

490

491

<para>

492

Prompt for a password, encrypt it with the key in the

493

<filename>client-key</filename> directory and output a section

494

suitable for <filename>clients.conf</filename>.

495

</para>

496

<para>

497

498

499

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

446

500

447

501

</para>

448

502

</informalexample>

449

503

</refsect1>

450

504

451

505

452

506

<title>SECURITY</title>

453

507

<para>

454

508

The <option>--type</option>, <option>--length</option>,

455

509

<option>--subtype</option>, and <option>--sublength</option>

456

options can be used to create keys of insufficient security. If

457

in doubt, leave them to the default values.

510

options can be used to create keys of low security. If in

511

doubt, leave them to the default values.

458

512

</para>

459

513

<para>

460

The key expire time is not guaranteed to be honored by

461

<citerefentry><refentrytitle>mandos</refentrytitle>

514

The key expire time is <emphasis>not</emphasis> guaranteed to be

515

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

462

516

<manvolnum>8</manvolnum></citerefentry>.

463

517

</para>

464

518

</refsect1>

465

519

466

520

467

521

468

522

<para>

469

<citerefentry><refentrytitle>password-request</refentrytitle>

523

<citerefentry><refentrytitle>intro</refentrytitle>

470

524

<manvolnum>8mandos</manvolnum></citerefentry>,

525

526

<manvolnum>1</manvolnum></citerefentry>,

527

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

528

<manvolnum>5</manvolnum></citerefentry>,

471

529

<citerefentry><refentrytitle>mandos</refentrytitle>

472

530

<manvolnum>8</manvolnum></citerefentry>,

473

531

<citerefentry><refentrytitle>mandos-client</refentrytitle>

532

<manvolnum>8mandos</manvolnum></citerefentry>,

533

<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>

474

534

475

535

</para>

476

536

</refsect1>

Older »