11
12
<title>Mandos Manual</title>
12
13
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
13
14
<productname>Mandos</productname>
14
<productnumber>&VERSION;</productnumber>
15
<productnumber>&version;</productnumber>
15
16
<date>&TIMESTAMP;</date>
18
19
<firstname>Björn</firstname>
19
20
<surname>Påhlsson</surname>
21
<email>belorn@fukt.bsnet.se</email>
22
<email>belorn@recompile.se</email>
25
26
<firstname>Teddy</firstname>
26
27
<surname>Hogeborn</surname>
28
<email>teddy@fukt.bsnet.se</email>
29
<email>teddy@recompile.se</email>
34
44
<holder>Teddy Hogeborn</holder>
35
45
<holder>Björn Påhlsson</holder>
39
This manual page is free software: you can redistribute it
40
and/or modify it under the terms of the GNU General Public
41
License as published by the Free Software Foundation,
42
either version 3 of the License, or (at your option) any
47
This manual page is distributed in the hope that it will
48
be useful, but WITHOUT ANY WARRANTY; without even the
49
implied warranty of MERCHANTABILITY or FITNESS FOR A
50
PARTICULAR PURPOSE. See the GNU General Public License
55
You should have received a copy of the GNU General Public
56
License along with this program; If not, see
57
<ulink url="http://www.gnu.org/licenses/"/>.
47
<xi:include href="legalnotice.xml"/>
63
51
<refentrytitle>&COMMANDNAME;</refentrytitle>
64
52
<manvolnum>8</manvolnum>
178
176
</refsynopsisdiv>
180
178
<refsect1 id="description">
181
179
<title>DESCRIPTION</title>
183
181
<command>&COMMANDNAME;</command> is a program to generate the
185
<citerefentry><refentrytitle>password-request</refentrytitle>
186
<manvolnum>8mandos</manvolnum></citerefentry>. The keys are
183
<citerefentry><refentrytitle>mandos-client</refentrytitle>
184
<manvolnum>8mandos</manvolnum></citerefentry>. The key is
187
185
normally written to /etc/mandos for later installation into the
188
initrd image, but this, like most things, can be changed with
189
command line options.
186
initrd image, but this, and most other things, can be changed
187
with command line options.
192
It can also be used to generate ready-made sections for
190
This program can also be used with the
191
<option>--password</option> or <option>--passfile</option>
192
options to generate a ready-made section for
193
<filename>clients.conf</filename> (see
193
194
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
194
<manvolnum>5</manvolnum></citerefentry> using the
195
<option>--password</option> option.
195
<manvolnum>5</manvolnum></citerefentry>).
199
199
<refsect1 id="purpose">
200
200
<title>PURPOSE</title>
203
202
The purpose of this is to enable <emphasis>remote and unattended
204
203
rebooting</emphasis> of client host computer with an
205
204
<emphasis>encrypted root file system</emphasis>. See <xref
206
205
linkend="overview"/> for details.
211
209
<refsect1 id="options">
212
210
<title>OPTIONS</title>
216
<term><literal>-h</literal>, <literal>--help</literal></term>
214
<term><option>--help</option></term>
215
<term><option>-h</option></term>
219
218
Show a help message and exit
225
<term><literal>-d</literal>, <literal>--dir
226
<replaceable>directory</replaceable></literal></term>
225
<replaceable>DIRECTORY</replaceable></option></term>
227
<replaceable>DIRECTORY</replaceable></option></term>
229
230
Target directory for key files. Default is
230
<filename>/etc/mandos</filename>.
236
<term><literal>-t</literal>, <literal>--type
237
<replaceable>type</replaceable></literal></term>
240
Key type. Default is <quote>DSA</quote>.
246
<term><literal>-l</literal>, <literal>--length
247
<replaceable>bits</replaceable></literal></term>
250
Key length in bits. Default is 2048.
256
<term><literal>-s</literal>, <literal>--subtype
257
<replaceable>type</replaceable></literal></term>
260
Subkey type. Default is <quote>ELG-E</quote> (Elgamal
231
<filename class="directory">/etc/mandos</filename>.
238
<replaceable>TYPE</replaceable></option></term>
240
<replaceable>TYPE</replaceable></option></term>
243
Key type. Default is <quote>RSA</quote>.
249
<term><option>--length
250
<replaceable>BITS</replaceable></option></term>
252
<replaceable>BITS</replaceable></option></term>
255
Key length in bits. Default is 4096.
261
<term><option>--subtype
262
<replaceable>KEYTYPE</replaceable></option></term>
264
<replaceable>KEYTYPE</replaceable></option></term>
267
Subkey type. Default is <quote>RSA</quote> (Elgamal
261
268
encryption-only).
267
<term><literal>-L</literal>, <literal>--sublength
268
<replaceable>bits</replaceable></literal></term>
274
<term><option>--sublength
275
<replaceable>BITS</replaceable></option></term>
277
<replaceable>BITS</replaceable></option></term>
271
Subkey length in bits. Default is 2048.
280
Subkey length in bits. Default is 4096.
277
<term><literal>-e</literal>, <literal>--email</literal>
278
<replaceable>address</replaceable></term>
286
<term><option>--email
287
<replaceable>ADDRESS</replaceable></option></term>
289
<replaceable>ADDRESS</replaceable></option></term>
281
292
Email address of key. Default is empty.
287
<term><literal>-c</literal>, <literal>--comment</literal>
288
<replaceable>comment</replaceable></term>
298
<term><option>--comment
299
<replaceable>TEXT</replaceable></option></term>
301
<replaceable>TEXT</replaceable></option></term>
291
Comment field for key. The default value is
292
<quote><literal>Mandos client key</literal></quote>.
304
Comment field for key. Default is empty.
298
<term><literal>-x</literal>, <literal>--expire</literal>
299
<replaceable>time</replaceable></term>
310
<term><option>--expire
311
<replaceable>TIME</replaceable></option></term>
313
<replaceable>TIME</replaceable></option></term>
302
316
Key expire time. Default is no expiration. See
328
343
>8</manvolnum></citerefentry>. The host name or the name
329
344
specified with the <option>--name</option> option is used
330
345
for the section header. All other options are ignored,
331
and no keys are created.
346
and no key is created.
351
<term><option>--passfile
352
<replaceable>FILE</replaceable></option></term>
354
<replaceable>FILE</replaceable></option></term>
357
The same as <option>--password</option>, but read from
358
<replaceable>FILE</replaceable>, not the terminal.
363
<term><option>--no-ssh</option></term>
364
<term><option>-S</option></term>
367
When <option>--password</option> or
368
<option>--passfile</option> is given, this option will
369
prevent <command>&COMMANDNAME;</command> from calling
370
<command>ssh-keyscan</command> to get an SSH fingerprint
371
for this host and, if successful, output suitable config
372
options to use this fingerprint as a
373
<option>checker</option> option in the output. This is
374
otherwise the default behavior.
338
381
<refsect1 id="overview">
339
382
<title>OVERVIEW</title>
340
383
<xi:include href="overview.xml"/>
342
385
This program is a small utility to generate new OpenPGP keys for
386
new Mandos clients, and to generate sections for inclusion in
387
<filename>clients.conf</filename> on the server.
347
391
<refsect1 id="exit_status">
348
392
<title>EXIT STATUS</title>
350
The exit status will be 0 if new keys were successfully created,
394
The exit status will be 0 if a new key (or password, if the
395
<option>--password</option> option was used) was successfully
396
created, otherwise not.
437
480
</informalexample>
483
Prompt for a password, encrypt it with the key in <filename
484
class="directory">/etc/mandos</filename> and output a section
485
suitable for <filename>clients.conf</filename>.
488
<userinput>&COMMANDNAME; --password</userinput>
493
Prompt for a password, encrypt it with the key in the
494
<filename>client-key</filename> directory and output a section
495
suitable for <filename>clients.conf</filename>.
499
<!-- do not wrap this line -->
500
<userinput>&COMMANDNAME; --password --dir client-key</userinput>
440
506
<refsect1 id="security">
441
507
<title>SECURITY</title>
443
509
The <option>--type</option>, <option>--length</option>,
444
510
<option>--subtype</option>, and <option>--sublength</option>
445
options can be used to create keys of insufficient security. If
446
in doubt, leave them to the default values.
511
options can be used to create keys of low security. If in
512
doubt, leave them to the default values.
449
The key expire time is not guaranteed to be honored by
450
<citerefentry><refentrytitle>mandos</refentrytitle>
515
The key expire time is <emphasis>not</emphasis> guaranteed to be
516
honored by <citerefentry><refentrytitle>mandos</refentrytitle>
451
517
<manvolnum>8</manvolnum></citerefentry>.
455
521
<refsect1 id="see_also">
456
522
<title>SEE ALSO</title>
524
<citerefentry><refentrytitle>intro</refentrytitle>
525
<manvolnum>8mandos</manvolnum></citerefentry>,
458
526
<citerefentry><refentrytitle>gpg</refentrytitle>
459
527
<manvolnum>1</manvolnum></citerefentry>,
528
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
529
<manvolnum>5</manvolnum></citerefentry>,
460
530
<citerefentry><refentrytitle>mandos</refentrytitle>
461
531
<manvolnum>8</manvolnum></citerefentry>,
462
<citerefentry><refentrytitle>password-request</refentrytitle>
463
<manvolnum>8mandos</manvolnum></citerefentry>
532
<citerefentry><refentrytitle>mandos-client</refentrytitle>
533
<manvolnum>8mandos</manvolnum></citerefentry>,
534
<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>
535
<manvolnum>1</manvolnum></citerefentry>