1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
<!ENTITY VERSION "1.0">
5
4
<!ENTITY COMMANDNAME "mandos-keygen">
6
<!ENTITY TIMESTAMP "2008-09-06">
5
<!ENTITY TIMESTAMP "2019-02-10">
6
<!ENTITY % common SYSTEM "common.ent">
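Review bot: `<!ENTITY % common SYSTEM "common.ent">` only declares the parameter entity; the declarations in common.ent (which is where `version`, the replacement for the removed `VERSION` entity, is presumably defined) are pulled into the internal subset only when `%common;` is referenced after it. That reference is not in this hunk, so please confirm it follows, and that the internal subset opened by `[` after the DTD URL is closed with `]>`; otherwise `&version;` in `<productnumber>` is an undeclared entity and the whole refentry fails to parse. Note also that entity names are case-sensitive, so the name in common.ent must be exactly `version`.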
9
10
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
11
12
<title>Mandos Manual</title>
12
13
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
13
14
<productname>Mandos</productname>
14
<productnumber>&VERSION;</productnumber>
15
<productnumber>&version;</productnumber>
15
16
<date>&TIMESTAMP;</date>
18
19
<firstname>Björn</firstname>
19
20
<surname>Påhlsson</surname>
21
<email>belorn@fukt.bsnet.se</email>
22
<email>belorn@recompile.se</email>
25
26
<firstname>Teddy</firstname>
26
27
<surname>Hogeborn</surname>
28
<email>teddy@fukt.bsnet.se</email>
29
<email>teddy@recompile.se</email>
34
45
<holder>Teddy Hogeborn</holder>
35
46
<holder>Björn Påhlsson</holder>
37
48
<xi:include href="legalnotice.xml"/>
41
52
<refentrytitle>&COMMANDNAME;</refentrytitle>
42
53
<manvolnum>8</manvolnum>
115
126
<replaceable>TIME</replaceable></option></arg>
118
<arg><option>--force</option></arg>
130
<arg choice="plain"><option>--tls-keytype
131
<replaceable>KEYTYPE</replaceable></option></arg>
132
<arg choice="plain"><option>-T
133
<replaceable>KEYTYPE</replaceable></option></arg>
137
<arg choice="plain"><option>--force</option></arg>
138
<arg choice="plain"><option>-f</option></arg>
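Review bot: `--tls-keytype KEYTYPE` and `-T KEYTYPE` are emitted as two consecutive `<arg choice="plain">` elements, and `--force`/`-f` change from plain `<arg>` (optional by default) to `<arg choice="plain">`. Unless each pair sits inside a `<group>` (the pattern used for `--password`/`-p` in the next hunk, `<group choice="req">`), two plain args render as two separate mandatory arguments rather than as alternatives, and dropping the default optional choice on `--force` makes it look required in the synopsis. If the enclosing `<group>` is in unchanged context outside this hunk this is fine; otherwise wrap each pair in one.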
121
142
<command>&COMMANDNAME;</command>
122
143
<group choice="req">
123
144
<arg choice="plain"><option>--password</option></arg>
124
145
<arg choice="plain"><option>-p</option></arg>
146
<arg choice="plain"><option>--passfile
147
<replaceable>FILE</replaceable></option></arg>
148
<arg choice="plain"><option>-F</option>
149
<replaceable>FILE</replaceable></arg>
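Review bot: the markup for the two spellings of the passfile option is inconsistent: `--passfile` keeps `<replaceable>FILE</replaceable>` inside `<option>` (`<option>--passfile <replaceable>FILE</replaceable></option>`), while `-F` closes `<option>` first and places `<replaceable>FILE</replaceable>` directly inside `<arg>`. The two forms render with different spacing and font in the synopsis; the `-n NAME` and `-T KEYTYPE` entries in this file keep `<replaceable>` inside `<option>`, so use that form for `-F` as well.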
137
162
<arg choice="plain"><option>-n
138
163
<replaceable>NAME</replaceable></option></arg>
166
<arg choice="plain"><option>--no-ssh</option></arg>
167
<arg choice="plain"><option>-S</option></arg>
142
171
<command>&COMMANDNAME;</command>
158
187
<title>DESCRIPTION</title>
160
189
<command>&COMMANDNAME;</command> is a program to generate the
190
TLS and OpenPGP keys used by
162
191
<citerefentry><refentrytitle>mandos-client</refentrytitle>
163
<manvolnum>8mandos</manvolnum></citerefentry>. The key is
192
<manvolnum>8mandos</manvolnum></citerefentry>. The keys are
164
193
normally written to /etc/mandos for later installation into the
165
194
initrd image, but this, and most other things, can be changed
166
195
with command line options.
169
198
This program can also be used with the
170
<option>--password</option> option to generate a ready-made
171
section for <filename>clients.conf</filename> (see
199
<option>--password</option> or <option>--passfile</option>
200
options to generate a ready-made section for
201
<filename>clients.conf</filename> (see
172
202
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
173
203
<manvolnum>5</manvolnum></citerefentry>).
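Review bot: the description still says the keys are "normally written to /etc/mandos", but the FILES entries in this same change list the TLS key pair as `/etc/keys/mandos/tls-privkey.pem` and `/etc/keys/mandos/tls-pubkey.pem`, and the EXAMPLES text also says "the key in /etc/mandos". If the TLS keys and the OpenPGP keyring live in different directories, say so here and in the example instead of leaving the reader to reconcile the two; an administrator looking in the wrong directory for the private key they need to protect is a real failure mode for a key-generation tool.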
242
272
<replaceable>KEYTYPE</replaceable></option></term>
245
Subkey type. Default is <quote>ELG-E</quote> (Elgamal
275
OpenPGP subkey type. Default is <quote>RSA</quote>
252
281
<term><option>--sublength
253
282
<replaceable>BITS</replaceable></option></term>
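Review bot: changing the default OpenPGP subkey type from ELG-E to RSA changes which `--sublength BITS` values make sense, so the `--sublength` entry that follows should state the default that now applies and that it has to be valid for an RSA subkey. The new description line is also shorter than the one it replaces (`OpenPGP subkey type. Default is <quote>RSA</quote>` with nothing after it, where the old line continued with a parenthetical); check that the rest of the sentence was not lost in the edit.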
279
308
<replaceable>TEXT</replaceable></option></term>
282
Comment field for key. The default value is
283
<quote><literal>Mandos client key</literal></quote>.
311
Comment field for key. Default is empty.
289
317
<term><option>--expire
290
318
<replaceable>TIME</replaceable></option></term>
331
<term><option>--tls-keytype
332
<replaceable>KEYTYPE</replaceable></option></term>
334
<replaceable>KEYTYPE</replaceable></option></term>
337
TLS key type. Default is <quote>ed25519</quote>
303
343
<term><option>--force</option></term>
304
344
<term><option>-f</option></term>
370
<term><option>--passfile
371
<replaceable>FILE</replaceable></option></term>
373
<replaceable>FILE</replaceable></option></term>
376
The same as <option>--password</option>, but read from
377
<replaceable>FILE</replaceable>, not the terminal.
382
<term><option>--no-ssh</option></term>
383
<term><option>-S</option></term>
386
When <option>--password</option> or
387
<option>--passfile</option> is given, this option will
388
prevent <command>&COMMANDNAME;</command> from calling
389
<command>ssh-keyscan</command> to get an SSH fingerprint
390
for this host and, if successful, output suitable config
391
options to use this fingerprint as a
392
<option>checker</option> option in the output. This is
393
otherwise the default behavior.
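Review bot: the `--passfile FILE` text should say how FILE is read: whether a trailing newline is stripped or becomes part of the password, and whether the whole file or only its first line is used. A password file written by an editor or by `echo` ends in a newline, and if that byte is encrypted together with the password, the secret the client later receives differs from what the administrator typed and the only symptom is a client that cannot unlock itself. For `--no-ssh`, it would also help to state which address `ssh-keyscan` is pointed at when it gets "an SSH fingerprint for this host", and that the fingerprint written into the `checker` option is whatever key the SSH daemon presents at generation time, so the section has to be regenerated after an SSH host key change or the checker will stop matching.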
332
400
<refsect1 id="overview">
333
401
<title>OVERVIEW</title>
334
402
<xi:include href="overview.xml"/>
336
This program is a small utility to generate new OpenPGP keys for
337
new Mandos clients, and to generate sections for inclusion in
338
<filename>clients.conf</filename> on the server.
404
This program is a small utility to generate new TLS and OpenPGP
405
keys for new Mandos clients, and to generate sections for
406
inclusion in <filename>clients.conf</filename> on the server.
342
410
<refsect1 id="exit_status">
343
411
<title>EXIT STATUS</title>
394
<term><filename>/tmp</filename></term>
462
<term><filename>/etc/keys/mandos/tls-privkey.pem</filename></term>
465
Private key file which will be created or overwritten.
470
<term><filename>/etc/keys/mandos/tls-pubkey.pem</filename></term>
473
Public key file which will be created or overwritten.
478
<term><filename class="directory">/tmp</filename></term>
397
481
Temporary files will be written here if
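Review bot: "Private key file which will be created or overwritten" should say under which condition an existing file is overwritten, given that the synopsis and OPTIONS now carry `--force`/`-f`: if `tls-privkey.pem` is only replaced when `--force` is given, state that here, because silently overwriting a deployed client's private key invalidates the key already installed in its initrd. The entry should also give the mode the private key file is created with, since readers of a key-generation manual will want to confirm it is not group- or world-readable. The `/tmp` entry's sentence ("Temporary files will be written here if") is cut off in this hunk; check that the full text says when those files are removed.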
432
515
</informalexample>
433
516
<informalexample>
435
Prompt for a password, encrypt it with the key in
436
<filename>/etc/mandos</filename> and output a section suitable
437
for <filename>clients.conf</filename>.
518
Prompt for a password, encrypt it with the key in <filename
519
class="directory">/etc/mandos</filename> and output a section
520
suitable for <filename>clients.conf</filename>.
440
523
<userinput>&COMMANDNAME; --password</userinput>
469
552
<manvolnum>8</manvolnum></citerefentry>.
473
556
<refsect1 id="see_also">
474
557
<title>SEE ALSO</title>
559
<citerefentry><refentrytitle>intro</refentrytitle>
560
<manvolnum>8mandos</manvolnum></citerefentry>,
476
561
<citerefentry><refentrytitle>gpg</refentrytitle>
477
562
<manvolnum>1</manvolnum></citerefentry>,
478
563
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
480
565
<citerefentry><refentrytitle>mandos</refentrytitle>
481
566
<manvolnum>8</manvolnum></citerefentry>,
482
567
<citerefentry><refentrytitle>mandos-client</refentrytitle>
483
<manvolnum>8mandos</manvolnum></citerefentry>
568
<manvolnum>8mandos</manvolnum></citerefentry>,
569
<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>
570
<manvolnum>1</manvolnum></citerefentry>