


Viewing changes to mandos-keygen.xml

  • Committer: Teddy Hogeborn
  • Date: 2019-02-10 08:41:14 UTC
  • mto: (237.7.594 trunk)
  • mto: This revision was merged to the branch mainline in revision 372.
  • Revision ID: teddy@recompile.se-20190210084114-u91mijrxtifvzra5
Bug fix: Only create TLS key with certtool, and read correct key file

* debian/mandos-client.postinst (create_keys): Remove any bad keys
                                               created by 1.8.0-1.
                                               Only create TLS keys if
                                               certtool succeeds.
* debian/mandos.postinst (configure): Remove any bad keys from
                                      clients.conf, and inform the
                                      user if any were found.
* debian/mandos.templates (mandos/removed_bad_key_ids): New message.
* mandos (MandosServer.handle_ipc): Do not trust a key_id with a known
                                    bad key ID.
* mandos-keygen (keygen): Only create TLS keys if certtool succeeds.
  (password): Bug fix: Generate key_id correctly, and only output
              key_id if TLS key exists.

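--- a/mandos-keygen.xml
+++ b/mandos-keygen.xml
@@ -1,62 +1,54 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
         "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
-<!ENTITY VERSION "1.0">
 <!ENTITY COMMANDNAME "mandos-keygen">
+<!ENTITY TIMESTAMP "2019-02-10">
+<!ENTITY % common SYSTEM "common.ent">
+%common;
 ]>
 
 <refentry xmlns:xi="http://www.w3.org/2001/XInclude">
   <refentryinfo>
-    <title>&COMMANDNAME;</title>
+    <title>Mandos Manual</title>
     <!-- NWalsh’s docbook scripts use this to generate the footer: -->
-    <productname>&COMMANDNAME;</productname>
-    <productnumber>&VERSION;</productnumber>
+    <productname>Mandos</productname>
+    <productnumber>&version;</productnumber>
+    <date>&TIMESTAMP;</date>
     <authorgroup>
       <author>
         <firstname>Björn</firstname>
         <surname>Påhlsson</surname>
         <address>
-          <email>belorn@fukt.bsnet.se</email>
+          <email>belorn@recompile.se</email>
         </address>
       </author>
       <author>
         <firstname>Teddy</firstname>
         <surname>Hogeborn</surname>
         <address>
-          <email>teddy@fukt.bsnet.se</email>
+          <email>teddy@recompile.se</email>
         </address>
       </author>
     </authorgroup>
     <copyright>
       <year>2008</year>
+      <year>2009</year>
+      <year>2010</year>
+      <year>2011</year>
+      <year>2012</year>
+      <year>2013</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2017</year>
+      <year>2018</year>
+      <year>2019</year>
       <holder>Teddy Hogeborn</holder>
       <holder>Björn Påhlsson</holder>
     </copyright>
-    <legalnotice>
-      <para>
-        This manual page is free software: you can redistribute it
-        and/or modify it under the terms of the GNU General Public
-        License as published by the Free Software Foundation,
-        either version 3 of the License, or (at your option) any
-        later version.
-      </para>
-
-      <para>
-        This manual page is distributed in the hope that it will
-        be useful, but WITHOUT ANY WARRANTY; without even the
-        implied warranty of MERCHANTABILITY or FITNESS FOR A
-        PARTICULAR PURPOSE.  See the GNU General Public License
-        for more details.
-      </para>
-
-      <para>
-        You should have received a copy of the GNU General Public
-        License along with this program; If not, see
-        <ulink url="http://www.gnu.org/licenses/"/>.
-      </para>
-    </legalnotice>
+    <xi:include href="legalnotice.xml"/>
   </refentryinfo>
-
+  
   <refmeta>
     <refentrytitle>&COMMANDNAME;</refentrytitle>
     <manvolnum>8</manvolnum>
@@ -65,247 +57,268 @@
   <refnamediv>
     <refname><command>&COMMANDNAME;</command></refname>
     <refpurpose>
-      Generate keys for <citerefentry><refentrytitle>password-request
-      </refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>
+      Generate key and password for Mandos client and server.
     </refpurpose>
   </refnamediv>
-
+  
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>&COMMANDNAME;</command>
-      <group choice="opt">
-        <arg choice="plain"><option>--dir</option>
-        <replaceable>directory</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>--type</option>
-        <replaceable>type</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>--length</option>
-        <replaceable>bits</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>--subtype</option>
-        <replaceable>type</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>--sublength</option>
-        <replaceable>bits</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>--name</option>
-        <replaceable>NAME</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>--email</option>
-        <replaceable>EMAIL</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>--comment</option>
-        <replaceable>COMMENT</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>--expire</option>
-        <replaceable>TIME</replaceable></arg>
-      </group>
-      <group choice="opt">
+      <group>
+        <arg choice="plain"><option>--dir
+        <replaceable>DIRECTORY</replaceable></option></arg>
+        <arg choice="plain"><option>-d
+        <replaceable>DIRECTORY</replaceable></option></arg>
+      </group>
+      <sbr/>
+      <group>
+        <arg choice="plain"><option>--type
+        <replaceable>KEYTYPE</replaceable></option></arg>
+        <arg choice="plain"><option>-t
+        <replaceable>KEYTYPE</replaceable></option></arg>
+      </group>
+      <sbr/>
+      <group>
+        <arg choice="plain"><option>--length
+        <replaceable>BITS</replaceable></option></arg>
+        <arg choice="plain"><option>-l
+        <replaceable>BITS</replaceable></option></arg>
+      </group>
+      <sbr/>
+      <group>
+        <arg choice="plain"><option>--subtype
+        <replaceable>KEYTYPE</replaceable></option></arg>
+        <arg choice="plain"><option>-s
+        <replaceable>KEYTYPE</replaceable></option></arg>
+      </group>
+      <sbr/>
+      <group>
+        <arg choice="plain"><option>--sublength
+        <replaceable>BITS</replaceable></option></arg>
+        <arg choice="plain"><option>-L
+        <replaceable>BITS</replaceable></option></arg>
+      </group>
+      <sbr/>
+      <group>
+        <arg choice="plain"><option>--name
+        <replaceable>NAME</replaceable></option></arg>
+        <arg choice="plain"><option>-n
+        <replaceable>NAME</replaceable></option></arg>
+      </group>
+      <sbr/>
+      <group>
+        <arg choice="plain"><option>--email
+        <replaceable>ADDRESS</replaceable></option></arg>
+        <arg choice="plain"><option>-e
+        <replaceable>ADDRESS</replaceable></option></arg>
+      </group>
+      <sbr/>
+      <group>
+        <arg choice="plain"><option>--comment
+        <replaceable>TEXT</replaceable></option></arg>
+        <arg choice="plain"><option>-c
+        <replaceable>TEXT</replaceable></option></arg>
+      </group>
+      <sbr/>
+      <group>
+        <arg choice="plain"><option>--expire
+        <replaceable>TIME</replaceable></option></arg>
+        <arg choice="plain"><option>-x
+        <replaceable>TIME</replaceable></option></arg>
+      </group>
+      <sbr/>
+      <group>
+        <arg choice="plain"><option>--tls-keytype
+        <replaceable>KEYTYPE</replaceable></option></arg>
+        <arg choice="plain"><option>-T
+        <replaceable>KEYTYPE</replaceable></option></arg>
+      </group>
+      <sbr/>
+      <group>
         <arg choice="plain"><option>--force</option></arg>
-      </group>
-    </cmdsynopsis>
-    <cmdsynopsis>
-      <command>&COMMANDNAME;</command>
-      <group choice="opt">
-        <arg choice="plain"><option>-d</option>
-        <replaceable>directory</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>-t</option>
-        <replaceable>type</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>-l</option>
-        <replaceable>bits</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>-s</option>
-        <replaceable>type</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>-L</option>
-        <replaceable>bits</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>-n</option>
-        <replaceable>NAME</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>-e</option>
-        <replaceable>EMAIL</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>-c</option>
-        <replaceable>COMMENT</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>-x</option>
-        <replaceable>TIME</replaceable></arg>
-      </group>
-      <group choice="opt">
         <arg choice="plain"><option>-f</option></arg>
       </group>
     </cmdsynopsis>
     <cmdsynopsis>
       <command>&COMMANDNAME;</command>
       <group choice="req">
+        <arg choice="plain"><option>--password</option></arg>
         <arg choice="plain"><option>-p</option></arg>
-        <arg choice="plain"><option>--password</option></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>--dir</option>
-        <replaceable>directory</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>--name</option>
-        <replaceable>NAME</replaceable></arg>
+        <arg choice="plain"><option>--passfile
+        <replaceable>FILE</replaceable></option></arg>
+        <arg choice="plain"><option>-F</option>
+        <replaceable>FILE</replaceable></arg>
+      </group>
+      <sbr/>
+      <group>
+        <arg choice="plain"><option>--dir
+        <replaceable>DIRECTORY</replaceable></option></arg>
+        <arg choice="plain"><option>-d
+        <replaceable>DIRECTORY</replaceable></option></arg>
+      </group>
+      <sbr/>
+      <group>
+        <arg choice="plain"><option>--name
+        <replaceable>NAME</replaceable></option></arg>
+        <arg choice="plain"><option>-n
+        <replaceable>NAME</replaceable></option></arg>
+      </group>
+      <group>
+        <arg choice="plain"><option>--no-ssh</option></arg>
+        <arg choice="plain"><option>-S</option></arg>
       </group>
     </cmdsynopsis>
     <cmdsynopsis>
       <command>&COMMANDNAME;</command>
       <group choice="req">
+        <arg choice="plain"><option>--help</option></arg>
         <arg choice="plain"><option>-h</option></arg>
-        <arg choice="plain"><option>--help</option></arg>
       </group>
     </cmdsynopsis>
     <cmdsynopsis>
       <command>&COMMANDNAME;</command>
       <group choice="req">
+        <arg choice="plain"><option>--version</option></arg>
         <arg choice="plain"><option>-v</option></arg>
-        <arg choice="plain"><option>--version</option></arg>
       </group>
     </cmdsynopsis>
   </refsynopsisdiv>
-
+  
   <refsect1 id="description">
     <title>DESCRIPTION</title>
     <para>
       <command>&COMMANDNAME;</command> is a program to generate the
-      OpenPGP keys used by
-      <citerefentry><refentrytitle>password-request</refentrytitle>
+      TLS and OpenPGP keys used by
+      <citerefentry><refentrytitle>mandos-client</refentrytitle>
       <manvolnum>8mandos</manvolnum></citerefentry>.  The keys are
-      normally written to /etc/mandos for later installation into the
-      initrd image, but this, like most things, can be changed with
-      command line options.
+      normally written to /etc/keys/mandos for later installation into
+      the initrd image, but this, and most other things, can be
+      changed with command line options.
     </para>
     <para>
-      It can also be used to generate ready-made sections for
+      This program can also be used with the
+      <option>--password</option> or <option>--passfile</option>
+      options to generate a ready-made section for
+      <filename>clients.conf</filename> (see
       <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
-      <manvolnum>5</manvolnum></citerefentry> using the
-      <option>--password</option> option.
+      <manvolnum>5</manvolnum></citerefentry>).
     </para>
   </refsect1>
   
   <refsect1 id="purpose">
     <title>PURPOSE</title>
-
     <para>
       The purpose of this is to enable <emphasis>remote and unattended
       rebooting</emphasis> of client host computer with an
       <emphasis>encrypted root file system</emphasis>.  See <xref
       linkend="overview"/> for details.
     </para>
-
   </refsect1>
   
   <refsect1 id="options">
     <title>OPTIONS</title>
-
+    
     <variablelist>
       <varlistentry>
-        <term><literal>-h</literal>, <literal>--help</literal></term>
+        <term><option>--help</option></term>
+        <term><option>-h</option></term>
         <listitem>
           <para>
             Show a help message and exit
           </para>
         </listitem>
       </varlistentry>
-
-      <varlistentry>
-        <term><literal>-d</literal>, <literal>--dir
-        <replaceable>directory</replaceable></literal></term>
-        <listitem>
-          <para>
-            Target directory for key files.  Default is
-            <filename>/etc/mandos</filename>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><literal>-t</literal>, <literal>--type
-        <replaceable>type</replaceable></literal></term>
-        <listitem>
-          <para>
-            Key type.  Default is <quote>DSA</quote>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><literal>-l</literal>, <literal>--length
-        <replaceable>bits</replaceable></literal></term>
-        <listitem>
-          <para>
-            Key length in bits.  Default is 1024.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><literal>-s</literal>, <literal>--subtype
-        <replaceable>type</replaceable></literal></term>
-        <listitem>
-          <para>
-            Subkey type.  Default is <quote>ELG-E</quote> (Elgamal
-            encryption-only).
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><literal>-L</literal>, <literal>--sublength
-        <replaceable>bits</replaceable></literal></term>
-        <listitem>
-          <para>
-            Subkey length in bits.  Default is 2048.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><literal>-e</literal>, <literal>--email</literal>
-        <replaceable>address</replaceable></term>
+      
+      <varlistentry>
+        <term><option>--dir
+        <replaceable>DIRECTORY</replaceable></option></term>
+        <term><option>-d
+        <replaceable>DIRECTORY</replaceable></option></term>
+        <listitem>
+          <para>
+            Target directory for key files.  Default is <filename
+            class="directory">/etc/keys/mandos</filename>.
+          </para>
+        </listitem>
+      </varlistentry>
+      
+      <varlistentry>
+        <term><option>--type
+        <replaceable>TYPE</replaceable></option></term>
+        <term><option>-t
+        <replaceable>TYPE</replaceable></option></term>
+        <listitem>
+          <para>
+            OpenPGP key type.  Default is <quote>RSA</quote>.
+          </para>
+        </listitem>
+      </varlistentry>
+      
+      <varlistentry>
+        <term><option>--length
+        <replaceable>BITS</replaceable></option></term>
+        <term><option>-l
+        <replaceable>BITS</replaceable></option></term>
+        <listitem>
+          <para>
+            OpenPGP key length in bits.  Default is 4096.
+          </para>
+        </listitem>
+      </varlistentry>
+      
+      <varlistentry>
+        <term><option>--subtype
+        <replaceable>KEYTYPE</replaceable></option></term>
+        <term><option>-s
+        <replaceable>KEYTYPE</replaceable></option></term>
+        <listitem>
+          <para>
+            OpenPGP subkey type.  Default is <quote>RSA</quote>
+          </para>
+        </listitem>
+      </varlistentry>
+      
+      <varlistentry>
+        <term><option>--sublength
+        <replaceable>BITS</replaceable></option></term>
+        <term><option>-L
+        <replaceable>BITS</replaceable></option></term>
+        <listitem>
+          <para>
+            OpenPGP subkey length in bits.  Default is 4096.
+          </para>
+        </listitem>
+      </varlistentry>
+      
+      <varlistentry>
+        <term><option>--email
+        <replaceable>ADDRESS</replaceable></option></term>
+        <term><option>-e
+        <replaceable>ADDRESS</replaceable></option></term>
         <listitem>
           <para>
             Email address of key.  Default is empty.
           </para>
         </listitem>
       </varlistentry>
-
+      
       <varlistentry>
-        <term><literal>-c</literal>, <literal>--comment</literal>
-        <replaceable>comment</replaceable></term>
+        <term><option>--comment
+        <replaceable>TEXT</replaceable></option></term>
+        <term><option>-c
+        <replaceable>TEXT</replaceable></option></term>
         <listitem>
           <para>
-            Comment field for key.  The default value is
-            <quote><literal>Mandos client key</literal></quote>.
+            Comment field for key.  Default is empty.
           </para>
         </listitem>
       </varlistentry>
-
+      
       <varlistentry>
-        <term><literal>-x</literal>, <literal>--expire</literal>
-        <replaceable>time</replaceable></term>
+        <term><option>--expire
+        <replaceable>TIME</replaceable></option></term>
+        <term><option>-x
+        <replaceable>TIME</replaceable></option></term>
         <listitem>
           <para>
             Key expire time.  Default is no expiration.  See
@@ -314,50 +327,93 @@
           </para>
         </listitem>
       </varlistentry>
-
-      <varlistentry>
-        <term><literal>-f</literal>, <literal>--force</literal></term>
-        <listitem>
-          <para>
-            Force overwriting old keys.
-          </para>
-        </listitem>
-      </varlistentry>
-      <varlistentry>
-        <term><literal>-p</literal>, <literal>--password</literal
-        ></term>
+      
+      <varlistentry>
+        <term><option>--tls-keytype
+        <replaceable>KEYTYPE</replaceable></option></term>
+        <term><option>-T
+        <replaceable>KEYTYPE</replaceable></option></term>
+        <listitem>
+          <para>
+            TLS key type.  Default is <quote>ed25519</quote>
+          </para>
+        </listitem>
+      </varlistentry>
+      
+      <varlistentry>
+        <term><option>--force</option></term>
+        <term><option>-f</option></term>
+        <listitem>
+          <para>
+            Force overwriting old key.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term><option>--password</option></term>
+        <term><option>-p</option></term>
         <listitem>
           <para>
             Prompt for a password and encrypt it with the key already
-            present in either <filename>/etc/mandos</filename> or the
-            directory specified with the <option>--dir</option>
+            present in either <filename>/etc/keys/mandos</filename> or
+            the directory specified with the <option>--dir</option>
             option.  Outputs, on standard output, a section suitable
             for inclusion in <citerefentry><refentrytitle
             >mandos-clients.conf</refentrytitle><manvolnum
             >8</manvolnum></citerefentry>.  The host name or the name
             specified with the <option>--name</option> option is used
             for the section header.  All other options are ignored,
-            and no keys are created.
+            and no key is created.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term><option>--passfile
+        <replaceable>FILE</replaceable></option></term>
+        <term><option>-F
+        <replaceable>FILE</replaceable></option></term>
+        <listitem>
+          <para>
+            The same as <option>--password</option>, but read from
+            <replaceable>FILE</replaceable>, not the terminal.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term><option>--no-ssh</option></term>
+        <term><option>-S</option></term>
+        <listitem>
+          <para>
+            When <option>--password</option> or
+            <option>--passfile</option> is given, this option will
+            prevent <command>&COMMANDNAME;</command> from calling
+            <command>ssh-keyscan</command> to get an SSH fingerprint
+            for this host and, if successful, output suitable config
+            options to use this fingerprint as a
+            <option>checker</option> option in the output.  This is
+            otherwise the default behavior.
           </para>
         </listitem>
       </varlistentry>
     </variablelist>
   </refsect1>
-
+  
   <refsect1 id="overview">
     <title>OVERVIEW</title>
     <xi:include href="overview.xml"/>
     <para>
-      This program is a small utility to generate new OpenPGP keys for
-      new Mandos clients.
+      This program is a small utility to generate new TLS and OpenPGP
+      keys for new Mandos clients, and to generate sections for
+      inclusion in <filename>clients.conf</filename> on the server.
     </para>
   </refsect1>
-
+  
   <refsect1 id="exit_status">
     <title>EXIT STATUS</title>
     <para>
-      The exit status will be 0 if new keys were successfully created,
-      otherwise not.
+      The exit status will be 0 if a new key (or password, if the
+      <option>--password</option> option was used) was successfully
+      created, otherwise not.
     </para>
   </refsect1>
   
@@ -365,7 +421,7 @@
     <title>ENVIRONMENT</title>
     <variablelist>
       <varlistentry>
-        <term><varname>TMPDIR</varname></term>
+        <term><envar>TMPDIR</envar></term>
         <listitem>
           <para>
             If set, temporary files will be created here. See
@@ -377,7 +433,7 @@
     </variablelist>
   </refsect1>
   
-  <refsect1 id="file">
+  <refsect1 id="files">
     <title>FILES</title>
     <para>
       Use the <option>--dir</option> option to change where
@@ -386,7 +442,7 @@
     </para>
     <variablelist>
       <varlistentry>
-        <term><filename>/etc/mandos/seckey.txt</filename></term>
+        <term><filename>/etc/keys/mandos/seckey.txt</filename></term>
         <listitem>
           <para>
             OpenPGP secret key file which will be created or
@@ -395,7 +451,7 @@
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><filename>/etc/mandos/pubkey.txt</filename></term>
+        <term><filename>/etc/keys/mandos/pubkey.txt</filename></term>
         <listitem>
           <para>
             OpenPGP public key file which will be created or
@@ -404,7 +460,23 @@
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><filename>/tmp</filename></term>
+        <term><filename>/etc/keys/mandos/tls-privkey.pem</filename></term>
+        <listitem>
+          <para>
+            Private key file which will be created or overwritten.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term><filename>/etc/keys/mandos/tls-pubkey.pem</filename></term>
+        <listitem>
+          <para>
+            Public key file which will be created or overwritten.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term><filename class="directory">/tmp</filename></term>
         <listitem>
           <para>
             Temporary files will be written here if
@@ -414,14 +486,12 @@
       </varlistentry>
     </variablelist>
   </refsect1>
-
+  
   <refsect1 id="bugs">
     <title>BUGS</title>
-    <para>
-      None are known at this time.
-    </para>
+    <xi:include href="bugs.xml"/>
   </refsect1>
-
+  
   <refsect1 id="example">
     <title>EXAMPLE</title>
     <informalexample>
@@ -429,48 +499,82 @@
         Normal invocation needs no options:
       </para>
       <para>
-        <userinput>mandos-keygen</userinput>
+        <userinput>&COMMANDNAME;</userinput>
       </para>
     </informalexample>
     <informalexample>
       <para>
-        Create keys in another directory and of another type.  Force
+        Create key in another directory and of another type.  Force
         overwriting old key files:
       </para>
       <para>
 
 <!-- do not wrap this line -->
-<userinput>mandos-keygen --dir ~/keydir --type RSA --force</userinput>
+<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>
+
+      </para>
+    </informalexample>
+    <informalexample>
+      <para>
+        Prompt for a password, encrypt it with the keys in <filename
+        class="directory">/etc/keys/mandos</filename> and output a
+        section suitable for <filename>clients.conf</filename>.
+      </para>
+      <para>
+        <userinput>&COMMANDNAME; --password</userinput>
+      </para>
+    </informalexample>
+    <informalexample>
+      <para>
+        Prompt for a password, encrypt it with the keys in the
+        <filename>client-key</filename> directory and output a section
+        suitable for <filename>clients.conf</filename>.
+      </para>
+      <para>
+
+<!-- do not wrap this line -->
+<userinput>&COMMANDNAME; --password --dir client-key</userinput>
 
       </para>
     </informalexample>
   </refsect1>
-
+  
   <refsect1 id="security">
     <title>SECURITY</title>
     <para>
       The <option>--type</option>, <option>--length</option>,
       <option>--subtype</option>, and <option>--sublength</option>
-      options can be used to create keys of insufficient security.  If
-      in doubt, leave them to the default values.
+      options can be used to create keys of low security.  If in
+      doubt, leave them to the default values.
     </para>
     <para>
-      The key expire time is not guaranteed to be honored by
-      <citerefentry><refentrytitle>mandos</refentrytitle>
+      The key expire time is <emphasis>not</emphasis> guaranteed to be
+      honored by <citerefentry><refentrytitle>mandos</refentrytitle>
       <manvolnum>8</manvolnum></citerefentry>.
     </para>
   </refsect1>
-
+  
   <refsect1 id="see_also">
     <title>SEE ALSO</title>
     <para>
-      <citerefentry><refentrytitle>password-request</refentrytitle>
+      <citerefentry><refentrytitle>intro</refentrytitle>
       <manvolnum>8mandos</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>gpg</refentrytitle>
+      <manvolnum>1</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
+      <manvolnum>5</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>mandos</refentrytitle>
       <manvolnum>8</manvolnum></citerefentry>,
-      <citerefentry><refentrytitle>gpg</refentrytitle>
+      <citerefentry><refentrytitle>mandos-client</refentrytitle>
+      <manvolnum>8mandos</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>ssh-keyscan</refentrytitle>
       <manvolnum>1</manvolnum></citerefentry>
     </para>
   </refsect1>
   
 </refentry>
+<!-- Local Variables: -->
+<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
+<!-- time-stamp-end: "[\"']>" -->
+<!-- time-stamp-format: "%:y-%02m-%02d" -->
+<!-- End: -->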
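Review bot: The SECURITY section (new lines 545-549) still lists only the OpenPGP options, although this revision adds `--tls-keytype` (new lines 332-341), which selects the algorithm of the TLS key that mandos-client will now authenticate with, so a weak choice there has the same consequence as a weak `--type`. The first sentence should read `The <option>--type</option>, <option>--length</option>, <option>--subtype</option>, <option>--sublength</option>, and <option>--tls-keytype</option>`. Likewise the EXIT STATUS paragraph (new lines 414-416) names only `--password`, but `--passfile` (new lines 370-381) produces the same encrypted password, so `if the <option>--password</option> or <option>--passfile</option> option was used` would keep the two paragraphs consistent with the DESCRIPTION (new lines 199-201). The `--passfile` entry could also state what permissions the file is expected to have, since it carries the plaintext password; that is not shown on the page and would need confirming against the script.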