
Viewing changes to mandos-keygen.xml

Merge new wireless network hook.  Fix bridge network hook to use
hardware addresses instead of interface names.  Implement and document
new "CONNECT" environment variable for network hooks.

2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos-keygen">
5
 
<!ENTITY TIMESTAMP "2019-02-10">
 
5
<!ENTITY TIMESTAMP "2011-10-03">
6
6
<!ENTITY % common SYSTEM "common.ent">
7
7
%common;
8
8
]>
33
33
    <copyright>
34
34
      <year>2008</year>
35
35
      <year>2009</year>
36
 
      <year>2010</year>
37
36
      <year>2011</year>
38
 
      <year>2012</year>
39
 
      <year>2013</year>
40
 
      <year>2014</year>
41
 
      <year>2015</year>
42
 
      <year>2016</year>
43
 
      <year>2017</year>
44
 
      <year>2018</year>
45
37
      <holder>Teddy Hogeborn</holder>
46
38
      <holder>Björn Påhlsson</holder>
47
39
    </copyright>
126
118
        <replaceable>TIME</replaceable></option></arg>
127
119
      </group>
128
120
      <sbr/>
129
 
      <group>
130
 
        <arg choice="plain"><option>--tls-keytype
131
 
        <replaceable>KEYTYPE</replaceable></option></arg>
132
 
        <arg choice="plain"><option>-T
133
 
        <replaceable>KEYTYPE</replaceable></option></arg>
134
 
      </group>
135
 
      <sbr/>
136
 
      <group>
137
 
        <arg choice="plain"><option>--force</option></arg>
138
 
        <arg choice="plain"><option>-f</option></arg>
139
 
      </group>
 
121
      <arg><option>--force</option></arg>
140
122
    </cmdsynopsis>
141
123
    <cmdsynopsis>
142
124
      <command>&COMMANDNAME;</command>
162
144
        <arg choice="plain"><option>-n
163
145
        <replaceable>NAME</replaceable></option></arg>
164
146
      </group>
165
 
      <group>
166
 
        <arg choice="plain"><option>--no-ssh</option></arg>
167
 
        <arg choice="plain"><option>-S</option></arg>
168
 
      </group>
169
147
    </cmdsynopsis>
170
148
    <cmdsynopsis>
171
149
      <command>&COMMANDNAME;</command>
187
165
    <title>DESCRIPTION</title>
188
166
    <para>
189
167
      <command>&COMMANDNAME;</command> is a program to generate the
190
 
      TLS and OpenPGP keys used by
 
168
      OpenPGP key used by
191
169
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
192
 
      <manvolnum>8mandos</manvolnum></citerefentry>.  The keys are
193
 
      normally written to /etc/keys/mandos for later installation into
194
 
      the initrd image, but this, and most other things, can be
195
 
      changed with command line options.
 
170
      <manvolnum>8mandos</manvolnum></citerefentry>.  The key is
 
171
      normally written to /etc/mandos for later installation into the
 
172
      initrd image, but this, and most other things, can be changed
 
173
      with command line options.
196
174
    </para>
197
175
    <para>
198
176
      This program can also be used with the
235
213
        <replaceable>DIRECTORY</replaceable></option></term>
236
214
        <listitem>
237
215
          <para>
238
 
            Target directory for key files.  Default is <filename
239
 
            class="directory">/etc/keys/mandos</filename>.
 
216
            Target directory for key files.  Default is
 
217
            <filename class="directory">/etc/mandos</filename>.
240
218
          </para>
241
219
        </listitem>
242
220
      </varlistentry>
248
226
        <replaceable>TYPE</replaceable></option></term>
249
227
        <listitem>
250
228
          <para>
251
 
            OpenPGP key type.  Default is <quote>RSA</quote>.
 
229
            Key type.  Default is <quote>DSA</quote>.
252
230
          </para>
253
231
        </listitem>
254
232
      </varlistentry>
260
238
        <replaceable>BITS</replaceable></option></term>
261
239
        <listitem>
262
240
          <para>
263
 
            OpenPGP key length in bits.  Default is 4096.
 
241
            Key length in bits.  Default is 2048.
264
242
          </para>
265
243
        </listitem>
266
244
      </varlistentry>
272
250
        <replaceable>KEYTYPE</replaceable></option></term>
273
251
        <listitem>
274
252
          <para>
275
 
            OpenPGP subkey type.  Default is <quote>RSA</quote>
 
253
            Subkey type.  Default is <quote>ELG-E</quote> (Elgamal
 
254
            encryption-only).
276
255
          </para>
277
256
        </listitem>
278
257
      </varlistentry>
284
263
        <replaceable>BITS</replaceable></option></term>
285
264
        <listitem>
286
265
          <para>
287
 
            OpenPGP subkey length in bits.  Default is 4096.
 
266
            Subkey length in bits.  Default is 2048.
288
267
          </para>
289
268
        </listitem>
290
269
      </varlistentry>
308
287
        <replaceable>TEXT</replaceable></option></term>
309
288
        <listitem>
310
289
          <para>
311
 
            Comment field for key.  Default is empty.
 
290
            Comment field for key.  The default value is
 
291
            <quote><literal>Mandos client key</literal></quote>.
312
292
          </para>
313
293
        </listitem>
314
294
      </varlistentry>
328
308
      </varlistentry>
329
309
      
330
310
      <varlistentry>
331
 
        <term><option>--tls-keytype
332
 
        <replaceable>KEYTYPE</replaceable></option></term>
333
 
        <term><option>-T
334
 
        <replaceable>KEYTYPE</replaceable></option></term>
335
 
        <listitem>
336
 
          <para>
337
 
            TLS key type.  Default is <quote>ed25519</quote>
338
 
          </para>
339
 
        </listitem>
340
 
      </varlistentry>
341
 
      
342
 
      <varlistentry>
343
311
        <term><option>--force</option></term>
344
312
        <term><option>-f</option></term>
345
313
        <listitem>
354
322
        <listitem>
355
323
          <para>
356
324
            Prompt for a password and encrypt it with the key already
357
 
            present in either <filename>/etc/keys/mandos</filename> or
358
 
            the directory specified with the <option>--dir</option>
 
325
            present in either <filename>/etc/mandos</filename> or the
 
326
            directory specified with the <option>--dir</option>
359
327
            option.  Outputs, on standard output, a section suitable
360
328
            for inclusion in <citerefentry><refentrytitle
361
329
            >mandos-clients.conf</refentrytitle><manvolnum
378
346
          </para>
379
347
        </listitem>
380
348
      </varlistentry>
381
 
      <varlistentry>
382
 
        <term><option>--no-ssh</option></term>
383
 
        <term><option>-S</option></term>
384
 
        <listitem>
385
 
          <para>
386
 
            When <option>--password</option> or
387
 
            <option>--passfile</option> is given, this option will
388
 
            prevent <command>&COMMANDNAME;</command> from calling
389
 
            <command>ssh-keyscan</command> to get an SSH fingerprint
390
 
            for this host and, if successful, output suitable config
391
 
            options to use this fingerprint as a
392
 
            <option>checker</option> option in the output.  This is
393
 
            otherwise the default behavior.
394
 
          </para>
395
 
        </listitem>
396
 
      </varlistentry>
397
349
    </variablelist>
398
350
  </refsect1>
399
351
  
401
353
    <title>OVERVIEW</title>
402
354
    <xi:include href="overview.xml"/>
403
355
    <para>
404
 
      This program is a small utility to generate new TLS and OpenPGP
405
 
      keys for new Mandos clients, and to generate sections for
406
 
      inclusion in <filename>clients.conf</filename> on the server.
 
356
      This program is a small utility to generate new OpenPGP keys for
 
357
      new Mandos clients, and to generate sections for inclusion in
 
358
      <filename>clients.conf</filename> on the server.
407
359
    </para>
408
360
  </refsect1>
409
361
  
441
393
    </para>
442
394
    <variablelist>
443
395
      <varlistentry>
444
 
        <term><filename>/etc/keys/mandos/seckey.txt</filename></term>
 
396
        <term><filename>/etc/mandos/seckey.txt</filename></term>
445
397
        <listitem>
446
398
          <para>
447
399
            OpenPGP secret key file which will be created or
450
402
        </listitem>
451
403
      </varlistentry>
452
404
      <varlistentry>
453
 
        <term><filename>/etc/keys/mandos/pubkey.txt</filename></term>
 
405
        <term><filename>/etc/mandos/pubkey.txt</filename></term>
454
406
        <listitem>
455
407
          <para>
456
408
            OpenPGP public key file which will be created or
459
411
        </listitem>
460
412
      </varlistentry>
461
413
      <varlistentry>
462
 
        <term><filename>/etc/keys/mandos/tls-privkey.pem</filename></term>
463
 
        <listitem>
464
 
          <para>
465
 
            Private key file which will be created or overwritten.
466
 
          </para>
467
 
        </listitem>
468
 
      </varlistentry>
469
 
      <varlistentry>
470
 
        <term><filename>/etc/keys/mandos/tls-pubkey.pem</filename></term>
471
 
        <listitem>
472
 
          <para>
473
 
            Public key file which will be created or overwritten.
474
 
          </para>
475
 
        </listitem>
476
 
      </varlistentry>
477
 
      <varlistentry>
478
414
        <term><filename class="directory">/tmp</filename></term>
479
415
        <listitem>
480
416
          <para>
486
422
    </variablelist>
487
423
  </refsect1>
488
424
  
489
 
  <refsect1 id="bugs">
490
 
    <title>BUGS</title>
491
 
    <xi:include href="bugs.xml"/>
492
 
  </refsect1>
 
425
<!--   <refsect1 id="bugs"> -->
 
426
<!--     <title>BUGS</title> -->
 
427
<!--     <para> -->
 
428
<!--     </para> -->
 
429
<!--   </refsect1> -->
493
430
  
494
431
  <refsect1 id="example">
495
432
    <title>EXAMPLE</title>
515
452
    </informalexample>
516
453
    <informalexample>
517
454
      <para>
518
 
        Prompt for a password, encrypt it with the keys in <filename
519
 
        class="directory">/etc/keys/mandos</filename> and output a
520
 
        section suitable for <filename>clients.conf</filename>.
 
455
        Prompt for a password, encrypt it with the key in <filename
 
456
        class="directory">/etc/mandos</filename> and output a section
 
457
        suitable for <filename>clients.conf</filename>.
521
458
      </para>
522
459
      <para>
523
460
        <userinput>&COMMANDNAME; --password</userinput>
525
462
    </informalexample>
526
463
    <informalexample>
527
464
      <para>
528
 
        Prompt for a password, encrypt it with the keys in the
 
465
        Prompt for a password, encrypt it with the key in the
529
466
        <filename>client-key</filename> directory and output a section
530
467
        suitable for <filename>clients.conf</filename>.
531
468
      </para>
565
502
      <citerefentry><refentrytitle>mandos</refentrytitle>
566
503
      <manvolnum>8</manvolnum></citerefentry>,
567
504
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
568
 
      <manvolnum>8mandos</manvolnum></citerefentry>,
569
 
      <citerefentry><refentrytitle>ssh-keyscan</refentrytitle>
570
 
      <manvolnum>1</manvolnum></citerefentry>
 
505
      <manvolnum>8mandos</manvolnum></citerefentry>
571
506
    </para>
572
507
  </refsect1>
573
508