

Viewing changes to mandos-keygen.xml

Merge new wireless network hook.  Fix bridge network hook to use
hardware addresses instead of interface names.  Implement and document
new "CONNECT" environment variable for network hooks.

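--- a/mandos-keygen.xml
+++ b/mandos-keygen.xml
@@ -2,7 +2,7 @@
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
         "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
 <!ENTITY COMMANDNAME "mandos-keygen">
-<!ENTITY TIMESTAMP "2011-10-03">
+<!ENTITY TIMESTAMP "2019-02-10">
 <!ENTITY % common SYSTEM "common.ent">
 %common;
 ]>
@@ -33,7 +33,16 @@
     <copyright>
       <year>2008</year>
       <year>2009</year>
+      <year>2010</year>
       <year>2011</year>
+      <year>2012</year>
+      <year>2013</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2017</year>
+      <year>2018</year>
+      <year>2019</year>
       <holder>Teddy Hogeborn</holder>
       <holder>Björn Påhlsson</holder>
     </copyright>
@@ -118,7 +127,17 @@
         <replaceable>TIME</replaceable></option></arg>
       </group>
       <sbr/>
-      <arg><option>--force</option></arg>
+      <group>
+        <arg choice="plain"><option>--tls-keytype
+        <replaceable>KEYTYPE</replaceable></option></arg>
+        <arg choice="plain"><option>-T
+        <replaceable>KEYTYPE</replaceable></option></arg>
+      </group>
+      <sbr/>
+      <group>
+        <arg choice="plain"><option>--force</option></arg>
+        <arg choice="plain"><option>-f</option></arg>
+      </group>
     </cmdsynopsis>
     <cmdsynopsis>
       <command>&COMMANDNAME;</command>
@@ -144,6 +163,10 @@
         <arg choice="plain"><option>-n
         <replaceable>NAME</replaceable></option></arg>
       </group>
+      <group>
+        <arg choice="plain"><option>--no-ssh</option></arg>
+        <arg choice="plain"><option>-S</option></arg>
+      </group>
     </cmdsynopsis>
     <cmdsynopsis>
       <command>&COMMANDNAME;</command>
@@ -165,12 +188,12 @@
     <title>DESCRIPTION</title>
     <para>
       <command>&COMMANDNAME;</command> is a program to generate the
-      OpenPGP key used by
+      TLS and OpenPGP keys used by
       <citerefentry><refentrytitle>mandos-client</refentrytitle>
-      <manvolnum>8mandos</manvolnum></citerefentry>.  The key is
-      normally written to /etc/mandos for later installation into the
-      initrd image, but this, and most other things, can be changed
-      with command line options.
+      <manvolnum>8mandos</manvolnum></citerefentry>.  The keys are
+      normally written to /etc/keys/mandos for later installation into
+      the initrd image, but this, and most other things, can be
+      changed with command line options.
     </para>
     <para>
       This program can also be used with the
@@ -213,8 +236,8 @@
         <replaceable>DIRECTORY</replaceable></option></term>
         <listitem>
           <para>
-            Target directory for key files.  Default is
-            <filename class="directory">/etc/mandos</filename>.
+            Target directory for key files.  Default is <filename
+            class="directory">/etc/keys/mandos</filename>.
           </para>
         </listitem>
       </varlistentry>
@@ -226,7 +249,7 @@
         <replaceable>TYPE</replaceable></option></term>
         <listitem>
           <para>
-            Key type.  Default is <quote>DSA</quote>.
+            OpenPGP key type.  Default is <quote>RSA</quote>.
           </para>
         </listitem>
       </varlistentry>
@@ -238,7 +261,7 @@
         <replaceable>BITS</replaceable></option></term>
         <listitem>
           <para>
-            Key length in bits.  Default is 2048.
+            OpenPGP key length in bits.  Default is 4096.
           </para>
         </listitem>
       </varlistentry>
@@ -250,8 +273,7 @@
         <replaceable>KEYTYPE</replaceable></option></term>
         <listitem>
           <para>
-            Subkey type.  Default is <quote>ELG-E</quote> (Elgamal
-            encryption-only).
+            OpenPGP subkey type.  Default is <quote>RSA</quote>
           </para>
         </listitem>
       </varlistentry>
@@ -263,7 +285,7 @@
         <replaceable>BITS</replaceable></option></term>
         <listitem>
           <para>
-            Subkey length in bits.  Default is 2048.
+            OpenPGP subkey length in bits.  Default is 4096.
           </para>
         </listitem>
       </varlistentry>
@@ -287,8 +309,7 @@
         <replaceable>TEXT</replaceable></option></term>
         <listitem>
           <para>
-            Comment field for key.  The default value is
-            <quote><literal>Mandos client key</literal></quote>.
+            Comment field for key.  Default is empty.
           </para>
         </listitem>
       </varlistentry>
@@ -308,6 +329,18 @@
       </varlistentry>
       
       <varlistentry>
+        <term><option>--tls-keytype
+        <replaceable>KEYTYPE</replaceable></option></term>
+        <term><option>-T
+        <replaceable>KEYTYPE</replaceable></option></term>
+        <listitem>
+          <para>
+            TLS key type.  Default is <quote>ed25519</quote>
+          </para>
+        </listitem>
+      </varlistentry>
+      
+      <varlistentry>
         <term><option>--force</option></term>
         <term><option>-f</option></term>
         <listitem>
@@ -322,8 +355,8 @@
         <listitem>
           <para>
             Prompt for a password and encrypt it with the key already
-            present in either <filename>/etc/mandos</filename> or the
-            directory specified with the <option>--dir</option>
+            present in either <filename>/etc/keys/mandos</filename> or
+            the directory specified with the <option>--dir</option>
             option.  Outputs, on standard output, a section suitable
             for inclusion in <citerefentry><refentrytitle
             >mandos-clients.conf</refentrytitle><manvolnum
@@ -346,6 +379,22 @@
           </para>
         </listitem>
       </varlistentry>
+      <varlistentry>
+        <term><option>--no-ssh</option></term>
+        <term><option>-S</option></term>
+        <listitem>
+          <para>
+            When <option>--password</option> or
+            <option>--passfile</option> is given, this option will
+            prevent <command>&COMMANDNAME;</command> from calling
+            <command>ssh-keyscan</command> to get an SSH fingerprint
+            for this host and, if successful, output suitable config
+            options to use this fingerprint as a
+            <option>checker</option> option in the output.  This is
+            otherwise the default behavior.
+          </para>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
   
@@ -353,9 +402,9 @@
     <title>OVERVIEW</title>
     <xi:include href="overview.xml"/>
     <para>
-      This program is a small utility to generate new OpenPGP keys for
-      new Mandos clients, and to generate sections for inclusion in
-      <filename>clients.conf</filename> on the server.
+      This program is a small utility to generate new TLS and OpenPGP
+      keys for new Mandos clients, and to generate sections for
+      inclusion in <filename>clients.conf</filename> on the server.
     </para>
   </refsect1>
   
@@ -393,7 +442,7 @@
     </para>
     <variablelist>
       <varlistentry>
-        <term><filename>/etc/mandos/seckey.txt</filename></term>
+        <term><filename>/etc/keys/mandos/seckey.txt</filename></term>
         <listitem>
           <para>
             OpenPGP secret key file which will be created or
@@ -402,7 +451,7 @@
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><filename>/etc/mandos/pubkey.txt</filename></term>
+        <term><filename>/etc/keys/mandos/pubkey.txt</filename></term>
         <listitem>
           <para>
             OpenPGP public key file which will be created or
@@ -411,6 +460,22 @@
         </listitem>
       </varlistentry>
       <varlistentry>
+        <term><filename>/etc/keys/mandos/tls-privkey.pem</filename></term>
+        <listitem>
+          <para>
+            Private key file which will be created or overwritten.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term><filename>/etc/keys/mandos/tls-pubkey.pem</filename></term>
+        <listitem>
+          <para>
+            Public key file which will be created or overwritten.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
         <term><filename class="directory">/tmp</filename></term>
         <listitem>
           <para>
@@ -422,11 +487,10 @@
     </variablelist>
   </refsect1>
   
-<!--   <refsect1 id="bugs"> -->
-<!--     <title>BUGS</title> -->
-<!--     <para> -->
-<!--     </para> -->
-<!--   </refsect1> -->
+  <refsect1 id="bugs">
+    <title>BUGS</title>
+    <xi:include href="bugs.xml"/>
+  </refsect1>
   
   <refsect1 id="example">
     <title>EXAMPLE</title>
@@ -452,9 +516,9 @@
     </informalexample>
     <informalexample>
       <para>
-        Prompt for a password, encrypt it with the key in <filename
-        class="directory">/etc/mandos</filename> and output a section
-        suitable for <filename>clients.conf</filename>.
+        Prompt for a password, encrypt it with the keys in <filename
+        class="directory">/etc/keys/mandos</filename> and output a
+        section suitable for <filename>clients.conf</filename>.
       </para>
       <para>
         <userinput>&COMMANDNAME; --password</userinput>
@@ -462,7 +526,7 @@
     </informalexample>
     <informalexample>
       <para>
-        Prompt for a password, encrypt it with the key in the
+        Prompt for a password, encrypt it with the keys in the
         <filename>client-key</filename> directory and output a section
         suitable for <filename>clients.conf</filename>.
       </para>
@@ -502,6 +566,8 @@
       <citerefentry><refentrytitle>mandos</refentrytitle>
       <manvolnum>8</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>mandos-client</refentrytitle>
-      <manvolnum>8mandos</manvolnum></citerefentry>
+      <manvolnum>8mandos</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>ssh-keyscan</refentrytitle>
+      <manvolnum>1</manvolnum></citerefentry>
     </para>
   </refsect1>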
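Review bot: The new `--no-ssh` entry (new lines 387–394) documents that, by default, `--password`/`--passfile` runs `ssh-keyscan` and embeds the returned fingerprint as a `checker` option, but it does not warn that ssh-keyscan retrieves the host key without authenticating the host, so the operator should confirm the fingerprint before committing the generated section to the server. I would add, after "otherwise the default behavior.": `Note that <command>ssh-keyscan</command> retrieves the key without verifying the host; compare the fingerprint in the generated <option>checker</option> line with the host's actual key before adding the section to the server's configuration.` Presumably the checker also starts failing if the client's SSH host key is later regenerated, which is worth a sentence if that is the case. Separately, the new `--tls-keytype` text (new line 338) and the changed `--subkey-type` text (new line 276) drop the trailing period that the sibling `--type` entry keeps: `TLS key type.  Default is <quote>ed25519</quote>.` and `OpenPGP subkey type.  Default is <quote>RSA</quote>.` The enclosing `<variablelist>` begins and ends outside these hunks.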