/mandos/release : revision 24.1.61

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Björn Påhlsson
Date: 2008-08-24 06:21:51 UTC
mfrom: (96 mandos)
mto: (237.7.1 mandos) (24.1.154 mandos)
mto: This revision was merged to the branch mainline in revision 99.
Revision ID: belorn@braxen-20080824062151-b5me1rgq4lszzt42

merge

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2015-07-20">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<title>&COMMANDNAME;</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<productname>&COMMANDNAME;</productname>

<productnumber>&VERSION;</productnumber>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Generate key and password for Mandos client and server.

Generate keys for <citerefentry><refentrytitle>password-request

</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--dir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--type

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-t

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--length

<arg choice="plain"><option>-l

</group>

<sbr/>

<group>

<arg choice="plain"><option>--subtype

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-s

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--sublength

<arg choice="plain"><option>-L

</group>

<sbr/>

<group>

<arg choice="plain"><option>--name

100

101

<arg choice="plain"><option>-n

102

103

</group>

104

<sbr/>

105

<group>

106

<arg choice="plain"><option>--email

107

<replaceable>ADDRESS</replaceable></option></arg>

108

<arg choice="plain"><option>-e

109

<replaceable>ADDRESS</replaceable></option></arg>

110

</group>

111

<sbr/>

112

<group>

113

<arg choice="plain"><option>--comment

114

115

<arg choice="plain"><option>-c

116

117

</group>

118

<sbr/>

119

<group>

120

<arg choice="plain"><option>--expire

121

122

<arg choice="plain"><option>-x

123

124

</group>

125

<sbr/>

126

<group>

<replaceable>directory</replaceable></arg>

</group>

</group>

<arg choice="plain"><option>--length</option>

</group>

<arg choice="plain"><option>--subtype</option>

</group>

<arg choice="plain"><option>--sublength</option>

</group>

</group>

100

101

<arg choice="plain"><option>--email</option>

102

<replaceable>EMAIL</replaceable></arg>

103

</group>

104

105

<arg choice="plain"><option>--comment</option>

106

<replaceable>COMMENT</replaceable></arg>

107

</group>

108

109

<arg choice="plain"><option>--expire</option>

110

111

</group>

112

127

113

<arg choice="plain"><option>--force</option></arg>

114

</group>

115

</cmdsynopsis>

116

117

<command>&COMMANDNAME;</command>

118

119

120

<replaceable>directory</replaceable></arg>

121

</group>

122

123

124

125

</group>

126

127

128

129

</group>

130

131

132

133

</group>

134

135

136

137

</group>

138

139

140

141

</group>

142

143

144

<replaceable>EMAIL</replaceable></arg>

145

</group>

146

147

148

<replaceable>COMMENT</replaceable></arg>

149

</group>

150

151

152

153

</group>

154

128

155

129

156

</group>

130

157

</cmdsynopsis>

131

158

132

159

<command>&COMMANDNAME;</command>

133

160

134

<arg choice="plain"><option>--password</option></arg>

135

136

<arg choice="plain"><option>--passfile

137

138

139

140

</group>

141

<sbr/>

142

<group>

143

<arg choice="plain"><option>--dir

144

<replaceable>DIRECTORY</replaceable></option></arg>

145

<arg choice="plain"><option>-d

146

<replaceable>DIRECTORY</replaceable></option></arg>

147

</group>

148

<sbr/>

149

<group>

150

<arg choice="plain"><option>--name

151

152

<arg choice="plain"><option>-n

153

154

</group>

155

<group>

156

157

158

</group>

159

</cmdsynopsis>

160

161

<command>&COMMANDNAME;</command>

162

161

163

162

164

165

163

</group>

166

164

</cmdsynopsis>

167

165

168

166

<command>&COMMANDNAME;</command>

169

167

168

170

169

<arg choice="plain"><option>--version</option></arg>

171

172

170

</group>

173

171

</cmdsynopsis>

174

172

</refsynopsisdiv>

175

173

176

174

177

175

<title>DESCRIPTION</title>

178

176

<para>

179

177

<command>&COMMANDNAME;</command> is a program to generate the

180

OpenPGP key used by

181

<citerefentry><refentrytitle>mandos-client</refentrytitle>

182

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

178

OpenPGP keys used by

179

<citerefentry><refentrytitle>password-request</refentrytitle>

180

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

183

181

normally written to /etc/mandos for later installation into the

184

initrd image, but this, and most other things, can be changed

185

with command line options.

186

</para>

187

<para>

188

This program can also be used with the

189

<option>--password</option> or <option>--passfile</option>

190

options to generate a ready-made section for

191

<filename>clients.conf</filename> (see

192

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

193

<manvolnum>5</manvolnum></citerefentry>).

182

initrd image, but this, like most things, can be changed with

183

command line options.

194

184

</para>

195

185

</refsect1>

196

186

197

187

198

188

<title>PURPOSE</title>

189

199

190

<para>

200

191

The purpose of this is to enable <emphasis>remote and unattended

201

192

rebooting</emphasis> of client host computer with an

202

193

<emphasis>encrypted root file system</emphasis>. See <xref

203

194

linkend="overview"/> for details.

204

195

</para>

196

205

197

</refsect1>

206

198

207

199

208

200

<title>OPTIONS</title>

209

201

210

202

211

203

212

213

204

214

205

215

206

<para>

216

207

Show a help message and exit

217

208

</para>

218

209

</listitem>

219

210

</varlistentry>

220

221

222

<term><option>--dir

223

<replaceable>DIRECTORY</replaceable></option></term>

224

<term><option>-d

225

<replaceable>DIRECTORY</replaceable></option></term>

226

227

<para>

228

Target directory for key files. Default is

229

<filename class="directory">/etc/mandos</filename>.

230

</para>

231

</listitem>

232

</varlistentry>

233

234

235

<term><option>--type

236

237

<term><option>-t

238

239

240

<para>

241

Key type. Default is <quote>RSA</quote>.

242

</para>

243

</listitem>

244

</varlistentry>

245

246

247

<term><option>--length

248

249

<term><option>-l

250

251

252

<para>

253

Key length in bits. Default is 4096.

254

</para>

255

</listitem>

256

</varlistentry>

257

258

259

<term><option>--subtype

260

<replaceable>KEYTYPE</replaceable></option></term>

261

<term><option>-s

262

<replaceable>KEYTYPE</replaceable></option></term>

263

264

<para>

265

Subkey type. Default is <quote>RSA</quote> (Elgamal

211

212

213

<term><literal>-d</literal>, <literal>--dir

214

<replaceable>directory</replaceable></literal></term>

215

216

<para>

217

Target directory for key files.

218

</para>

219

</listitem>

220

</varlistentry>

221

222

223

<term><literal>-t</literal>, <literal>--type

224

225

226

<para>

227

Key type. Default is <quote>DSA</quote>.

228

</para>

229

</listitem>

230

</varlistentry>

231

232

233

<term><literal>-l</literal>, <literal>--length

234

235

236

<para>

237

Key length in bits. Default is 1024.

238

</para>

239

</listitem>

240

</varlistentry>

241

242

243

<term><literal>-s</literal>, <literal>--subtype

244

245

246

<para>

247

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

266

248

encryption-only).

267

249

</para>

268

250

</listitem>

269

251

</varlistentry>

270

252

271

253

272

<term><option>--sublength

273

274

<term><option>-L

275

254

<term><literal>-L</literal>, <literal>--sublength

255

276

256

277

257

<para>

278

Subkey length in bits. Default is 4096.

258

Subkey length in bits. Default is 2048.

279

259

</para>

280

260

</listitem>

281

261

</varlistentry>

282

262

283

263

284

<term><option>--email

285

<replaceable>ADDRESS</replaceable></option></term>

286

<term><option>-e

287

<replaceable>ADDRESS</replaceable></option></term>

264

<term><literal>-e</literal>, <literal>--email</literal>

265

<replaceable>address</replaceable></term>

288

266

289

267

<para>

290

268

Email address of key. Default is empty.

291

269

</para>

292

270

</listitem>

293

271

</varlistentry>

294

272

295

273

296

<term><option>--comment

297

298

<term><option>-c

299

274

<term><literal>-c</literal>, <literal>--comment</literal>

275

<replaceable>comment</replaceable></term>

300

276

301

277

<para>

302

Comment field for key. Default is empty.

278

Comment field for key. The default value is

279

<quote><literal>Mandos client key</literal></quote>.

303

280

</para>

304

281

</listitem>

305

282

</varlistentry>

306

283

307

284

308

<term><option>--expire

309

310

<term><option>-x

311

285

<term><literal>-x</literal>, <literal>--expire</literal>

286

312

287

313

288

<para>

314

289

Key expire time. Default is no expiration. See

317

292

</para>

318

293

</listitem>

319

294

</varlistentry>

320

321

322

<term><option>--force</option></term>

323

324

325

<para>

326

Force overwriting old key.

327

</para>

328

</listitem>

329

</varlistentry>

330

331

<term><option>--password</option></term>

332

333

334

<para>

335

Prompt for a password and encrypt it with the key already

336

present in either <filename>/etc/mandos</filename> or the

337

directory specified with the <option>--dir</option>

338

option. Outputs, on standard output, a section suitable

339

for inclusion in <citerefentry><refentrytitle

340

>mandos-clients.conf</refentrytitle><manvolnum

341

>8</manvolnum></citerefentry>. The host name or the name

342

specified with the <option>--name</option> option is used

343

for the section header. All other options are ignored,

344

and no key is created.

345

</para>

346

</listitem>

347

</varlistentry>

348

349

<term><option>--passfile

350

351

<term><option>-F

352

353

354

<para>

355

The same as <option>--password</option>, but read from

356

<replaceable>FILE</replaceable>, not the terminal.

357

</para>

358

</listitem>

359

</varlistentry>

360

361

362

363

364

<para>

365

When <option>--password</option> or

366

<option>--passfile</option> is given, this option will

367

prevent <command>&COMMANDNAME;</command> from calling

368

<command>ssh-keyscan</command> to get an SSH fingerprint

369

for this host and, if successful, output suitable config

370

options to use this fingerprint as a

371

<option>checker</option> option in the output. This is

372

otherwise the default behavior.

295

296

297

<term><literal>-f</literal>, <literal>--force</literal></term>

298

299

<para>

300

Force overwriting old keys.

373

301

</para>

374

302

</listitem>

375

303

</varlistentry>

376

304

</variablelist>

377

305

</refsect1>

378

306

379

307

380

308

<title>OVERVIEW</title>

381

309

<xi:include href="overview.xml"/>

382

310

<para>

383

311

This program is a small utility to generate new OpenPGP keys for

384

new Mandos clients, and to generate sections for inclusion in

385

<filename>clients.conf</filename> on the server.

312

new Mandos clients.

386

313

</para>

387

314

</refsect1>

388

315

389

316

390

317

<title>EXIT STATUS</title>

391

318

<para>

392

The exit status will be 0 if a new key (or password, if the

393

<option>--password</option> option was used) was successfully

394

created, otherwise not.

319

The exit status will be 0 if new keys were successfully created,

320

otherwise not.

395

321

</para>

396

322

</refsect1>

397

323

399

325

<title>ENVIRONMENT</title>

400

326

401

327

402

<term><envar>TMPDIR</envar></term>

328

<term><varname>TMPDIR</varname></term>

403

329

404

330

<para>

405

331

If set, temporary files will be created here. See

411

337

</variablelist>

412

338

</refsect1>

413

339

414

340

415

341

<title>FILES</title>

416

342

<para>

417

343

Use the <option>--dir</option> option to change where

438

364

</listitem>

439

365

</varlistentry>

440

366

441

367

442

368

443

369

<para>

444

370

Temporary files will be written here if

448

374

</varlistentry>

449

375

</variablelist>

450

376

</refsect1>

451

452

453

454

455

456

457

377

378

379

380

<para>

381

None are known at this time.

382

</para>

383

</refsect1>

384

458

385

459

386

<title>EXAMPLE</title>

460

387

462

389

Normal invocation needs no options:

463

390

</para>

464

391

<para>

465

<userinput>&COMMANDNAME;</userinput>

392

<userinput>mandos-keygen</userinput>

466

393

</para>

467

394

</informalexample>

468

395

469

396

<para>

470

Create key in another directory and of another type. Force

397

Create keys in another directory and of another type. Force

471

398

overwriting old key files:

472

399

</para>

473

400

<para>

474

401

475

402

476

<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>

477

478

</para>

479

</informalexample>

480

481

<para>

482

Prompt for a password, encrypt it with the key in <filename

483

class="directory">/etc/mandos</filename> and output a section

484

suitable for <filename>clients.conf</filename>.

485

</para>

486

<para>

487

<userinput>&COMMANDNAME; --password</userinput>

488

</para>

489

</informalexample>

490

491

<para>

492

Prompt for a password, encrypt it with the key in the

493

<filename>client-key</filename> directory and output a section

494

suitable for <filename>clients.conf</filename>.

495

</para>

496

<para>

497

498

499

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

403

<userinput>mandos-keygen --dir ~/keydir --type RSA --force</userinput>

500

404

501

405

</para>

502

406

</informalexample>

503

407

</refsect1>

504

408

505

409

506

410

<title>SECURITY</title>

507

411

<para>

508

412

The <option>--type</option>, <option>--length</option>,

509

413

<option>--subtype</option>, and <option>--sublength</option>

510

options can be used to create keys of low security. If in

511

doubt, leave them to the default values.

414

options can be used to create keys of insufficient security. If

415

in doubt, leave them to the default values.

512

416

</para>

513

417

<para>

514

The key expire time is <emphasis>not</emphasis> guaranteed to be

515

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

418

The key expire time is not guaranteed to be honored by

419

<citerefentry><refentrytitle>mandos</refentrytitle>

516

420

<manvolnum>8</manvolnum></citerefentry>.

517

421

</para>

518

422

</refsect1>

519

423

520

424

521

425

522

426

<para>

523

<citerefentry><refentrytitle>intro</refentrytitle>

427

<citerefentry><refentrytitle>password-request</refentrytitle>

524

428

<manvolnum>8mandos</manvolnum></citerefentry>,

429

<citerefentry><refentrytitle>mandos</refentrytitle>

430

<manvolnum>8</manvolnum></citerefentry>,

525

431

526

<manvolnum>1</manvolnum></citerefentry>,

527

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

528

<manvolnum>5</manvolnum></citerefentry>,

529

<citerefentry><refentrytitle>mandos</refentrytitle>

530

<manvolnum>8</manvolnum></citerefentry>,

531

<citerefentry><refentrytitle>mandos-client</refentrytitle>

532

<manvolnum>8mandos</manvolnum></citerefentry>,

533

<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>

534

432

535

433

</para>

536

434

</refsect1>

537

435

538

436

</refentry>

539

540

541

542

543

Older »