/mandos/release : revision 96

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2008-08-24 06:17:02 UTC
Revision ID: teddy@fukt.bsnet.se-20080824061702-zxrru4r1vxmx4tuq

* Makefile (PREFIX, CONFDIR, MANDIR): Use $(DESTDIR).
  (install-server, install-client): Use "install --directory" instead
                                    of mkdir.

* mandos-keygen: New options --subtype and --sublength.
  (trap): Added semicolons and backslashes.
  (gpg): Added "--enable-dsa2" to all invocations.

* mandos-keygen.xml: Changed single quotes to double quotes for
                     consistency.
  (/refentry/refentryinfo/copyright) Split copyright holders.
  (SYNOPSIS): Added "--subtype", "--sublength", "-s", and "-L".
  (OPTIONS): Document the subtype and sublength options.
  (SECURITY): Also note the "--subtype" and "--sublength" options.

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2017-02-23">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<title>&COMMANDNAME;</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<productname>&COMMANDNAME;</productname>

<productnumber>&VERSION;</productnumber>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Generate key and password for Mandos client and server.

Generate keys for <citerefentry><refentrytitle>password-request

</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--dir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--type

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-t

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--length

<arg choice="plain"><option>-l

</group>

<sbr/>

<group>

<arg choice="plain"><option>--subtype

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-s

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--sublength

<arg choice="plain"><option>-L

</group>

<sbr/>

100

<group>

101

<arg choice="plain"><option>--name

102

103

<arg choice="plain"><option>-n

104

105

</group>

106

<sbr/>

107

<group>

108

<arg choice="plain"><option>--email

109

<replaceable>ADDRESS</replaceable></option></arg>

110

<arg choice="plain"><option>-e

111

<replaceable>ADDRESS</replaceable></option></arg>

112

</group>

113

<sbr/>

114

<group>

115

<arg choice="plain"><option>--comment

116

117

<arg choice="plain"><option>-c

118

119

</group>

120

<sbr/>

121

<group>

122

<arg choice="plain"><option>--expire

123

124

<arg choice="plain"><option>-x

125

126

</group>

127

<sbr/>

128

<group>

<replaceable>directory</replaceable></arg>

</group>

</group>

<arg choice="plain"><option>--length</option>

</group>

<arg choice="plain"><option>--subtype</option>

</group>

<arg choice="plain"><option>--sublength</option>

</group>

</group>

100

101

<arg choice="plain"><option>--email</option>

102

<replaceable>EMAIL</replaceable></arg>

103

</group>

104

105

<arg choice="plain"><option>--comment</option>

106

<replaceable>COMMENT</replaceable></arg>

107

</group>

108

109

<arg choice="plain"><option>--expire</option>

110

111

</group>

112

129

113

<arg choice="plain"><option>--force</option></arg>

114

</group>

115

</cmdsynopsis>

116

117

<command>&COMMANDNAME;</command>

118

119

120

<replaceable>directory</replaceable></arg>

121

</group>

122

123

124

125

</group>

126

127

128

129

</group>

130

131

132

133

</group>

134

135

136

137

</group>

138

139

140

141

</group>

142

143

144

<replaceable>EMAIL</replaceable></arg>

145

</group>

146

147

148

<replaceable>COMMENT</replaceable></arg>

149

</group>

150

151

152

153

</group>

154

130

155

131

156

</group>

132

157

</cmdsynopsis>

133

158

134

159

<command>&COMMANDNAME;</command>

135

160

136

<arg choice="plain"><option>--password</option></arg>

137

138

<arg choice="plain"><option>--passfile

139

140

141

142

</group>

143

<sbr/>

144

<group>

145

<arg choice="plain"><option>--dir

146

<replaceable>DIRECTORY</replaceable></option></arg>

147

<arg choice="plain"><option>-d

148

<replaceable>DIRECTORY</replaceable></option></arg>

149

</group>

150

<sbr/>

151

<group>

152

<arg choice="plain"><option>--name

153

154

<arg choice="plain"><option>-n

155

156

</group>

157

<group>

158

159

160

</group>

161

</cmdsynopsis>

162

163

<command>&COMMANDNAME;</command>

164

161

165

162

166

167

163

</group>

168

164

</cmdsynopsis>

169

165

170

166

<command>&COMMANDNAME;</command>

171

167

168

172

169

<arg choice="plain"><option>--version</option></arg>

173

174

170

</group>

175

171

</cmdsynopsis>

176

172

</refsynopsisdiv>

177

173

178

174

179

175

<title>DESCRIPTION</title>

180

176

<para>

181

177

<command>&COMMANDNAME;</command> is a program to generate the

182

OpenPGP key used by

183

<citerefentry><refentrytitle>mandos-client</refentrytitle>

184

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

178

OpenPGP keys used by

179

<citerefentry><refentrytitle>password-request</refentrytitle>

180

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

185

181

normally written to /etc/mandos for later installation into the

186

initrd image, but this, and most other things, can be changed

187

with command line options.

188

</para>

189

<para>

190

This program can also be used with the

191

<option>--password</option> or <option>--passfile</option>

192

options to generate a ready-made section for

193

<filename>clients.conf</filename> (see

194

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

195

<manvolnum>5</manvolnum></citerefentry>).

182

initrd image, but this, like most things, can be changed with

183

command line options.

196

184

</para>

197

185

</refsect1>

198

186

199

187

200

188

<title>PURPOSE</title>

189

201

190

<para>

202

191

The purpose of this is to enable <emphasis>remote and unattended

203

192

rebooting</emphasis> of client host computer with an

204

193

<emphasis>encrypted root file system</emphasis>. See <xref

205

194

linkend="overview"/> for details.

206

195

</para>

196

207

197

</refsect1>

208

198

209

199

210

200

<title>OPTIONS</title>

211

201

212

202

213

203

214

215

204

216

205

217

206

<para>

218

207

Show a help message and exit

219

208

</para>

220

209

</listitem>

221

210

</varlistentry>

222

223

224

<term><option>--dir

225

<replaceable>DIRECTORY</replaceable></option></term>

226

<term><option>-d

227

<replaceable>DIRECTORY</replaceable></option></term>

228

229

<para>

230

Target directory for key files. Default is

231

<filename class="directory">/etc/mandos</filename>.

232

</para>

233

</listitem>

234

</varlistentry>

235

236

237

<term><option>--type

238

239

<term><option>-t

240

241

242

<para>

243

Key type. Default is <quote>RSA</quote>.

244

</para>

245

</listitem>

246

</varlistentry>

247

248

249

<term><option>--length

250

251

<term><option>-l

252

253

254

<para>

255

Key length in bits. Default is 4096.

256

</para>

257

</listitem>

258

</varlistentry>

259

260

261

<term><option>--subtype

262

<replaceable>KEYTYPE</replaceable></option></term>

263

<term><option>-s

264

<replaceable>KEYTYPE</replaceable></option></term>

265

266

<para>

267

Subkey type. Default is <quote>RSA</quote> (Elgamal

211

212

213

<term><literal>-d</literal>, <literal>--dir

214

<replaceable>directory</replaceable></literal></term>

215

216

<para>

217

Target directory for key files.

218

</para>

219

</listitem>

220

</varlistentry>

221

222

223

<term><literal>-t</literal>, <literal>--type

224

225

226

<para>

227

Key type. Default is <quote>DSA</quote>.

228

</para>

229

</listitem>

230

</varlistentry>

231

232

233

<term><literal>-l</literal>, <literal>--length

234

235

236

<para>

237

Key length in bits. Default is 1024.

238

</para>

239

</listitem>

240

</varlistentry>

241

242

243

<term><literal>-s</literal>, <literal>--subtype

244

245

246

<para>

247

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

268

248

encryption-only).

269

249

</para>

270

250

</listitem>

271

251

</varlistentry>

272

252

273

253

274

<term><option>--sublength

275

276

<term><option>-L

277

254

<term><literal>-L</literal>, <literal>--sublength

255

278

256

279

257

<para>

280

Subkey length in bits. Default is 4096.

258

Subkey length in bits. Default is 2048.

281

259

</para>

282

260

</listitem>

283

261

</varlistentry>

284

262

285

263

286

<term><option>--email

287

<replaceable>ADDRESS</replaceable></option></term>

288

<term><option>-e

289

<replaceable>ADDRESS</replaceable></option></term>

264

<term><literal>-e</literal>, <literal>--email</literal>

265

<replaceable>address</replaceable></term>

290

266

291

267

<para>

292

268

Email address of key. Default is empty.

293

269

</para>

294

270

</listitem>

295

271

</varlistentry>

296

272

297

273

298

<term><option>--comment

299

300

<term><option>-c

301

274

<term><literal>-c</literal>, <literal>--comment</literal>

275

<replaceable>comment</replaceable></term>

302

276

303

277

<para>

304

Comment field for key. Default is empty.

278

Comment field for key. The default value is

279

<quote><literal>Mandos client key</literal></quote>.

305

280

</para>

306

281

</listitem>

307

282

</varlistentry>

308

283

309

284

310

<term><option>--expire

311

312

<term><option>-x

313

285

<term><literal>-x</literal>, <literal>--expire</literal>

286

314

287

315

288

<para>

316

289

Key expire time. Default is no expiration. See

319

292

</para>

320

293

</listitem>

321

294

</varlistentry>

322

323

324

<term><option>--force</option></term>

325

326

327

<para>

328

Force overwriting old key.

329

</para>

330

</listitem>

331

</varlistentry>

332

333

<term><option>--password</option></term>

334

335

336

<para>

337

Prompt for a password and encrypt it with the key already

338

present in either <filename>/etc/mandos</filename> or the

339

directory specified with the <option>--dir</option>

340

option. Outputs, on standard output, a section suitable

341

for inclusion in <citerefentry><refentrytitle

342

>mandos-clients.conf</refentrytitle><manvolnum

343

>8</manvolnum></citerefentry>. The host name or the name

344

specified with the <option>--name</option> option is used

345

for the section header. All other options are ignored,

346

and no key is created.

347

</para>

348

</listitem>

349

</varlistentry>

350

351

<term><option>--passfile

352

353

<term><option>-F

354

355

356

<para>

357

The same as <option>--password</option>, but read from

358

<replaceable>FILE</replaceable>, not the terminal.

359

</para>

360

</listitem>

361

</varlistentry>

362

363

364

365

366

<para>

367

When <option>--password</option> or

368

<option>--passfile</option> is given, this option will

369

prevent <command>&COMMANDNAME;</command> from calling

370

<command>ssh-keyscan</command> to get an SSH fingerprint

371

for this host and, if successful, output suitable config

372

options to use this fingerprint as a

373

<option>checker</option> option in the output. This is

374

otherwise the default behavior.

295

296

297

<term><literal>-f</literal>, <literal>--force</literal></term>

298

299

<para>

300

Force overwriting old keys.

375

301

</para>

376

302

</listitem>

377

303

</varlistentry>

378

304

</variablelist>

379

305

</refsect1>

380

306

381

307

382

308

<title>OVERVIEW</title>

383

309

<xi:include href="overview.xml"/>

384

310

<para>

385

311

This program is a small utility to generate new OpenPGP keys for

386

new Mandos clients, and to generate sections for inclusion in

387

<filename>clients.conf</filename> on the server.

312

new Mandos clients.

388

313

</para>

389

314

</refsect1>

390

315

391

316

392

317

<title>EXIT STATUS</title>

393

318

<para>

394

The exit status will be 0 if a new key (or password, if the

395

<option>--password</option> option was used) was successfully

396

created, otherwise not.

319

The exit status will be 0 if new keys were successfully created,

320

otherwise not.

397

321

</para>

398

322

</refsect1>

399

323

401

325

<title>ENVIRONMENT</title>

402

326

403

327

404

<term><envar>TMPDIR</envar></term>

328

<term><varname>TMPDIR</varname></term>

405

329

406

330

<para>

407

331

If set, temporary files will be created here. See

413

337

</variablelist>

414

338

</refsect1>

415

339

416

340

417

341

<title>FILES</title>

418

342

<para>

419

343

Use the <option>--dir</option> option to change where

440

364

</listitem>

441

365

</varlistentry>

442

366

443

367

444

368

445

369

<para>

446

370

Temporary files will be written here if

450

374

</varlistentry>

451

375

</variablelist>

452

376

</refsect1>

453

377

454

378

455

379

456

<xi:include href="bugs.xml"/>

380

<para>

381

None are known at this time.

382

</para>

457

383

</refsect1>

458

384

459

385

460

386

<title>EXAMPLE</title>

461

387

463

389

Normal invocation needs no options:

464

390

</para>

465

391

<para>

466

<userinput>&COMMANDNAME;</userinput>

392

<userinput>mandos-keygen</userinput>

467

393

</para>

468

394

</informalexample>

469

395

470

396

<para>

471

Create key in another directory and of another type. Force

397

Create keys in another directory and of another type. Force

472

398

overwriting old key files:

473

399

</para>

474

400

<para>

475

401

476

402

477

<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>

478

479

</para>

480

</informalexample>

481

482

<para>

483

Prompt for a password, encrypt it with the key in <filename

484

class="directory">/etc/mandos</filename> and output a section

485

suitable for <filename>clients.conf</filename>.

486

</para>

487

<para>

488

<userinput>&COMMANDNAME; --password</userinput>

489

</para>

490

</informalexample>

491

492

<para>

493

Prompt for a password, encrypt it with the key in the

494

<filename>client-key</filename> directory and output a section

495

suitable for <filename>clients.conf</filename>.

496

</para>

497

<para>

498

499

500

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

403

<userinput>mandos-keygen --dir ~/keydir --type RSA --force</userinput>

501

404

502

405

</para>

503

406

</informalexample>

504

407

</refsect1>

505

408

506

409

507

410

<title>SECURITY</title>

508

411

<para>

509

412

The <option>--type</option>, <option>--length</option>,

510

413

<option>--subtype</option>, and <option>--sublength</option>

511

options can be used to create keys of low security. If in

512

doubt, leave them to the default values.

414

options can be used to create keys of insufficient security. If

415

in doubt, leave them to the default values.

513

416

</para>

514

417

<para>

515

The key expire time is <emphasis>not</emphasis> guaranteed to be

516

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

418

The key expire time is not guaranteed to be honored by

419

<citerefentry><refentrytitle>mandos</refentrytitle>

517

420

<manvolnum>8</manvolnum></citerefentry>.

518

421

</para>

519

422

</refsect1>

520

423

521

424

522

425

523

426

<para>

524

<citerefentry><refentrytitle>intro</refentrytitle>

427

<citerefentry><refentrytitle>password-request</refentrytitle>

525

428

<manvolnum>8mandos</manvolnum></citerefentry>,

429

<citerefentry><refentrytitle>mandos</refentrytitle>

430

<manvolnum>8</manvolnum></citerefentry>,

526

431

527

<manvolnum>1</manvolnum></citerefentry>,

528

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

529

<manvolnum>5</manvolnum></citerefentry>,

530

<citerefentry><refentrytitle>mandos</refentrytitle>

531

<manvolnum>8</manvolnum></citerefentry>,

532

<citerefentry><refentrytitle>mandos-client</refentrytitle>

533

<manvolnum>8mandos</manvolnum></citerefentry>,

534

<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>

535

432

536

433

</para>

537

434

</refsect1>

538

435

539

436

</refentry>

540

541

542

543

544

Older »