/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

  • Committer: Teddy Hogeborn
  • Date: 2008-08-24 06:17:02 UTC
  • Revision ID: teddy@fukt.bsnet.se-20080824061702-zxrru4r1vxmx4tuq
* Makefile (PREFIX, CONFDIR, MANDIR): Use $(DESTDIR).
  (install-server, install-client): Use "install --directory" instead
                                    of mkdir.

* mandos-keygen: New options --subtype and --sublength.
  (trap): Added semicolons and backslashes.
  (gpg): Added "--enable-dsa2" to all invocations.

* mandos-keygen.xml: Changed single quotes to double quotes for
                     consistency.
  (/refentry/refentryinfo/copyright) Split copyright holders.
  (SYNOPSIS): Added "--subtype", "--sublength", "-s", and "-L".
  (OPTIONS): Document the subtype and sublength options.
  (SECURITY): Also note the "--subtype" and "--sublength" options.

Show diffs side-by-side

added added

removed removed

Lines of Context:
1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
 
4
<!ENTITY VERSION "1.0">
4
5
<!ENTITY COMMANDNAME "mandos-keygen">
5
 
<!ENTITY TIMESTAMP "2019-02-10">
6
 
<!ENTITY % common SYSTEM "common.ent">
7
 
%common;
8
6
]>
9
7
 
10
8
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
11
9
  <refentryinfo>
12
 
    <title>Mandos Manual</title>
 
10
    <title>&COMMANDNAME;</title>
13
11
    <!-- NWalsh’s docbook scripts use this to generate the footer: -->
14
 
    <productname>Mandos</productname>
15
 
    <productnumber>&version;</productnumber>
16
 
    <date>&TIMESTAMP;</date>
 
12
    <productname>&COMMANDNAME;</productname>
 
13
    <productnumber>&VERSION;</productnumber>
17
14
    <authorgroup>
18
15
      <author>
19
16
        <firstname>Björn</firstname>
20
17
        <surname>Påhlsson</surname>
21
18
        <address>
22
 
          <email>belorn@recompile.se</email>
 
19
          <email>belorn@fukt.bsnet.se</email>
23
20
        </address>
24
21
      </author>
25
22
      <author>
26
23
        <firstname>Teddy</firstname>
27
24
        <surname>Hogeborn</surname>
28
25
        <address>
29
 
          <email>teddy@recompile.se</email>
 
26
          <email>teddy@fukt.bsnet.se</email>
30
27
        </address>
31
28
      </author>
32
29
    </authorgroup>
33
30
    <copyright>
34
31
      <year>2008</year>
35
 
      <year>2009</year>
36
 
      <year>2010</year>
37
 
      <year>2011</year>
38
 
      <year>2012</year>
39
 
      <year>2013</year>
40
 
      <year>2014</year>
41
 
      <year>2015</year>
42
 
      <year>2016</year>
43
 
      <year>2017</year>
44
 
      <year>2018</year>
45
 
      <year>2019</year>
46
32
      <holder>Teddy Hogeborn</holder>
47
33
      <holder>Björn Påhlsson</holder>
48
34
    </copyright>
49
 
    <xi:include href="legalnotice.xml"/>
 
35
    <legalnotice>
 
36
      <para>
 
37
        This manual page is free software: you can redistribute it
 
38
        and/or modify it under the terms of the GNU General Public
 
39
        License as published by the Free Software Foundation,
 
40
        either version 3 of the License, or (at your option) any
 
41
        later version.
 
42
      </para>
 
43
 
 
44
      <para>
 
45
        This manual page is distributed in the hope that it will
 
46
        be useful, but WITHOUT ANY WARRANTY; without even the
 
47
        implied warranty of MERCHANTABILITY or FITNESS FOR A
 
48
        PARTICULAR PURPOSE.  See the GNU General Public License
 
49
        for more details.
 
50
      </para>
 
51
 
 
52
      <para>
 
53
        You should have received a copy of the GNU General Public
 
54
        License along with this program; If not, see
 
55
        <ulink url="http://www.gnu.org/licenses/"/>.
 
56
      </para>
 
57
    </legalnotice>
50
58
  </refentryinfo>
51
 
  
 
59
 
52
60
  <refmeta>
53
61
    <refentrytitle>&COMMANDNAME;</refentrytitle>
54
62
    <manvolnum>8</manvolnum>
57
65
  <refnamediv>
58
66
    <refname><command>&COMMANDNAME;</command></refname>
59
67
    <refpurpose>
60
 
      Generate key and password for Mandos client and server.
 
68
      Generate keys for <citerefentry><refentrytitle>password-request
 
69
      </refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>
61
70
    </refpurpose>
62
71
  </refnamediv>
63
 
  
 
72
 
64
73
  <refsynopsisdiv>
65
74
    <cmdsynopsis>
66
75
      <command>&COMMANDNAME;</command>
67
 
      <group>
68
 
        <arg choice="plain"><option>--dir
69
 
        <replaceable>DIRECTORY</replaceable></option></arg>
70
 
        <arg choice="plain"><option>-d
71
 
        <replaceable>DIRECTORY</replaceable></option></arg>
72
 
      </group>
73
 
      <sbr/>
74
 
      <group>
75
 
        <arg choice="plain"><option>--type
76
 
        <replaceable>KEYTYPE</replaceable></option></arg>
77
 
        <arg choice="plain"><option>-t
78
 
        <replaceable>KEYTYPE</replaceable></option></arg>
79
 
      </group>
80
 
      <sbr/>
81
 
      <group>
82
 
        <arg choice="plain"><option>--length
83
 
        <replaceable>BITS</replaceable></option></arg>
84
 
        <arg choice="plain"><option>-l
85
 
        <replaceable>BITS</replaceable></option></arg>
86
 
      </group>
87
 
      <sbr/>
88
 
      <group>
89
 
        <arg choice="plain"><option>--subtype
90
 
        <replaceable>KEYTYPE</replaceable></option></arg>
91
 
        <arg choice="plain"><option>-s
92
 
        <replaceable>KEYTYPE</replaceable></option></arg>
93
 
      </group>
94
 
      <sbr/>
95
 
      <group>
96
 
        <arg choice="plain"><option>--sublength
97
 
        <replaceable>BITS</replaceable></option></arg>
98
 
        <arg choice="plain"><option>-L
99
 
        <replaceable>BITS</replaceable></option></arg>
100
 
      </group>
101
 
      <sbr/>
102
 
      <group>
103
 
        <arg choice="plain"><option>--name
104
 
        <replaceable>NAME</replaceable></option></arg>
105
 
        <arg choice="plain"><option>-n
106
 
        <replaceable>NAME</replaceable></option></arg>
107
 
      </group>
108
 
      <sbr/>
109
 
      <group>
110
 
        <arg choice="plain"><option>--email
111
 
        <replaceable>ADDRESS</replaceable></option></arg>
112
 
        <arg choice="plain"><option>-e
113
 
        <replaceable>ADDRESS</replaceable></option></arg>
114
 
      </group>
115
 
      <sbr/>
116
 
      <group>
117
 
        <arg choice="plain"><option>--comment
118
 
        <replaceable>TEXT</replaceable></option></arg>
119
 
        <arg choice="plain"><option>-c
120
 
        <replaceable>TEXT</replaceable></option></arg>
121
 
      </group>
122
 
      <sbr/>
123
 
      <group>
124
 
        <arg choice="plain"><option>--expire
125
 
        <replaceable>TIME</replaceable></option></arg>
126
 
        <arg choice="plain"><option>-x
127
 
        <replaceable>TIME</replaceable></option></arg>
128
 
      </group>
129
 
      <sbr/>
130
 
      <group>
131
 
        <arg choice="plain"><option>--tls-keytype
132
 
        <replaceable>KEYTYPE</replaceable></option></arg>
133
 
        <arg choice="plain"><option>-T
134
 
        <replaceable>KEYTYPE</replaceable></option></arg>
135
 
      </group>
136
 
      <sbr/>
137
 
      <group>
 
76
      <group choice="opt">
 
77
        <arg choice="plain"><option>--dir</option>
 
78
        <replaceable>directory</replaceable></arg>
 
79
      </group>
 
80
      <group choice="opt">
 
81
        <arg choice="plain"><option>--type</option>
 
82
        <replaceable>type</replaceable></arg>
 
83
      </group>
 
84
      <group choice="opt">
 
85
        <arg choice="plain"><option>--length</option>
 
86
        <replaceable>bits</replaceable></arg>
 
87
      </group>
 
88
      <group choice="opt">
 
89
        <arg choice="plain"><option>--subtype</option>
 
90
        <replaceable>type</replaceable></arg>
 
91
      </group>
 
92
      <group choice="opt">
 
93
        <arg choice="plain"><option>--sublength</option>
 
94
        <replaceable>bits</replaceable></arg>
 
95
      </group>
 
96
      <group choice="opt">
 
97
        <arg choice="plain"><option>--name</option>
 
98
        <replaceable>NAME</replaceable></arg>
 
99
      </group>
 
100
      <group choice="opt">
 
101
        <arg choice="plain"><option>--email</option>
 
102
        <replaceable>EMAIL</replaceable></arg>
 
103
      </group>
 
104
      <group choice="opt">
 
105
        <arg choice="plain"><option>--comment</option>
 
106
        <replaceable>COMMENT</replaceable></arg>
 
107
      </group>
 
108
      <group choice="opt">
 
109
        <arg choice="plain"><option>--expire</option>
 
110
        <replaceable>TIME</replaceable></arg>
 
111
      </group>
 
112
      <group choice="opt">
138
113
        <arg choice="plain"><option>--force</option></arg>
 
114
      </group>
 
115
    </cmdsynopsis>
 
116
    <cmdsynopsis>
 
117
      <command>&COMMANDNAME;</command>
 
118
      <group choice="opt">
 
119
        <arg choice="plain"><option>-d</option>
 
120
        <replaceable>directory</replaceable></arg>
 
121
      </group>
 
122
      <group choice="opt">
 
123
        <arg choice="plain"><option>-t</option>
 
124
        <replaceable>type</replaceable></arg>
 
125
      </group>
 
126
      <group choice="opt">
 
127
        <arg choice="plain"><option>-l</option>
 
128
        <replaceable>bits</replaceable></arg>
 
129
      </group>
 
130
      <group choice="opt">
 
131
        <arg choice="plain"><option>-s</option>
 
132
        <replaceable>type</replaceable></arg>
 
133
      </group>
 
134
      <group choice="opt">
 
135
        <arg choice="plain"><option>-L</option>
 
136
        <replaceable>bits</replaceable></arg>
 
137
      </group>
 
138
      <group choice="opt">
 
139
        <arg choice="plain"><option>-n</option>
 
140
        <replaceable>NAME</replaceable></arg>
 
141
      </group>
 
142
      <group choice="opt">
 
143
        <arg choice="plain"><option>-e</option>
 
144
        <replaceable>EMAIL</replaceable></arg>
 
145
      </group>
 
146
      <group choice="opt">
 
147
        <arg choice="plain"><option>-c</option>
 
148
        <replaceable>COMMENT</replaceable></arg>
 
149
      </group>
 
150
      <group choice="opt">
 
151
        <arg choice="plain"><option>-x</option>
 
152
        <replaceable>TIME</replaceable></arg>
 
153
      </group>
 
154
      <group choice="opt">
139
155
        <arg choice="plain"><option>-f</option></arg>
140
156
      </group>
141
157
    </cmdsynopsis>
142
158
    <cmdsynopsis>
143
159
      <command>&COMMANDNAME;</command>
144
160
      <group choice="req">
145
 
        <arg choice="plain"><option>--password</option></arg>
146
 
        <arg choice="plain"><option>-p</option></arg>
147
 
        <arg choice="plain"><option>--passfile
148
 
        <replaceable>FILE</replaceable></option></arg>
149
 
        <arg choice="plain"><option>-F</option>
150
 
        <replaceable>FILE</replaceable></arg>
151
 
      </group>
152
 
      <sbr/>
153
 
      <group>
154
 
        <arg choice="plain"><option>--dir
155
 
        <replaceable>DIRECTORY</replaceable></option></arg>
156
 
        <arg choice="plain"><option>-d
157
 
        <replaceable>DIRECTORY</replaceable></option></arg>
158
 
      </group>
159
 
      <sbr/>
160
 
      <group>
161
 
        <arg choice="plain"><option>--name
162
 
        <replaceable>NAME</replaceable></option></arg>
163
 
        <arg choice="plain"><option>-n
164
 
        <replaceable>NAME</replaceable></option></arg>
165
 
      </group>
166
 
      <group>
167
 
        <arg choice="plain"><option>--no-ssh</option></arg>
168
 
        <arg choice="plain"><option>-S</option></arg>
169
 
      </group>
170
 
    </cmdsynopsis>
171
 
    <cmdsynopsis>
172
 
      <command>&COMMANDNAME;</command>
173
 
      <group choice="req">
 
161
        <arg choice="plain"><option>-h</option></arg>
174
162
        <arg choice="plain"><option>--help</option></arg>
175
 
        <arg choice="plain"><option>-h</option></arg>
176
163
      </group>
177
164
    </cmdsynopsis>
178
165
    <cmdsynopsis>
179
166
      <command>&COMMANDNAME;</command>
180
167
      <group choice="req">
 
168
        <arg choice="plain"><option>-v</option></arg>
181
169
        <arg choice="plain"><option>--version</option></arg>
182
 
        <arg choice="plain"><option>-v</option></arg>
183
170
      </group>
184
171
    </cmdsynopsis>
185
172
  </refsynopsisdiv>
186
 
  
 
173
 
187
174
  <refsect1 id="description">
188
175
    <title>DESCRIPTION</title>
189
176
    <para>
190
177
      <command>&COMMANDNAME;</command> is a program to generate the
191
 
      TLS and OpenPGP keys used by
192
 
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
 
178
      OpenPGP keys used by
 
179
      <citerefentry><refentrytitle>password-request</refentrytitle>
193
180
      <manvolnum>8mandos</manvolnum></citerefentry>.  The keys are
194
 
      normally written to /etc/keys/mandos for later installation into
195
 
      the initrd image, but this, and most other things, can be
196
 
      changed with command line options.
197
 
    </para>
198
 
    <para>
199
 
      This program can also be used with the
200
 
      <option>--password</option> or <option>--passfile</option>
201
 
      options to generate a ready-made section for
202
 
      <filename>clients.conf</filename> (see
203
 
      <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
204
 
      <manvolnum>5</manvolnum></citerefentry>).
 
181
      normally written to /etc/mandos for later installation into the
 
182
      initrd image, but this, like most things, can be changed with
 
183
      command line options.
205
184
    </para>
206
185
  </refsect1>
207
186
  
208
187
  <refsect1 id="purpose">
209
188
    <title>PURPOSE</title>
 
189
 
210
190
    <para>
211
191
      The purpose of this is to enable <emphasis>remote and unattended
212
192
      rebooting</emphasis> of client host computer with an
213
193
      <emphasis>encrypted root file system</emphasis>.  See <xref
214
194
      linkend="overview"/> for details.
215
195
    </para>
 
196
 
216
197
  </refsect1>
217
198
  
218
199
  <refsect1 id="options">
219
200
    <title>OPTIONS</title>
220
 
    
 
201
 
221
202
    <variablelist>
222
203
      <varlistentry>
223
 
        <term><option>--help</option></term>
224
 
        <term><option>-h</option></term>
 
204
        <term><literal>-h</literal>, <literal>--help</literal></term>
225
205
        <listitem>
226
206
          <para>
227
207
            Show a help message and exit
228
208
          </para>
229
209
        </listitem>
230
210
      </varlistentry>
231
 
      
232
 
      <varlistentry>
233
 
        <term><option>--dir
234
 
        <replaceable>DIRECTORY</replaceable></option></term>
235
 
        <term><option>-d
236
 
        <replaceable>DIRECTORY</replaceable></option></term>
237
 
        <listitem>
238
 
          <para>
239
 
            Target directory for key files.  Default is <filename
240
 
            class="directory">/etc/keys/mandos</filename>.
241
 
          </para>
242
 
        </listitem>
243
 
      </varlistentry>
244
 
      
245
 
      <varlistentry>
246
 
        <term><option>--type
247
 
        <replaceable>TYPE</replaceable></option></term>
248
 
        <term><option>-t
249
 
        <replaceable>TYPE</replaceable></option></term>
250
 
        <listitem>
251
 
          <para>
252
 
            OpenPGP key type.  Default is <quote>RSA</quote>.
253
 
          </para>
254
 
        </listitem>
255
 
      </varlistentry>
256
 
      
257
 
      <varlistentry>
258
 
        <term><option>--length
259
 
        <replaceable>BITS</replaceable></option></term>
260
 
        <term><option>-l
261
 
        <replaceable>BITS</replaceable></option></term>
262
 
        <listitem>
263
 
          <para>
264
 
            OpenPGP key length in bits.  Default is 4096.
265
 
          </para>
266
 
        </listitem>
267
 
      </varlistentry>
268
 
      
269
 
      <varlistentry>
270
 
        <term><option>--subtype
271
 
        <replaceable>KEYTYPE</replaceable></option></term>
272
 
        <term><option>-s
273
 
        <replaceable>KEYTYPE</replaceable></option></term>
274
 
        <listitem>
275
 
          <para>
276
 
            OpenPGP subkey type.  Default is <quote>RSA</quote>
277
 
          </para>
278
 
        </listitem>
279
 
      </varlistentry>
280
 
      
281
 
      <varlistentry>
282
 
        <term><option>--sublength
283
 
        <replaceable>BITS</replaceable></option></term>
284
 
        <term><option>-L
285
 
        <replaceable>BITS</replaceable></option></term>
286
 
        <listitem>
287
 
          <para>
288
 
            OpenPGP subkey length in bits.  Default is 4096.
289
 
          </para>
290
 
        </listitem>
291
 
      </varlistentry>
292
 
      
293
 
      <varlistentry>
294
 
        <term><option>--email
295
 
        <replaceable>ADDRESS</replaceable></option></term>
296
 
        <term><option>-e
297
 
        <replaceable>ADDRESS</replaceable></option></term>
 
211
 
 
212
      <varlistentry>
 
213
        <term><literal>-d</literal>, <literal>--dir
 
214
        <replaceable>directory</replaceable></literal></term>
 
215
        <listitem>
 
216
          <para>
 
217
            Target directory for key files.
 
218
          </para>
 
219
        </listitem>
 
220
      </varlistentry>
 
221
 
 
222
      <varlistentry>
 
223
        <term><literal>-t</literal>, <literal>--type
 
224
        <replaceable>type</replaceable></literal></term>
 
225
        <listitem>
 
226
          <para>
 
227
            Key type.  Default is <quote>DSA</quote>.
 
228
          </para>
 
229
        </listitem>
 
230
      </varlistentry>
 
231
 
 
232
      <varlistentry>
 
233
        <term><literal>-l</literal>, <literal>--length
 
234
        <replaceable>bits</replaceable></literal></term>
 
235
        <listitem>
 
236
          <para>
 
237
            Key length in bits.  Default is 1024.
 
238
          </para>
 
239
        </listitem>
 
240
      </varlistentry>
 
241
 
 
242
      <varlistentry>
 
243
        <term><literal>-s</literal>, <literal>--subtype
 
244
        <replaceable>type</replaceable></literal></term>
 
245
        <listitem>
 
246
          <para>
 
247
            Subkey type.  Default is <quote>ELG-E</quote> (Elgamal
 
248
            encryption-only).
 
249
          </para>
 
250
        </listitem>
 
251
      </varlistentry>
 
252
 
 
253
      <varlistentry>
 
254
        <term><literal>-L</literal>, <literal>--sublength
 
255
        <replaceable>bits</replaceable></literal></term>
 
256
        <listitem>
 
257
          <para>
 
258
            Subkey length in bits.  Default is 2048.
 
259
          </para>
 
260
        </listitem>
 
261
      </varlistentry>
 
262
 
 
263
      <varlistentry>
 
264
        <term><literal>-e</literal>, <literal>--email</literal>
 
265
        <replaceable>address</replaceable></term>
298
266
        <listitem>
299
267
          <para>
300
268
            Email address of key.  Default is empty.
301
269
          </para>
302
270
        </listitem>
303
271
      </varlistentry>
304
 
      
 
272
 
305
273
      <varlistentry>
306
 
        <term><option>--comment
307
 
        <replaceable>TEXT</replaceable></option></term>
308
 
        <term><option>-c
309
 
        <replaceable>TEXT</replaceable></option></term>
 
274
        <term><literal>-c</literal>, <literal>--comment</literal>
 
275
        <replaceable>comment</replaceable></term>
310
276
        <listitem>
311
277
          <para>
312
 
            Comment field for key.  Default is empty.
 
278
            Comment field for key.  The default value is
 
279
            <quote><literal>Mandos client key</literal></quote>.
313
280
          </para>
314
281
        </listitem>
315
282
      </varlistentry>
316
 
      
 
283
 
317
284
      <varlistentry>
318
 
        <term><option>--expire
319
 
        <replaceable>TIME</replaceable></option></term>
320
 
        <term><option>-x
321
 
        <replaceable>TIME</replaceable></option></term>
 
285
        <term><literal>-x</literal>, <literal>--expire</literal>
 
286
        <replaceable>time</replaceable></term>
322
287
        <listitem>
323
288
          <para>
324
289
            Key expire time.  Default is no expiration.  See
327
292
          </para>
328
293
        </listitem>
329
294
      </varlistentry>
330
 
      
331
 
      <varlistentry>
332
 
        <term><option>--tls-keytype
333
 
        <replaceable>KEYTYPE</replaceable></option></term>
334
 
        <term><option>-T
335
 
        <replaceable>KEYTYPE</replaceable></option></term>
336
 
        <listitem>
337
 
          <para>
338
 
            TLS key type.  Default is <quote>ed25519</quote>
339
 
          </para>
340
 
        </listitem>
341
 
      </varlistentry>
342
 
      
343
 
      <varlistentry>
344
 
        <term><option>--force</option></term>
345
 
        <term><option>-f</option></term>
346
 
        <listitem>
347
 
          <para>
348
 
            Force overwriting old key.
349
 
          </para>
350
 
        </listitem>
351
 
      </varlistentry>
352
 
      <varlistentry>
353
 
        <term><option>--password</option></term>
354
 
        <term><option>-p</option></term>
355
 
        <listitem>
356
 
          <para>
357
 
            Prompt for a password and encrypt it with the key already
358
 
            present in either <filename>/etc/keys/mandos</filename> or
359
 
            the directory specified with the <option>--dir</option>
360
 
            option.  Outputs, on standard output, a section suitable
361
 
            for inclusion in <citerefentry><refentrytitle
362
 
            >mandos-clients.conf</refentrytitle><manvolnum
363
 
            >8</manvolnum></citerefentry>.  The host name or the name
364
 
            specified with the <option>--name</option> option is used
365
 
            for the section header.  All other options are ignored,
366
 
            and no key is created.
367
 
          </para>
368
 
        </listitem>
369
 
      </varlistentry>
370
 
      <varlistentry>
371
 
        <term><option>--passfile
372
 
        <replaceable>FILE</replaceable></option></term>
373
 
        <term><option>-F
374
 
        <replaceable>FILE</replaceable></option></term>
375
 
        <listitem>
376
 
          <para>
377
 
            The same as <option>--password</option>, but read from
378
 
            <replaceable>FILE</replaceable>, not the terminal.
379
 
          </para>
380
 
        </listitem>
381
 
      </varlistentry>
382
 
      <varlistentry>
383
 
        <term><option>--no-ssh</option></term>
384
 
        <term><option>-S</option></term>
385
 
        <listitem>
386
 
          <para>
387
 
            When <option>--password</option> or
388
 
            <option>--passfile</option> is given, this option will
389
 
            prevent <command>&COMMANDNAME;</command> from calling
390
 
            <command>ssh-keyscan</command> to get an SSH fingerprint
391
 
            for this host and, if successful, output suitable config
392
 
            options to use this fingerprint as a
393
 
            <option>checker</option> option in the output.  This is
394
 
            otherwise the default behavior.
 
295
 
 
296
      <varlistentry>
 
297
        <term><literal>-f</literal>, <literal>--force</literal></term>
 
298
        <listitem>
 
299
          <para>
 
300
            Force overwriting old keys.
395
301
          </para>
396
302
        </listitem>
397
303
      </varlistentry>
398
304
    </variablelist>
399
305
  </refsect1>
400
 
  
 
306
 
401
307
  <refsect1 id="overview">
402
308
    <title>OVERVIEW</title>
403
309
    <xi:include href="overview.xml"/>
404
310
    <para>
405
 
      This program is a small utility to generate new TLS and OpenPGP
406
 
      keys for new Mandos clients, and to generate sections for
407
 
      inclusion in <filename>clients.conf</filename> on the server.
 
311
      This program is a small utility to generate new OpenPGP keys for
 
312
      new Mandos clients.
408
313
    </para>
409
314
  </refsect1>
410
 
  
 
315
 
411
316
  <refsect1 id="exit_status">
412
317
    <title>EXIT STATUS</title>
413
318
    <para>
414
 
      The exit status will be 0 if a new key (or password, if the
415
 
      <option>--password</option> option was used) was successfully
416
 
      created, otherwise not.
 
319
      The exit status will be 0 if new keys were successfully created,
 
320
      otherwise not.
417
321
    </para>
418
322
  </refsect1>
419
323
  
421
325
    <title>ENVIRONMENT</title>
422
326
    <variablelist>
423
327
      <varlistentry>
424
 
        <term><envar>TMPDIR</envar></term>
 
328
        <term><varname>TMPDIR</varname></term>
425
329
        <listitem>
426
330
          <para>
427
331
            If set, temporary files will be created here. See
433
337
    </variablelist>
434
338
  </refsect1>
435
339
  
436
 
  <refsect1 id="files">
 
340
  <refsect1 id="file">
437
341
    <title>FILES</title>
438
342
    <para>
439
343
      Use the <option>--dir</option> option to change where
442
346
    </para>
443
347
    <variablelist>
444
348
      <varlistentry>
445
 
        <term><filename>/etc/keys/mandos/seckey.txt</filename></term>
 
349
        <term><filename>/etc/mandos/seckey.txt</filename></term>
446
350
        <listitem>
447
351
          <para>
448
352
            OpenPGP secret key file which will be created or
451
355
        </listitem>
452
356
      </varlistentry>
453
357
      <varlistentry>
454
 
        <term><filename>/etc/keys/mandos/pubkey.txt</filename></term>
 
358
        <term><filename>/etc/mandos/pubkey.txt</filename></term>
455
359
        <listitem>
456
360
          <para>
457
361
            OpenPGP public key file which will be created or
460
364
        </listitem>
461
365
      </varlistentry>
462
366
      <varlistentry>
463
 
        <term><filename>/etc/keys/mandos/tls-privkey.pem</filename></term>
464
 
        <listitem>
465
 
          <para>
466
 
            Private key file which will be created or overwritten.
467
 
          </para>
468
 
        </listitem>
469
 
      </varlistentry>
470
 
      <varlistentry>
471
 
        <term><filename>/etc/keys/mandos/tls-pubkey.pem</filename></term>
472
 
        <listitem>
473
 
          <para>
474
 
            Public key file which will be created or overwritten.
475
 
          </para>
476
 
        </listitem>
477
 
      </varlistentry>
478
 
      <varlistentry>
479
 
        <term><filename class="directory">/tmp</filename></term>
 
367
        <term><filename>/tmp</filename></term>
480
368
        <listitem>
481
369
          <para>
482
370
            Temporary files will be written here if
486
374
      </varlistentry>
487
375
    </variablelist>
488
376
  </refsect1>
489
 
  
 
377
 
490
378
  <refsect1 id="bugs">
491
379
    <title>BUGS</title>
492
 
    <xi:include href="bugs.xml"/>
 
380
    <para>
 
381
      None are known at this time.
 
382
    </para>
493
383
  </refsect1>
494
 
  
 
384
 
495
385
  <refsect1 id="example">
496
386
    <title>EXAMPLE</title>
497
387
    <informalexample>
499
389
        Normal invocation needs no options:
500
390
      </para>
501
391
      <para>
502
 
        <userinput>&COMMANDNAME;</userinput>
 
392
        <userinput>mandos-keygen</userinput>
503
393
      </para>
504
394
    </informalexample>
505
395
    <informalexample>
506
396
      <para>
507
 
        Create key in another directory and of another type.  Force
 
397
        Create keys in another directory and of another type.  Force
508
398
        overwriting old key files:
509
399
      </para>
510
400
      <para>
511
401
 
512
402
<!-- do not wrap this line -->
513
 
<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>
514
 
 
515
 
      </para>
516
 
    </informalexample>
517
 
    <informalexample>
518
 
      <para>
519
 
        Prompt for a password, encrypt it with the keys in <filename
520
 
        class="directory">/etc/keys/mandos</filename> and output a
521
 
        section suitable for <filename>clients.conf</filename>.
522
 
      </para>
523
 
      <para>
524
 
        <userinput>&COMMANDNAME; --password</userinput>
525
 
      </para>
526
 
    </informalexample>
527
 
    <informalexample>
528
 
      <para>
529
 
        Prompt for a password, encrypt it with the keys in the
530
 
        <filename>client-key</filename> directory and output a section
531
 
        suitable for <filename>clients.conf</filename>.
532
 
      </para>
533
 
      <para>
534
 
 
535
 
<!-- do not wrap this line -->
536
 
<userinput>&COMMANDNAME; --password --dir client-key</userinput>
 
403
<userinput>mandos-keygen --dir ~/keydir --type RSA --force</userinput>
537
404
 
538
405
      </para>
539
406
    </informalexample>
540
407
  </refsect1>
541
 
  
 
408
 
542
409
  <refsect1 id="security">
543
410
    <title>SECURITY</title>
544
411
    <para>
545
412
      The <option>--type</option>, <option>--length</option>,
546
413
      <option>--subtype</option>, and <option>--sublength</option>
547
 
      options can be used to create keys of low security.  If in
548
 
      doubt, leave them to the default values.
 
414
      options can be used to create keys of insufficient security.  If
 
415
      in doubt, leave them to the default values.
549
416
    </para>
550
417
    <para>
551
 
      The key expire time is <emphasis>not</emphasis> guaranteed to be
552
 
      honored by <citerefentry><refentrytitle>mandos</refentrytitle>
 
418
      The key expire time is not guaranteed to be honored by
 
419
      <citerefentry><refentrytitle>mandos</refentrytitle>
553
420
      <manvolnum>8</manvolnum></citerefentry>.
554
421
    </para>
555
422
  </refsect1>
556
 
  
 
423
 
557
424
  <refsect1 id="see_also">
558
425
    <title>SEE ALSO</title>
559
426
    <para>
560
 
      <citerefentry><refentrytitle>intro</refentrytitle>
 
427
      <citerefentry><refentrytitle>password-request</refentrytitle>
561
428
      <manvolnum>8mandos</manvolnum></citerefentry>,
 
429
      <citerefentry><refentrytitle>mandos</refentrytitle>
 
430
      <manvolnum>8</manvolnum></citerefentry>,
562
431
      <citerefentry><refentrytitle>gpg</refentrytitle>
563
 
      <manvolnum>1</manvolnum></citerefentry>,
564
 
      <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
565
 
      <manvolnum>5</manvolnum></citerefentry>,
566
 
      <citerefentry><refentrytitle>mandos</refentrytitle>
567
 
      <manvolnum>8</manvolnum></citerefentry>,
568
 
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
569
 
      <manvolnum>8mandos</manvolnum></citerefentry>,
570
 
      <citerefentry><refentrytitle>ssh-keyscan</refentrytitle>
571
432
      <manvolnum>1</manvolnum></citerefentry>
572
433
    </para>
573
434
  </refsect1>
574
435
  
575
436
</refentry>
576
 
<!-- Local Variables: -->
577
 
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
578
 
<!-- time-stamp-end: "[\"']>" -->
579
 
<!-- time-stamp-format: "%:y-%02m-%02d" -->
580
 
<!-- End: -->