Viewing changes to mandos-keygen.xml

  • Committer: Teddy Hogeborn
  • Date: 2008-08-24 10:49:09 UTC
  • mfrom: (24.1.63 mandos)
  • Revision ID: teddy@fukt.bsnet.se-20080824104909-loh761dpgglkvos1
* mandos (fingerprint): Bug fix: Check crtverify.value, not crtverify.

* mandos-keygen (password): Also print "host = ".

* plugins.d/password-request.c (pgp_packet_decrypt): Only print
                                                     detailed result
                                                     of decryption if
                                                     it failed.

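--- a/mandos-keygen.xml
+++ b/mandos-keygen.xml
@@ -1,53 +1,62 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
         "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY VERSION "1.0">
 <!ENTITY COMMANDNAME "mandos-keygen">
-<!ENTITY TIMESTAMP "2019-02-10">
-<!ENTITY % common SYSTEM "common.ent">
-%common;
 ]>
 
 <refentry xmlns:xi="http://www.w3.org/2001/XInclude">
   <refentryinfo>
-    <title>Mandos Manual</title>
+    <title>&COMMANDNAME;</title>
     <!-- NWalsh’s docbook scripts use this to generate the footer: -->
-    <productname>Mandos</productname>
-    <productnumber>&version;</productnumber>
-    <date>&TIMESTAMP;</date>
+    <productname>&COMMANDNAME;</productname>
+    <productnumber>&VERSION;</productnumber>
     <authorgroup>
       <author>
         <firstname>Björn</firstname>
         <surname>Påhlsson</surname>
         <address>
-          <email>belorn@recompile.se</email>
+          <email>belorn@fukt.bsnet.se</email>
         </address>
       </author>
       <author>
         <firstname>Teddy</firstname>
         <surname>Hogeborn</surname>
         <address>
-          <email>teddy@recompile.se</email>
+          <email>teddy@fukt.bsnet.se</email>
         </address>
       </author>
     </authorgroup>
     <copyright>
       <year>2008</year>
-      <year>2009</year>
-      <year>2010</year>
-      <year>2011</year>
-      <year>2012</year>
-      <year>2013</year>
-      <year>2014</year>
-      <year>2015</year>
-      <year>2016</year>
-      <year>2017</year>
-      <year>2018</year>
       <holder>Teddy Hogeborn</holder>
       <holder>Björn Påhlsson</holder>
     </copyright>
-    <xi:include href="legalnotice.xml"/>
+    <legalnotice>
+      <para>
+        This manual page is free software: you can redistribute it
+        and/or modify it under the terms of the GNU General Public
+        License as published by the Free Software Foundation,
+        either version 3 of the License, or (at your option) any
+        later version.
+      </para>
+
+      <para>
+        This manual page is distributed in the hope that it will
+        be useful, but WITHOUT ANY WARRANTY; without even the
+        implied warranty of MERCHANTABILITY or FITNESS FOR A
+        PARTICULAR PURPOSE.  See the GNU General Public License
+        for more details.
+      </para>
+
+      <para>
+        You should have received a copy of the GNU General Public
+        License along with this program; If not, see
+        <ulink url="http://www.gnu.org/licenses/"/>.
+      </para>
+    </legalnotice>
   </refentryinfo>
-  
+
   <refmeta>
     <refentrytitle>&COMMANDNAME;</refentrytitle>
     <manvolnum>8</manvolnum>
@@ -56,268 +65,247 @@
   <refnamediv>
     <refname><command>&COMMANDNAME;</command></refname>
     <refpurpose>
-      Generate key and password for Mandos client and server.
+      Generate keys for <citerefentry><refentrytitle>password-request
+      </refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>
     </refpurpose>
   </refnamediv>
-  
+
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>&COMMANDNAME;</command>
-      <group>
-        <arg choice="plain"><option>--dir
-        <replaceable>DIRECTORY</replaceable></option></arg>
-        <arg choice="plain"><option>-d
-        <replaceable>DIRECTORY</replaceable></option></arg>
-      </group>
-      <sbr/>
-      <group>
-        <arg choice="plain"><option>--type
-        <replaceable>KEYTYPE</replaceable></option></arg>
-        <arg choice="plain"><option>-t
-        <replaceable>KEYTYPE</replaceable></option></arg>
-      </group>
-      <sbr/>
-      <group>
-        <arg choice="plain"><option>--length
-        <replaceable>BITS</replaceable></option></arg>
-        <arg choice="plain"><option>-l
-        <replaceable>BITS</replaceable></option></arg>
-      </group>
-      <sbr/>
-      <group>
-        <arg choice="plain"><option>--subtype
-        <replaceable>KEYTYPE</replaceable></option></arg>
-        <arg choice="plain"><option>-s
-        <replaceable>KEYTYPE</replaceable></option></arg>
-      </group>
-      <sbr/>
-      <group>
-        <arg choice="plain"><option>--sublength
-        <replaceable>BITS</replaceable></option></arg>
-        <arg choice="plain"><option>-L
-        <replaceable>BITS</replaceable></option></arg>
-      </group>
-      <sbr/>
-      <group>
-        <arg choice="plain"><option>--name
-        <replaceable>NAME</replaceable></option></arg>
-        <arg choice="plain"><option>-n
-        <replaceable>NAME</replaceable></option></arg>
-      </group>
-      <sbr/>
-      <group>
-        <arg choice="plain"><option>--email
-        <replaceable>ADDRESS</replaceable></option></arg>
-        <arg choice="plain"><option>-e
-        <replaceable>ADDRESS</replaceable></option></arg>
-      </group>
-      <sbr/>
-      <group>
-        <arg choice="plain"><option>--comment
-        <replaceable>TEXT</replaceable></option></arg>
-        <arg choice="plain"><option>-c
-        <replaceable>TEXT</replaceable></option></arg>
-      </group>
-      <sbr/>
-      <group>
-        <arg choice="plain"><option>--expire
-        <replaceable>TIME</replaceable></option></arg>
-        <arg choice="plain"><option>-x
-        <replaceable>TIME</replaceable></option></arg>
-      </group>
-      <sbr/>
-      <group>
-        <arg choice="plain"><option>--tls-keytype
-        <replaceable>KEYTYPE</replaceable></option></arg>
-        <arg choice="plain"><option>-T
-        <replaceable>KEYTYPE</replaceable></option></arg>
-      </group>
-      <sbr/>
-      <group>
+      <group choice="opt">
+        <arg choice="plain"><option>--dir</option>
+        <replaceable>directory</replaceable></arg>
+      </group>
+      <group choice="opt">
+        <arg choice="plain"><option>--type</option>
+        <replaceable>type</replaceable></arg>
+      </group>
+      <group choice="opt">
+        <arg choice="plain"><option>--length</option>
+        <replaceable>bits</replaceable></arg>
+      </group>
+      <group choice="opt">
+        <arg choice="plain"><option>--subtype</option>
+        <replaceable>type</replaceable></arg>
+      </group>
+      <group choice="opt">
+        <arg choice="plain"><option>--sublength</option>
+        <replaceable>bits</replaceable></arg>
+      </group>
+      <group choice="opt">
+        <arg choice="plain"><option>--name</option>
+        <replaceable>NAME</replaceable></arg>
+      </group>
+      <group choice="opt">
+        <arg choice="plain"><option>--email</option>
+        <replaceable>EMAIL</replaceable></arg>
+      </group>
+      <group choice="opt">
+        <arg choice="plain"><option>--comment</option>
+        <replaceable>COMMENT</replaceable></arg>
+      </group>
+      <group choice="opt">
+        <arg choice="plain"><option>--expire</option>
+        <replaceable>TIME</replaceable></arg>
+      </group>
+      <group choice="opt">
         <arg choice="plain"><option>--force</option></arg>
+      </group>
+    </cmdsynopsis>
+    <cmdsynopsis>
+      <command>&COMMANDNAME;</command>
+      <group choice="opt">
+        <arg choice="plain"><option>-d</option>
+        <replaceable>directory</replaceable></arg>
+      </group>
+      <group choice="opt">
+        <arg choice="plain"><option>-t</option>
+        <replaceable>type</replaceable></arg>
+      </group>
+      <group choice="opt">
+        <arg choice="plain"><option>-l</option>
+        <replaceable>bits</replaceable></arg>
+      </group>
+      <group choice="opt">
+        <arg choice="plain"><option>-s</option>
+        <replaceable>type</replaceable></arg>
+      </group>
+      <group choice="opt">
+        <arg choice="plain"><option>-L</option>
+        <replaceable>bits</replaceable></arg>
+      </group>
+      <group choice="opt">
+        <arg choice="plain"><option>-n</option>
+        <replaceable>NAME</replaceable></arg>
+      </group>
+      <group choice="opt">
+        <arg choice="plain"><option>-e</option>
+        <replaceable>EMAIL</replaceable></arg>
+      </group>
+      <group choice="opt">
+        <arg choice="plain"><option>-c</option>
+        <replaceable>COMMENT</replaceable></arg>
+      </group>
+      <group choice="opt">
+        <arg choice="plain"><option>-x</option>
+        <replaceable>TIME</replaceable></arg>
+      </group>
+      <group choice="opt">
         <arg choice="plain"><option>-f</option></arg>
       </group>
     </cmdsynopsis>
     <cmdsynopsis>
       <command>&COMMANDNAME;</command>
       <group choice="req">
+        <arg choice="plain"><option>-p</option></arg>
         <arg choice="plain"><option>--password</option></arg>
-        <arg choice="plain"><option>-p</option></arg>
-        <arg choice="plain"><option>--passfile
-        <replaceable>FILE</replaceable></option></arg>
-        <arg choice="plain"><option>-F</option>
-        <replaceable>FILE</replaceable></arg>
-      </group>
-      <sbr/>
-      <group>
-        <arg choice="plain"><option>--dir
-        <replaceable>DIRECTORY</replaceable></option></arg>
-        <arg choice="plain"><option>-d
-        <replaceable>DIRECTORY</replaceable></option></arg>
-      </group>
-      <sbr/>
-      <group>
-        <arg choice="plain"><option>--name
-        <replaceable>NAME</replaceable></option></arg>
-        <arg choice="plain"><option>-n
-        <replaceable>NAME</replaceable></option></arg>
-      </group>
-      <group>
-        <arg choice="plain"><option>--no-ssh</option></arg>
-        <arg choice="plain"><option>-S</option></arg>
+      </group>
+      <group choice="opt">
+        <arg choice="plain"><option>--dir</option>
+        <replaceable>directory</replaceable></arg>
+      </group>
+      <group choice="opt">
+        <arg choice="plain"><option>--name</option>
+        <replaceable>NAME</replaceable></arg>
       </group>
     </cmdsynopsis>
     <cmdsynopsis>
       <command>&COMMANDNAME;</command>
       <group choice="req">
+        <arg choice="plain"><option>-h</option></arg>
         <arg choice="plain"><option>--help</option></arg>
-        <arg choice="plain"><option>-h</option></arg>
       </group>
     </cmdsynopsis>
     <cmdsynopsis>
       <command>&COMMANDNAME;</command>
       <group choice="req">
+        <arg choice="plain"><option>-v</option></arg>
         <arg choice="plain"><option>--version</option></arg>
-        <arg choice="plain"><option>-v</option></arg>
       </group>
     </cmdsynopsis>
   </refsynopsisdiv>
-  
+
   <refsect1 id="description">
     <title>DESCRIPTION</title>
     <para>
       <command>&COMMANDNAME;</command> is a program to generate the
-      TLS and OpenPGP keys used by
-      <citerefentry><refentrytitle>mandos-client</refentrytitle>
+      OpenPGP keys used by
+      <citerefentry><refentrytitle>password-request</refentrytitle>
       <manvolnum>8mandos</manvolnum></citerefentry>.  The keys are
-      normally written to /etc/keys/mandos for later installation into
-      the initrd image, but this, and most other things, can be
-      changed with command line options.
+      normally written to /etc/mandos for later installation into the
+      initrd image, but this, like most things, can be changed with
+      command line options.
     </para>
     <para>
-      This program can also be used with the
-      <option>--password</option> or <option>--passfile</option>
-      options to generate a ready-made section for
-      <filename>clients.conf</filename> (see
+      It can also be used to generate ready-made sections for
       <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
-      <manvolnum>5</manvolnum></citerefentry>).
+      <manvolnum>5</manvolnum></citerefentry> using the
+      <option>--password</option> option.
     </para>
   </refsect1>
   
   <refsect1 id="purpose">
     <title>PURPOSE</title>
+
     <para>
       The purpose of this is to enable <emphasis>remote and unattended
       rebooting</emphasis> of client host computer with an
       <emphasis>encrypted root file system</emphasis>.  See <xref
       linkend="overview"/> for details.
     </para>
+
   </refsect1>
   
   <refsect1 id="options">
     <title>OPTIONS</title>
-    
+
     <variablelist>
       <varlistentry>
-        <term><option>--help</option></term>
-        <term><option>-h</option></term>
+        <term><literal>-h</literal>, <literal>--help</literal></term>
         <listitem>
           <para>
             Show a help message and exit
           </para>
         </listitem>
       </varlistentry>
-      
-      <varlistentry>
-        <term><option>--dir
-        <replaceable>DIRECTORY</replaceable></option></term>
-        <term><option>-d
-        <replaceable>DIRECTORY</replaceable></option></term>
-        <listitem>
-          <para>
-            Target directory for key files.  Default is <filename
-            class="directory">/etc/keys/mandos</filename>.
-          </para>
-        </listitem>
-      </varlistentry>
-      
-      <varlistentry>
-        <term><option>--type
-        <replaceable>TYPE</replaceable></option></term>
-        <term><option>-t
-        <replaceable>TYPE</replaceable></option></term>
-        <listitem>
-          <para>
-            OpenPGP key type.  Default is <quote>RSA</quote>.
-          </para>
-        </listitem>
-      </varlistentry>
-      
-      <varlistentry>
-        <term><option>--length
-        <replaceable>BITS</replaceable></option></term>
-        <term><option>-l
-        <replaceable>BITS</replaceable></option></term>
-        <listitem>
-          <para>
-            OpenPGP key length in bits.  Default is 4096.
-          </para>
-        </listitem>
-      </varlistentry>
-      
-      <varlistentry>
-        <term><option>--subtype
-        <replaceable>KEYTYPE</replaceable></option></term>
-        <term><option>-s
-        <replaceable>KEYTYPE</replaceable></option></term>
-        <listitem>
-          <para>
-            OpenPGP subkey type.  Default is <quote>RSA</quote>
-          </para>
-        </listitem>
-      </varlistentry>
-      
-      <varlistentry>
-        <term><option>--sublength
-        <replaceable>BITS</replaceable></option></term>
-        <term><option>-L
-        <replaceable>BITS</replaceable></option></term>
-        <listitem>
-          <para>
-            OpenPGP subkey length in bits.  Default is 4096.
-          </para>
-        </listitem>
-      </varlistentry>
-      
-      <varlistentry>
-        <term><option>--email
-        <replaceable>ADDRESS</replaceable></option></term>
-        <term><option>-e
-        <replaceable>ADDRESS</replaceable></option></term>
+
+      <varlistentry>
+        <term><literal>-d</literal>, <literal>--dir
+        <replaceable>directory</replaceable></literal></term>
+        <listitem>
+          <para>
+            Target directory for key files.  Default is
+            <filename>/etc/mandos</filename>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><literal>-t</literal>, <literal>--type
+        <replaceable>type</replaceable></literal></term>
+        <listitem>
+          <para>
+            Key type.  Default is <quote>DSA</quote>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><literal>-l</literal>, <literal>--length
+        <replaceable>bits</replaceable></literal></term>
+        <listitem>
+          <para>
+            Key length in bits.  Default is 1024.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><literal>-s</literal>, <literal>--subtype
+        <replaceable>type</replaceable></literal></term>
+        <listitem>
+          <para>
+            Subkey type.  Default is <quote>ELG-E</quote> (Elgamal
+            encryption-only).
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><literal>-L</literal>, <literal>--sublength
+        <replaceable>bits</replaceable></literal></term>
+        <listitem>
+          <para>
+            Subkey length in bits.  Default is 2048.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><literal>-e</literal>, <literal>--email</literal>
+        <replaceable>address</replaceable></term>
         <listitem>
           <para>
             Email address of key.  Default is empty.
           </para>
         </listitem>
       </varlistentry>
-      
+
       <varlistentry>
-        <term><option>--comment
-        <replaceable>TEXT</replaceable></option></term>
-        <term><option>-c
-        <replaceable>TEXT</replaceable></option></term>
+        <term><literal>-c</literal>, <literal>--comment</literal>
+        <replaceable>comment</replaceable></term>
         <listitem>
           <para>
-            Comment field for key.  Default is empty.
+            Comment field for key.  The default value is
+            <quote><literal>Mandos client key</literal></quote>.
           </para>
         </listitem>
       </varlistentry>
-      
+
       <varlistentry>
-        <term><option>--expire
-        <replaceable>TIME</replaceable></option></term>
-        <term><option>-x
-        <replaceable>TIME</replaceable></option></term>
+        <term><literal>-x</literal>, <literal>--expire</literal>
+        <replaceable>time</replaceable></term>
         <listitem>
           <para>
             Key expire time.  Default is no expiration.  See
@@ -326,93 +314,50 @@
           </para>
         </listitem>
       </varlistentry>
-      
-      <varlistentry>
-        <term><option>--tls-keytype
-        <replaceable>KEYTYPE</replaceable></option></term>
-        <term><option>-T
-        <replaceable>KEYTYPE</replaceable></option></term>
-        <listitem>
-          <para>
-            TLS key type.  Default is <quote>ed25519</quote>
-          </para>
-        </listitem>
-      </varlistentry>
-      
-      <varlistentry>
-        <term><option>--force</option></term>
-        <term><option>-f</option></term>
-        <listitem>
-          <para>
-            Force overwriting old key.
-          </para>
-        </listitem>
-      </varlistentry>
-      <varlistentry>
-        <term><option>--password</option></term>
-        <term><option>-p</option></term>
+
+      <varlistentry>
+        <term><literal>-f</literal>, <literal>--force</literal></term>
+        <listitem>
+          <para>
+            Force overwriting old keys.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term><literal>-p</literal>, <literal>--password</literal
+        ></term>
         <listitem>
           <para>
             Prompt for a password and encrypt it with the key already
-            present in either <filename>/etc/keys/mandos</filename> or
-            the directory specified with the <option>--dir</option>
+            present in either <filename>/etc/mandos</filename> or the
+            directory specified with the <option>--dir</option>
             option.  Outputs, on standard output, a section suitable
             for inclusion in <citerefentry><refentrytitle
             >mandos-clients.conf</refentrytitle><manvolnum
             >8</manvolnum></citerefentry>.  The host name or the name
             specified with the <option>--name</option> option is used
             for the section header.  All other options are ignored,
-            and no key is created.
-          </para>
-        </listitem>
-      </varlistentry>
-      <varlistentry>
-        <term><option>--passfile
-        <replaceable>FILE</replaceable></option></term>
-        <term><option>-F
-        <replaceable>FILE</replaceable></option></term>
-        <listitem>
-          <para>
-            The same as <option>--password</option>, but read from
-            <replaceable>FILE</replaceable>, not the terminal.
-          </para>
-        </listitem>
-      </varlistentry>
-      <varlistentry>
-        <term><option>--no-ssh</option></term>
-        <term><option>-S</option></term>
-        <listitem>
-          <para>
-            When <option>--password</option> or
-            <option>--passfile</option> is given, this option will
-            prevent <command>&COMMANDNAME;</command> from calling
-            <command>ssh-keyscan</command> to get an SSH fingerprint
-            for this host and, if successful, output suitable config
-            options to use this fingerprint as a
-            <option>checker</option> option in the output.  This is
-            otherwise the default behavior.
+            and no keys are created.
           </para>
         </listitem>
       </varlistentry>
     </variablelist>
   </refsect1>
-  
+
   <refsect1 id="overview">
     <title>OVERVIEW</title>
     <xi:include href="overview.xml"/>
     <para>
-      This program is a small utility to generate new TLS and OpenPGP
-      keys for new Mandos clients, and to generate sections for
-      inclusion in <filename>clients.conf</filename> on the server.
+      This program is a small utility to generate new OpenPGP keys for
+      new Mandos clients.
     </para>
   </refsect1>
-  
+
   <refsect1 id="exit_status">
     <title>EXIT STATUS</title>
     <para>
-      The exit status will be 0 if a new key (or password, if the
-      <option>--password</option> option was used) was successfully
-      created, otherwise not.
+      The exit status will be 0 if new keys were successfully created,
+      otherwise not.
     </para>
   </refsect1>
   
@@ -420,7 +365,7 @@
     <title>ENVIRONMENT</title>
     <variablelist>
       <varlistentry>
-        <term><envar>TMPDIR</envar></term>
+        <term><varname>TMPDIR</varname></term>
         <listitem>
           <para>
             If set, temporary files will be created here. See
@@ -432,7 +377,7 @@
     </variablelist>
   </refsect1>
   
-  <refsect1 id="files">
+  <refsect1 id="file">
     <title>FILES</title>
     <para>
       Use the <option>--dir</option> option to change where
@@ -441,7 +386,7 @@
     </para>
     <variablelist>
       <varlistentry>
-        <term><filename>/etc/keys/mandos/seckey.txt</filename></term>
+        <term><filename>/etc/mandos/seckey.txt</filename></term>
         <listitem>
           <para>
             OpenPGP secret key file which will be created or
@@ -450,7 +395,7 @@
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><filename>/etc/keys/mandos/pubkey.txt</filename></term>
+        <term><filename>/etc/mandos/pubkey.txt</filename></term>
         <listitem>
           <para>
             OpenPGP public key file which will be created or
@@ -459,23 +404,7 @@
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><filename>/etc/keys/mandos/tls-privkey.pem</filename></term>
-        <listitem>
-          <para>
-            Private key file which will be created or overwritten.
-          </para>
-        </listitem>
-      </varlistentry>
-      <varlistentry>
-        <term><filename>/etc/keys/mandos/tls-pubkey.pem</filename></term>
-        <listitem>
-          <para>
-            Public key file which will be created or overwritten.
-          </para>
-        </listitem>
-      </varlistentry>
-      <varlistentry>
-        <term><filename class="directory">/tmp</filename></term>
+        <term><filename>/tmp</filename></term>
         <listitem>
           <para>
             Temporary files will be written here if
@@ -485,12 +414,14 @@
       </varlistentry>
     </variablelist>
   </refsect1>
-  
+
   <refsect1 id="bugs">
     <title>BUGS</title>
-    <xi:include href="bugs.xml"/>
+    <para>
+      None are known at this time.
+    </para>
   </refsect1>
-  
+
   <refsect1 id="example">
     <title>EXAMPLE</title>
     <informalexample>
@@ -498,82 +429,48 @@
         Normal invocation needs no options:
       </para>
       <para>
-        <userinput>&COMMANDNAME;</userinput>
+        <userinput>mandos-keygen</userinput>
       </para>
     </informalexample>
     <informalexample>
       <para>
-        Create key in another directory and of another type.  Force
+        Create keys in another directory and of another type.  Force
         overwriting old key files:
       </para>
       <para>
 
 <!-- do not wrap this line -->
-<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>
-
-      </para>
-    </informalexample>
-    <informalexample>
-      <para>
-        Prompt for a password, encrypt it with the keys in <filename
-        class="directory">/etc/keys/mandos</filename> and output a
-        section suitable for <filename>clients.conf</filename>.
-      </para>
-      <para>
-        <userinput>&COMMANDNAME; --password</userinput>
-      </para>
-    </informalexample>
-    <informalexample>
-      <para>
-        Prompt for a password, encrypt it with the keys in the
-        <filename>client-key</filename> directory and output a section
-        suitable for <filename>clients.conf</filename>.
-      </para>
-      <para>
-
-<!-- do not wrap this line -->
-<userinput>&COMMANDNAME; --password --dir client-key</userinput>
+<userinput>mandos-keygen --dir ~/keydir --type RSA --force</userinput>
 
       </para>
     </informalexample>
   </refsect1>
-  
+
   <refsect1 id="security">
     <title>SECURITY</title>
     <para>
       The <option>--type</option>, <option>--length</option>,
       <option>--subtype</option>, and <option>--sublength</option>
-      options can be used to create keys of low security.  If in
-      doubt, leave them to the default values.
+      options can be used to create keys of insufficient security.  If
+      in doubt, leave them to the default values.
     </para>
     <para>
-      The key expire time is <emphasis>not</emphasis> guaranteed to be
-      honored by <citerefentry><refentrytitle>mandos</refentrytitle>
+      The key expire time is not guaranteed to be honored by
+      <citerefentry><refentrytitle>mandos</refentrytitle>
       <manvolnum>8</manvolnum></citerefentry>.
     </para>
   </refsect1>
-  
+
   <refsect1 id="see_also">
     <title>SEE ALSO</title>
     <para>
-      <citerefentry><refentrytitle>intro</refentrytitle>
+      <citerefentry><refentrytitle>password-request</refentrytitle>
       <manvolnum>8mandos</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>mandos</refentrytitle>
+      <manvolnum>8</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>gpg</refentrytitle>
-      <manvolnum>1</manvolnum></citerefentry>,
-      <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
-      <manvolnum>5</manvolnum></citerefentry>,
-      <citerefentry><refentrytitle>mandos</refentrytitle>
-      <manvolnum>8</manvolnum></citerefentry>,
-      <citerefentry><refentrytitle>mandos-client</refentrytitle>
-      <manvolnum>8mandos</manvolnum></citerefentry>,
-      <citerefentry><refentrytitle>ssh-keyscan</refentrytitle>
       <manvolnum>1</manvolnum></citerefentry>
     </para>
   </refsect1>
   
 </refentry>
-<!-- Local Variables: -->
-<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
-<!-- time-stamp-end: "[\"']>" -->
-<!-- time-stamp-format: "%:y-%02m-%02d" -->
-<!-- End: -->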