/mandos/trunk : revision 109

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2008-08-27 01:18:25 UTC
Revision ID: teddy@fukt.bsnet.se-20080827011825-ka3ni6xvy2ehi1y8

* .bzrignore: New.

* clients.conf ([foo]): Remove Radix-64 checksum.

* mandos (AvahiService.rename, server_state_changed,
          entry_group_state_changed): Make Avahi log messages more
                                      clear that they are about
                                      Zeroconf.
  (fingerprint): Use plain "0" instead of "ctypes.c_uint(0)".

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

INSTALL

README

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/rules

default-mandos

etc-plugins.d-README

init.d-mandos

legalnotice.xml

plugin-runner.conf

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2008-09-12">

<title>Mandos Manual</title>

<title>&COMMANDNAME;</title>

<productname>Mandos</productname>

<productname>&COMMANDNAME;</productname>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Generate key and password for Mandos client and server.

Generate keys for <citerefentry><refentrytitle>password-request

</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--dir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--type

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-t

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--length

<arg choice="plain"><option>-l

</group>

<sbr/>

<group>

<arg choice="plain"><option>--subtype

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-s

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--sublength

<arg choice="plain"><option>-L

</group>

<sbr/>

<group>

<arg choice="plain"><option>--name

<arg choice="plain"><option>-n

</group>

<sbr/>

<group>

<arg choice="plain"><option>--email

<replaceable>ADDRESS</replaceable></option></arg>

100

<arg choice="plain"><option>-e

101

<replaceable>ADDRESS</replaceable></option></arg>

102

</group>

103

<sbr/>

104

<group>

105

<arg choice="plain"><option>--comment

106

107

<arg choice="plain"><option>-c

108

109

</group>

110

<sbr/>

111

<group>

112

<arg choice="plain"><option>--expire

113

114

<arg choice="plain"><option>-x

115

116

</group>

117

<sbr/>

118

<arg><option>--force</option></arg>

<replaceable>directory</replaceable></arg>

</group>

</group>

<arg choice="plain"><option>--length</option>

</group>

<arg choice="plain"><option>--subtype</option>

</group>

<arg choice="plain"><option>--sublength</option>

</group>

</group>

100

101

<arg choice="plain"><option>--email</option>

102

<replaceable>EMAIL</replaceable></arg>

103

</group>

104

105

<arg choice="plain"><option>--comment</option>

106

<replaceable>COMMENT</replaceable></arg>

107

</group>

108

109

<arg choice="plain"><option>--expire</option>

110

111

</group>

112

113

<arg choice="plain"><option>--force</option></arg>

114

</group>

115

</cmdsynopsis>

116

117

<command>&COMMANDNAME;</command>

118

119

120

<replaceable>directory</replaceable></arg>

121

</group>

122

123

124

125

</group>

126

127

128

129

</group>

130

131

132

133

</group>

134

135

136

137

</group>

138

139

140

141

</group>

142

143

144

<replaceable>EMAIL</replaceable></arg>

145

</group>

146

147

148

<replaceable>COMMENT</replaceable></arg>

149

</group>

150

151

152

153

</group>

154

155

156

</group>

119

157

</cmdsynopsis>

120

158

121

159

<command>&COMMANDNAME;</command>

122

160

161

123

162

<arg choice="plain"><option>--password</option></arg>

124

125

</group>

126

<sbr/>

127

<group>

128

<arg choice="plain"><option>--dir

129

<replaceable>DIRECTORY</replaceable></option></arg>

130

<arg choice="plain"><option>-d

131

<replaceable>DIRECTORY</replaceable></option></arg>

132

</group>

133

<sbr/>

134

<group>

135

<arg choice="plain"><option>--name

136

137

<arg choice="plain"><option>-n

138

163

</group>

164

165

166

<replaceable>directory</replaceable></arg>

167

</group>

168

169

170

139

171

</group>

140

172

</cmdsynopsis>

141

173

142

174

<command>&COMMANDNAME;</command>

143

175

176

144

177

145

146

178

</group>

147

179

</cmdsynopsis>

148

180

149

181

<command>&COMMANDNAME;</command>

150

182

183

151

184

<arg choice="plain"><option>--version</option></arg>

152

153

185

</group>

154

186

</cmdsynopsis>

155

187

</refsynopsisdiv>

156

188

157

189

158

190

<title>DESCRIPTION</title>

159

191

<para>

160

192

<command>&COMMANDNAME;</command> is a program to generate the

161

OpenPGP key used by

162

<citerefentry><refentrytitle>mandos-client</refentrytitle>

163

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

193

OpenPGP keys used by

194

<citerefentry><refentrytitle>password-request</refentrytitle>

195

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

164

196

normally written to /etc/mandos for later installation into the

165

initrd image, but this, and most other things, can be changed

166

with command line options.

197

initrd image, but this, like most things, can be changed with

198

command line options.

167

199

</para>

168

200

<para>

169

This program can also be used with the

170

<option>--password</option> option to generate a ready-made

171

section for <filename>clients.conf</filename> (see

201

It can also be used to generate ready-made sections for

172

202

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

173

<manvolnum>5</manvolnum></citerefentry>).

203

<manvolnum>5</manvolnum></citerefentry> using the

204

<option>--password</option> option.

174

205

</para>

175

206

</refsect1>

176

207

177

208

178

209

<title>PURPOSE</title>

210

179

211

<para>

180

212

The purpose of this is to enable <emphasis>remote and unattended

181

213

rebooting</emphasis> of client host computer with an

182

214

<emphasis>encrypted root file system</emphasis>. See <xref

183

215

linkend="overview"/> for details.

184

216

</para>

217

185

218

</refsect1>

186

219

187

220

188

221

<title>OPTIONS</title>

189

222

190

223

191

224

192

193

225

194

226

195

227

<para>

196

228

Show a help message and exit

197

229

</para>

198

230

</listitem>

199

231

</varlistentry>

200

232

201

233

202

<term><option>--dir

203

<replaceable>DIRECTORY</replaceable></option></term>

204

<term><option>-d

205

<replaceable>DIRECTORY</replaceable></option></term>

234

<term><literal>-d</literal>, <literal>--dir

235

<replaceable>directory</replaceable></literal></term>

206

236

207

237

<para>

208

238

Target directory for key files. Default is

210

240

</para>

211

241

</listitem>

212

242

</varlistentry>

213

243

214

244

215

<term><option>--type

216

217

<term><option>-t

218

245

<term><literal>-t</literal>, <literal>--type

246

219

247

220

248

<para>

221

249

Key type. Default is <quote>DSA</quote>.

222

250

</para>

223

251

</listitem>

224

252

</varlistentry>

225

253

226

254

227

<term><option>--length

228

229

<term><option>-l

230

255

<term><literal>-l</literal>, <literal>--length

256

231

257

232

258

<para>

233

259

Key length in bits. Default is 2048.

234

260

</para>

235

261

</listitem>

236

262

</varlistentry>

237

263

238

264

239

<term><option>--subtype

240

<replaceable>KEYTYPE</replaceable></option></term>

241

<term><option>-s

242

<replaceable>KEYTYPE</replaceable></option></term>

265

<term><literal>-s</literal>, <literal>--subtype

266

243

267

244

268

<para>

245

269

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

247

271

</para>

248

272

</listitem>

249

273

</varlistentry>

250

274

251

275

252

<term><option>--sublength

253

254

<term><option>-L

255

276

<term><literal>-L</literal>, <literal>--sublength

277

256

278

257

279

<para>

258

280

Subkey length in bits. Default is 2048.

259

281

</para>

260

282

</listitem>

261

283

</varlistentry>

262

284

263

285

264

<term><option>--email

265

<replaceable>ADDRESS</replaceable></option></term>

266

<term><option>-e

267

<replaceable>ADDRESS</replaceable></option></term>

286

<term><literal>-e</literal>, <literal>--email</literal>

287

<replaceable>address</replaceable></term>

268

288

269

289

<para>

270

290

Email address of key. Default is empty.

271

291

</para>

272

292

</listitem>

273

293

</varlistentry>

274

294

275

295

276

<term><option>--comment

277

278

<term><option>-c

279

296

<term><literal>-c</literal>, <literal>--comment</literal>

297

<replaceable>comment</replaceable></term>

280

298

281

299

<para>

282

300

Comment field for key. The default value is

284

302

</para>

285

303

</listitem>

286

304

</varlistentry>

287

305

288

306

289

<term><option>--expire

290

291

<term><option>-x

292

307

<term><literal>-x</literal>, <literal>--expire</literal>

308

293

309

294

310

<para>

295

311

Key expire time. Default is no expiration. See

298

314

</para>

299

315

</listitem>

300

316

</varlistentry>

301

317

302

318

303

<term><option>--force</option></term>

304

319

<term><literal>-f</literal>, <literal>--force</literal></term>

305

320

306

321

<para>

307

Force overwriting old key.

322

Force overwriting old keys.

308

323

</para>

309

324

</listitem>

310

325

</varlistentry>

311

326

312

<term><option>--password</option></term>

313

327

<term><literal>-p</literal>, <literal>--password</literal

328

></term>

314

329

315

330

<para>

316

331

Prompt for a password and encrypt it with the key already

322

337

>8</manvolnum></citerefentry>. The host name or the name

323

338

specified with the <option>--name</option> option is used

324

339

for the section header. All other options are ignored,

325

and no key is created.

340

and no keys are created.

326

341

</para>

327

342

</listitem>

328

343

</varlistentry>

329

344

</variablelist>

330

345

</refsect1>

331

346

332

347

333

348

<title>OVERVIEW</title>

334

349

<xi:include href="overview.xml"/>

335

350

<para>

336

351

This program is a small utility to generate new OpenPGP keys for

337

new Mandos clients, and to generate sections for inclusion in

338

<filename>clients.conf</filename> on the server.

352

new Mandos clients.

339

353

</para>

340

354

</refsect1>

341

355

342

356

343

357

<title>EXIT STATUS</title>

344

358

<para>

345

The exit status will be 0 if a new key (or password, if the

346

<option>--password</option> option was used) was successfully

347

created, otherwise not.

359

The exit status will be 0 if new keys were successfully created,

360

otherwise not.

348

361

</para>

349

362

</refsect1>

350

363

352

365

<title>ENVIRONMENT</title>

353

366

354

367

355

<term><envar>TMPDIR</envar></term>

368

<term><varname>TMPDIR</varname></term>

356

369

357

370

<para>

358

371

If set, temporary files will be created here. See

401

414

</varlistentry>

402

415

</variablelist>

403

416

</refsect1>

404

405

406

407

408

409

410

417

418

419

420

<para>

421

None are known at this time.

422

</para>

423

</refsect1>

424

411

425

412

426

<title>EXAMPLE</title>

413

427

415

429

Normal invocation needs no options:

416

430

</para>

417

431

<para>

418

<userinput>&COMMANDNAME;</userinput>

432

<userinput>mandos-keygen</userinput>

419

433

</para>

420

434

</informalexample>

421

435

422

436

<para>

423

Create key in another directory and of another type. Force

437

Create keys in another directory and of another type. Force

424

438

overwriting old key files:

425

439

</para>

426

440

<para>

427

441

428

442

429

<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>

430

431

</para>

432

</informalexample>

433

434

<para>

435

Prompt for a password, encrypt it with the key in

436

<filename>/etc/mandos</filename> and output a section suitable

437

for <filename>clients.conf</filename>.

438

</para>

439

<para>

440

<userinput>&COMMANDNAME; --password</userinput>

441

</para>

442

</informalexample>

443

444

<para>

445

Prompt for a password, encrypt it with the key in the

446

<filename>client-key</filename> directory and output a section

447

suitable for <filename>clients.conf</filename>.

448

</para>

449

<para>

450

451

452

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

443

<userinput>mandos-keygen --dir ~/keydir --type RSA --force</userinput>

453

444

454

445

</para>

455

446

</informalexample>

456

447

</refsect1>

457

448

458

449

459

450

<title>SECURITY</title>

460

451

<para>

461

452

The <option>--type</option>, <option>--length</option>,

462

453

<option>--subtype</option>, and <option>--sublength</option>

463

options can be used to create keys of low security. If in

464

doubt, leave them to the default values.

454

options can be used to create keys of insufficient security. If

455

in doubt, leave them to the default values.

465

456

</para>

466

457

<para>

467

The key expire time is <emphasis>not</emphasis> guaranteed to be

468

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

458

The key expire time is not guaranteed to be honored by

459

<citerefentry><refentrytitle>mandos</refentrytitle>

469

460

<manvolnum>8</manvolnum></citerefentry>.

470

461

</para>

471

462

</refsect1>

472

463

473

464

474

465

475

466

<para>

467

<citerefentry><refentrytitle>password-request</refentrytitle>

468

<manvolnum>8mandos</manvolnum></citerefentry>,

469

<citerefentry><refentrytitle>mandos</refentrytitle>

470

<manvolnum>8</manvolnum></citerefentry>,

476

471

477

<manvolnum>1</manvolnum></citerefentry>,

478

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

479

<manvolnum>5</manvolnum></citerefentry>,

480

<citerefentry><refentrytitle>mandos</refentrytitle>

481

<manvolnum>8</manvolnum></citerefentry>,

482

<citerefentry><refentrytitle>mandos-client</refentrytitle>

483

<manvolnum>8mandos</manvolnum></citerefentry>

472

484

473

</para>

485

474

</refsect1>

486

475

487

476

</refentry>

488

489

490

491

492

Older »