1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
<!ENTITY VERSION "1.0">
4
5
<!ENTITY COMMANDNAME "mandos-keygen">
5
<!ENTITY TIMESTAMP "2018-02-08">
6
<!ENTITY % common SYSTEM "common.ent">
10
8
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
12
<title>Mandos Manual</title>
10
<title>&COMMANDNAME;</title>
13
11
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
14
<productname>Mandos</productname>
15
<productnumber>&version;</productnumber>
16
<date>&TIMESTAMP;</date>
12
<productname>&COMMANDNAME;</productname>
13
<productnumber>&VERSION;</productnumber>
19
16
<firstname>Björn</firstname>
20
17
<surname>Påhlsson</surname>
22
<email>belorn@recompile.se</email>
19
<email>belorn@fukt.bsnet.se</email>
26
23
<firstname>Teddy</firstname>
27
24
<surname>Hogeborn</surname>
29
<email>teddy@recompile.se</email>
26
<email>teddy@fukt.bsnet.se</email>
45
32
<holder>Teddy Hogeborn</holder>
46
33
<holder>Björn Påhlsson</holder>
48
<xi:include href="legalnotice.xml"/>
37
This manual page is free software: you can redistribute it
38
and/or modify it under the terms of the GNU General Public
39
License as published by the Free Software Foundation,
40
either version 3 of the License, or (at your option) any
45
This manual page is distributed in the hope that it will
46
be useful, but WITHOUT ANY WARRANTY; without even the
47
implied warranty of MERCHANTABILITY or FITNESS FOR A
48
PARTICULAR PURPOSE. See the GNU General Public License
53
You should have received a copy of the GNU General Public
54
License along with this program; If not, see
55
<ulink url="http://www.gnu.org/licenses/"/>.
52
61
<refentrytitle>&COMMANDNAME;</refentrytitle>
53
62
<manvolnum>8</manvolnum>
57
66
<refname><command>&COMMANDNAME;</command></refname>
59
Generate key and password for Mandos client and server.
68
Generate keys for <citerefentry><refentrytitle>password-request
69
</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>
65
75
<command>&COMMANDNAME;</command>
67
<arg choice="plain"><option>--dir
68
<replaceable>DIRECTORY</replaceable></option></arg>
69
<arg choice="plain"><option>-d
70
<replaceable>DIRECTORY</replaceable></option></arg>
74
<arg choice="plain"><option>--type
75
<replaceable>KEYTYPE</replaceable></option></arg>
76
<arg choice="plain"><option>-t
77
<replaceable>KEYTYPE</replaceable></option></arg>
81
<arg choice="plain"><option>--length
82
<replaceable>BITS</replaceable></option></arg>
83
<arg choice="plain"><option>-l
84
<replaceable>BITS</replaceable></option></arg>
88
<arg choice="plain"><option>--subtype
89
<replaceable>KEYTYPE</replaceable></option></arg>
90
<arg choice="plain"><option>-s
91
<replaceable>KEYTYPE</replaceable></option></arg>
95
<arg choice="plain"><option>--sublength
96
<replaceable>BITS</replaceable></option></arg>
97
<arg choice="plain"><option>-L
98
<replaceable>BITS</replaceable></option></arg>
102
<arg choice="plain"><option>--name
103
<replaceable>NAME</replaceable></option></arg>
104
<arg choice="plain"><option>-n
105
<replaceable>NAME</replaceable></option></arg>
109
<arg choice="plain"><option>--email
110
<replaceable>ADDRESS</replaceable></option></arg>
111
<arg choice="plain"><option>-e
112
<replaceable>ADDRESS</replaceable></option></arg>
116
<arg choice="plain"><option>--comment
117
<replaceable>TEXT</replaceable></option></arg>
118
<arg choice="plain"><option>-c
119
<replaceable>TEXT</replaceable></option></arg>
123
<arg choice="plain"><option>--expire
124
<replaceable>TIME</replaceable></option></arg>
125
<arg choice="plain"><option>-x
126
<replaceable>TIME</replaceable></option></arg>
77
<arg choice="plain"><option>--dir</option>
78
<replaceable>directory</replaceable></arg>
81
<arg choice="plain"><option>--type</option>
82
<replaceable>type</replaceable></arg>
85
<arg choice="plain"><option>--length</option>
86
<replaceable>bits</replaceable></arg>
89
<arg choice="plain"><option>--subtype</option>
90
<replaceable>type</replaceable></arg>
93
<arg choice="plain"><option>--sublength</option>
94
<replaceable>bits</replaceable></arg>
97
<arg choice="plain"><option>--name</option>
98
<replaceable>NAME</replaceable></arg>
101
<arg choice="plain"><option>--email</option>
102
<replaceable>EMAIL</replaceable></arg>
105
<arg choice="plain"><option>--comment</option>
106
<replaceable>COMMENT</replaceable></arg>
109
<arg choice="plain"><option>--expire</option>
110
<replaceable>TIME</replaceable></arg>
130
113
<arg choice="plain"><option>--force</option></arg>
117
<command>&COMMANDNAME;</command>
119
<arg choice="plain"><option>-d</option>
120
<replaceable>directory</replaceable></arg>
123
<arg choice="plain"><option>-t</option>
124
<replaceable>type</replaceable></arg>
127
<arg choice="plain"><option>-l</option>
128
<replaceable>bits</replaceable></arg>
131
<arg choice="plain"><option>-s</option>
132
<replaceable>type</replaceable></arg>
135
<arg choice="plain"><option>-L</option>
136
<replaceable>bits</replaceable></arg>
139
<arg choice="plain"><option>-n</option>
140
<replaceable>NAME</replaceable></arg>
143
<arg choice="plain"><option>-e</option>
144
<replaceable>EMAIL</replaceable></arg>
147
<arg choice="plain"><option>-c</option>
148
<replaceable>COMMENT</replaceable></arg>
151
<arg choice="plain"><option>-x</option>
152
<replaceable>TIME</replaceable></arg>
131
155
<arg choice="plain"><option>-f</option></arg>
135
159
<command>&COMMANDNAME;</command>
136
160
<group choice="req">
161
<arg choice="plain"><option>-p</option></arg>
137
162
<arg choice="plain"><option>--password</option></arg>
138
<arg choice="plain"><option>-p</option></arg>
139
<arg choice="plain"><option>--passfile
140
<replaceable>FILE</replaceable></option></arg>
141
<arg choice="plain"><option>-F</option>
142
<replaceable>FILE</replaceable></arg>
146
<arg choice="plain"><option>--dir
147
<replaceable>DIRECTORY</replaceable></option></arg>
148
<arg choice="plain"><option>-d
149
<replaceable>DIRECTORY</replaceable></option></arg>
153
<arg choice="plain"><option>--name
154
<replaceable>NAME</replaceable></option></arg>
155
<arg choice="plain"><option>-n
156
<replaceable>NAME</replaceable></option></arg>
159
<arg choice="plain"><option>--no-ssh</option></arg>
160
<arg choice="plain"><option>-S</option></arg>
165
<arg choice="plain"><option>--dir</option>
166
<replaceable>directory</replaceable></arg>
169
<arg choice="plain"><option>--name</option>
170
<replaceable>NAME</replaceable></arg>
164
174
<command>&COMMANDNAME;</command>
165
175
<group choice="req">
176
<arg choice="plain"><option>-h</option></arg>
166
177
<arg choice="plain"><option>--help</option></arg>
167
<arg choice="plain"><option>-h</option></arg>
171
181
<command>&COMMANDNAME;</command>
172
182
<group choice="req">
183
<arg choice="plain"><option>-v</option></arg>
173
184
<arg choice="plain"><option>--version</option></arg>
174
<arg choice="plain"><option>-v</option></arg>
177
187
</refsynopsisdiv>
179
189
<refsect1 id="description">
180
190
<title>DESCRIPTION</title>
182
192
<command>&COMMANDNAME;</command> is a program to generate the
184
<citerefentry><refentrytitle>mandos-client</refentrytitle>
185
<manvolnum>8mandos</manvolnum></citerefentry>. The key is
194
<citerefentry><refentrytitle>password-request</refentrytitle>
195
<manvolnum>8mandos</manvolnum></citerefentry>. The keys are
186
196
normally written to /etc/mandos for later installation into the
187
initrd image, but this, and most other things, can be changed
188
with command line options.
197
initrd image, but this, like most things, can be changed with
198
command line options.
191
This program can also be used with the
192
<option>--password</option> or <option>--passfile</option>
193
options to generate a ready-made section for
194
<filename>clients.conf</filename> (see
201
It can also be used to generate ready-made sections for
195
202
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
196
<manvolnum>5</manvolnum></citerefentry>).
203
<manvolnum>5</manvolnum></citerefentry> using the
204
<option>--password</option> option.
200
208
<refsect1 id="purpose">
201
209
<title>PURPOSE</title>
203
212
The purpose of this is to enable <emphasis>remote and unattended
204
213
rebooting</emphasis> of client host computer with an
205
214
<emphasis>encrypted root file system</emphasis>. See <xref
206
215
linkend="overview"/> for details.
210
220
<refsect1 id="options">
211
221
<title>OPTIONS</title>
215
<term><option>--help</option></term>
216
<term><option>-h</option></term>
225
<term><literal>-h</literal>, <literal>--help</literal></term>
219
228
Show a help message and exit
226
<replaceable>DIRECTORY</replaceable></option></term>
228
<replaceable>DIRECTORY</replaceable></option></term>
234
<term><literal>-d</literal>, <literal>--dir
235
<replaceable>directory</replaceable></literal></term>
231
238
Target directory for key files. Default is
232
<filename class="directory">/etc/mandos</filename>.
239
<replaceable>TYPE</replaceable></option></term>
241
<replaceable>TYPE</replaceable></option></term>
244
Key type. Default is <quote>RSA</quote>.
250
<term><option>--length
251
<replaceable>BITS</replaceable></option></term>
253
<replaceable>BITS</replaceable></option></term>
256
Key length in bits. Default is 4096.
262
<term><option>--subtype
263
<replaceable>KEYTYPE</replaceable></option></term>
265
<replaceable>KEYTYPE</replaceable></option></term>
268
Subkey type. Default is <quote>RSA</quote> (Elgamal
239
<filename>/etc/mandos</filename>.
245
<term><literal>-t</literal>, <literal>--type
246
<replaceable>type</replaceable></literal></term>
249
Key type. Default is <quote>DSA</quote>.
255
<term><literal>-l</literal>, <literal>--length
256
<replaceable>bits</replaceable></literal></term>
259
Key length in bits. Default is 2048.
265
<term><literal>-s</literal>, <literal>--subtype
266
<replaceable>type</replaceable></literal></term>
269
Subkey type. Default is <quote>ELG-E</quote> (Elgamal
269
270
encryption-only).
275
<term><option>--sublength
276
<replaceable>BITS</replaceable></option></term>
278
<replaceable>BITS</replaceable></option></term>
276
<term><literal>-L</literal>, <literal>--sublength
277
<replaceable>bits</replaceable></literal></term>
281
Subkey length in bits. Default is 4096.
280
Subkey length in bits. Default is 2048.
287
<term><option>--email
288
<replaceable>ADDRESS</replaceable></option></term>
290
<replaceable>ADDRESS</replaceable></option></term>
286
<term><literal>-e</literal>, <literal>--email</literal>
287
<replaceable>address</replaceable></term>
293
290
Email address of key. Default is empty.
299
<term><option>--comment
300
<replaceable>TEXT</replaceable></option></term>
302
<replaceable>TEXT</replaceable></option></term>
296
<term><literal>-c</literal>, <literal>--comment</literal>
297
<replaceable>comment</replaceable></term>
305
Comment field for key. Default is empty.
300
Comment field for key. The default value is
301
<quote><literal>Mandos client key</literal></quote>.
311
<term><option>--expire
312
<replaceable>TIME</replaceable></option></term>
314
<replaceable>TIME</replaceable></option></term>
307
<term><literal>-x</literal>, <literal>--expire</literal>
308
<replaceable>time</replaceable></term>
317
311
Key expire time. Default is no expiration. See
464
429
Normal invocation needs no options:
467
<userinput>&COMMANDNAME;</userinput>
432
<userinput>mandos-keygen</userinput>
469
434
</informalexample>
470
435
<informalexample>
472
Create key in another directory and of another type. Force
437
Create keys in another directory and of another type. Force
473
438
overwriting old key files:
477
442
<!-- do not wrap this line -->
478
<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>
484
Prompt for a password, encrypt it with the key in <filename
485
class="directory">/etc/mandos</filename> and output a section
486
suitable for <filename>clients.conf</filename>.
489
<userinput>&COMMANDNAME; --password</userinput>
494
Prompt for a password, encrypt it with the key in the
495
<filename>client-key</filename> directory and output a section
496
suitable for <filename>clients.conf</filename>.
500
<!-- do not wrap this line -->
501
<userinput>&COMMANDNAME; --password --dir client-key</userinput>
443
<userinput>mandos-keygen --dir ~/keydir --type RSA --force</userinput>
504
446
</informalexample>
507
449
<refsect1 id="security">
508
450
<title>SECURITY</title>
510
452
The <option>--type</option>, <option>--length</option>,
511
453
<option>--subtype</option>, and <option>--sublength</option>
512
options can be used to create keys of low security. If in
513
doubt, leave them to the default values.
454
options can be used to create keys of insufficient security. If
455
in doubt, leave them to the default values.
516
The key expire time is <emphasis>not</emphasis> guaranteed to be
517
honored by <citerefentry><refentrytitle>mandos</refentrytitle>
458
The key expire time is not guaranteed to be honored by
459
<citerefentry><refentrytitle>mandos</refentrytitle>
518
460
<manvolnum>8</manvolnum></citerefentry>.
522
464
<refsect1 id="see_also">
523
465
<title>SEE ALSO</title>
525
<citerefentry><refentrytitle>intro</refentrytitle>
467
<citerefentry><refentrytitle>password-request</refentrytitle>
526
468
<manvolnum>8mandos</manvolnum></citerefentry>,
469
<citerefentry><refentrytitle>mandos</refentrytitle>
470
<manvolnum>8</manvolnum></citerefentry>,
527
471
<citerefentry><refentrytitle>gpg</refentrytitle>
528
<manvolnum>1</manvolnum></citerefentry>,
529
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
530
<manvolnum>5</manvolnum></citerefentry>,
531
<citerefentry><refentrytitle>mandos</refentrytitle>
532
<manvolnum>8</manvolnum></citerefentry>,
533
<citerefentry><refentrytitle>mandos-client</refentrytitle>
534
<manvolnum>8mandos</manvolnum></citerefentry>,
535
<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>
536
472
<manvolnum>1</manvolnum></citerefentry>
541
<!-- Local Variables: -->
542
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
543
<!-- time-stamp-end: "[\"']>" -->
544
<!-- time-stamp-format: "%:y-%02m-%02d" -->