1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
<!ENTITY VERSION "1.0">
5
4
<!ENTITY COMMANDNAME "mandos-keygen">
6
<!ENTITY TIMESTAMP "2008-09-06">
5
<!ENTITY TIMESTAMP "2019-02-10">
6
<!ENTITY % common SYSTEM "common.ent">
9
10
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
11
12
<title>Mandos Manual</title>
12
13
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
13
14
<productname>Mandos</productname>
14
<productnumber>&VERSION;</productnumber>
15
<productnumber>&version;</productnumber>
15
16
<date>&TIMESTAMP;</date>
18
19
<firstname>Björn</firstname>
19
20
<surname>Påhlsson</surname>
21
<email>belorn@fukt.bsnet.se</email>
22
<email>belorn@recompile.se</email>
25
26
<firstname>Teddy</firstname>
26
27
<surname>Hogeborn</surname>
28
<email>teddy@fukt.bsnet.se</email>
29
<email>teddy@recompile.se</email>
34
46
<holder>Teddy Hogeborn</holder>
35
47
<holder>Björn Påhlsson</holder>
37
49
<xi:include href="legalnotice.xml"/>
41
53
<refentrytitle>&COMMANDNAME;</refentrytitle>
42
54
<manvolnum>8</manvolnum>
115
127
<replaceable>TIME</replaceable></option></arg>
118
<arg><option>--force</option></arg>
131
<arg choice="plain"><option>--tls-keytype
132
<replaceable>KEYTYPE</replaceable></option></arg>
133
<arg choice="plain"><option>-T
134
<replaceable>KEYTYPE</replaceable></option></arg>
138
<arg choice="plain"><option>--force</option></arg>
139
<arg choice="plain"><option>-f</option></arg>
121
143
<command>&COMMANDNAME;</command>
122
144
<group choice="req">
123
145
<arg choice="plain"><option>--password</option></arg>
124
146
<arg choice="plain"><option>-p</option></arg>
147
<arg choice="plain"><option>--passfile
148
<replaceable>FILE</replaceable></option></arg>
149
<arg choice="plain"><option>-F</option>
150
<replaceable>FILE</replaceable></arg>
137
163
<arg choice="plain"><option>-n
138
164
<replaceable>NAME</replaceable></option></arg>
167
<arg choice="plain"><option>--no-ssh</option></arg>
168
<arg choice="plain"><option>-S</option></arg>
142
172
<command>&COMMANDNAME;</command>
158
188
<title>DESCRIPTION</title>
160
190
<command>&COMMANDNAME;</command> is a program to generate the
191
TLS and OpenPGP keys used by
162
192
<citerefentry><refentrytitle>mandos-client</refentrytitle>
163
<manvolnum>8mandos</manvolnum></citerefentry>. The key is
164
normally written to /etc/mandos for later installation into the
165
initrd image, but this, and most other things, can be changed
166
with command line options.
193
<manvolnum>8mandos</manvolnum></citerefentry>. The keys are
194
normally written to /etc/keys/mandos for later installation into
195
the initrd image, but this, and most other things, can be
196
changed with command line options.
169
199
This program can also be used with the
170
<option>--password</option> option to generate a ready-made
171
section for <filename>clients.conf</filename> (see
200
<option>--password</option> or <option>--passfile</option>
201
options to generate a ready-made section for
202
<filename>clients.conf</filename> (see
172
203
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
173
204
<manvolnum>5</manvolnum></citerefentry>).
205
236
<replaceable>DIRECTORY</replaceable></option></term>
208
Target directory for key files. Default is
209
<filename>/etc/mandos</filename>.
239
Target directory for key files. Default is <filename
240
class="directory">/etc/keys/mandos</filename>.
215
246
<term><option>--type
216
247
<replaceable>TYPE</replaceable></option></term>
242
273
<replaceable>KEYTYPE</replaceable></option></term>
245
Subkey type. Default is <quote>ELG-E</quote> (Elgamal
276
OpenPGP subkey type. Default is <quote>RSA</quote>
252
282
<term><option>--sublength
253
283
<replaceable>BITS</replaceable></option></term>
279
309
<replaceable>TEXT</replaceable></option></term>
282
Comment field for key. The default value is
283
<quote><literal>Mandos client key</literal></quote>.
312
Comment field for key. Default is empty.
289
318
<term><option>--expire
290
319
<replaceable>TIME</replaceable></option></term>
332
<term><option>--tls-keytype
333
<replaceable>KEYTYPE</replaceable></option></term>
335
<replaceable>KEYTYPE</replaceable></option></term>
338
TLS key type. Default is <quote>ed25519</quote>
303
344
<term><option>--force</option></term>
304
345
<term><option>-f</option></term>
316
357
Prompt for a password and encrypt it with the key already
317
present in either <filename>/etc/mandos</filename> or the
318
directory specified with the <option>--dir</option>
358
present in either <filename>/etc/keys/mandos</filename> or
359
the directory specified with the <option>--dir</option>
319
360
option. Outputs, on standard output, a section suitable
320
361
for inclusion in <citerefentry><refentrytitle
321
362
>mandos-clients.conf</refentrytitle><manvolnum
371
<term><option>--passfile
372
<replaceable>FILE</replaceable></option></term>
374
<replaceable>FILE</replaceable></option></term>
377
The same as <option>--password</option>, but read from
378
<replaceable>FILE</replaceable>, not the terminal.
383
<term><option>--no-ssh</option></term>
384
<term><option>-S</option></term>
387
When <option>--password</option> or
388
<option>--passfile</option> is given, this option will
389
prevent <command>&COMMANDNAME;</command> from calling
390
<command>ssh-keyscan</command> to get an SSH fingerprint
391
for this host and, if successful, output suitable config
392
options to use this fingerprint as a
393
<option>checker</option> option in the output. This is
394
otherwise the default behavior.
332
401
<refsect1 id="overview">
333
402
<title>OVERVIEW</title>
334
403
<xi:include href="overview.xml"/>
336
This program is a small utility to generate new OpenPGP keys for
337
new Mandos clients, and to generate sections for inclusion in
338
<filename>clients.conf</filename> on the server.
405
This program is a small utility to generate new TLS and OpenPGP
406
keys for new Mandos clients, and to generate sections for
407
inclusion in <filename>clients.conf</filename> on the server.
342
411
<refsect1 id="exit_status">
343
412
<title>EXIT STATUS</title>
394
<term><filename>/tmp</filename></term>
463
<term><filename>/etc/keys/mandos/tls-privkey.pem</filename></term>
466
Private key file which will be created or overwritten.
471
<term><filename>/etc/keys/mandos/tls-pubkey.pem</filename></term>
474
Public key file which will be created or overwritten.
479
<term><filename class="directory">/tmp</filename></term>
397
482
Temporary files will be written here if
432
516
</informalexample>
433
517
<informalexample>
435
Prompt for a password, encrypt it with the key in
436
<filename>/etc/mandos</filename> and output a section suitable
437
for <filename>clients.conf</filename>.
519
Prompt for a password, encrypt it with the keys in <filename
520
class="directory">/etc/keys/mandos</filename> and output a
521
section suitable for <filename>clients.conf</filename>.
440
524
<userinput>&COMMANDNAME; --password</userinput>
442
526
</informalexample>
443
527
<informalexample>
445
Prompt for a password, encrypt it with the key in the
529
Prompt for a password, encrypt it with the keys in the
446
530
<filename>client-key</filename> directory and output a section
447
531
suitable for <filename>clients.conf</filename>.
469
553
<manvolnum>8</manvolnum></citerefentry>.
473
557
<refsect1 id="see_also">
474
558
<title>SEE ALSO</title>
560
<citerefentry><refentrytitle>intro</refentrytitle>
561
<manvolnum>8mandos</manvolnum></citerefentry>,
476
562
<citerefentry><refentrytitle>gpg</refentrytitle>
477
563
<manvolnum>1</manvolnum></citerefentry>,
478
564
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
480
566
<citerefentry><refentrytitle>mandos</refentrytitle>
481
567
<manvolnum>8</manvolnum></citerefentry>,
482
568
<citerefentry><refentrytitle>mandos-client</refentrytitle>
483
<manvolnum>8mandos</manvolnum></citerefentry>
569
<manvolnum>8mandos</manvolnum></citerefentry>,
570
<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>
571
<manvolnum>1</manvolnum></citerefentry>