/mandos/trunk : revision 1111

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2019-07-14 22:39:15 UTC
Revision ID: teddy@recompile.se-20190714223915-aqjkms3t3taa6tye

Only use sanitizing options when debugging

The C compiler's sanitizing options introduce code in the output
binary which is fragile and not very security conscious.  It has
become clear that sanitizing is only really meant for use while
debugging.

As a side effect, this makes compilation faster, as the Makefile, for
production builds, no longer runs the compiler repeatedly to find all
its currently supported sanitizing options.

* Makefile (DEBUG): Add "$(SANITIZE)".
  (SANITIZE): Comment out.
  (CFLAGS): Remove "$(SANITIZE)".
  (plugins.d/mandos-client): Revert back to use plain $(LINK.c), since
                             we no longer need to remove the leak
                             sanitizer by overriding CFLAGS.

files added:
DBUS-API

bugs.xml

dbus-mandos.conf

debian/mandos-client.examples

debian/mandos-client.templates

debian/mandos.templates

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-to-cryptroot-unlock

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugins.d/plymouth.c

plugins.d/plymouth.xml

tmpfiles.d-mandos.conf

files removed:
debian/mandos-client.config

debian/mandos-client.templates

debian/mandos.config

debian/mandos.templates

debian/po/POTFILES.in

debian/po/sv.po

initramfs-tools-hook-conf

files modified:
.bzrignore

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2008-10-03">

<!ENTITY TIMESTAMP "2019-02-10">

<!ENTITY % common SYSTEM "common.ent">

%common;

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

116

127

117

128

</group>

118

129

<sbr/>

119

<arg><option>--force</option></arg>

130

<group>

131

<arg choice="plain"><option>--tls-keytype

132

<replaceable>KEYTYPE</replaceable></option></arg>

133

<arg choice="plain"><option>-T

134

<replaceable>KEYTYPE</replaceable></option></arg>

135

</group>

136

<sbr/>

137

<group>

138

<arg choice="plain"><option>--force</option></arg>

139

140

</group>

120

141

</cmdsynopsis>

121

142

122

143

<command>&COMMANDNAME;</command>

142

163

<arg choice="plain"><option>-n

143

164

144

165

</group>

166

<group>

167

168

169

</group>

145

170

</cmdsynopsis>

146

171

147

172

<command>&COMMANDNAME;</command>

163

188

<title>DESCRIPTION</title>

164

189

<para>

165

190

<command>&COMMANDNAME;</command> is a program to generate the

166

OpenPGP key used by

191

TLS and OpenPGP keys used by

167

192

<citerefentry><refentrytitle>mandos-client</refentrytitle>

168

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

169

normally written to /etc/mandos for later installation into the

170

initrd image, but this, and most other things, can be changed

171

with command line options.

193

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

194

normally written to /etc/keys/mandos for later installation into

195

the initrd image, but this, and most other things, can be

196

changed with command line options.

172

197

</para>

173

198

<para>

174

199

This program can also be used with the

211

236

<replaceable>DIRECTORY</replaceable></option></term>

212

237

213

238

<para>

214

Target directory for key files. Default is

215

<filename>/etc/mandos</filename>.

239

Target directory for key files. Default is <filename

240

class="directory">/etc/keys/mandos</filename>.

216

241

</para>

217

242

</listitem>

218

243

</varlistentry>

224

249

225

250

226

251

<para>

227

Key type. Default is <quote>DSA</quote>.

252

OpenPGP key type. Default is <quote>RSA</quote>.

228

253

</para>

229

254

</listitem>

230

255

</varlistentry>

236

261

237

262

238

263

<para>

239

Key length in bits. Default is 2048.

264

OpenPGP key length in bits. Default is 4096.

240

265

</para>

241

266

</listitem>

242

267

</varlistentry>

248

273

<replaceable>KEYTYPE</replaceable></option></term>

249

274

250

275

<para>

251

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

252

encryption-only).

276

OpenPGP subkey type. Default is <quote>RSA</quote>

253

277

</para>

254

278

</listitem>

255

279

</varlistentry>

261

285

262

286

263

287

<para>

264

Subkey length in bits. Default is 2048.

288

OpenPGP subkey length in bits. Default is 4096.

265

289

</para>

266

290

</listitem>

267

291

</varlistentry>

285

309

286

310

287

311

<para>

288

Comment field for key. The default value is

289

<quote><literal>Mandos client key</literal></quote>.

312

Comment field for key. Default is empty.

290

313

</para>

291

314

</listitem>

292

315

</varlistentry>

306

329

</varlistentry>

307

330

308

331

332

<term><option>--tls-keytype

333

<replaceable>KEYTYPE</replaceable></option></term>

334

<term><option>-T

335

<replaceable>KEYTYPE</replaceable></option></term>

336

337

<para>

338

TLS key type. Default is <quote>ed25519</quote>

339

</para>

340

</listitem>

341

</varlistentry>

342

343

309

344

<term><option>--force</option></term>

310

345

311

346

320

355

321

356

<para>

322

357

Prompt for a password and encrypt it with the key already

323

present in either <filename>/etc/mandos</filename> or the

324

directory specified with the <option>--dir</option>

358

present in either <filename>/etc/keys/mandos</filename> or

359

the directory specified with the <option>--dir</option>

325

360

option. Outputs, on standard output, a section suitable

326

361

for inclusion in <citerefentry><refentrytitle

327

362

>mandos-clients.conf</refentrytitle><manvolnum

344

379

</para>

345

380

</listitem>

346

381

</varlistentry>

382

383

384

385

386

<para>

387

When <option>--password</option> or

388

<option>--passfile</option> is given, this option will

389

prevent <command>&COMMANDNAME;</command> from calling

390

<command>ssh-keyscan</command> to get an SSH fingerprint

391

for this host and, if successful, output suitable config

392

options to use this fingerprint as a

393

<option>checker</option> option in the output. This is

394

otherwise the default behavior.

395

</para>

396

</listitem>

397

</varlistentry>

347

398

</variablelist>

348

399

</refsect1>

349

400

351

402

<title>OVERVIEW</title>

352

403

<xi:include href="overview.xml"/>

353

404

<para>

354

This program is a small utility to generate new OpenPGP keys for

355

new Mandos clients, and to generate sections for inclusion in

356

<filename>clients.conf</filename> on the server.

405

This program is a small utility to generate new TLS and OpenPGP

406

keys for new Mandos clients, and to generate sections for

407

inclusion in <filename>clients.conf</filename> on the server.

357

408

</para>

358

409

</refsect1>

359

410

391

442

</para>

392

443

393

444

394

<term><filename>/etc/mandos/seckey.txt</filename></term>

445

<term><filename>/etc/keys/mandos/seckey.txt</filename></term>

395

446

396

447

<para>

397

448

OpenPGP secret key file which will be created or

400

451

</listitem>

401

452

</varlistentry>

402

453

403

<term><filename>/etc/mandos/pubkey.txt</filename></term>

454

<term><filename>/etc/keys/mandos/pubkey.txt</filename></term>

404

455

405

456

<para>

406

457

OpenPGP public key file which will be created or

409

460

</listitem>

410

461

</varlistentry>

411

462

412

463

<term><filename>/etc/keys/mandos/tls-privkey.pem</filename></term>

464

465

<para>

466

Private key file which will be created or overwritten.

467

</para>

468

</listitem>

469

</varlistentry>

470

471

<term><filename>/etc/keys/mandos/tls-pubkey.pem</filename></term>

472

473

<para>

474

Public key file which will be created or overwritten.

475

</para>

476

</listitem>

477

</varlistentry>

478

479

413

480

414

481

<para>

415

482

Temporary files will be written here if

420

487

</variablelist>

421

488

</refsect1>

422

489

423

424

425

426

427

490

491

492

<xi:include href="bugs.xml"/>

493

</refsect1>

428

494

429

495

430

496

<title>EXAMPLE</title>

450

516

</informalexample>

451

517

452

518

<para>

453

Prompt for a password, encrypt it with the key in

454

<filename>/etc/mandos</filename> and output a section suitable

455

for <filename>clients.conf</filename>.

519

Prompt for a password, encrypt it with the keys in <filename

520

class="directory">/etc/keys/mandos</filename> and output a

521

section suitable for <filename>clients.conf</filename>.

456

522

</para>

457

523

<para>

458

524

<userinput>&COMMANDNAME; --password</userinput>

460

526

</informalexample>

461

527

462

528

<para>

463

Prompt for a password, encrypt it with the key in the

529

Prompt for a password, encrypt it with the keys in the

464

530

<filename>client-key</filename> directory and output a section

465

531

suitable for <filename>clients.conf</filename>.

466

532

</para>

491

557

492

558

493

559

<para>

560

<citerefentry><refentrytitle>intro</refentrytitle>

561

<manvolnum>8mandos</manvolnum></citerefentry>,

494

562

495

563

<manvolnum>1</manvolnum></citerefentry>,

496

564

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

498

566

<citerefentry><refentrytitle>mandos</refentrytitle>

499

567

<manvolnum>8</manvolnum></citerefentry>,

500

568

<citerefentry><refentrytitle>mandos-client</refentrytitle>

501

<manvolnum>8mandos</manvolnum></citerefentry>

569

<manvolnum>8mandos</manvolnum></citerefentry>,

570

<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>

571

502

572

</para>

503

573

</refsect1>

504

574

Older »