/mandos/trunk : revision 112

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2008-08-29 07:09:04 UTC
Revision ID: teddy@fukt.bsnet.se-20080829070904-i6u8xb0aueytvfii

* mandos-clients.conf.xml (/refentry/refentryinfo/title): Changed to
                                                          "Mandos
                                                          Manual".

  (/refentry/refentryinfo/productname): Changed to "Mandos".
* mandos-keygen.xml: - '' -
* mandos.conf.xml: - '' -
* mandos.xml: - '' -
* plugin-runner.xml: - '' -
* plugins.d/password-request.xml: - '' -

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

INSTALL

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.config

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.config

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/sv.po

debian/rules

default-mandos

init.d-mandos

legalnotice.xml

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2008-10-03">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-08-29">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Generate key and password for Mandos client and server.

Generate keys for <citerefentry><refentrytitle>password-request

</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--dir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--type

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-t

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--length

<arg choice="plain"><option>-l

</group>

<sbr/>

<group>

<arg choice="plain"><option>--subtype

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-s

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--sublength

<arg choice="plain"><option>-L

</group>

<sbr/>

<group>

<arg choice="plain"><option>--name

<arg choice="plain"><option>-n

</group>

<sbr/>

<group>

<arg choice="plain"><option>--email

100

<replaceable>ADDRESS</replaceable></option></arg>

101

<arg choice="plain"><option>-e

102

<replaceable>ADDRESS</replaceable></option></arg>

103

</group>

104

<sbr/>

105

<group>

106

<arg choice="plain"><option>--comment

107

108

<arg choice="plain"><option>-c

109

110

</group>

111

<sbr/>

112

<group>

113

<arg choice="plain"><option>--expire

114

115

<arg choice="plain"><option>-x

116

117

</group>

118

<sbr/>

119

<arg><option>--force</option></arg>

<replaceable>directory</replaceable></arg>

</group>

</group>

<arg choice="plain"><option>--length</option>

</group>

<arg choice="plain"><option>--subtype</option>

</group>

<arg choice="plain"><option>--sublength</option>

</group>

100

101

</group>

102

103

<arg choice="plain"><option>--email</option>

104

<replaceable>EMAIL</replaceable></arg>

105

</group>

106

107

<arg choice="plain"><option>--comment</option>

108

<replaceable>COMMENT</replaceable></arg>

109

</group>

110

111

<arg choice="plain"><option>--expire</option>

112

113

</group>

114

115

<arg choice="plain"><option>--force</option></arg>

116

</group>

117

</cmdsynopsis>

118

119

<command>&COMMANDNAME;</command>

120

121

122

<replaceable>directory</replaceable></arg>

123

</group>

124

125

126

127

</group>

128

129

130

131

</group>

132

133

134

135

</group>

136

137

138

139

</group>

140

141

142

143

</group>

144

145

146

<replaceable>EMAIL</replaceable></arg>

147

</group>

148

149

150

<replaceable>COMMENT</replaceable></arg>

151

</group>

152

153

154

155

</group>

156

157

158

</group>

120

159

</cmdsynopsis>

121

160

122

161

<command>&COMMANDNAME;</command>

123

162

163

124

164

<arg choice="plain"><option>--password</option></arg>

125

126

<arg choice="plain"><option>--passfile

127

128

129

130

</group>

131

<sbr/>

132

<group>

133

<arg choice="plain"><option>--dir

134

<replaceable>DIRECTORY</replaceable></option></arg>

135

<arg choice="plain"><option>-d

136

<replaceable>DIRECTORY</replaceable></option></arg>

137

</group>

138

<sbr/>

139

<group>

140

<arg choice="plain"><option>--name

141

142

<arg choice="plain"><option>-n

143

165

</group>

166

167

168

<replaceable>directory</replaceable></arg>

169

</group>

170

171

172

144

173

</group>

145

174

</cmdsynopsis>

146

175

147

176

<command>&COMMANDNAME;</command>

148

177

178

149

179

150

151

180

</group>

152

181

</cmdsynopsis>

153

182

154

183

<command>&COMMANDNAME;</command>

155

184

185

156

186

<arg choice="plain"><option>--version</option></arg>

157

158

187

</group>

159

188

</cmdsynopsis>

160

189

</refsynopsisdiv>

161

190

162

191

163

192

<title>DESCRIPTION</title>

164

193

<para>

165

194

<command>&COMMANDNAME;</command> is a program to generate the

166

OpenPGP key used by

167

<citerefentry><refentrytitle>mandos-client</refentrytitle>

168

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

195

OpenPGP keys used by

196

<citerefentry><refentrytitle>password-request</refentrytitle>

197

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

169

198

normally written to /etc/mandos for later installation into the

170

initrd image, but this, and most other things, can be changed

171

with command line options.

199

initrd image, but this, like most things, can be changed with

200

command line options.

172

201

</para>

173

202

<para>

174

This program can also be used with the

175

<option>--password</option> or <option>--passfile</option>

176

options to generate a ready-made section for

177

<filename>clients.conf</filename> (see

203

It can also be used to generate ready-made sections for

178

204

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

179

<manvolnum>5</manvolnum></citerefentry>).

205

<manvolnum>5</manvolnum></citerefentry> using the

206

<option>--password</option> option.

180

207

</para>

181

208

</refsect1>

182

209

183

210

184

211

<title>PURPOSE</title>

212

185

213

<para>

186

214

The purpose of this is to enable <emphasis>remote and unattended

187

215

rebooting</emphasis> of client host computer with an

188

216

<emphasis>encrypted root file system</emphasis>. See <xref

189

217

linkend="overview"/> for details.

190

218

</para>

219

191

220

</refsect1>

192

221

193

222

194

223

<title>OPTIONS</title>

195

224

196

225

197

226

198

199

227

200

228

201

229

<para>

202

230

Show a help message and exit

203

231

</para>

204

232

</listitem>

205

233

</varlistentry>

206

234

207

235

208

<term><option>--dir

209

<replaceable>DIRECTORY</replaceable></option></term>

210

<term><option>-d

211

<replaceable>DIRECTORY</replaceable></option></term>

236

<term><literal>-d</literal>, <literal>--dir

237

<replaceable>directory</replaceable></literal></term>

212

238

213

239

<para>

214

240

Target directory for key files. Default is

216

242

</para>

217

243

</listitem>

218

244

</varlistentry>

219

245

220

246

221

<term><option>--type

222

223

<term><option>-t

224

247

<term><literal>-t</literal>, <literal>--type

248

225

249

226

250

<para>

227

251

Key type. Default is <quote>DSA</quote>.

228

252

</para>

229

253

</listitem>

230

254

</varlistentry>

231

255

232

256

233

<term><option>--length

234

235

<term><option>-l

236

257

<term><literal>-l</literal>, <literal>--length

258

237

259

238

260

<para>

239

261

Key length in bits. Default is 2048.

240

262

</para>

241

263

</listitem>

242

264

</varlistentry>

243

265

244

266

245

<term><option>--subtype

246

<replaceable>KEYTYPE</replaceable></option></term>

247

<term><option>-s

248

<replaceable>KEYTYPE</replaceable></option></term>

267

<term><literal>-s</literal>, <literal>--subtype

268

249

269

250

270

<para>

251

271

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

253

273

</para>

254

274

</listitem>

255

275

</varlistentry>

256

276

257

277

258

<term><option>--sublength

259

260

<term><option>-L

261

278

<term><literal>-L</literal>, <literal>--sublength

279

262

280

263

281

<para>

264

282

Subkey length in bits. Default is 2048.

265

283

</para>

266

284

</listitem>

267

285

</varlistentry>

268

286

269

287

270

<term><option>--email

271

<replaceable>ADDRESS</replaceable></option></term>

272

<term><option>-e

273

<replaceable>ADDRESS</replaceable></option></term>

288

<term><literal>-e</literal>, <literal>--email</literal>

289

<replaceable>address</replaceable></term>

274

290

275

291

<para>

276

292

Email address of key. Default is empty.

277

293

</para>

278

294

</listitem>

279

295

</varlistentry>

280

296

281

297

282

<term><option>--comment

283

284

<term><option>-c

285

298

<term><literal>-c</literal>, <literal>--comment</literal>

299

<replaceable>comment</replaceable></term>

286

300

287

301

<para>

288

302

Comment field for key. The default value is

290

304

</para>

291

305

</listitem>

292

306

</varlistentry>

293

307

294

308

295

<term><option>--expire

296

297

<term><option>-x

298

309

<term><literal>-x</literal>, <literal>--expire</literal>

310

299

311

300

312

<para>

301

313

Key expire time. Default is no expiration. See

304

316

</para>

305

317

</listitem>

306

318

</varlistentry>

307

319

308

320

309

<term><option>--force</option></term>

310

321

<term><literal>-f</literal>, <literal>--force</literal></term>

311

322

312

323

<para>

313

Force overwriting old key.

324

Force overwriting old keys.

314

325

</para>

315

326

</listitem>

316

327

</varlistentry>

317

328

318

<term><option>--password</option></term>

319

329

<term><literal>-p</literal>, <literal>--password</literal

330

></term>

320

331

321

332

<para>

322

333

Prompt for a password and encrypt it with the key already

328

339

>8</manvolnum></citerefentry>. The host name or the name

329

340

specified with the <option>--name</option> option is used

330

341

for the section header. All other options are ignored,

331

and no key is created.

332

</para>

333

</listitem>

334

</varlistentry>

335

336

<term><option>--passfile

337

338

<term><option>-F

339

340

341

<para>

342

The same as <option>--password</option>, but read from

343

<replaceable>FILE</replaceable>, not the terminal.

342

and no keys are created.

344

343

</para>

345

344

</listitem>

346

345

</varlistentry>

347

346

</variablelist>

348

347

</refsect1>

349

348

350

349

351

350

<title>OVERVIEW</title>

352

351

<xi:include href="overview.xml"/>

353

352

<para>

354

353

This program is a small utility to generate new OpenPGP keys for

355

new Mandos clients, and to generate sections for inclusion in

356

<filename>clients.conf</filename> on the server.

354

new Mandos clients.

357

355

</para>

358

356

</refsect1>

359

357

360

358

361

359

<title>EXIT STATUS</title>

362

360

<para>

363

The exit status will be 0 if a new key (or password, if the

364

<option>--password</option> option was used) was successfully

365

created, otherwise not.

361

The exit status will be 0 if new keys were successfully created,

362

otherwise not.

366

363

</para>

367

364

</refsect1>

368

365

370

367

<title>ENVIRONMENT</title>

371

368

372

369

373

<term><envar>TMPDIR</envar></term>

370

<term><varname>TMPDIR</varname></term>

374

371

375

372

<para>

376

373

If set, temporary files will be created here. See

382

379

</variablelist>

383

380

</refsect1>

384

381

385

382

386

383

<title>FILES</title>

387

384

<para>

388

385

Use the <option>--dir</option> option to change where

419

416

</varlistentry>

420

417

</variablelist>

421

418

</refsect1>

422

423

424

425

426

427

428

419

420

421

422

<para>

423

None are known at this time.

424

</para>

425

</refsect1>

426

429

427

430

428

<title>EXAMPLE</title>

431

429

433

431

Normal invocation needs no options:

434

432

</para>

435

433

<para>

436

<userinput>&COMMANDNAME;</userinput>

434

<userinput>mandos-keygen</userinput>

437

435

</para>

438

436

</informalexample>

439

437

440

438

<para>

441

Create key in another directory and of another type. Force

439

Create keys in another directory and of another type. Force

442

440

overwriting old key files:

443

441

</para>

444

442

<para>

445

443

446

444

447

<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>

448

449

</para>

450

</informalexample>

451

452

<para>

453

Prompt for a password, encrypt it with the key in

454

<filename>/etc/mandos</filename> and output a section suitable

455

for <filename>clients.conf</filename>.

456

</para>

457

<para>

458

<userinput>&COMMANDNAME; --password</userinput>

459

</para>

460

</informalexample>

461

462

<para>

463

Prompt for a password, encrypt it with the key in the

464

<filename>client-key</filename> directory and output a section

465

suitable for <filename>clients.conf</filename>.

466

</para>

467

<para>

468

469

470

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

445

<userinput>mandos-keygen --dir ~/keydir --type RSA --force</userinput>

471

446

472

447

</para>

473

448

</informalexample>

474

449

</refsect1>

475

450

476

451

477

452

<title>SECURITY</title>

478

453

<para>

479

454

The <option>--type</option>, <option>--length</option>,

480

455

<option>--subtype</option>, and <option>--sublength</option>

481

options can be used to create keys of low security. If in

482

doubt, leave them to the default values.

456

options can be used to create keys of insufficient security. If

457

in doubt, leave them to the default values.

483

458

</para>

484

459

<para>

485

The key expire time is <emphasis>not</emphasis> guaranteed to be

486

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

460

The key expire time is not guaranteed to be honored by

461

<citerefentry><refentrytitle>mandos</refentrytitle>

487

462

<manvolnum>8</manvolnum></citerefentry>.

488

463

</para>

489

464

</refsect1>

490

465

491

466

492

467

493

468

<para>

469

<citerefentry><refentrytitle>password-request</refentrytitle>

470

<manvolnum>8mandos</manvolnum></citerefentry>,

471

<citerefentry><refentrytitle>mandos</refentrytitle>

472

<manvolnum>8</manvolnum></citerefentry>,

494

473

495

<manvolnum>1</manvolnum></citerefentry>,

496

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

497

<manvolnum>5</manvolnum></citerefentry>,

498

<citerefentry><refentrytitle>mandos</refentrytitle>

499

<manvolnum>8</manvolnum></citerefentry>,

500

<citerefentry><refentrytitle>mandos-client</refentrytitle>

501

<manvolnum>8mandos</manvolnum></citerefentry>

474

502

475

</para>

503

476

</refsect1>

504

477

Older »