57
68
<refname><command>&COMMANDNAME;</command></refname>
59
Generate key and password for Mandos client and server.
70
Generate keys for <citerefentry><refentrytitle>password-request
71
</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>
65
77
<command>&COMMANDNAME;</command>
67
<arg choice="plain"><option>--dir
68
<replaceable>DIRECTORY</replaceable></option></arg>
69
<arg choice="plain"><option>-d
70
<replaceable>DIRECTORY</replaceable></option></arg>
74
<arg choice="plain"><option>--type
75
<replaceable>KEYTYPE</replaceable></option></arg>
76
<arg choice="plain"><option>-t
77
<replaceable>KEYTYPE</replaceable></option></arg>
81
<arg choice="plain"><option>--length
82
<replaceable>BITS</replaceable></option></arg>
83
<arg choice="plain"><option>-l
84
<replaceable>BITS</replaceable></option></arg>
88
<arg choice="plain"><option>--subtype
89
<replaceable>KEYTYPE</replaceable></option></arg>
90
<arg choice="plain"><option>-s
91
<replaceable>KEYTYPE</replaceable></option></arg>
95
<arg choice="plain"><option>--sublength
96
<replaceable>BITS</replaceable></option></arg>
97
<arg choice="plain"><option>-L
98
<replaceable>BITS</replaceable></option></arg>
102
<arg choice="plain"><option>--name
103
<replaceable>NAME</replaceable></option></arg>
104
<arg choice="plain"><option>-n
105
<replaceable>NAME</replaceable></option></arg>
109
<arg choice="plain"><option>--email
110
<replaceable>ADDRESS</replaceable></option></arg>
111
<arg choice="plain"><option>-e
112
<replaceable>ADDRESS</replaceable></option></arg>
116
<arg choice="plain"><option>--comment
117
<replaceable>TEXT</replaceable></option></arg>
118
<arg choice="plain"><option>-c
119
<replaceable>TEXT</replaceable></option></arg>
123
<arg choice="plain"><option>--expire
124
<replaceable>TIME</replaceable></option></arg>
125
<arg choice="plain"><option>-x
126
<replaceable>TIME</replaceable></option></arg>
79
<arg choice="plain"><option>--dir</option>
80
<replaceable>directory</replaceable></arg>
83
<arg choice="plain"><option>--type</option>
84
<replaceable>type</replaceable></arg>
87
<arg choice="plain"><option>--length</option>
88
<replaceable>bits</replaceable></arg>
91
<arg choice="plain"><option>--subtype</option>
92
<replaceable>type</replaceable></arg>
95
<arg choice="plain"><option>--sublength</option>
96
<replaceable>bits</replaceable></arg>
99
<arg choice="plain"><option>--name</option>
100
<replaceable>NAME</replaceable></arg>
103
<arg choice="plain"><option>--email</option>
104
<replaceable>EMAIL</replaceable></arg>
107
<arg choice="plain"><option>--comment</option>
108
<replaceable>COMMENT</replaceable></arg>
111
<arg choice="plain"><option>--expire</option>
112
<replaceable>TIME</replaceable></arg>
130
115
<arg choice="plain"><option>--force</option></arg>
119
<command>&COMMANDNAME;</command>
121
<arg choice="plain"><option>-d</option>
122
<replaceable>directory</replaceable></arg>
125
<arg choice="plain"><option>-t</option>
126
<replaceable>type</replaceable></arg>
129
<arg choice="plain"><option>-l</option>
130
<replaceable>bits</replaceable></arg>
133
<arg choice="plain"><option>-s</option>
134
<replaceable>type</replaceable></arg>
137
<arg choice="plain"><option>-L</option>
138
<replaceable>bits</replaceable></arg>
141
<arg choice="plain"><option>-n</option>
142
<replaceable>NAME</replaceable></arg>
145
<arg choice="plain"><option>-e</option>
146
<replaceable>EMAIL</replaceable></arg>
149
<arg choice="plain"><option>-c</option>
150
<replaceable>COMMENT</replaceable></arg>
153
<arg choice="plain"><option>-x</option>
154
<replaceable>TIME</replaceable></arg>
131
157
<arg choice="plain"><option>-f</option></arg>
135
161
<command>&COMMANDNAME;</command>
136
162
<group choice="req">
163
<arg choice="plain"><option>-p</option></arg>
137
164
<arg choice="plain"><option>--password</option></arg>
138
<arg choice="plain"><option>-p</option></arg>
139
<arg choice="plain"><option>--passfile
140
<replaceable>FILE</replaceable></option></arg>
141
<arg choice="plain"><option>-F</option>
142
<replaceable>FILE</replaceable></arg>
146
<arg choice="plain"><option>--dir
147
<replaceable>DIRECTORY</replaceable></option></arg>
148
<arg choice="plain"><option>-d
149
<replaceable>DIRECTORY</replaceable></option></arg>
153
<arg choice="plain"><option>--name
154
<replaceable>NAME</replaceable></option></arg>
155
<arg choice="plain"><option>-n
156
<replaceable>NAME</replaceable></option></arg>
159
<arg choice="plain"><option>--no-ssh</option></arg>
160
<arg choice="plain"><option>-S</option></arg>
167
<arg choice="plain"><option>--dir</option>
168
<replaceable>directory</replaceable></arg>
171
<arg choice="plain"><option>--name</option>
172
<replaceable>NAME</replaceable></arg>
164
176
<command>&COMMANDNAME;</command>
165
177
<group choice="req">
178
<arg choice="plain"><option>-h</option></arg>
166
179
<arg choice="plain"><option>--help</option></arg>
167
<arg choice="plain"><option>-h</option></arg>
171
183
<command>&COMMANDNAME;</command>
172
184
<group choice="req">
185
<arg choice="plain"><option>-v</option></arg>
173
186
<arg choice="plain"><option>--version</option></arg>
174
<arg choice="plain"><option>-v</option></arg>
177
189
</refsynopsisdiv>
179
191
<refsect1 id="description">
180
192
<title>DESCRIPTION</title>
182
194
<command>&COMMANDNAME;</command> is a program to generate the
184
<citerefentry><refentrytitle>mandos-client</refentrytitle>
185
<manvolnum>8mandos</manvolnum></citerefentry>. The key is
196
<citerefentry><refentrytitle>password-request</refentrytitle>
197
<manvolnum>8mandos</manvolnum></citerefentry>. The keys are
186
198
normally written to /etc/mandos for later installation into the
187
initrd image, but this, and most other things, can be changed
188
with command line options.
199
initrd image, but this, like most things, can be changed with
200
command line options.
191
This program can also be used with the
192
<option>--password</option> or <option>--passfile</option>
193
options to generate a ready-made section for
194
<filename>clients.conf</filename> (see
203
It can also be used to generate ready-made sections for
195
204
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
196
<manvolnum>5</manvolnum></citerefentry>).
205
<manvolnum>5</manvolnum></citerefentry> using the
206
<option>--password</option> option.
200
210
<refsect1 id="purpose">
201
211
<title>PURPOSE</title>
203
214
The purpose of this is to enable <emphasis>remote and unattended
204
215
rebooting</emphasis> of client host computer with an
205
216
<emphasis>encrypted root file system</emphasis>. See <xref
206
217
linkend="overview"/> for details.
210
222
<refsect1 id="options">
211
223
<title>OPTIONS</title>
215
<term><option>--help</option></term>
216
<term><option>-h</option></term>
227
<term><literal>-h</literal>, <literal>--help</literal></term>
219
230
Show a help message and exit
226
<replaceable>DIRECTORY</replaceable></option></term>
228
<replaceable>DIRECTORY</replaceable></option></term>
236
<term><literal>-d</literal>, <literal>--dir
237
<replaceable>directory</replaceable></literal></term>
231
240
Target directory for key files. Default is
232
<filename class="directory">/etc/mandos</filename>.
239
<replaceable>TYPE</replaceable></option></term>
241
<replaceable>TYPE</replaceable></option></term>
244
Key type. Default is <quote>RSA</quote>.
250
<term><option>--length
251
<replaceable>BITS</replaceable></option></term>
253
<replaceable>BITS</replaceable></option></term>
256
Key length in bits. Default is 4096.
262
<term><option>--subtype
263
<replaceable>KEYTYPE</replaceable></option></term>
265
<replaceable>KEYTYPE</replaceable></option></term>
268
Subkey type. Default is <quote>RSA</quote> (Elgamal
241
<filename>/etc/mandos</filename>.
247
<term><literal>-t</literal>, <literal>--type
248
<replaceable>type</replaceable></literal></term>
251
Key type. Default is <quote>DSA</quote>.
257
<term><literal>-l</literal>, <literal>--length
258
<replaceable>bits</replaceable></literal></term>
261
Key length in bits. Default is 2048.
267
<term><literal>-s</literal>, <literal>--subtype
268
<replaceable>type</replaceable></literal></term>
271
Subkey type. Default is <quote>ELG-E</quote> (Elgamal
269
272
encryption-only).
275
<term><option>--sublength
276
<replaceable>BITS</replaceable></option></term>
278
<replaceable>BITS</replaceable></option></term>
278
<term><literal>-L</literal>, <literal>--sublength
279
<replaceable>bits</replaceable></literal></term>
281
Subkey length in bits. Default is 4096.
282
Subkey length in bits. Default is 2048.
287
<term><option>--email
288
<replaceable>ADDRESS</replaceable></option></term>
290
<replaceable>ADDRESS</replaceable></option></term>
288
<term><literal>-e</literal>, <literal>--email</literal>
289
<replaceable>address</replaceable></term>
293
292
Email address of key. Default is empty.
299
<term><option>--comment
300
<replaceable>TEXT</replaceable></option></term>
302
<replaceable>TEXT</replaceable></option></term>
298
<term><literal>-c</literal>, <literal>--comment</literal>
299
<replaceable>comment</replaceable></term>
305
Comment field for key. Default is empty.
302
Comment field for key. The default value is
303
<quote><literal>Mandos client key</literal></quote>.
311
<term><option>--expire
312
<replaceable>TIME</replaceable></option></term>
314
<replaceable>TIME</replaceable></option></term>
309
<term><literal>-x</literal>, <literal>--expire</literal>
310
<replaceable>time</replaceable></term>
317
313
Key expire time. Default is no expiration. See
464
431
Normal invocation needs no options:
467
<userinput>&COMMANDNAME;</userinput>
434
<userinput>mandos-keygen</userinput>
469
436
</informalexample>
470
437
<informalexample>
472
Create key in another directory and of another type. Force
439
Create keys in another directory and of another type. Force
473
440
overwriting old key files:
477
444
<!-- do not wrap this line -->
478
<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>
484
Prompt for a password, encrypt it with the key in <filename
485
class="directory">/etc/mandos</filename> and output a section
486
suitable for <filename>clients.conf</filename>.
489
<userinput>&COMMANDNAME; --password</userinput>
494
Prompt for a password, encrypt it with the key in the
495
<filename>client-key</filename> directory and output a section
496
suitable for <filename>clients.conf</filename>.
500
<!-- do not wrap this line -->
501
<userinput>&COMMANDNAME; --password --dir client-key</userinput>
445
<userinput>mandos-keygen --dir ~/keydir --type RSA --force</userinput>
504
448
</informalexample>
507
451
<refsect1 id="security">
508
452
<title>SECURITY</title>
510
454
The <option>--type</option>, <option>--length</option>,
511
455
<option>--subtype</option>, and <option>--sublength</option>
512
options can be used to create keys of low security. If in
513
doubt, leave them to the default values.
456
options can be used to create keys of insufficient security. If
457
in doubt, leave them to the default values.
516
The key expire time is <emphasis>not</emphasis> guaranteed to be
517
honored by <citerefentry><refentrytitle>mandos</refentrytitle>
460
The key expire time is not guaranteed to be honored by
461
<citerefentry><refentrytitle>mandos</refentrytitle>
518
462
<manvolnum>8</manvolnum></citerefentry>.
522
466
<refsect1 id="see_also">
523
467
<title>SEE ALSO</title>
525
<citerefentry><refentrytitle>intro</refentrytitle>
469
<citerefentry><refentrytitle>password-request</refentrytitle>
526
470
<manvolnum>8mandos</manvolnum></citerefentry>,
471
<citerefentry><refentrytitle>mandos</refentrytitle>
472
<manvolnum>8</manvolnum></citerefentry>,
527
473
<citerefentry><refentrytitle>gpg</refentrytitle>
528
<manvolnum>1</manvolnum></citerefentry>,
529
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
530
<manvolnum>5</manvolnum></citerefentry>,
531
<citerefentry><refentrytitle>mandos</refentrytitle>
532
<manvolnum>8</manvolnum></citerefentry>,
533
<citerefentry><refentrytitle>mandos-client</refentrytitle>
534
<manvolnum>8mandos</manvolnum></citerefentry>,
535
<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>
536
474
<manvolnum>1</manvolnum></citerefentry>