/mandos/trunk : revision 1131

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2019-07-29 16:35:53 UTC
Revision ID: teddy@recompile.se-20190729163553-1i442i2cbx64c537

Make tests and man page examples match

Make the tests test_manual_page_example[1-5] match exactly what is
written in the manual page, and add comments to manual page as
reminders to keep tests and manual page examples in sync.

* mandos-ctl (Test_commands_from_options.test_manual_page_example_1):
  Remove "--verbose" option, since the manual does not have it as the
  first example, and change assertion to match.
* mandos-ctl.xml (EXAMPLE): Add comments to all examples documenting
  which test function they correspond to.  Also remove unnecessary
  quotes from option arguments in fourth example, and clarify language
  slightly in fifth example.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/templates.pot

debian/rules

debian/source

debian/source/format

debian/source/lintian-overrides

debian/source/local-options

debian/tests

debian/tests/control

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

init.d-mandos

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version='1.0' encoding='UTF-8'?>

<?xml-stylesheet type="text/xsl"

href="http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl"?>

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2019-07-18">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>&COMMANDNAME;</title>

<productname>&COMMANDNAME;</productname>

<productnumber>&VERSION;</productnumber>

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn & Björn Påhlsson</holder>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Generate keys for <citerefentry><refentrytitle>password-request

</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>

Generate key and password for Mandos client and server.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<replaceable>directory</replaceable></arg>

</group>

</group>

<arg choice="plain"><option>--length</option>

</group>

</group>

<arg choice="plain"><option>--email</option>

<replaceable>EMAIL</replaceable></arg>

</group>

<arg choice="plain"><option>--comment</option>

<replaceable>COMMENT</replaceable></arg>

100

</group>

101

102

<arg choice="plain"><option>--expire</option>

103

104

</group>

105

<group>

<arg choice="plain"><option>--dir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--type

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-t

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--length

<arg choice="plain"><option>-l

</group>

<sbr/>

<group>

<arg choice="plain"><option>--subtype

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-s

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--sublength

<arg choice="plain"><option>-L

100

</group>

101

<sbr/>

102

<group>

103

<arg choice="plain"><option>--name

104

105

<arg choice="plain"><option>-n

106

107

</group>

108

<sbr/>

109

<group>

110

<arg choice="plain"><option>--email

111

<replaceable>ADDRESS</replaceable></option></arg>

112

<arg choice="plain"><option>-e

113

<replaceable>ADDRESS</replaceable></option></arg>

114

</group>

115

<sbr/>

116

<group>

117

<arg choice="plain"><option>--comment

118

119

<arg choice="plain"><option>-c

120

121

</group>

122

<sbr/>

123

<group>

124

<arg choice="plain"><option>--expire

125

126

<arg choice="plain"><option>-x

127

128

</group>

129

<sbr/>

130

<group>

131

<arg choice="plain"><option>--tls-keytype

132

<replaceable>KEYTYPE</replaceable></option></arg>

133

<arg choice="plain"><option>-T

134

<replaceable>KEYTYPE</replaceable></option></arg>

135

</group>

136

<sbr/>

137

<group>

106

138

<arg choice="plain"><option>--force</option></arg>

107

</group>

108

</cmdsynopsis>

109

110

<command>&COMMANDNAME;</command>

111

112

113

<replaceable>directory</replaceable></arg>

114

</group>

115

116

117

118

</group>

119

120

121

122

</group>

123

124

125

126

</group>

127

128

129

<replaceable>EMAIL</replaceable></arg>

130

</group>

131

132

133

<replaceable>COMMENT</replaceable></arg>

134

</group>

135

136

137

138

</group>

139

140

139

141

140

</group>

142

141

</cmdsynopsis>

143

142

144

143

<command>&COMMANDNAME;</command>

145

144

146

147

148

</group>

149

</cmdsynopsis>

150

151

<command>&COMMANDNAME;</command>

152

153

154

<arg choice='plain'><option>--version</option></arg>

145

<arg choice="plain"><option>--password</option></arg>

146

147

<arg choice="plain"><option>--passfile

148

149

150

151

</group>

152

<sbr/>

153

<group>

154

<arg choice="plain"><option>--dir

155

<replaceable>DIRECTORY</replaceable></option></arg>

156

<arg choice="plain"><option>-d

157

<replaceable>DIRECTORY</replaceable></option></arg>

158

</group>

159

<sbr/>

160

<group>

161

<arg choice="plain"><option>--name

162

163

<arg choice="plain"><option>-n

164

165

</group>

166

<group>

167

168

169

</group>

170

</cmdsynopsis>

171

172

<command>&COMMANDNAME;</command>

173

174

175

176

</group>

177

</cmdsynopsis>

178

179

<command>&COMMANDNAME;</command>

180

181

<arg choice="plain"><option>--version</option></arg>

182

155

183

</group>

156

184

</cmdsynopsis>

157

185

</refsynopsisdiv>

158

186

159

187

160

188

<title>DESCRIPTION</title>

161

189

<para>

162

190

<command>&COMMANDNAME;</command> is a program to generate the

163

OpenPGP keys used by

164

<citerefentry><refentrytitle>password-request</refentrytitle>

191

TLS and OpenPGP keys used by

192

<citerefentry><refentrytitle>mandos-client</refentrytitle>

165

193

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

166

normally written to /etc/mandos for later installation into the

167

initrd image, but this, like most things, can be changed with

168

command line options.

194

normally written to /etc/keys/mandos for later installation into

195

the initrd image, but this, and most other things, can be

196

changed with command line options.

197

</para>

198

<para>

199

This program can also be used with the

200

<option>--password</option> or <option>--passfile</option>

201

options to generate a ready-made section for

202

<filename>clients.conf</filename> (see

203

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

204

<manvolnum>5</manvolnum></citerefentry>).

205

</para>

206

</refsect1>

207

208

209

<title>PURPOSE</title>

210

<para>

211

The purpose of this is to enable <emphasis>remote and unattended

212

rebooting</emphasis> of client host computer with an

213

<emphasis>encrypted root file system</emphasis>. See <xref

214

linkend="overview"/> for details.

169

215

</para>

170

216

</refsect1>

171

217

172

218

173

219

<title>OPTIONS</title>

174

220

175

221

176

222

177

223

224

178

225

179

226

<para>

180

227

Show a help message and exit

181

228

</para>

182

229

</listitem>

183

230

</varlistentry>

184

185

186

<term><literal>-d</literal>, <literal>--dir

187

<replaceable>directory</replaceable></literal></term>

188

189

<para>

190

Target directory for key files.

191

</para>

192

</listitem>

193

</varlistentry>

194

195

196

<term><literal>-t</literal>, <literal>--type

197

198

199

<para>

200

Key type. Default is DSA.

201

</para>

202

</listitem>

203

</varlistentry>

204

205

206

<term><literal>-l</literal>, <literal>--length

207

208

209

<para>

210

Key length in bits. Default is 1024.

211

</para>

212

</listitem>

213

</varlistentry>

214

215

216

<term><literal>-e</literal>, <literal>--email</literal>

217

<replaceable>address</replaceable></term>

231

232

233

<term><option>--dir

234

<replaceable>DIRECTORY</replaceable></option></term>

235

<term><option>-d

236

<replaceable>DIRECTORY</replaceable></option></term>

237

238

<para>

239

Target directory for key files. Default is <filename

240

class="directory">/etc/keys/mandos</filename>.

241

</para>

242

</listitem>

243

</varlistentry>

244

245

246

<term><option>--type

247

248

<term><option>-t

249

250

251

<para>

252

OpenPGP key type. Default is <quote>RSA</quote>.

253

</para>

254

</listitem>

255

</varlistentry>

256

257

258

<term><option>--length

259

260

<term><option>-l

261

262

263

<para>

264

OpenPGP key length in bits. Default is 4096.

265

</para>

266

</listitem>

267

</varlistentry>

268

269

270

<term><option>--subtype

271

<replaceable>KEYTYPE</replaceable></option></term>

272

<term><option>-s

273

<replaceable>KEYTYPE</replaceable></option></term>

274

275

<para>

276

OpenPGP subkey type. Default is <quote>RSA</quote>

277

</para>

278

</listitem>

279

</varlistentry>

280

281

282

<term><option>--sublength

283

284

<term><option>-L

285

286

287

<para>

288

OpenPGP subkey length in bits. Default is 4096.

289

</para>

290

</listitem>

291

</varlistentry>

292

293

294

<term><option>--email

295

<replaceable>ADDRESS</replaceable></option></term>

296

<term><option>-e

297

<replaceable>ADDRESS</replaceable></option></term>

218

298

219

299

<para>

220

300

Email address of key. Default is empty.

221

301

</para>

222

302

</listitem>

223

303

</varlistentry>

224

304

225

305

226

<term><literal>-c</literal>, <literal>--comment</literal>

227

<replaceable>comment</replaceable></term>

306

<term><option>--comment

307

308

<term><option>-c

309

228

310

229

311

<para>

230

Comment field for key. The default value is

231

"<literal>Mandos client key</literal>".

312

Comment field for key. Default is empty.

232

313

</para>

233

314

</listitem>

234

315

</varlistentry>

235

316

236

317

237

<term><literal>-x</literal>, <literal>--expire</literal>

238

318

<term><option>--expire

319

320

<term><option>-x

321

239

322

240

323

<para>

241

324

Key expire time. Default is no expiration. See

244

327

</para>

245

328

</listitem>

246

329

</varlistentry>

247

248

249

<term><literal>-f</literal>, <literal>--force</literal></term>

250

251

<para>

252

Force overwriting old keys.

330

331

332

<term><option>--tls-keytype

333

<replaceable>KEYTYPE</replaceable></option></term>

334

<term><option>-T

335

<replaceable>KEYTYPE</replaceable></option></term>

336

337

<para>

338

TLS key type. Default is <quote>ed25519</quote>

339

</para>

340

</listitem>

341

</varlistentry>

342

343

344

<term><option>--force</option></term>

345

346

347

<para>

348

Force overwriting old key.

349

</para>

350

</listitem>

351

</varlistentry>

352

353

<term><option>--password</option></term>

354

355

356

<para>

357

Prompt for a password and encrypt it with the key already

358

present in either <filename>/etc/keys/mandos</filename> or

359

the directory specified with the <option>--dir</option>

360

option. Outputs, on standard output, a section suitable

361

for inclusion in <citerefentry><refentrytitle

362

>mandos-clients.conf</refentrytitle><manvolnum

363

>8</manvolnum></citerefentry>. The host name or the name

364

specified with the <option>--name</option> option is used

365

for the section header. All other options are ignored,

366

and no key is created. Note: white space is stripped from

367

the beginning and from the end of the password; See <xref

368

linkend="bugs"/>.

369

</para>

370

</listitem>

371

</varlistentry>

372

373

<term><option>--passfile

374

375

<term><option>-F

376

377

378

<para>

379

The same as <option>--password</option>, but read from

380

<replaceable>FILE</replaceable>, not the terminal, and

381

white space is not stripped from the password in any way.

382

</para>

383

</listitem>

384

</varlistentry>

385

386

387

388

389

<para>

390

When <option>--password</option> or

391

<option>--passfile</option> is given, this option will

392

prevent <command>&COMMANDNAME;</command> from calling

393

<command>ssh-keyscan</command> to get an SSH fingerprint

394

for this host and, if successful, output suitable config

395

options to use this fingerprint as a

396

<option>checker</option> option in the output. This is

397

otherwise the default behavior.

253

398

</para>

254

399

</listitem>

255

400

</varlistentry>

256

401

</variablelist>

257

402

</refsect1>

258

403

404

405

<title>OVERVIEW</title>

406

<xi:include href="overview.xml"/>

407

<para>

408

This program is a small utility to generate new TLS and OpenPGP

409

keys for new Mandos clients, and to generate sections for

410

inclusion in <filename>clients.conf</filename> on the server.

411

</para>

412

</refsect1>

413

259

414

260

415

<title>EXIT STATUS</title>

261

416

<para>

417

The exit status will be 0 if a new key (or password, if the

418

<option>--password</option> option was used) was successfully

419

created, otherwise not.

262

420

</para>

263

421

</refsect1>

264

422

265

423

424

<title>ENVIRONMENT</title>

425

426

427

<term><envar>TMPDIR</envar></term>

428

429

<para>

430

If set, temporary files will be created here. See

431

<citerefentry><refentrytitle>mktemp</refentrytitle>

432

<manvolnum>1</manvolnum></citerefentry>.

433

</para>

434

</listitem>

435

</varlistentry>

436

</variablelist>

437

</refsect1>

438

439

266

440

<title>FILES</title>

267

441

<para>

442

Use the <option>--dir</option> option to change where

443

<command>&COMMANDNAME;</command> will write the key files. The

444

default file names are shown here.

268

445

</para>

446

447

448

<term><filename>/etc/keys/mandos/seckey.txt</filename></term>

449

450

<para>

451

OpenPGP secret key file which will be created or

452

overwritten.

453

</para>

454

</listitem>

455

</varlistentry>

456

457

<term><filename>/etc/keys/mandos/pubkey.txt</filename></term>

458

459

<para>

460

OpenPGP public key file which will be created or

461

overwritten.

462

</para>

463

</listitem>

464

</varlistentry>

465

466

<term><filename>/etc/keys/mandos/tls-privkey.pem</filename></term>

467

468

<para>

469

Private key file which will be created or overwritten.

470

</para>

471

</listitem>

472

</varlistentry>

473

474

<term><filename>/etc/keys/mandos/tls-pubkey.pem</filename></term>

475

476

<para>

477

Public key file which will be created or overwritten.

478

</para>

479

</listitem>

480

</varlistentry>

481

482

483

484

<para>

485

Temporary files will be written here if

486

<varname>TMPDIR</varname> is not set.

487

</para>

488

</listitem>

489

</varlistentry>

490

</variablelist>

269

491

</refsect1>

270

492

271

493

272

494

273

495

<para>

274

</para>

275

</refsect1>

276

277

278

<title>EXAMPLES</title>

279

<para>

280

</para>

281

</refsect1>

282

496

The <option>--password</option>/<option>-p</option> option

497

strips white space from the start and from the end of the

498

password before using it. If this is a problem, use the

499

<option>--passfile</option> option instead, which does not do

500

this.

501

</para>

502

<xi:include href="bugs.xml"/>

503

</refsect1>

504

505

506

<title>EXAMPLE</title>

507

508

<para>

509

Normal invocation needs no options:

510

</para>

511

<para>

512

<userinput>&COMMANDNAME;</userinput>

513

</para>

514

</informalexample>

515

516

<para>

517

Create key in another directory and of another type. Force

518

overwriting old key files:

519

</para>

520

<para>

521

522

523

<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>

524

525

</para>

526

</informalexample>

527

528

<para>

529

Prompt for a password, encrypt it with the keys in <filename

530

class="directory">/etc/keys/mandos</filename> and output a

531

section suitable for <filename>clients.conf</filename>.

532

</para>

533

<para>

534

<userinput>&COMMANDNAME; --password</userinput>

535

</para>

536

</informalexample>

537

538

<para>

539

Prompt for a password, encrypt it with the keys in the

540

<filename>client-key</filename> directory and output a section

541

suitable for <filename>clients.conf</filename>.

542

</para>

543

<para>

544

545

546

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

547

548

</para>

549

</informalexample>

550

</refsect1>

551

283

552

284

553

<title>SECURITY</title>

285

554

<para>

555

The <option>--type</option>, <option>--length</option>,

556

<option>--subtype</option>, and <option>--sublength</option>

557

options can be used to create keys of low security. If in

558

doubt, leave them to the default values.

559

</para>

560

<para>

561

The key expire time is <emphasis>not</emphasis> guaranteed to be

562

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

563

<manvolnum>8</manvolnum></citerefentry>.

286

564

</para>

287

565

</refsect1>

288

566

289

567

290

568

291

569

<para>

292

<citerefentry><refentrytitle>password-request</refentrytitle>

570

<citerefentry><refentrytitle>intro</refentrytitle>

293

571

<manvolnum>8mandos</manvolnum></citerefentry>,

572

573

<manvolnum>1</manvolnum></citerefentry>,

574

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

575

<manvolnum>5</manvolnum></citerefentry>,

294

576

<citerefentry><refentrytitle>mandos</refentrytitle>

295

<manvolnum>8</manvolnum></citerefentry>, and

296

577

<manvolnum>8</manvolnum></citerefentry>,

578

<citerefentry><refentrytitle>mandos-client</refentrytitle>

579

<manvolnum>8mandos</manvolnum></citerefentry>,

580

<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>

297

581

298

582

</para>

299

583

</refsect1>

300

584

301

585

</refentry>

586

587

588

589

590

Older »