/mandos/trunk : revision 114

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2008-08-29 07:30:17 UTC
Revision ID: teddy@fukt.bsnet.se-20080829073017-tvryowganbf75zp5

* mandos-clients.conf.xml (SEE ALSO): Alphabetized, as per
                                      man-pages(7).
* mandos-keygen.xml: - '' -
* mandos.conf.xml: - '' -
* mandos.xml: - '' -
* plugin-runner.xml: - '' -
* plugins.d/password-request.xml (SEE ALSO): Changed from an
                                             <itemizedlist> to a
                                             <para>, as per
                                             man-pages(7).  Also
                                             alphabetize.

files added:
initramfs-tools-hook-conf

plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-tools-conf

initramfs-tools-script-stop

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2019-02-10">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-08-29">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Generate key and password for Mandos client and server.

Generate keys for <citerefentry><refentrytitle>password-request

</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--dir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--type

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-t

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--length

<arg choice="plain"><option>-l

</group>

<sbr/>

<group>

<arg choice="plain"><option>--subtype

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-s

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--sublength

<arg choice="plain"><option>-L

</group>

100

<sbr/>

101

<group>

102

<arg choice="plain"><option>--name

103

104

<arg choice="plain"><option>-n

105

106

</group>

107

<sbr/>

108

<group>

109

<arg choice="plain"><option>--email

110

<replaceable>ADDRESS</replaceable></option></arg>

111

<arg choice="plain"><option>-e

112

<replaceable>ADDRESS</replaceable></option></arg>

113

</group>

114

<sbr/>

115

<group>

116

<arg choice="plain"><option>--comment

117

118

<arg choice="plain"><option>-c

119

120

</group>

121

<sbr/>

122

<group>

123

<arg choice="plain"><option>--expire

124

125

<arg choice="plain"><option>-x

126

127

</group>

128

<sbr/>

129

<group>

130

<arg choice="plain"><option>--tls-keytype

131

<replaceable>KEYTYPE</replaceable></option></arg>

132

<arg choice="plain"><option>-T

133

<replaceable>KEYTYPE</replaceable></option></arg>

134

</group>

135

<sbr/>

136

<group>

<replaceable>directory</replaceable></arg>

</group>

</group>

<arg choice="plain"><option>--length</option>

</group>

<arg choice="plain"><option>--subtype</option>

</group>

<arg choice="plain"><option>--sublength</option>

</group>

100

101

</group>

102

103

<arg choice="plain"><option>--email</option>

104

<replaceable>EMAIL</replaceable></arg>

105

</group>

106

107

<arg choice="plain"><option>--comment</option>

108

<replaceable>COMMENT</replaceable></arg>

109

</group>

110

111

<arg choice="plain"><option>--expire</option>

112

113

</group>

114

137

115

<arg choice="plain"><option>--force</option></arg>

116

</group>

117

</cmdsynopsis>

118

119

<command>&COMMANDNAME;</command>

120

121

122

<replaceable>directory</replaceable></arg>

123

</group>

124

125

126

127

</group>

128

129

130

131

</group>

132

133

134

135

</group>

136

137

138

139

</group>

140

141

142

143

</group>

144

145

146

<replaceable>EMAIL</replaceable></arg>

147

</group>

148

149

150

<replaceable>COMMENT</replaceable></arg>

151

</group>

152

153

154

155

</group>

156

138

157

139

158

</group>

140

159

</cmdsynopsis>

141

160

142

161

<command>&COMMANDNAME;</command>

143

162

163

144

164

<arg choice="plain"><option>--password</option></arg>

145

146

<arg choice="plain"><option>--passfile

147

148

149

150

</group>

151

<sbr/>

152

<group>

153

<arg choice="plain"><option>--dir

154

<replaceable>DIRECTORY</replaceable></option></arg>

155

<arg choice="plain"><option>-d

156

<replaceable>DIRECTORY</replaceable></option></arg>

157

</group>

158

<sbr/>

159

<group>

160

<arg choice="plain"><option>--name

161

162

<arg choice="plain"><option>-n

163

164

</group>

165

<group>

166

167

165

</group>

166

167

168

<replaceable>directory</replaceable></arg>

169

</group>

170

171

172

168

173

</group>

169

174

</cmdsynopsis>

170

175

171

176

<command>&COMMANDNAME;</command>

172

177

178

173

179

174

175

180

</group>

176

181

</cmdsynopsis>

177

182

178

183

<command>&COMMANDNAME;</command>

179

184

185

180

186

<arg choice="plain"><option>--version</option></arg>

181

182

187

</group>

183

188

</cmdsynopsis>

184

189

</refsynopsisdiv>

185

190

186

191

187

192

<title>DESCRIPTION</title>

188

193

<para>

189

194

<command>&COMMANDNAME;</command> is a program to generate the

190

TLS and OpenPGP keys used by

191

<citerefentry><refentrytitle>mandos-client</refentrytitle>

195

OpenPGP keys used by

196

<citerefentry><refentrytitle>password-request</refentrytitle>

192

197

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

193

normally written to /etc/keys/mandos for later installation into

194

the initrd image, but this, and most other things, can be

195

changed with command line options.

198

normally written to /etc/mandos for later installation into the

199

initrd image, but this, like most things, can be changed with

200

command line options.

196

201

</para>

197

202

<para>

198

This program can also be used with the

199

<option>--password</option> or <option>--passfile</option>

200

options to generate a ready-made section for

201

<filename>clients.conf</filename> (see

203

It can also be used to generate ready-made sections for

202

204

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

203

<manvolnum>5</manvolnum></citerefentry>).

205

<manvolnum>5</manvolnum></citerefentry> using the

206

<option>--password</option> option.

204

207

</para>

205

208

</refsect1>

206

209

207

210

208

211

<title>PURPOSE</title>

212

209

213

<para>

210

214

The purpose of this is to enable <emphasis>remote and unattended

211

215

rebooting</emphasis> of client host computer with an

212

216

<emphasis>encrypted root file system</emphasis>. See <xref

213

217

linkend="overview"/> for details.

214

218

</para>

219

215

220

</refsect1>

216

221

217

222

218

223

<title>OPTIONS</title>

219

224

220

225

221

226

222

223

227

224

228

225

229

<para>

226

230

Show a help message and exit

227

231

</para>

228

232

</listitem>

229

233

</varlistentry>

230

231

232

<term><option>--dir

233

<replaceable>DIRECTORY</replaceable></option></term>

234

<term><option>-d

235

<replaceable>DIRECTORY</replaceable></option></term>

236

237

<para>

238

Target directory for key files. Default is <filename

239

class="directory">/etc/keys/mandos</filename>.

240

</para>

241

</listitem>

242

</varlistentry>

243

244

245

<term><option>--type

246

247

<term><option>-t

248

249

250

<para>

251

OpenPGP key type. Default is <quote>RSA</quote>.

252

</para>

253

</listitem>

254

</varlistentry>

255

256

257

<term><option>--length

258

259

<term><option>-l

260

261

262

<para>

263

OpenPGP key length in bits. Default is 4096.

264

</para>

265

</listitem>

266

</varlistentry>

267

268

269

<term><option>--subtype

270

<replaceable>KEYTYPE</replaceable></option></term>

271

<term><option>-s

272

<replaceable>KEYTYPE</replaceable></option></term>

273

274

<para>

275

OpenPGP subkey type. Default is <quote>RSA</quote>

276

</para>

277

</listitem>

278

</varlistentry>

279

280

281

<term><option>--sublength

282

283

<term><option>-L

284

285

286

<para>

287

OpenPGP subkey length in bits. Default is 4096.

288

</para>

289

</listitem>

290

</varlistentry>

291

292

293

<term><option>--email

294

<replaceable>ADDRESS</replaceable></option></term>

295

<term><option>-e

296

<replaceable>ADDRESS</replaceable></option></term>

234

235

236

<term><literal>-d</literal>, <literal>--dir

237

<replaceable>directory</replaceable></literal></term>

238

239

<para>

240

Target directory for key files. Default is

241

<filename>/etc/mandos</filename>.

242

</para>

243

</listitem>

244

</varlistentry>

245

246

247

<term><literal>-t</literal>, <literal>--type

248

249

250

<para>

251

Key type. Default is <quote>DSA</quote>.

252

</para>

253

</listitem>

254

</varlistentry>

255

256

257

<term><literal>-l</literal>, <literal>--length

258

259

260

<para>

261

Key length in bits. Default is 2048.

262

</para>

263

</listitem>

264

</varlistentry>

265

266

267

<term><literal>-s</literal>, <literal>--subtype

268

269

270

<para>

271

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

272

encryption-only).

273

</para>

274

</listitem>

275

</varlistentry>

276

277

278

<term><literal>-L</literal>, <literal>--sublength

279

280

281

<para>

282

Subkey length in bits. Default is 2048.

283

</para>

284

</listitem>

285

</varlistentry>

286

287

288

<term><literal>-e</literal>, <literal>--email</literal>

289

<replaceable>address</replaceable></term>

297

290

298

291

<para>

299

292

Email address of key. Default is empty.

300

293

</para>

301

294

</listitem>

302

295

</varlistentry>

303

296

304

297

305

<term><option>--comment

306

307

<term><option>-c

308

298

<term><literal>-c</literal>, <literal>--comment</literal>

299

<replaceable>comment</replaceable></term>

309

300

310

301

<para>

311

Comment field for key. Default is empty.

302

Comment field for key. The default value is

303

<quote><literal>Mandos client key</literal></quote>.

312

304

</para>

313

305

</listitem>

314

306

</varlistentry>

315

307

316

308

317

<term><option>--expire

318

319

<term><option>-x

320

309

<term><literal>-x</literal>, <literal>--expire</literal>

310

321

311

322

312

<para>

323

313

Key expire time. Default is no expiration. See

326

316

</para>

327

317

</listitem>

328

318

</varlistentry>

329

330

331

<term><option>--tls-keytype

332

<replaceable>KEYTYPE</replaceable></option></term>

333

<term><option>-T

334

<replaceable>KEYTYPE</replaceable></option></term>

335

336

<para>

337

TLS key type. Default is <quote>ed25519</quote>

338

</para>

339

</listitem>

340

</varlistentry>

341

342

343

<term><option>--force</option></term>

344

345

346

<para>

347

Force overwriting old key.

348

</para>

349

</listitem>

350

</varlistentry>

351

352

<term><option>--password</option></term>

353

319

320

321

<term><literal>-f</literal>, <literal>--force</literal></term>

322

323

<para>

324

Force overwriting old keys.

325

</para>

326

</listitem>

327

</varlistentry>

328

329

<term><literal>-p</literal>, <literal>--password</literal

330

></term>

354

331

355

332

<para>

356

333

Prompt for a password and encrypt it with the key already

357

present in either <filename>/etc/keys/mandos</filename> or

358

the directory specified with the <option>--dir</option>

334

present in either <filename>/etc/mandos</filename> or the

335

directory specified with the <option>--dir</option>

359

336

option. Outputs, on standard output, a section suitable

360

337

for inclusion in <citerefentry><refentrytitle

361

338

>mandos-clients.conf</refentrytitle><manvolnum

362

339

>8</manvolnum></citerefentry>. The host name or the name

363

340

specified with the <option>--name</option> option is used

364

341

for the section header. All other options are ignored,

365

and no key is created.

366

</para>

367

</listitem>

368

</varlistentry>

369

370

<term><option>--passfile

371

372

<term><option>-F

373

374

375

<para>

376

The same as <option>--password</option>, but read from

377

<replaceable>FILE</replaceable>, not the terminal.

378

</para>

379

</listitem>

380

</varlistentry>

381

382

383

384

385

<para>

386

When <option>--password</option> or

387

<option>--passfile</option> is given, this option will

388

prevent <command>&COMMANDNAME;</command> from calling

389

<command>ssh-keyscan</command> to get an SSH fingerprint

390

for this host and, if successful, output suitable config

391

options to use this fingerprint as a

392

<option>checker</option> option in the output. This is

393

otherwise the default behavior.

342

and no keys are created.

394

343

</para>

395

344

</listitem>

396

345

</varlistentry>

397

346

</variablelist>

398

347

</refsect1>

399

348

400

349

401

350

<title>OVERVIEW</title>

402

351

<xi:include href="overview.xml"/>

403

352

<para>

404

This program is a small utility to generate new TLS and OpenPGP

405

keys for new Mandos clients, and to generate sections for

406

inclusion in <filename>clients.conf</filename> on the server.

353

This program is a small utility to generate new OpenPGP keys for

354

new Mandos clients.

407

355

</para>

408

356

</refsect1>

409

357

410

358

411

359

<title>EXIT STATUS</title>

412

360

<para>

413

The exit status will be 0 if a new key (or password, if the

414

<option>--password</option> option was used) was successfully

415

created, otherwise not.

361

The exit status will be 0 if new keys were successfully created,

362

otherwise not.

416

363

</para>

417

364

</refsect1>

418

365

420

367

<title>ENVIRONMENT</title>

421

368

422

369

423

<term><envar>TMPDIR</envar></term>

370

<term><varname>TMPDIR</varname></term>

424

371

425

372

<para>

426

373

If set, temporary files will be created here. See

432

379

</variablelist>

433

380

</refsect1>

434

381

435

382

436

383

<title>FILES</title>

437

384

<para>

438

385

Use the <option>--dir</option> option to change where

441

388

</para>

442

389

443

390

444

<term><filename>/etc/keys/mandos/seckey.txt</filename></term>

391

<term><filename>/etc/mandos/seckey.txt</filename></term>

445

392

446

393

<para>

447

394

OpenPGP secret key file which will be created or

450

397

</listitem>

451

398

</varlistentry>

452

399

453

<term><filename>/etc/keys/mandos/pubkey.txt</filename></term>

400

<term><filename>/etc/mandos/pubkey.txt</filename></term>

454

401

455

402

<para>

456

403

OpenPGP public key file which will be created or

459

406

</listitem>

460

407

</varlistentry>

461

408

462

<term><filename>/etc/keys/mandos/tls-privkey.pem</filename></term>

463

464

<para>

465

Private key file which will be created or overwritten.

466

</para>

467

</listitem>

468

</varlistentry>

469

470

<term><filename>/etc/keys/mandos/tls-pubkey.pem</filename></term>

471

472

<para>

473

Public key file which will be created or overwritten.

474

</para>

475

</listitem>

476

</varlistentry>

477

478

409

479

410

480

411

<para>

481

412

Temporary files will be written here if

485

416

</varlistentry>

486

417

</variablelist>

487

418

</refsect1>

488

419

489

420

490

421

491

<xi:include href="bugs.xml"/>

422

<para>

423

None are known at this time.

424

</para>

492

425

</refsect1>

493

426

494

427

495

428

<title>EXAMPLE</title>

496

429

503

436

</informalexample>

504

437

505

438

<para>

506

Create key in another directory and of another type. Force

439

Create keys in another directory and of another type. Force

507

440

overwriting old key files:

508

441

</para>

509

442

<para>

513

446

514

447

</para>

515

448

</informalexample>

516

517

<para>

518

Prompt for a password, encrypt it with the keys in <filename

519

class="directory">/etc/keys/mandos</filename> and output a

520

section suitable for <filename>clients.conf</filename>.

521

</para>

522

<para>

523

<userinput>&COMMANDNAME; --password</userinput>

524

</para>

525

</informalexample>

526

527

<para>

528

Prompt for a password, encrypt it with the keys in the

529

<filename>client-key</filename> directory and output a section

530

suitable for <filename>clients.conf</filename>.

531

</para>

532

<para>

533

534

535

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

536

537

</para>

538

</informalexample>

539

449

</refsect1>

540

450

541

451

542

452

<title>SECURITY</title>

543

453

<para>

544

454

The <option>--type</option>, <option>--length</option>,

545

455

<option>--subtype</option>, and <option>--sublength</option>

546

options can be used to create keys of low security. If in

547

doubt, leave them to the default values.

456

options can be used to create keys of insufficient security. If

457

in doubt, leave them to the default values.

548

458

</para>

549

459

<para>

550

The key expire time is <emphasis>not</emphasis> guaranteed to be

551

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

460

The key expire time is not guaranteed to be honored by

461

<citerefentry><refentrytitle>mandos</refentrytitle>

552

462

<manvolnum>8</manvolnum></citerefentry>.

553

463

</para>

554

464

</refsect1>

555

465

556

466

557

467

558

468

<para>

559

<citerefentry><refentrytitle>intro</refentrytitle>

560

<manvolnum>8mandos</manvolnum></citerefentry>,

561

469

562

470

<manvolnum>1</manvolnum></citerefentry>,

563

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

564

<manvolnum>5</manvolnum></citerefentry>,

565

471

<citerefentry><refentrytitle>mandos</refentrytitle>

566

472

<manvolnum>8</manvolnum></citerefentry>,

567

<citerefentry><refentrytitle>mandos-client</refentrytitle>

568

<manvolnum>8mandos</manvolnum></citerefentry>,

569

<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>

570

473

<citerefentry><refentrytitle>password-request</refentrytitle>

474

<manvolnum>8mandos</manvolnum></citerefentry>

571

475

</para>

572

476

</refsect1>

573

477

Older »