/mandos/trunk : revision 119

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2008-08-30 18:45:41 UTC
Revision ID: teddy@fukt.bsnet.se-20080830184541-j8zru4q0rlz5a0hw

* mandos-clients.conf.xml (SYNOPSIS): Remove line breaks.
  (OPTIONS): Add <option> tags.  Moved option name to outside
             <literal>.  Moved synopsis to inside <term> tags.
             Removed <synopsis> tags.  Improve wording of "secfile"
             option.
  (EXPANSION): Improved wording slightly.

* mandos-options.xml (interface): Improve wording.

* mandos.conf.xml (SYNOPSIS): Remove line breaks.
  (OPTIONS): Add <option> tags.  Moved option name to outside
             <literal>.  Moved synopsis to inside <term> tags.
             Removed <synopsis> tags.

files added:
initramfs-tools-hook-conf

plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/sv.po

debian/po/templates.pot

debian/rules

debian/source

debian/source/format

debian/source/lintian-overrides

debian/source/local-options

debian/tests

debian/tests/control

debian/upstream

debian/upstream/metadata

debian/upstream/signing-key.asc

debian/watch

default-mandos

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

init.d-mandos

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2019-07-18">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-08-30">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Generate key and password for Mandos client and server.

Generate keys for <citerefentry><refentrytitle>password-request

</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

127

138

128

139

</group>

129

140

<sbr/>

130

<group>

131

<arg choice="plain"><option>--tls-keytype

132

<replaceable>KEYTYPE</replaceable></option></arg>

133

<arg choice="plain"><option>-T

134

<replaceable>KEYTYPE</replaceable></option></arg>

135

</group>

136

<sbr/>

137

<group>

138

<arg choice="plain"><option>--force</option></arg>

139

140

</group>

141

<arg><option>--force</option></arg>

141

142

</cmdsynopsis>

142

143

143

144

<command>&COMMANDNAME;</command>

144

145

146

145

147

<arg choice="plain"><option>--password</option></arg>

146

147

<arg choice="plain"><option>--passfile

148

149

150

151

148

</group>

152

149

<sbr/>

153

150

<group>

163

160

<arg choice="plain"><option>-n

164

161

165

162

</group>

166

<group>

167

168

169

</group>

170

163

</cmdsynopsis>

171

164

172

165

<command>&COMMANDNAME;</command>

173

166

167

174

168

175

176

169

</group>

177

170

</cmdsynopsis>

178

171

179

172

<command>&COMMANDNAME;</command>

180

173

174

181

175

<arg choice="plain"><option>--version</option></arg>

182

183

176

</group>

184

177

</cmdsynopsis>

185

178

</refsynopsisdiv>

186

179

187

180

188

181

<title>DESCRIPTION</title>

189

182

<para>

190

183

<command>&COMMANDNAME;</command> is a program to generate the

191

TLS and OpenPGP keys used by

192

<citerefentry><refentrytitle>mandos-client</refentrytitle>

184

OpenPGP keys used by

185

<citerefentry><refentrytitle>password-request</refentrytitle>

193

186

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

194

normally written to /etc/keys/mandos for later installation into

195

the initrd image, but this, and most other things, can be

196

changed with command line options.

187

normally written to /etc/mandos for later installation into the

188

initrd image, but this, like most things, can be changed with

189

command line options.

197

190

</para>

198

191

<para>

199

This program can also be used with the

200

<option>--password</option> or <option>--passfile</option>

201

options to generate a ready-made section for

202

<filename>clients.conf</filename> (see

192

It can also be used to generate ready-made sections for

203

193

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

204

<manvolnum>5</manvolnum></citerefentry>).

194

<manvolnum>5</manvolnum></citerefentry> using the

195

<option>--password</option> option.

205

196

</para>

206

197

</refsect1>

207

198

208

199

209

200

<title>PURPOSE</title>

201

210

202

<para>

211

203

The purpose of this is to enable <emphasis>remote and unattended

212

204

rebooting</emphasis> of client host computer with an

213

205

<emphasis>encrypted root file system</emphasis>. See <xref

214

206

linkend="overview"/> for details.

215

207

</para>

208

216

209

</refsect1>

217

210

218

211

219

212

<title>OPTIONS</title>

220

213

221

214

222

215

223

224

216

225

217

226

218

<para>

227

219

Show a help message and exit

228

220

</para>

229

221

</listitem>

230

222

</varlistentry>

231

232

233

<term><option>--dir

234

<replaceable>DIRECTORY</replaceable></option></term>

235

<term><option>-d

236

<replaceable>DIRECTORY</replaceable></option></term>

237

238

<para>

239

Target directory for key files. Default is <filename

240

class="directory">/etc/keys/mandos</filename>.

241

</para>

242

</listitem>

243

</varlistentry>

244

245

246

<term><option>--type

247

248

<term><option>-t

249

250

251

<para>

252

OpenPGP key type. Default is <quote>RSA</quote>.

253

</para>

254

</listitem>

255

</varlistentry>

256

257

258

<term><option>--length

259

260

<term><option>-l

261

262

263

<para>

264

OpenPGP key length in bits. Default is 4096.

265

</para>

266

</listitem>

267

</varlistentry>

268

269

270

<term><option>--subtype

271

<replaceable>KEYTYPE</replaceable></option></term>

272

<term><option>-s

273

<replaceable>KEYTYPE</replaceable></option></term>

274

275

<para>

276

OpenPGP subkey type. Default is <quote>RSA</quote>

277

</para>

278

</listitem>

279

</varlistentry>

280

281

282

<term><option>--sublength

283

284

<term><option>-L

285

286

287

<para>

288

OpenPGP subkey length in bits. Default is 4096.

289

</para>

290

</listitem>

291

</varlistentry>

292

293

294

<term><option>--email

295

<replaceable>ADDRESS</replaceable></option></term>

296

<term><option>-e

297

<replaceable>ADDRESS</replaceable></option></term>

223

224

225

<term><literal>-d</literal>, <literal>--dir

226

<replaceable>directory</replaceable></literal></term>

227

228

<para>

229

Target directory for key files. Default is

230

<filename>/etc/mandos</filename>.

231

</para>

232

</listitem>

233

</varlistentry>

234

235

236

<term><literal>-t</literal>, <literal>--type

237

238

239

<para>

240

Key type. Default is <quote>DSA</quote>.

241

</para>

242

</listitem>

243

</varlistentry>

244

245

246

<term><literal>-l</literal>, <literal>--length

247

248

249

<para>

250

Key length in bits. Default is 2048.

251

</para>

252

</listitem>

253

</varlistentry>

254

255

256

<term><literal>-s</literal>, <literal>--subtype

257

258

259

<para>

260

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

261

encryption-only).

262

</para>

263

</listitem>

264

</varlistentry>

265

266

267

<term><literal>-L</literal>, <literal>--sublength

268

269

270

<para>

271

Subkey length in bits. Default is 2048.

272

</para>

273

</listitem>

274

</varlistentry>

275

276

277

<term><literal>-e</literal>, <literal>--email</literal>

278

<replaceable>address</replaceable></term>

298

279

299

280

<para>

300

281

Email address of key. Default is empty.

301

282

</para>

302

283

</listitem>

303

284

</varlistentry>

304

285

305

286

306

<term><option>--comment

307

308

<term><option>-c

309

287

<term><literal>-c</literal>, <literal>--comment</literal>

288

<replaceable>comment</replaceable></term>

310

289

311

290

<para>

312

Comment field for key. Default is empty.

291

Comment field for key. The default value is

292

<quote><literal>Mandos client key</literal></quote>.

313

293

</para>

314

294

</listitem>

315

295

</varlistentry>

316

296

317

297

318

<term><option>--expire

319

320

<term><option>-x

321

298

<term><literal>-x</literal>, <literal>--expire</literal>

299

322

300

323

301

<para>

324

302

Key expire time. Default is no expiration. See

327

305

</para>

328

306

</listitem>

329

307

</varlistentry>

330

331

332

<term><option>--tls-keytype

333

<replaceable>KEYTYPE</replaceable></option></term>

334

<term><option>-T

335

<replaceable>KEYTYPE</replaceable></option></term>

336

337

<para>

338

TLS key type. Default is <quote>ed25519</quote>

339

</para>

340

</listitem>

341

</varlistentry>

342

343

344

<term><option>--force</option></term>

345

346

347

<para>

348

Force overwriting old key.

349

</para>

350

</listitem>

351

</varlistentry>

352

353

<term><option>--password</option></term>

354

308

309

310

<term><literal>-f</literal>, <literal>--force</literal></term>

311

312

<para>

313

Force overwriting old keys.

314

</para>

315

</listitem>

316

</varlistentry>

317

318

<term><literal>-p</literal>, <literal>--password</literal

319

></term>

355

320

356

321

<para>

357

322

Prompt for a password and encrypt it with the key already

358

present in either <filename>/etc/keys/mandos</filename> or

359

the directory specified with the <option>--dir</option>

323

present in either <filename>/etc/mandos</filename> or the

324

directory specified with the <option>--dir</option>

360

325

option. Outputs, on standard output, a section suitable

361

326

for inclusion in <citerefentry><refentrytitle

362

327

>mandos-clients.conf</refentrytitle><manvolnum

363

328

>8</manvolnum></citerefentry>. The host name or the name

364

329

specified with the <option>--name</option> option is used

365

330

for the section header. All other options are ignored,

366

and no key is created. Note: white space is stripped from

367

the beginning and from the end of the password; See <xref

368

linkend="bugs"/>.

369

</para>

370

</listitem>

371

</varlistentry>

372

373

<term><option>--passfile

374

375

<term><option>-F

376

377

378

<para>

379

The same as <option>--password</option>, but read from

380

<replaceable>FILE</replaceable>, not the terminal, and

381

white space is not stripped from the password in any way.

382

</para>

383

</listitem>

384

</varlistentry>

385

386

387

388

389

<para>

390

When <option>--password</option> or

391

<option>--passfile</option> is given, this option will

392

prevent <command>&COMMANDNAME;</command> from calling

393

<command>ssh-keyscan</command> to get an SSH fingerprint

394

for this host and, if successful, output suitable config

395

options to use this fingerprint as a

396

<option>checker</option> option in the output. This is

397

otherwise the default behavior.

331

and no keys are created.

398

332

</para>

399

333

</listitem>

400

334

</varlistentry>

401

335

</variablelist>

402

336

</refsect1>

403

337

404

338

405

339

<title>OVERVIEW</title>

406

340

<xi:include href="overview.xml"/>

407

341

<para>

408

This program is a small utility to generate new TLS and OpenPGP

409

keys for new Mandos clients, and to generate sections for

410

inclusion in <filename>clients.conf</filename> on the server.

342

This program is a small utility to generate new OpenPGP keys for

343

new Mandos clients.

411

344

</para>

412

345

</refsect1>

413

346

414

347

415

348

<title>EXIT STATUS</title>

416

349

<para>

417

The exit status will be 0 if a new key (or password, if the

418

<option>--password</option> option was used) was successfully

419

created, otherwise not.

350

The exit status will be 0 if new keys were successfully created,

351

otherwise not.

420

352

</para>

421

353

</refsect1>

422

354

436

368

</variablelist>

437

369

</refsect1>

438

370

439

371

440

372

<title>FILES</title>

441

373

<para>

442

374

Use the <option>--dir</option> option to change where

445

377

</para>

446

378

447

379

448

<term><filename>/etc/keys/mandos/seckey.txt</filename></term>

380

<term><filename>/etc/mandos/seckey.txt</filename></term>

449

381

450

382

<para>

451

383

OpenPGP secret key file which will be created or

454

386

</listitem>

455

387

</varlistentry>

456

388

457

<term><filename>/etc/keys/mandos/pubkey.txt</filename></term>

389

<term><filename>/etc/mandos/pubkey.txt</filename></term>

458

390

459

391

<para>

460

392

OpenPGP public key file which will be created or

463

395

</listitem>

464

396

</varlistentry>

465

397

466

<term><filename>/etc/keys/mandos/tls-privkey.pem</filename></term>

467

468

<para>

469

Private key file which will be created or overwritten.

470

</para>

471

</listitem>

472

</varlistentry>

473

474

<term><filename>/etc/keys/mandos/tls-pubkey.pem</filename></term>

475

476

<para>

477

Public key file which will be created or overwritten.

478

</para>

479

</listitem>

480

</varlistentry>

481

482

398

483

399

484

400

<para>

485

401

Temporary files will be written here if

489

405

</varlistentry>

490

406

</variablelist>

491

407

</refsect1>

492

408

493

409

494

410

495

411

<para>

496

The <option>--password</option>/<option>-p</option> option

497

strips white space from the start and from the end of the

498

password before using it. If this is a problem, use the

499

<option>--passfile</option> option instead, which does not do

500

this.

412

None are known at this time.

501

413

</para>

502

<xi:include href="bugs.xml"/>

503

414

</refsect1>

504

415

505

416

506

417

<title>EXAMPLE</title>

507

418

514

425

</informalexample>

515

426

516

427

<para>

517

Create key in another directory and of another type. Force

428

Create keys in another directory and of another type. Force

518

429

overwriting old key files:

519

430

</para>

520

431

<para>

524

435

525

436

</para>

526

437

</informalexample>

527

528

<para>

529

Prompt for a password, encrypt it with the keys in <filename

530

class="directory">/etc/keys/mandos</filename> and output a

531

section suitable for <filename>clients.conf</filename>.

532

</para>

533

<para>

534

<userinput>&COMMANDNAME; --password</userinput>

535

</para>

536

</informalexample>

537

538

<para>

539

Prompt for a password, encrypt it with the keys in the

540

<filename>client-key</filename> directory and output a section

541

suitable for <filename>clients.conf</filename>.

542

</para>

543

<para>

544

545

546

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

547

548

</para>

549

</informalexample>

550

438

</refsect1>

551

439

552

440

553

441

<title>SECURITY</title>

554

442

<para>

555

443

The <option>--type</option>, <option>--length</option>,

556

444

<option>--subtype</option>, and <option>--sublength</option>

557

options can be used to create keys of low security. If in

558

doubt, leave them to the default values.

445

options can be used to create keys of insufficient security. If

446

in doubt, leave them to the default values.

559

447

</para>

560

448

<para>

561

The key expire time is <emphasis>not</emphasis> guaranteed to be

562

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

449

The key expire time is not guaranteed to be honored by

450

<citerefentry><refentrytitle>mandos</refentrytitle>

563

451

<manvolnum>8</manvolnum></citerefentry>.

564

452

</para>

565

453

</refsect1>

566

454

567

455

568

456

569

457

<para>

570

<citerefentry><refentrytitle>intro</refentrytitle>

571

<manvolnum>8mandos</manvolnum></citerefentry>,

572

458

573

459

<manvolnum>1</manvolnum></citerefentry>,

574

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

575

<manvolnum>5</manvolnum></citerefentry>,

576

460

<citerefentry><refentrytitle>mandos</refentrytitle>

577

461

<manvolnum>8</manvolnum></citerefentry>,

578

<citerefentry><refentrytitle>mandos-client</refentrytitle>

579

<manvolnum>8mandos</manvolnum></citerefentry>,

580

<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>

581

462

<citerefentry><refentrytitle>password-request</refentrytitle>

463

<manvolnum>8mandos</manvolnum></citerefentry>

582

464

</para>

583

465

</refsect1>

584

466

Older »