/mandos/trunk : revision 121

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2008-08-30 19:49:24 UTC
Revision ID: teddy@fukt.bsnet.se-20080830194924-f4liqq8wxajlbshn

* plugin-runner.xml (NAME): Improved wording.
  (SYNOPSIS): Use <option> and <replaceable> tags.  Unify short and
              long options.  Add "--global-envs" and "--envs-for"
              options.

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2016-02-28">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-08-30">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Generate key and password for Mandos client and server.

Generate keys for <citerefentry><refentrytitle>password-request

</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

124

138

125

139

</group>

126

140

<sbr/>

127

<group>

128

<arg choice="plain"><option>--force</option></arg>

129

130

</group>

141

<arg><option>--force</option></arg>

131

142

</cmdsynopsis>

132

143

133

144

<command>&COMMANDNAME;</command>

134

145

146

135

147

<arg choice="plain"><option>--password</option></arg>

136

137

<arg choice="plain"><option>--passfile

138

139

140

141

148

</group>

142

149

<sbr/>

143

150

<group>

153

160

<arg choice="plain"><option>-n

154

161

155

162

</group>

156

<group>

157

158

159

</group>

160

163

</cmdsynopsis>

161

164

162

165

<command>&COMMANDNAME;</command>

163

166

167

164

168

165

166

169

</group>

167

170

</cmdsynopsis>

168

171

169

172

<command>&COMMANDNAME;</command>

170

173

174

171

175

<arg choice="plain"><option>--version</option></arg>

172

173

176

</group>

174

177

</cmdsynopsis>

175

178

</refsynopsisdiv>

176

179

177

180

178

181

<title>DESCRIPTION</title>

179

182

<para>

180

183

<command>&COMMANDNAME;</command> is a program to generate the

181

OpenPGP key used by

182

<citerefentry><refentrytitle>mandos-client</refentrytitle>

183

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

184

OpenPGP keys used by

185

<citerefentry><refentrytitle>password-request</refentrytitle>

186

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

184

187

normally written to /etc/mandos for later installation into the

185

initrd image, but this, and most other things, can be changed

186

with command line options.

188

initrd image, but this, like most things, can be changed with

189

command line options.

187

190

</para>

188

191

<para>

189

This program can also be used with the

190

<option>--password</option> or <option>--passfile</option>

191

options to generate a ready-made section for

192

<filename>clients.conf</filename> (see

192

It can also be used to generate ready-made sections for

193

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

194

<manvolnum>5</manvolnum></citerefentry>).

194

<manvolnum>5</manvolnum></citerefentry> using the

195

<option>--password</option> option.

195

196

</para>

196

197

</refsect1>

197

198

199

199

200

<title>PURPOSE</title>

201

200

202

<para>

201

203

The purpose of this is to enable <emphasis>remote and unattended

202

204

rebooting</emphasis> of client host computer with an

203

205

<emphasis>encrypted root file system</emphasis>. See <xref

204

206

linkend="overview"/> for details.

205

207

</para>

208

206

209

</refsect1>

207

210

208

211

209

212

<title>OPTIONS</title>

210

213

211

214

212

215

213

214

216

215

217

216

218

<para>

217

219

Show a help message and exit

218

220

</para>

219

221

</listitem>

220

222

</varlistentry>

221

223

222

224

223

<term><option>--dir

224

<replaceable>DIRECTORY</replaceable></option></term>

225

<term><option>-d

226

<replaceable>DIRECTORY</replaceable></option></term>

225

<term><literal>-d</literal>, <literal>--dir

226

<replaceable>directory</replaceable></literal></term>

227

228

<para>

229

Target directory for key files. Default is

230

<filename class="directory">/etc/mandos</filename>.

231

</para>

232

</listitem>

233

</varlistentry>

234

235

236

<term><option>--type

237

238

<term><option>-t

239

240

241

<para>

242

Key type. Default is <quote>RSA</quote>.

243

</para>

244

</listitem>

245

</varlistentry>

246

247

248

<term><option>--length

249

250

<term><option>-l

251

252

253

<para>

254

Key length in bits. Default is 4096.

255

</para>

256

</listitem>

257

</varlistentry>

258

259

260

<term><option>--subtype

261

<replaceable>KEYTYPE</replaceable></option></term>

262

<term><option>-s

263

<replaceable>KEYTYPE</replaceable></option></term>

264

265

<para>

266

Subkey type. Default is <quote>RSA</quote> (Elgamal

230

<filename>/etc/mandos</filename>.

231

</para>

232

</listitem>

233

</varlistentry>

234

235

236

<term><literal>-t</literal>, <literal>--type

237

238

239

<para>

240

Key type. Default is <quote>DSA</quote>.

241

</para>

242

</listitem>

243

</varlistentry>

244

245

246

<term><literal>-l</literal>, <literal>--length

247

248

249

<para>

250

Key length in bits. Default is 2048.

251

</para>

252

</listitem>

253

</varlistentry>

254

255

256

<term><literal>-s</literal>, <literal>--subtype

257

258

259

<para>

260

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

267

261

encryption-only).

268

262

</para>

269

263

</listitem>

270

264

</varlistentry>

271

265

272

266

273

<term><option>--sublength

274

275

<term><option>-L

276

267

<term><literal>-L</literal>, <literal>--sublength

268

277

269

278

270

<para>

279

Subkey length in bits. Default is 4096.

271

Subkey length in bits. Default is 2048.

280

272

</para>

281

273

</listitem>

282

274

</varlistentry>

283

275

284

276

285

<term><option>--email

286

<replaceable>ADDRESS</replaceable></option></term>

287

<term><option>-e

288

<replaceable>ADDRESS</replaceable></option></term>

277

<term><literal>-e</literal>, <literal>--email</literal>

278

<replaceable>address</replaceable></term>

289

279

290

280

<para>

291

281

Email address of key. Default is empty.

292

282

</para>

293

283

</listitem>

294

284

</varlistentry>

295

285

296

286

297

<term><option>--comment

298

299

<term><option>-c

300

287

<term><literal>-c</literal>, <literal>--comment</literal>

288

<replaceable>comment</replaceable></term>

301

289

302

290

<para>

303

Comment field for key. Default is empty.

291

Comment field for key. The default value is

292

<quote><literal>Mandos client key</literal></quote>.

304

293

</para>

305

294

</listitem>

306

295

</varlistentry>

307

296

308

297

309

<term><option>--expire

310

311

<term><option>-x

312

298

<term><literal>-x</literal>, <literal>--expire</literal>

299

313

300

314

301

<para>

315

302

Key expire time. Default is no expiration. See

318

305

</para>

319

306

</listitem>

320

307

</varlistentry>

321

308

322

309

323

<term><option>--force</option></term>

324

310

<term><literal>-f</literal>, <literal>--force</literal></term>

325

311

326

312

<para>

327

Force overwriting old key.

313

Force overwriting old keys.

328

314

</para>

329

315

</listitem>

330

316

</varlistentry>

331

317

332

<term><option>--password</option></term>

333

318

<term><literal>-p</literal>, <literal>--password</literal

319

></term>

334

320

335

321

<para>

336

322

Prompt for a password and encrypt it with the key already

342

328

>8</manvolnum></citerefentry>. The host name or the name

343

329

specified with the <option>--name</option> option is used

344

330

for the section header. All other options are ignored,

345

and no key is created.

346

</para>

347

</listitem>

348

</varlistentry>

349

350

<term><option>--passfile

351

352

<term><option>-F

353

354

355

<para>

356

The same as <option>--password</option>, but read from

357

<replaceable>FILE</replaceable>, not the terminal.

358

</para>

359

</listitem>

360

</varlistentry>

361

362

363

364

365

<para>

366

When <option>--password</option> or

367

<option>--passfile</option> is given, this option will

368

prevent <command>&COMMANDNAME;</command> from calling

369

<command>ssh-keyscan</command> to get an SSH fingerprint

370

for this host and, if successful, output suitable config

371

options to use this fingerprint as a

372

<option>checker</option> option in the output. This is

373

otherwise the default behavior.

331

and no keys are created.

374

332

</para>

375

333

</listitem>

376

334

</varlistentry>

377

335

</variablelist>

378

336

</refsect1>

379

337

380

338

381

339

<title>OVERVIEW</title>

382

340

<xi:include href="overview.xml"/>

383

341

<para>

384

342

This program is a small utility to generate new OpenPGP keys for

385

new Mandos clients, and to generate sections for inclusion in

386

<filename>clients.conf</filename> on the server.

343

new Mandos clients.

387

344

</para>

388

345

</refsect1>

389

346

390

347

391

348

<title>EXIT STATUS</title>

392

349

<para>

393

The exit status will be 0 if a new key (or password, if the

394

<option>--password</option> option was used) was successfully

395

created, otherwise not.

350

The exit status will be 0 if new keys were successfully created,

351

otherwise not.

396

352

</para>

397

353

</refsect1>

398

354

412

368

</variablelist>

413

369

</refsect1>

414

370

415

371

416

372

<title>FILES</title>

417

373

<para>

418

374

Use the <option>--dir</option> option to change where

439

395

</listitem>

440

396

</varlistentry>

441

397

442

398

443

399

444

400

<para>

445

401

Temporary files will be written here if

449

405

</varlistentry>

450

406

</variablelist>

451

407

</refsect1>

452

453

454

455

456

457

458

408

409

410

411

<para>

412

None are known at this time.

413

</para>

414

</refsect1>

415

459

416

460

417

<title>EXAMPLE</title>

461

418

468

425

</informalexample>

469

426

470

427

<para>

471

Create key in another directory and of another type. Force

428

Create keys in another directory and of another type. Force

472

429

overwriting old key files:

473

430

</para>

474

431

<para>

478

435

479

436

</para>

480

437

</informalexample>

481

482

<para>

483

Prompt for a password, encrypt it with the key in <filename

484

class="directory">/etc/mandos</filename> and output a section

485

suitable for <filename>clients.conf</filename>.

486

</para>

487

<para>

488

<userinput>&COMMANDNAME; --password</userinput>

489

</para>

490

</informalexample>

491

492

<para>

493

Prompt for a password, encrypt it with the key in the

494

<filename>client-key</filename> directory and output a section

495

suitable for <filename>clients.conf</filename>.

496

</para>

497

<para>

498

499

500

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

501

502

</para>

503

</informalexample>

504

438

</refsect1>

505

439

506

440

507

441

<title>SECURITY</title>

508

442

<para>

509

443

The <option>--type</option>, <option>--length</option>,

510

444

<option>--subtype</option>, and <option>--sublength</option>

511

options can be used to create keys of low security. If in

512

doubt, leave them to the default values.

445

options can be used to create keys of insufficient security. If

446

in doubt, leave them to the default values.

513

447

</para>

514

448

<para>

515

The key expire time is <emphasis>not</emphasis> guaranteed to be

516

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

449

The key expire time is not guaranteed to be honored by

450

<citerefentry><refentrytitle>mandos</refentrytitle>

517

451

<manvolnum>8</manvolnum></citerefentry>.

518

452

</para>

519

453

</refsect1>

520

454

521

455

522

456

523

457

<para>

524

<citerefentry><refentrytitle>intro</refentrytitle>

525

<manvolnum>8mandos</manvolnum></citerefentry>,

526

458

527

459

<manvolnum>1</manvolnum></citerefentry>,

528

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

529

<manvolnum>5</manvolnum></citerefentry>,

530

460

<citerefentry><refentrytitle>mandos</refentrytitle>

531

461

<manvolnum>8</manvolnum></citerefentry>,

532

<citerefentry><refentrytitle>mandos-client</refentrytitle>

533

<manvolnum>8mandos</manvolnum></citerefentry>,

534

<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>

535

462

<citerefentry><refentrytitle>password-request</refentrytitle>

463

<manvolnum>8mandos</manvolnum></citerefentry>

536

464

</para>

537

465

</refsect1>

538

466

Older »