/mandos/trunk : revision 121

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2008-08-30 19:49:24 UTC
Revision ID: teddy@fukt.bsnet.se-20080830194924-f4liqq8wxajlbshn

* plugin-runner.xml (NAME): Improved wording.
  (SYNOPSIS): Use <option> and <replaceable> tags.  Unify short and
              long options.  Add "--global-envs" and "--envs-for"
              options.

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2017-02-23">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-08-30">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Generate key and password for Mandos client and server.

Generate keys for <citerefentry><refentrytitle>password-request

</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

125

138

126

139

</group>

127

140

<sbr/>

128

<group>

129

<arg choice="plain"><option>--force</option></arg>

130

131

</group>

141

<arg><option>--force</option></arg>

132

142

</cmdsynopsis>

133

143

134

144

<command>&COMMANDNAME;</command>

135

145

146

136

147

<arg choice="plain"><option>--password</option></arg>

137

138

<arg choice="plain"><option>--passfile

139

140

141

142

148

</group>

143

149

<sbr/>

144

150

<group>

154

160

<arg choice="plain"><option>-n

155

161

156

162

</group>

157

<group>

158

159

160

</group>

161

163

</cmdsynopsis>

162

164

163

165

<command>&COMMANDNAME;</command>

164

166

167

165

168

166

167

169

</group>

168

170

</cmdsynopsis>

169

171

170

172

<command>&COMMANDNAME;</command>

171

173

174

172

175

<arg choice="plain"><option>--version</option></arg>

173

174

176

</group>

175

177

</cmdsynopsis>

176

178

</refsynopsisdiv>

177

179

178

180

179

181

<title>DESCRIPTION</title>

180

182

<para>

181

183

<command>&COMMANDNAME;</command> is a program to generate the

182

OpenPGP key used by

183

<citerefentry><refentrytitle>mandos-client</refentrytitle>

184

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

184

OpenPGP keys used by

185

<citerefentry><refentrytitle>password-request</refentrytitle>

186

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

185

187

normally written to /etc/mandos for later installation into the

186

initrd image, but this, and most other things, can be changed

187

with command line options.

188

initrd image, but this, like most things, can be changed with

189

command line options.

188

190

</para>

189

191

<para>

190

This program can also be used with the

191

<option>--password</option> or <option>--passfile</option>

192

options to generate a ready-made section for

193

<filename>clients.conf</filename> (see

192

It can also be used to generate ready-made sections for

194

193

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

195

<manvolnum>5</manvolnum></citerefentry>).

194

<manvolnum>5</manvolnum></citerefentry> using the

195

<option>--password</option> option.

196

</para>

197

</refsect1>

198

199

200

<title>PURPOSE</title>

201

202

<para>

202

203

The purpose of this is to enable <emphasis>remote and unattended

203

204

rebooting</emphasis> of client host computer with an

204

205

<emphasis>encrypted root file system</emphasis>. See <xref

205

206

linkend="overview"/> for details.

206

207

</para>

208

207

209

</refsect1>

208

210

209

211

210

212

<title>OPTIONS</title>

211

213

212

214

213

215

214

215

216

216

217

217

218

<para>

218

219

Show a help message and exit

219

220

</para>

220

221

</listitem>

221

222

</varlistentry>

222

223

224

224

<term><option>--dir

225

<replaceable>DIRECTORY</replaceable></option></term>

226

<term><option>-d

227

<replaceable>DIRECTORY</replaceable></option></term>

225

<term><literal>-d</literal>, <literal>--dir

226

<replaceable>directory</replaceable></literal></term>

228

227

229

228

<para>

230

229

Target directory for key files. Default is

231

<filename class="directory">/etc/mandos</filename>.

232

</para>

233

</listitem>

234

</varlistentry>

235

236

237

<term><option>--type

238

239

<term><option>-t

240

241

242

<para>

243

Key type. Default is <quote>RSA</quote>.

244

</para>

245

</listitem>

246

</varlistentry>

247

248

249

<term><option>--length

250

251

<term><option>-l

252

253

254

<para>

255

Key length in bits. Default is 4096.

256

</para>

257

</listitem>

258

</varlistentry>

259

260

261

<term><option>--subtype

262

<replaceable>KEYTYPE</replaceable></option></term>

263

<term><option>-s

264

<replaceable>KEYTYPE</replaceable></option></term>

265

266

<para>

267

Subkey type. Default is <quote>RSA</quote> (Elgamal

230

<filename>/etc/mandos</filename>.

231

</para>

232

</listitem>

233

</varlistentry>

234

235

236

<term><literal>-t</literal>, <literal>--type

237

238

239

<para>

240

Key type. Default is <quote>DSA</quote>.

241

</para>

242

</listitem>

243

</varlistentry>

244

245

246

<term><literal>-l</literal>, <literal>--length

247

248

249

<para>

250

Key length in bits. Default is 2048.

251

</para>

252

</listitem>

253

</varlistentry>

254

255

256

<term><literal>-s</literal>, <literal>--subtype

257

258

259

<para>

260

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

268

261

encryption-only).

269

262

</para>

270

263

</listitem>

271

264

</varlistentry>

272

265

273

266

274

<term><option>--sublength

275

276

<term><option>-L

277

267

<term><literal>-L</literal>, <literal>--sublength

268

278

269

279

270

<para>

280

Subkey length in bits. Default is 4096.

271

Subkey length in bits. Default is 2048.

281

272

</para>

282

273

</listitem>

283

274

</varlistentry>

284

275

285

276

286

<term><option>--email

287

<replaceable>ADDRESS</replaceable></option></term>

288

<term><option>-e

289

<replaceable>ADDRESS</replaceable></option></term>

277

<term><literal>-e</literal>, <literal>--email</literal>

278

<replaceable>address</replaceable></term>

290

279

291

280

<para>

292

281

Email address of key. Default is empty.

293

282

</para>

294

283

</listitem>

295

284

</varlistentry>

296

285

297

286

298

<term><option>--comment

299

300

<term><option>-c

301

287

<term><literal>-c</literal>, <literal>--comment</literal>

288

<replaceable>comment</replaceable></term>

302

289

303

290

<para>

304

Comment field for key. Default is empty.

291

Comment field for key. The default value is

292

<quote><literal>Mandos client key</literal></quote>.

305

293

</para>

306

294

</listitem>

307

295

</varlistentry>

308

296

309

297

310

<term><option>--expire

311

312

<term><option>-x

313

298

<term><literal>-x</literal>, <literal>--expire</literal>

299

314

300

315

301

<para>

316

302

Key expire time. Default is no expiration. See

319

305

</para>

320

306

</listitem>

321

307

</varlistentry>

322

308

323

309

324

<term><option>--force</option></term>

325

310

<term><literal>-f</literal>, <literal>--force</literal></term>

326

311

327

312

<para>

328

Force overwriting old key.

313

Force overwriting old keys.

329

314

</para>

330

315

</listitem>

331

316

</varlistentry>

332

317

333

<term><option>--password</option></term>

334

318

<term><literal>-p</literal>, <literal>--password</literal

319

></term>

335

320

336

321

<para>

337

322

Prompt for a password and encrypt it with the key already

343

328

>8</manvolnum></citerefentry>. The host name or the name

344

329

specified with the <option>--name</option> option is used

345

330

for the section header. All other options are ignored,

346

and no key is created.

347

</para>

348

</listitem>

349

</varlistentry>

350

351

<term><option>--passfile

352

353

<term><option>-F

354

355

356

<para>

357

The same as <option>--password</option>, but read from

358

<replaceable>FILE</replaceable>, not the terminal.

359

</para>

360

</listitem>

361

</varlistentry>

362

363

364

365

366

<para>

367

When <option>--password</option> or

368

<option>--passfile</option> is given, this option will

369

prevent <command>&COMMANDNAME;</command> from calling

370

<command>ssh-keyscan</command> to get an SSH fingerprint

371

for this host and, if successful, output suitable config

372

options to use this fingerprint as a

373

<option>checker</option> option in the output. This is

374

otherwise the default behavior.

331

and no keys are created.

375

332

</para>

376

333

</listitem>

377

334

</varlistentry>

378

335

</variablelist>

379

336

</refsect1>

380

337

381

338

382

339

<title>OVERVIEW</title>

383

340

<xi:include href="overview.xml"/>

384

341

<para>

385

342

This program is a small utility to generate new OpenPGP keys for

386

new Mandos clients, and to generate sections for inclusion in

387

<filename>clients.conf</filename> on the server.

343

new Mandos clients.

388

344

</para>

389

345

</refsect1>

390

346

391

347

392

348

<title>EXIT STATUS</title>

393

349

<para>

394

The exit status will be 0 if a new key (or password, if the

395

<option>--password</option> option was used) was successfully

396

created, otherwise not.

350

The exit status will be 0 if new keys were successfully created,

351

otherwise not.

397

352

</para>

398

353

</refsect1>

399

354

413

368

</variablelist>

414

369

</refsect1>

415

370

416

371

417

372

<title>FILES</title>

418

373

<para>

419

374

Use the <option>--dir</option> option to change where

440

395

</listitem>

441

396

</varlistentry>

442

397

443

398

444

399

445

400

<para>

446

401

Temporary files will be written here if

450

405

</varlistentry>

451

406

</variablelist>

452

407

</refsect1>

453

408

454

409

455

410

456

<xi:include href="bugs.xml"/>

411

<para>

412

None are known at this time.

413

</para>

457

414

</refsect1>

458

415

459

416

460

417

<title>EXAMPLE</title>

461

418

468

425

</informalexample>

469

426

470

427

<para>

471

Create key in another directory and of another type. Force

428

Create keys in another directory and of another type. Force

472

429

overwriting old key files:

473

430

</para>

474

431

<para>

478

435

479

436

</para>

480

437

</informalexample>

481

482

<para>

483

Prompt for a password, encrypt it with the key in <filename

484

class="directory">/etc/mandos</filename> and output a section

485

suitable for <filename>clients.conf</filename>.

486

</para>

487

<para>

488

<userinput>&COMMANDNAME; --password</userinput>

489

</para>

490

</informalexample>

491

492

<para>

493

Prompt for a password, encrypt it with the key in the

494

<filename>client-key</filename> directory and output a section

495

suitable for <filename>clients.conf</filename>.

496

</para>

497

<para>

498

499

500

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

501

502

</para>

503

</informalexample>

504

438

</refsect1>

505

439

506

440

507

441

<title>SECURITY</title>

508

442

<para>

509

443

The <option>--type</option>, <option>--length</option>,

510

444

<option>--subtype</option>, and <option>--sublength</option>

511

options can be used to create keys of low security. If in

512

doubt, leave them to the default values.

445

options can be used to create keys of insufficient security. If

446

in doubt, leave them to the default values.

513

447

</para>

514

448

<para>

515

The key expire time is <emphasis>not</emphasis> guaranteed to be

516

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

449

The key expire time is not guaranteed to be honored by

450

<citerefentry><refentrytitle>mandos</refentrytitle>

517

451

<manvolnum>8</manvolnum></citerefentry>.

518

452

</para>

519

453

</refsect1>

520

454

521

455

522

456

523

457

<para>

524

<citerefentry><refentrytitle>intro</refentrytitle>

525

<manvolnum>8mandos</manvolnum></citerefentry>,

526

458

527

459

<manvolnum>1</manvolnum></citerefentry>,

528

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

529

<manvolnum>5</manvolnum></citerefentry>,

530

460

<citerefentry><refentrytitle>mandos</refentrytitle>

531

461

<manvolnum>8</manvolnum></citerefentry>,

532

<citerefentry><refentrytitle>mandos-client</refentrytitle>

533

<manvolnum>8mandos</manvolnum></citerefentry>,

534

<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>

535

462

<citerefentry><refentrytitle>password-request</refentrytitle>

463

<manvolnum>8mandos</manvolnum></citerefentry>

536

464

</para>

537

465

</refsect1>

538

466

Older »