3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY VERSION "1.0">
5
5
<!ENTITY COMMANDNAME "mandos-keygen">
6
<!ENTITY TIMESTAMP "2008-09-03">
6
<!ENTITY TIMESTAMP "2008-08-31">
9
9
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
34
34
<holder>Teddy Hogeborn</holder>
35
35
<holder>Björn Påhlsson</holder>
37
<xi:include href="legalnotice.xml"/>
39
This manual page is free software: you can redistribute it
40
and/or modify it under the terms of the GNU General Public
41
License as published by the Free Software Foundation,
42
either version 3 of the License, or (at your option) any
47
This manual page is distributed in the hope that it will
48
be useful, but WITHOUT ANY WARRANTY; without even the
49
implied warranty of MERCHANTABILITY or FITNESS FOR A
50
PARTICULAR PURPOSE. See the GNU General Public License
55
You should have received a copy of the GNU General Public
56
License along with this program; If not, see
57
<ulink url="http://www.gnu.org/licenses/"/>.
46
68
<refname><command>&COMMANDNAME;</command></refname>
48
Generate key and password for Mandos client and server.
70
Generate keys for <citerefentry><refentrytitle>password-request
71
</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>
155
178
</refsynopsisdiv>
157
180
<refsect1 id="description">
158
181
<title>DESCRIPTION</title>
160
183
<command>&COMMANDNAME;</command> is a program to generate the
162
185
<citerefentry><refentrytitle>password-request</refentrytitle>
163
<manvolnum>8mandos</manvolnum></citerefentry>. The key is
186
<manvolnum>8mandos</manvolnum></citerefentry>. The keys are
164
187
normally written to /etc/mandos for later installation into the
165
initrd image, but this, and most other things, can be changed
166
with command line options.
188
initrd image, but this, like most things, can be changed with
189
command line options.
169
This program can also be used with the
170
<option>--password</option> option to generate a ready-made
171
section for <filename>clients.conf</filename> (see
192
It can also be used to generate ready-made sections for
172
193
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
173
<manvolnum>5</manvolnum></citerefentry>).
194
<manvolnum>5</manvolnum></citerefentry> using the
195
<option>--password</option> option.
177
199
<refsect1 id="purpose">
178
200
<title>PURPOSE</title>
180
203
The purpose of this is to enable <emphasis>remote and unattended
181
204
rebooting</emphasis> of client host computer with an
182
205
<emphasis>encrypted root file system</emphasis>. See <xref
183
206
linkend="overview"/> for details.
187
211
<refsect1 id="options">
188
212
<title>OPTIONS</title>
192
<term><option>--help</option></term>
193
<term><option>-h</option></term>
216
<term><literal>-h</literal>, <literal>--help</literal></term>
196
219
Show a help message and exit
203
<replaceable>DIRECTORY</replaceable></option></term>
205
<replaceable>DIRECTORY</replaceable></option></term>
225
<term><literal>-d</literal>, <literal>--dir
226
<replaceable>directory</replaceable></literal></term>
208
229
Target directory for key files. Default is
216
<replaceable>TYPE</replaceable></option></term>
218
<replaceable>TYPE</replaceable></option></term>
236
<term><literal>-t</literal>, <literal>--type
237
<replaceable>type</replaceable></literal></term>
221
240
Key type. Default is <quote>DSA</quote>.
227
<term><option>--length
228
<replaceable>BITS</replaceable></option></term>
230
<replaceable>BITS</replaceable></option></term>
246
<term><literal>-l</literal>, <literal>--length
247
<replaceable>bits</replaceable></literal></term>
233
250
Key length in bits. Default is 2048.
239
<term><option>--subtype
240
<replaceable>KEYTYPE</replaceable></option></term>
242
<replaceable>KEYTYPE</replaceable></option></term>
256
<term><literal>-s</literal>, <literal>--subtype
257
<replaceable>type</replaceable></literal></term>
245
260
Subkey type. Default is <quote>ELG-E</quote> (Elgamal
252
<term><option>--sublength
253
<replaceable>BITS</replaceable></option></term>
255
<replaceable>BITS</replaceable></option></term>
267
<term><literal>-L</literal>, <literal>--sublength
268
<replaceable>bits</replaceable></literal></term>
258
271
Subkey length in bits. Default is 2048.
264
<term><option>--email
265
<replaceable>ADDRESS</replaceable></option></term>
267
<replaceable>ADDRESS</replaceable></option></term>
277
<term><literal>-e</literal>, <literal>--email</literal>
278
<replaceable>address</replaceable></term>
270
281
Email address of key. Default is empty.
276
<term><option>--comment
277
<replaceable>TEXT</replaceable></option></term>
279
<replaceable>TEXT</replaceable></option></term>
287
<term><literal>-c</literal>, <literal>--comment</literal>
288
<replaceable>comment</replaceable></term>
282
291
Comment field for key. The default value is
289
<term><option>--expire
290
<replaceable>TIME</replaceable></option></term>
292
<replaceable>TIME</replaceable></option></term>
298
<term><literal>-x</literal>, <literal>--expire</literal>
299
<replaceable>time</replaceable></term>
295
302
Key expire time. Default is no expiration. See
303
<term><option>--force</option></term>
304
<term><option>-f</option></term>
310
<term><literal>-f</literal>, <literal>--force</literal></term>
307
Force overwriting old key.
313
Force overwriting old keys.
312
<term><option>--password</option></term>
313
<term><option>-p</option></term>
318
<term><literal>-p</literal>, <literal>--password</literal
316
322
Prompt for a password and encrypt it with the key already
334
340
<xi:include href="overview.xml"/>
336
342
This program is a small utility to generate new OpenPGP keys for
337
new Mandos clients, and to generate sections for inclusion in
338
<filename>clients.conf</filename> on the server.
342
347
<refsect1 id="exit_status">
343
348
<title>EXIT STATUS</title>
345
The exit status will be 0 if a new key (or password, if the
346
<option>--password</option> option was used) was successfully
347
created, otherwise not.
350
The exit status will be 0 if new keys were successfully created,
432
437
</informalexample>
435
Prompt for a password, encrypt it with the key in
436
<filename>/etc/mandos</filename> and output a section suitable
437
for <filename>clients.conf</filename>.
440
<userinput>&COMMANDNAME; --password</userinput>
445
Prompt for a password, encrypt it with the key in the
446
<filename>client-key</filename> directory and output a section
447
suitable for <filename>clients.conf</filename>.
451
<!-- do not wrap this line -->
452
<userinput>&COMMANDNAME; --password --dir client-key</userinput>
458
440
<refsect1 id="security">
461
443
The <option>--type</option>, <option>--length</option>,
462
444
<option>--subtype</option>, and <option>--sublength</option>
463
options can be used to create keys of low security. If in
464
doubt, leave them to the default values.
445
options can be used to create keys of insufficient security. If
446
in doubt, leave them to the default values.
467
The key expire time is <emphasis>not</emphasis> guaranteed to be
468
honored by <citerefentry><refentrytitle>mandos</refentrytitle>
449
The key expire time is not guaranteed to be honored by
450
<citerefentry><refentrytitle>mandos</refentrytitle>
469
451
<manvolnum>8</manvolnum></citerefentry>.
476
458
<citerefentry><refentrytitle>gpg</refentrytitle>
477
459
<manvolnum>1</manvolnum></citerefentry>,
478
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
479
<manvolnum>5</manvolnum></citerefentry>,
480
460
<citerefentry><refentrytitle>mandos</refentrytitle>
481
461
<manvolnum>8</manvolnum></citerefentry>,
482
462
<citerefentry><refentrytitle>password-request</refentrytitle>