<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY VERSION "1.0">
<!ENTITY COMMANDNAME "mandos-keygen">
<!ENTITY TIMESTAMP "2009-01-04">
<!ENTITY % common SYSTEM "common.ent">
<!ENTITY TIMESTAMP "2008-08-31">
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
<title>Mandos Manual</title>
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
<productname>Mandos</productname>
<productnumber>&version;</productnumber>
<productnumber>&VERSION;</productnumber>
<date>&TIMESTAMP;</date>
<holder>Teddy Hogeborn</holder>
<holder>Björn Påhlsson</holder>
<xi:include href="legalnotice.xml"/>
This manual page is free software: you can redistribute it
and/or modify it under the terms of the GNU General Public
License as published by the Free Software Foundation,
either version 3 of the License, or (at your option) any
This manual page is distributed in the hope that it will
be useful, but WITHOUT ANY WARRANTY; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the GNU General Public License
You should have received a copy of the GNU General Public
License along with this program; If not, see
<ulink url="http://www.gnu.org/licenses/"/>.
<refentrytitle>&COMMANDNAME;</refentrytitle>
<manvolnum>8</manvolnum>
<refname><command>&COMMANDNAME;</command></refname>
Generate key and password for Mandos client and server.
Generate keys for <citerefentry><refentrytitle>password-request
</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>
<command>&COMMANDNAME;</command>
<group choice="req">
<arg choice="plain"><option>--password</option></arg>
<arg choice="plain"><option>-p</option></arg>
<arg choice="plain"><option>--passfile
<replaceable>FILE</replaceable></option></arg>
<arg choice="plain"><option>-F</option>
<replaceable>FILE</replaceable></arg>
</refsynopsisdiv>
<refsect1 id="description">
<title>DESCRIPTION</title>
<command>&COMMANDNAME;</command> is a program to generate the
<citerefentry><refentrytitle>mandos-client</refentrytitle>
<manvolnum>8mandos</manvolnum></citerefentry>. The key is
<citerefentry><refentrytitle>password-request</refentrytitle>
<manvolnum>8mandos</manvolnum></citerefentry>. The keys are
normally written to /etc/mandos for later installation into the
initrd image, but this, and most other things, can be changed
with command line options.
initrd image, but this, like most things, can be changed with
command line options.
This program can also be used with the
<option>--password</option> or <option>--passfile</option>
options to generate a ready-made section for
<filename>clients.conf</filename> (see
It can also be used to generate ready-made sections for
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry>).
<manvolnum>5</manvolnum></citerefentry> using the
<option>--password</option> option.
<refsect1 id="purpose">
<title>PURPOSE</title>
The purpose of this is to enable <emphasis>remote and unattended
rebooting</emphasis> of client host computers with an
<emphasis>encrypted root file system</emphasis>. See <xref
linkend="overview"/> for details.
<refsect1 id="options">
<title>OPTIONS</title>
<term><option>--help</option></term>
<term><option>-h</option></term>
<term><literal>-h</literal>, <literal>--help</literal></term>
Show a help message and exit
<replaceable>DIRECTORY</replaceable></option></term>
<replaceable>DIRECTORY</replaceable></option></term>
<term><literal>-d</literal>, <literal>--dir
<replaceable>directory</replaceable></literal></term>
Target directory for key files. Default is
<replaceable>TYPE</replaceable></option></term>
<replaceable>TYPE</replaceable></option></term>
<term><literal>-t</literal>, <literal>--type
<replaceable>type</replaceable></literal></term>
Key type. Default is <quote>DSA</quote>.
<term><option>--length
<replaceable>BITS</replaceable></option></term>
<replaceable>BITS</replaceable></option></term>
<term><literal>-l</literal>, <literal>--length
<replaceable>bits</replaceable></literal></term>
Key length in bits. Default is 2048.
<term><option>--subtype
<replaceable>KEYTYPE</replaceable></option></term>
<replaceable>KEYTYPE</replaceable></option></term>
<term><literal>-s</literal>, <literal>--subtype
<replaceable>type</replaceable></literal></term>
Subkey type. Default is <quote>ELG-E</quote> (Elgamal
<term><option>--sublength
<replaceable>BITS</replaceable></option></term>
<replaceable>BITS</replaceable></option></term>
<term><literal>-L</literal>, <literal>--sublength
<replaceable>bits</replaceable></literal></term>
Subkey length in bits. Default is 2048.
<term><option>--email
<replaceable>ADDRESS</replaceable></option></term>
<replaceable>ADDRESS</replaceable></option></term>
<term><literal>-e</literal>, <literal>--email</literal>
<replaceable>address</replaceable></term>
Email address of key. Default is empty.
<term><option>--comment
<replaceable>TEXT</replaceable></option></term>
<replaceable>TEXT</replaceable></option></term>
<term><literal>-c</literal>, <literal>--comment</literal>
<replaceable>comment</replaceable></term>
Comment field for key. The default value is
<term><option>--expire
<replaceable>TIME</replaceable></option></term>
<replaceable>TIME</replaceable></option></term>
<term><literal>-x</literal>, <literal>--expire</literal>
<replaceable>time</replaceable></term>
Key expire time. Default is no expiration. See
<term><option>--force</option></term>
<term><option>-f</option></term>
<term><literal>-f</literal>, <literal>--force</literal></term>
Force overwriting old key.
Force overwriting old keys.
<term><option>--password</option></term>
<term><option>-p</option></term>
<term><literal>-p</literal>, <literal>--password</literal
Prompt for a password and encrypt it with the key already
>8</manvolnum></citerefentry>. The host name or the name
specified with the <option>--name</option> option is used
for the section header. All other options are ignored,
and no key is created.
<term><option>--passfile
<replaceable>FILE</replaceable></option></term>
<replaceable>FILE</replaceable></option></term>
The same as <option>--password</option>, but read from
<replaceable>FILE</replaceable>, not the terminal.
and no keys are created.
<refsect1 id="overview">
<title>OVERVIEW</title>
<xi:include href="overview.xml"/>
This program is a small utility to generate new OpenPGP keys for
new Mandos clients, and to generate sections for inclusion in
<filename>clients.conf</filename> on the server.
<refsect1 id="exit_status">
<title>EXIT STATUS</title>
The exit status will be 0 if a new key (or password, if the
<option>--password</option> option was used) was successfully
created, otherwise not.
The exit status will be 0 if new keys were successfully created,
</informalexample>
Prompt for a password, encrypt it with the key in
<filename>/etc/mandos</filename> and output a section suitable
for <filename>clients.conf</filename>.
<userinput>&COMMANDNAME; --password</userinput>
Prompt for a password, encrypt it with the key in the
<filename>client-key</filename> directory and output a section
suitable for <filename>clients.conf</filename>.
<!-- do not wrap this line -->
<userinput>&COMMANDNAME; --password --dir client-key</userinput>
<refsect1 id="security">
<title>SECURITY</title>
The <option>--type</option>, <option>--length</option>,
<option>--subtype</option>, and <option>--sublength</option>
options can be used to create keys of low security. If in
doubt, leave them to the default values.
options can be used to create keys of insufficient security. If
in doubt, leave them to the default values.
The key expire time is <emphasis>not</emphasis> guaranteed to be
honored by <citerefentry><refentrytitle>mandos</refentrytitle>
The key expire time is not guaranteed to be honored by
<citerefentry><refentrytitle>mandos</refentrytitle>
<manvolnum>8</manvolnum></citerefentry>.
<refsect1 id="see_also">
<title>SEE ALSO</title>
<citerefentry><refentrytitle>gpg</refentrytitle>
<manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>mandos</refentrytitle>
<manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>mandos-client</refentrytitle>
<citerefentry><refentrytitle>password-request</refentrytitle>
<manvolnum>8mandos</manvolnum></citerefentry>