/mandos/trunk : revision 1229

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: teddy at recompile
Date: 2020-12-03 20:30:45 UTC
Revision ID: teddy@recompile.se-20201203203045-iqd6nq9y5nwalh1x

Minor fix of a test function

In dracut-module/password-agent, the test function
test_send_password_to_socket_EMSGSIZE() (which tests that the
send_password_to_socket() task function aborts properly when getting
EMSGSIZE when writing to the password socket), part of the test code
is supposed to find a message size which definitely does trigger
EMSGSIZE when send()ing to a socket.  Without a "break" in the proper
place, however, the size given is always exactly 1024 bytes too large.

This is very probably not a problem, since a too large message will
still be too large if it is increased by 1024 bytes, and send(2) in
practice checks the size before reading the buffer.  The biggest issue
would be if some version of send(2) would try to look at the last 1024
bytes of the message buffer before checking the message size; this
would then lead to a buffer over-read when running this test function.
(But even then there would be no security implications since the tests
are not run in the normal operation of the program.)

* dracut-module/password-agent.c
  (test_send_password_to_socket_EMSGSIZE): Break out early when ssret
  < 0 and errno == EMSGSIZE; don't allow loop to increase message_size
  again.

files added:
DBUS-API

NEWS

bugs.xml

dbus-mandos.conf

debian/mandos-client.examples

debian/mandos-client.templates

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/sv.po

debian/po/templates.pot

debian/source

debian/source/format

debian/source/lintian-overrides

debian/source/local-options

debian/tests

debian/tests/control

debian/upstream

debian/upstream/metadata

debian/upstream/signing-key.asc

debian/watch

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugins.d/plymouth.c

plugins.d/plymouth.xml

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files removed:
debian/mandos-client.config

debian/mandos-client.templates

debian/mandos.config

debian/mandos.templates

debian/po/POTFILES.in

debian/po/sv.po

initramfs-tools-hook-conf

files modified:
.bzrignore

INSTALL

Makefile

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2008-10-03">

<!ENTITY TIMESTAMP "2019-07-18">

<!ENTITY % common SYSTEM "common.ent">

%common;

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

116

127

117

128

</group>

118

129

<sbr/>

119

<arg><option>--force</option></arg>

130

<group>

131

<arg choice="plain"><option>--tls-keytype

132

<replaceable>KEYTYPE</replaceable></option></arg>

133

<arg choice="plain"><option>-T

134

<replaceable>KEYTYPE</replaceable></option></arg>

135

</group>

136

<sbr/>

137

<group>

138

<arg choice="plain"><option>--force</option></arg>

139

140

</group>

120

141

</cmdsynopsis>

121

142

122

143

<command>&COMMANDNAME;</command>

142

163

<arg choice="plain"><option>-n

143

164

144

165

</group>

166

<group>

167

168

169

</group>

145

170

</cmdsynopsis>

146

171

147

172

<command>&COMMANDNAME;</command>

163

188

<title>DESCRIPTION</title>

164

189

<para>

165

190

<command>&COMMANDNAME;</command> is a program to generate the

166

OpenPGP key used by

191

TLS and OpenPGP keys used by

167

192

<citerefentry><refentrytitle>mandos-client</refentrytitle>

168

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

169

normally written to /etc/mandos for later installation into the

170

initrd image, but this, and most other things, can be changed

171

with command line options.

193

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

194

normally written to /etc/keys/mandos for later installation into

195

the initrd image, but this, and most other things, can be

196

changed with command line options.

172

197

</para>

173

198

<para>

174

199

This program can also be used with the

211

236

<replaceable>DIRECTORY</replaceable></option></term>

212

237

213

238

<para>

214

Target directory for key files. Default is

215

<filename>/etc/mandos</filename>.

239

Target directory for key files. Default is <filename

240

class="directory">/etc/keys/mandos</filename>.

216

241

</para>

217

242

</listitem>

218

243

</varlistentry>

224

249

225

250

226

251

<para>

227

Key type. Default is <quote>DSA</quote>.

252

OpenPGP key type. Default is <quote>RSA</quote>.

228

253

</para>

229

254

</listitem>

230

255

</varlistentry>

236

261

237

262

238

263

<para>

239

Key length in bits. Default is 2048.

264

OpenPGP key length in bits. Default is 4096.

240

265

</para>

241

266

</listitem>

242

267

</varlistentry>

248

273

<replaceable>KEYTYPE</replaceable></option></term>

249

274

250

275

<para>

251

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

252

encryption-only).

276

OpenPGP subkey type. Default is <quote>RSA</quote>

253

277

</para>

254

278

</listitem>

255

279

</varlistentry>

261

285

262

286

263

287

<para>

264

Subkey length in bits. Default is 2048.

288

OpenPGP subkey length in bits. Default is 4096.

265

289

</para>

266

290

</listitem>

267

291

</varlistentry>

285

309

286

310

287

311

<para>

288

Comment field for key. The default value is

289

<quote><literal>Mandos client key</literal></quote>.

312

Comment field for key. Default is empty.

290

313

</para>

291

314

</listitem>

292

315

</varlistentry>

306

329

</varlistentry>

307

330

308

331

332

<term><option>--tls-keytype

333

<replaceable>KEYTYPE</replaceable></option></term>

334

<term><option>-T

335

<replaceable>KEYTYPE</replaceable></option></term>

336

337

<para>

338

TLS key type. Default is <quote>ed25519</quote>

339

</para>

340

</listitem>

341

</varlistentry>

342

343

309

344

<term><option>--force</option></term>

310

345

311

346

320

355

321

356

<para>

322

357

Prompt for a password and encrypt it with the key already

323

present in either <filename>/etc/mandos</filename> or the

324

directory specified with the <option>--dir</option>

358

present in either <filename>/etc/keys/mandos</filename> or

359

the directory specified with the <option>--dir</option>

325

360

option. Outputs, on standard output, a section suitable

326

361

for inclusion in <citerefentry><refentrytitle

327

362

>mandos-clients.conf</refentrytitle><manvolnum

328

363

>8</manvolnum></citerefentry>. The host name or the name

329

364

specified with the <option>--name</option> option is used

330

365

for the section header. All other options are ignored,

331

and no key is created.

366

and no key is created. Note: white space is stripped from

367

the beginning and from the end of the password; See <xref

368

linkend="bugs"/>.

332

369

</para>

333

370

</listitem>

334

371

</varlistentry>

340

377

341

378

<para>

342

379

The same as <option>--password</option>, but read from

343

<replaceable>FILE</replaceable>, not the terminal.

380

<replaceable>FILE</replaceable>, not the terminal, and

381

white space is not stripped from the password in any way.

382

</para>

383

</listitem>

384

</varlistentry>

385

386

387

388

389

<para>

390

When <option>--password</option> or

391

<option>--passfile</option> is given, this option will

392

prevent <command>&COMMANDNAME;</command> from calling

393

<command>ssh-keyscan</command> to get an SSH fingerprint

394

for this host and, if successful, output suitable config

395

options to use this fingerprint as a

396

<option>checker</option> option in the output. This is

397

otherwise the default behavior.

344

398

</para>

345

399

</listitem>

346

400

</varlistentry>

351

405

<title>OVERVIEW</title>

352

406

<xi:include href="overview.xml"/>

353

407

<para>

354

This program is a small utility to generate new OpenPGP keys for

355

new Mandos clients, and to generate sections for inclusion in

356

<filename>clients.conf</filename> on the server.

408

This program is a small utility to generate new TLS and OpenPGP

409

keys for new Mandos clients, and to generate sections for

410

inclusion in <filename>clients.conf</filename> on the server.

357

411

</para>

358

412

</refsect1>

359

413

391

445

</para>

392

446

393

447

394

<term><filename>/etc/mandos/seckey.txt</filename></term>

448

<term><filename>/etc/keys/mandos/seckey.txt</filename></term>

395

449

396

450

<para>

397

451

OpenPGP secret key file which will be created or

400

454

</listitem>

401

455

</varlistentry>

402

456

403

<term><filename>/etc/mandos/pubkey.txt</filename></term>

457

<term><filename>/etc/keys/mandos/pubkey.txt</filename></term>

404

458

405

459

<para>

406

460

OpenPGP public key file which will be created or

409

463

</listitem>

410

464

</varlistentry>

411

465

412

466

<term><filename>/etc/keys/mandos/tls-privkey.pem</filename></term>

467

468

<para>

469

Private key file which will be created or overwritten.

470

</para>

471

</listitem>

472

</varlistentry>

473

474

<term><filename>/etc/keys/mandos/tls-pubkey.pem</filename></term>

475

476

<para>

477

Public key file which will be created or overwritten.

478

</para>

479

</listitem>

480

</varlistentry>

481

482

413

483

414

484

<para>

415

485

Temporary files will be written here if

420

490

</variablelist>

421

491

</refsect1>

422

492

423

424

425

426

427

493

494

495

<para>

496

The <option>--password</option>/<option>-p</option> option

497

strips white space from the start and from the end of the

498

password before using it. If this is a problem, use the

499

<option>--passfile</option> option instead, which does not do

500

this.

501

</para>

502

<xi:include href="bugs.xml"/>

503

</refsect1>

428

504

429

505

430

506

<title>EXAMPLE</title>

450

526

</informalexample>

451

527

452

528

<para>

453

Prompt for a password, encrypt it with the key in

454

<filename>/etc/mandos</filename> and output a section suitable

455

for <filename>clients.conf</filename>.

529

Prompt for a password, encrypt it with the keys in <filename

530

class="directory">/etc/keys/mandos</filename> and output a

531

section suitable for <filename>clients.conf</filename>.

456

532

</para>

457

533

<para>

458

534

<userinput>&COMMANDNAME; --password</userinput>

460

536

</informalexample>

461

537

462

538

<para>

463

Prompt for a password, encrypt it with the key in the

539

Prompt for a password, encrypt it with the keys in the

464

540

<filename>client-key</filename> directory and output a section

465

541

suitable for <filename>clients.conf</filename>.

466

542

</para>

491

567

492

568

493

569

<para>

570

<citerefentry><refentrytitle>intro</refentrytitle>

571

<manvolnum>8mandos</manvolnum></citerefentry>,

494

572

495

573

<manvolnum>1</manvolnum></citerefentry>,

496

574

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

498

576

<citerefentry><refentrytitle>mandos</refentrytitle>

499

577

<manvolnum>8</manvolnum></citerefentry>,

500

578

<citerefentry><refentrytitle>mandos-client</refentrytitle>

501

<manvolnum>8mandos</manvolnum></citerefentry>

579

<manvolnum>8mandos</manvolnum></citerefentry>,

580

<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>

581

502

582

</para>

503

583

</refsect1>

504

584

Older »