3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY VERSION "1.0">
5
5
<!ENTITY COMMANDNAME "mandos-keygen">
6
<!ENTITY TIMESTAMP "2008-08-30">
6
<!ENTITY TIMESTAMP "2008-08-31">
9
9
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
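Review bot: the TIMESTAMP entity is bumped to 2008-08-31 while the VERSION entity stays at "1.0", even though this diff also changes the synopsis markup, the purpose line and several option descriptions; that is fine if VERSION tracks the program release rather than the page, but it is worth confirming that is the intent.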
68
68
<refname><command>&COMMANDNAME;</command></refname>
70
Generate keys for <citerefentry><refentrytitle>password-request
71
</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>
70
Generate key and password for Mandos client and server.
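Review bot: the new refpurpose, "Generate key and password for Mandos client and server.", reads as if a password is always generated, whereas the --password description and the EXAMPLES in this same diff describe prompting for a password and encrypting it with the existing key. Consider "Generate key, and optionally an encrypted password, for Mandos client and server." Dropping the citerefentry link to password-request(8mandos) from the purpose line is fine, since DESCRIPTION still carries it.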
165
164
<command>&COMMANDNAME;</command>
166
165
<group choice="req">
166
<arg choice="plain"><option>--help</option></arg>
167
167
<arg choice="plain"><option>-h</option></arg>
168
<arg choice="plain"><option>--help</option></arg>
172
171
<command>&COMMANDNAME;</command>
173
172
<group choice="req">
173
<arg choice="plain"><option>--version</option></arg>
174
174
<arg choice="plain"><option>-v</option></arg>
175
<arg choice="plain"><option>--version</option></arg>
178
177
</refsynopsisdiv>
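Review bot: the synopsis is reordered to list -h before --help and -v before --version (new lines 167-168 and 174-175), but the OPTIONS section in this same diff lists --help before -h, --force before -f and --password before -p; pick one order (long form first or short form first) and use it in both places.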
180
179
<refsect1 id="description">
181
180
<title>DESCRIPTION</title>
183
182
<command>&COMMANDNAME;</command> is a program to generate the
185
184
<citerefentry><refentrytitle>password-request</refentrytitle>
186
<manvolnum>8mandos</manvolnum></citerefentry>. The keys are
185
<manvolnum>8mandos</manvolnum></citerefentry>. The key is
187
186
normally written to /etc/mandos for later installation into the
188
initrd image, but this, like most things, can be changed with
189
command line options.
187
initrd image, but this, and most other things, can be changed
188
with command line options.
192
It can also be used to generate ready-made sections for
191
This program can also be used with the
192
<option>--password</option> option to generate a ready-made
193
section for <filename>clients.conf</filename> (see
193
194
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
194
<manvolnum>5</manvolnum></citerefentry> using the
195
<option>--password</option> option.
195
<manvolnum>5</manvolnum></citerefentry>).
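Review bot: switching "The keys are" to "The key is" matches "Force overwriting old key" and the new EXIT STATUS wording, but the --dir entry still says "Target directory for key files" and the new overview paragraph says "OpenPGP keys"; either make the number consistent or say here that the one key is written as several files. This paragraph is also the natural place to say that the generated key is an OpenPGP key, a fact that currently appears only in the overview paragraph further down.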
199
199
<refsect1 id="purpose">
200
200
<title>PURPOSE</title>
203
202
The purpose of this is to enable <emphasis>remote and unattended
204
203
rebooting</emphasis> of client host computer with an
205
204
<emphasis>encrypted root file system</emphasis>. See <xref
206
205
linkend="overview"/> for details.
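Review bot: "rebooting of client host computer with an encrypted root file system" (lines 203-204) is missing an article; since these lines are shifted by this diff anyway, "of a client host computer" would read better.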
211
209
<refsect1 id="options">
212
210
<title>OPTIONS</title>
216
<term><literal>-h</literal>, <literal>--help</literal></term>
214
<term><option>--help</option></term>
215
<term><option>-h</option></term>
219
218
Show a help message and exit
225
<term><literal>-d</literal>, <literal>--dir
226
<replaceable>directory</replaceable></literal></term>
225
<replaceable>DIRECTORY</replaceable></option></term>
227
<replaceable>DIRECTORY</replaceable></option></term>
229
230
Target directory for key files. Default is
236
<term><literal>-t</literal>, <literal>--type
237
<replaceable>type</replaceable></literal></term>
238
<replaceable>TYPE</replaceable></option></term>
240
<replaceable>TYPE</replaceable></option></term>
240
243
Key type. Default is <quote>DSA</quote>.
246
<term><literal>-l</literal>, <literal>--length
247
<replaceable>bits</replaceable></literal></term>
249
<term><option>--length
250
<replaceable>BITS</replaceable></option></term>
252
<replaceable>BITS</replaceable></option></term>
250
255
Key length in bits. Default is 2048.
256
<term><literal>-s</literal>, <literal>--subtype
257
<replaceable>type</replaceable></literal></term>
261
<term><option>--subtype
262
<replaceable>KEYTYPE</replaceable></option></term>
264
<replaceable>KEYTYPE</replaceable></option></term>
260
267
Subkey type. Default is <quote>ELG-E</quote> (Elgamal
267
<term><literal>-L</literal>, <literal>--sublength
268
<replaceable>bits</replaceable></literal></term>
274
<term><option>--sublength
275
<replaceable>BITS</replaceable></option></term>
277
<replaceable>BITS</replaceable></option></term>
271
280
Subkey length in bits. Default is 2048.
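Review bot: the --type, --length, --subtype and --sublength entries state their defaults (DSA, 2048, ELG-E, 2048) but do not point at the SECURITY section, which is where the caution about low-security values lives; an <xref linkend="security"/> from these entries (the page already uses <xref linkend="overview"/> in PURPOSE) would keep the warning next to the knobs it applies to. Also, --subtype's replaceable is renamed KEYTYPE while --type's is TYPE; if the point is to tell them apart, KEYTYPE and SUBTYPE would make the distinction obvious.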
277
<term><literal>-e</literal>, <literal>--email</literal>
278
<replaceable>address</replaceable></term>
286
<term><option>--email
287
<replaceable>ADDRESS</replaceable></option></term>
289
<replaceable>ADDRESS</replaceable></option></term>
281
292
Email address of key. Default is empty.
287
<term><literal>-c</literal>, <literal>--comment</literal>
288
<replaceable>comment</replaceable></term>
298
<term><option>--comment
299
<replaceable>TEXT</replaceable></option></term>
301
<replaceable>TEXT</replaceable></option></term>
291
304
Comment field for key. The default value is
298
<term><literal>-x</literal>, <literal>--expire</literal>
299
<replaceable>time</replaceable></term>
311
<term><option>--expire
312
<replaceable>TIME</replaceable></option></term>
314
<replaceable>TIME</replaceable></option></term>
302
317
Key expire time. Default is no expiration. See
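Review bot: "Key expire time. Default is no expiration." (new line 317) should mention, or xref, the SECURITY caveat that mandos(8) is not guaranteed to honor the expiry time; a reader setting --expire from this entry alone will assume it is enforced.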
310
<term><literal>-f</literal>, <literal>--force</literal></term>
325
<term><option>--force</option></term>
326
<term><option>-f</option></term>
313
Force overwriting old keys.
329
Force overwriting old key.
318
<term><literal>-p</literal>, <literal>--password</literal
334
<term><option>--password</option></term>
335
<term><option>-p</option></term>
322
338
Prompt for a password and encrypt it with the key already
340
356
<xi:include href="overview.xml"/>
342
358
This program is a small utility to generate new OpenPGP keys for
359
new Mandos clients, and to generate sections for inclusion in
360
<filename>clients.conf</filename> on the server.
347
364
<refsect1 id="exit_status">
348
365
<title>EXIT STATUS</title>
350
The exit status will be 0 if new keys were successfully created,
367
The exit status will be 0 if a new key (or password, if the
368
<option>--password</option> option was used) was successfully
369
created, otherwise not.
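Review bot: "otherwise not" (new line 369) leaves the failure value unspecified; say "otherwise non-zero" (or the actual value) so that scripts can test it. The parenthetical also makes the sentence hard to scan; "if a new key, or a new encrypted password when --password is given, was successfully created" reads better.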
437
455
</informalexample>
458
Prompt for a password, encrypt it with the key in
459
<filename>/etc/mandos</filename> and output a section suitable
460
for <filename>clients.conf</filename>.
463
<userinput>&COMMANDNAME; --password</userinput>
468
Prompt for a password, encrypt it with the key in the
469
<filename>client-key</filename> directory and output a section
470
suitable for <filename>clients.conf</filename>.
474
<!-- do not wrap this line -->
475
<userinput>&COMMANDNAME; --password --dir client-key</userinput>
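Review bot: the two new --password examples differ only in the key directory, and the first one names /etc/mandos without saying that this is the default --dir; stating that once, or dropping the directory from the first example's description, avoids the reader assuming the directory must always be given. The "do not wrap this line" comment is a good guard for the userinput line.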
440
481
<refsect1 id="security">
443
484
The <option>--type</option>, <option>--length</option>,
444
485
<option>--subtype</option>, and <option>--sublength</option>
445
options can be used to create keys of insufficient security. If
446
in doubt, leave them to the default values.
486
options can be used to create keys of low security. If in
487
doubt, leave them to the default values.
449
The key expire time is not guaranteed to be honored by
450
<citerefentry><refentrytitle>mandos</refentrytitle>
490
The key expire time is <emphasis>not</emphasis> guaranteed to be
491
honored by <citerefentry><refentrytitle>mandos</refentrytitle>
451
492
<manvolnum>8</manvolnum></citerefentry>.
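Review bot: "keys of low security" (new line 486) is vaguer than the removed "insufficient security", and neither gives the reader a yardstick. Since the defaults are stated in OPTIONS, say that values below the defaults weaken the key, or point to gpg(1), which is already in SEE ALSO. The added <emphasis>not</emphasis> on the expiry caveat is an improvement.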
458
499
<citerefentry><refentrytitle>gpg</refentrytitle>
459
500
<manvolnum>1</manvolnum></citerefentry>,
501
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
502
<manvolnum>5</manvolnum></citerefentry>,
460
503
<citerefentry><refentrytitle>mandos</refentrytitle>
461
504
<manvolnum>8</manvolnum></citerefentry>,
462
505
<citerefentry><refentrytitle>password-request</refentrytitle>