
Viewing changes to mandos-keygen.xml

  • Committer: Teddy Hogeborn
  • Date: 2024-11-24 00:44:25 UTC
  • Revision ID: teddy@recompile.se-20241124004425-6k3y0ir1ksyjq3c4
mandos-keygen: Show warning about old OpenSSH versions

When generating a config file snippet on the Mandos client system
using mandos-keygen, and the default ssh-keyscan checker is used, and
if the OpenSSH version is 9.8 or later, the "checker" command
generated for the config file on the Mandos server will include the
"-q" option for ssh-keyscan.  This option did not exist on ssh-keyscan
from OpenSSH older than version 9.8.  Therefore, if the Mandos
*server* is running an older version of OpenSSH, where ssh-keyscan
does not support the "-q" option, this option must be removed from the
generated "checker" setting.  Since we cannot know if this is the case
when running mandos-keygen on the Mandos client system, we print this
information as a comment above the generated "checker" setting.

* mandos-keygen: Show warning if the new "-q" option was used with
  ssh-keyscan in the generated "checker" setting.

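--- a/mandos-keygen.xml
+++ b/mandos-keygen.xml
@@ -1,62 +1,54 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
         "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
-<!ENTITY VERSION "1.0">
 <!ENTITY COMMANDNAME "mandos-keygen">
+<!ENTITY TIMESTAMP "2019-07-18">
+<!ENTITY % common SYSTEM "common.ent">
+%common;
 ]>
 
 <refentry xmlns:xi="http://www.w3.org/2001/XInclude">
   <refentryinfo>
-    <title>&COMMANDNAME;</title>
+    <title>Mandos Manual</title>
     <!-- NWalsh’s docbook scripts use this to generate the footer: -->
-    <productname>&COMMANDNAME;</productname>
-    <productnumber>&VERSION;</productnumber>
+    <productname>Mandos</productname>
+    <productnumber>&version;</productnumber>
+    <date>&TIMESTAMP;</date>
     <authorgroup>
       <author>
         <firstname>Björn</firstname>
         <surname>Påhlsson</surname>
         <address>
-          <email>belorn@fukt.bsnet.se</email>
+          <email>belorn@recompile.se</email>
         </address>
       </author>
       <author>
         <firstname>Teddy</firstname>
         <surname>Hogeborn</surname>
         <address>
-          <email>teddy@fukt.bsnet.se</email>
+          <email>teddy@recompile.se</email>
         </address>
       </author>
     </authorgroup>
     <copyright>
       <year>2008</year>
+      <year>2009</year>
+      <year>2010</year>
+      <year>2011</year>
+      <year>2012</year>
+      <year>2013</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2017</year>
+      <year>2018</year>
+      <year>2019</year>
       <holder>Teddy Hogeborn</holder>
       <holder>Björn Påhlsson</holder>
     </copyright>
-    <legalnotice>
-      <para>
-        This manual page is free software: you can redistribute it
-        and/or modify it under the terms of the GNU General Public
-        License as published by the Free Software Foundation,
-        either version 3 of the License, or (at your option) any
-        later version.
-      </para>
-
-      <para>
-        This manual page is distributed in the hope that it will
-        be useful, but WITHOUT ANY WARRANTY; without even the
-        implied warranty of MERCHANTABILITY or FITNESS FOR A
-        PARTICULAR PURPOSE.  See the GNU General Public License
-        for more details.
-      </para>
-
-      <para>
-        You should have received a copy of the GNU General Public
-        License along with this program; If not, see
-        <ulink url="http://www.gnu.org/licenses/"/>.
-      </para>
-    </legalnotice>
+    <xi:include href="legalnotice.xml"/>
   </refentryinfo>
-
+  
   <refmeta>
     <refentrytitle>&COMMANDNAME;</refentrytitle>
     <manvolnum>8</manvolnum>
@@ -65,247 +57,268 @@
   <refnamediv>
     <refname><command>&COMMANDNAME;</command></refname>
     <refpurpose>
-      Generate keys for <citerefentry><refentrytitle>password-request
-      </refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>
+      Generate key and password for Mandos client and server.
     </refpurpose>
   </refnamediv>
-
+  
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>&COMMANDNAME;</command>
-      <group choice="opt">
-        <arg choice="plain"><option>--dir</option>
-        <replaceable>directory</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>--type</option>
-        <replaceable>type</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>--length</option>
-        <replaceable>bits</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>--subtype</option>
-        <replaceable>type</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>--sublength</option>
-        <replaceable>bits</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>--name</option>
-        <replaceable>NAME</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>--email</option>
-        <replaceable>EMAIL</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>--comment</option>
-        <replaceable>COMMENT</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>--expire</option>
-        <replaceable>TIME</replaceable></arg>
-      </group>
-      <group choice="opt">
+      <group>
+        <arg choice="plain"><option>--dir
+        <replaceable>DIRECTORY</replaceable></option></arg>
+        <arg choice="plain"><option>-d
+        <replaceable>DIRECTORY</replaceable></option></arg>
+      </group>
+      <sbr/>
+      <group>
+        <arg choice="plain"><option>--type
+        <replaceable>KEYTYPE</replaceable></option></arg>
+        <arg choice="plain"><option>-t
+        <replaceable>KEYTYPE</replaceable></option></arg>
+      </group>
+      <sbr/>
+      <group>
+        <arg choice="plain"><option>--length
+        <replaceable>BITS</replaceable></option></arg>
+        <arg choice="plain"><option>-l
+        <replaceable>BITS</replaceable></option></arg>
+      </group>
+      <sbr/>
+      <group>
+        <arg choice="plain"><option>--subtype
+        <replaceable>KEYTYPE</replaceable></option></arg>
+        <arg choice="plain"><option>-s
+        <replaceable>KEYTYPE</replaceable></option></arg>
+      </group>
+      <sbr/>
+      <group>
+        <arg choice="plain"><option>--sublength
+        <replaceable>BITS</replaceable></option></arg>
+        <arg choice="plain"><option>-L
+        <replaceable>BITS</replaceable></option></arg>
+      </group>
+      <sbr/>
+      <group>
+        <arg choice="plain"><option>--name
+        <replaceable>NAME</replaceable></option></arg>
+        <arg choice="plain"><option>-n
+        <replaceable>NAME</replaceable></option></arg>
+      </group>
+      <sbr/>
+      <group>
+        <arg choice="plain"><option>--email
+        <replaceable>ADDRESS</replaceable></option></arg>
+        <arg choice="plain"><option>-e
+        <replaceable>ADDRESS</replaceable></option></arg>
+      </group>
+      <sbr/>
+      <group>
+        <arg choice="plain"><option>--comment
+        <replaceable>TEXT</replaceable></option></arg>
+        <arg choice="plain"><option>-c
+        <replaceable>TEXT</replaceable></option></arg>
+      </group>
+      <sbr/>
+      <group>
+        <arg choice="plain"><option>--expire
+        <replaceable>TIME</replaceable></option></arg>
+        <arg choice="plain"><option>-x
+        <replaceable>TIME</replaceable></option></arg>
+      </group>
+      <sbr/>
+      <group>
+        <arg choice="plain"><option>--tls-keytype
+        <replaceable>KEYTYPE</replaceable></option></arg>
+        <arg choice="plain"><option>-T
+        <replaceable>KEYTYPE</replaceable></option></arg>
+      </group>
+      <sbr/>
+      <group>
         <arg choice="plain"><option>--force</option></arg>
-      </group>
-    </cmdsynopsis>
-    <cmdsynopsis>
-      <command>&COMMANDNAME;</command>
-      <group choice="opt">
-        <arg choice="plain"><option>-d</option>
-        <replaceable>directory</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>-t</option>
-        <replaceable>type</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>-l</option>
-        <replaceable>bits</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>-s</option>
-        <replaceable>type</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>-L</option>
-        <replaceable>bits</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>-n</option>
-        <replaceable>NAME</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>-e</option>
-        <replaceable>EMAIL</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>-c</option>
-        <replaceable>COMMENT</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>-x</option>
-        <replaceable>TIME</replaceable></arg>
-      </group>
-      <group choice="opt">
         <arg choice="plain"><option>-f</option></arg>
       </group>
     </cmdsynopsis>
     <cmdsynopsis>
       <command>&COMMANDNAME;</command>
       <group choice="req">
+        <arg choice="plain"><option>--password</option></arg>
         <arg choice="plain"><option>-p</option></arg>
-        <arg choice="plain"><option>--password</option></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>--dir</option>
-        <replaceable>directory</replaceable></arg>
-      </group>
-      <group choice="opt">
-        <arg choice="plain"><option>--name</option>
-        <replaceable>NAME</replaceable></arg>
+        <arg choice="plain"><option>--passfile
+        <replaceable>FILE</replaceable></option></arg>
+        <arg choice="plain"><option>-F</option>
+        <replaceable>FILE</replaceable></arg>
+      </group>
+      <sbr/>
+      <group>
+        <arg choice="plain"><option>--dir
+        <replaceable>DIRECTORY</replaceable></option></arg>
+        <arg choice="plain"><option>-d
+        <replaceable>DIRECTORY</replaceable></option></arg>
+      </group>
+      <sbr/>
+      <group>
+        <arg choice="plain"><option>--name
+        <replaceable>NAME</replaceable></option></arg>
+        <arg choice="plain"><option>-n
+        <replaceable>NAME</replaceable></option></arg>
+      </group>
+      <group>
+        <arg choice="plain"><option>--no-ssh</option></arg>
+        <arg choice="plain"><option>-S</option></arg>
       </group>
     </cmdsynopsis>
     <cmdsynopsis>
       <command>&COMMANDNAME;</command>
       <group choice="req">
+        <arg choice="plain"><option>--help</option></arg>
         <arg choice="plain"><option>-h</option></arg>
-        <arg choice="plain"><option>--help</option></arg>
       </group>
     </cmdsynopsis>
     <cmdsynopsis>
       <command>&COMMANDNAME;</command>
       <group choice="req">
+        <arg choice="plain"><option>--version</option></arg>
         <arg choice="plain"><option>-v</option></arg>
-        <arg choice="plain"><option>--version</option></arg>
       </group>
     </cmdsynopsis>
   </refsynopsisdiv>
-
+  
   <refsect1 id="description">
     <title>DESCRIPTION</title>
     <para>
       <command>&COMMANDNAME;</command> is a program to generate the
-      OpenPGP keys used by
-      <citerefentry><refentrytitle>password-request</refentrytitle>
+      TLS and OpenPGP keys used by
+      <citerefentry><refentrytitle>mandos-client</refentrytitle>
       <manvolnum>8mandos</manvolnum></citerefentry>.  The keys are
-      normally written to /etc/mandos for later installation into the
-      initrd image, but this, like most things, can be changed with
-      command line options.
+      normally written to /etc/keys/mandos for later installation into
+      the initrd image, but this, and most other things, can be
+      changed with command line options.
     </para>
     <para>
-      It can also be used to generate ready-made sections for
+      This program can also be used with the
+      <option>--password</option> or <option>--passfile</option>
+      options to generate a ready-made section for
+      <filename>clients.conf</filename> (see
       <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
-      <manvolnum>5</manvolnum></citerefentry> using the
-      <option>--password</option> option.
+      <manvolnum>5</manvolnum></citerefentry>).
     </para>
   </refsect1>
   
   <refsect1 id="purpose">
     <title>PURPOSE</title>
-
     <para>
       The purpose of this is to enable <emphasis>remote and unattended
       rebooting</emphasis> of client host computer with an
       <emphasis>encrypted root file system</emphasis>.  See <xref
       linkend="overview"/> for details.
     </para>
-
   </refsect1>
   
   <refsect1 id="options">
     <title>OPTIONS</title>
-
+    
     <variablelist>
       <varlistentry>
-        <term><literal>-h</literal>, <literal>--help</literal></term>
+        <term><option>--help</option></term>
+        <term><option>-h</option></term>
         <listitem>
           <para>
             Show a help message and exit
           </para>
         </listitem>
       </varlistentry>
-
-      <varlistentry>
-        <term><literal>-d</literal>, <literal>--dir
-        <replaceable>directory</replaceable></literal></term>
-        <listitem>
-          <para>
-            Target directory for key files.  Default is
-            <filename>/etc/mandos</filename>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><literal>-t</literal>, <literal>--type
-        <replaceable>type</replaceable></literal></term>
-        <listitem>
-          <para>
-            Key type.  Default is <quote>DSA</quote>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><literal>-l</literal>, <literal>--length
-        <replaceable>bits</replaceable></literal></term>
-        <listitem>
-          <para>
-            Key length in bits.  Default is 2048.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><literal>-s</literal>, <literal>--subtype
-        <replaceable>type</replaceable></literal></term>
-        <listitem>
-          <para>
-            Subkey type.  Default is <quote>ELG-E</quote> (Elgamal
-            encryption-only).
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><literal>-L</literal>, <literal>--sublength
-        <replaceable>bits</replaceable></literal></term>
-        <listitem>
-          <para>
-            Subkey length in bits.  Default is 2048.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><literal>-e</literal>, <literal>--email</literal>
-        <replaceable>address</replaceable></term>
+      
+      <varlistentry>
+        <term><option>--dir
+        <replaceable>DIRECTORY</replaceable></option></term>
+        <term><option>-d
+        <replaceable>DIRECTORY</replaceable></option></term>
+        <listitem>
+          <para>
+            Target directory for key files.  Default is <filename
+            class="directory">/etc/keys/mandos</filename>.
+          </para>
+        </listitem>
+      </varlistentry>
+      
+      <varlistentry>
+        <term><option>--type
+        <replaceable>TYPE</replaceable></option></term>
+        <term><option>-t
+        <replaceable>TYPE</replaceable></option></term>
+        <listitem>
+          <para>
+            OpenPGP key type.  Default is <quote>RSA</quote>.
+          </para>
+        </listitem>
+      </varlistentry>
+      
+      <varlistentry>
+        <term><option>--length
+        <replaceable>BITS</replaceable></option></term>
+        <term><option>-l
+        <replaceable>BITS</replaceable></option></term>
+        <listitem>
+          <para>
+            OpenPGP key length in bits.  Default is 4096.
+          </para>
+        </listitem>
+      </varlistentry>
+      
+      <varlistentry>
+        <term><option>--subtype
+        <replaceable>KEYTYPE</replaceable></option></term>
+        <term><option>-s
+        <replaceable>KEYTYPE</replaceable></option></term>
+        <listitem>
+          <para>
+            OpenPGP subkey type.  Default is <quote>RSA</quote>
+          </para>
+        </listitem>
+      </varlistentry>
+      
+      <varlistentry>
+        <term><option>--sublength
+        <replaceable>BITS</replaceable></option></term>
+        <term><option>-L
+        <replaceable>BITS</replaceable></option></term>
+        <listitem>
+          <para>
+            OpenPGP subkey length in bits.  Default is 4096.
+          </para>
+        </listitem>
+      </varlistentry>
+      
+      <varlistentry>
+        <term><option>--email
+        <replaceable>ADDRESS</replaceable></option></term>
+        <term><option>-e
+        <replaceable>ADDRESS</replaceable></option></term>
         <listitem>
           <para>
             Email address of key.  Default is empty.
           </para>
         </listitem>
       </varlistentry>
-
+      
       <varlistentry>
-        <term><literal>-c</literal>, <literal>--comment</literal>
-        <replaceable>comment</replaceable></term>
+        <term><option>--comment
+        <replaceable>TEXT</replaceable></option></term>
+        <term><option>-c
+        <replaceable>TEXT</replaceable></option></term>
         <listitem>
           <para>
-            Comment field for key.  The default value is
-            <quote><literal>Mandos client key</literal></quote>.
+            Comment field for key.  Default is empty.
           </para>
         </listitem>
       </varlistentry>
-
+      
       <varlistentry>
-        <term><literal>-x</literal>, <literal>--expire</literal>
-        <replaceable>time</replaceable></term>
+        <term><option>--expire
+        <replaceable>TIME</replaceable></option></term>
+        <term><option>-x
+        <replaceable>TIME</replaceable></option></term>
         <listitem>
           <para>
             Key expire time.  Default is no expiration.  See
@@ -314,50 +327,96 @@
           </para>
         </listitem>
       </varlistentry>
-
-      <varlistentry>
-        <term><literal>-f</literal>, <literal>--force</literal></term>
-        <listitem>
-          <para>
-            Force overwriting old keys.
-          </para>
-        </listitem>
-      </varlistentry>
-      <varlistentry>
-        <term><literal>-p</literal>, <literal>--password</literal
-        ></term>
+      
+      <varlistentry>
+        <term><option>--tls-keytype
+        <replaceable>KEYTYPE</replaceable></option></term>
+        <term><option>-T
+        <replaceable>KEYTYPE</replaceable></option></term>
+        <listitem>
+          <para>
+            TLS key type.  Default is <quote>ed25519</quote>
+          </para>
+        </listitem>
+      </varlistentry>
+      
+      <varlistentry>
+        <term><option>--force</option></term>
+        <term><option>-f</option></term>
+        <listitem>
+          <para>
+            Force overwriting old key.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term><option>--password</option></term>
+        <term><option>-p</option></term>
         <listitem>
           <para>
             Prompt for a password and encrypt it with the key already
-            present in either <filename>/etc/mandos</filename> or the
-            directory specified with the <option>--dir</option>
+            present in either <filename>/etc/keys/mandos</filename> or
+            the directory specified with the <option>--dir</option>
             option.  Outputs, on standard output, a section suitable
             for inclusion in <citerefentry><refentrytitle
             >mandos-clients.conf</refentrytitle><manvolnum
             >8</manvolnum></citerefentry>.  The host name or the name
             specified with the <option>--name</option> option is used
             for the section header.  All other options are ignored,
-            and no keys are created.
+            and no key is created.  Note: white space is stripped from
+            the beginning and from the end of the password; See <xref
+            linkend="bugs"/>.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term><option>--passfile
+        <replaceable>FILE</replaceable></option></term>
+        <term><option>-F
+        <replaceable>FILE</replaceable></option></term>
+        <listitem>
+          <para>
+            The same as <option>--password</option>, but read from
+            <replaceable>FILE</replaceable>, not the terminal, and
+            white space is not stripped from the password in any way.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term><option>--no-ssh</option></term>
+        <term><option>-S</option></term>
+        <listitem>
+          <para>
+            When <option>--password</option> or
+            <option>--passfile</option> is given, this option will
+            prevent <command>&COMMANDNAME;</command> from calling
+            <command>ssh-keyscan</command> to get an SSH fingerprint
+            for this host and, if successful, output suitable config
+            options to use this fingerprint as a
+            <option>checker</option> option in the output.  This is
+            otherwise the default behavior.
           </para>
         </listitem>
       </varlistentry>
     </variablelist>
   </refsect1>
-
+  
   <refsect1 id="overview">
     <title>OVERVIEW</title>
     <xi:include href="overview.xml"/>
     <para>
-      This program is a small utility to generate new OpenPGP keys for
-      new Mandos clients.
+      This program is a small utility to generate new TLS and OpenPGP
+      keys for new Mandos clients, and to generate sections for
+      inclusion in <filename>clients.conf</filename> on the server.
     </para>
   </refsect1>
-
+  
   <refsect1 id="exit_status">
     <title>EXIT STATUS</title>
     <para>
-      The exit status will be 0 if new keys were successfully created,
-      otherwise not.
+      The exit status will be 0 if a new key (or password, if the
+      <option>--password</option> option was used) was successfully
+      created, otherwise not.
     </para>
   </refsect1>
   
@@ -365,7 +424,7 @@
     <title>ENVIRONMENT</title>
     <variablelist>
       <varlistentry>
-        <term><varname>TMPDIR</varname></term>
+        <term><envar>TMPDIR</envar></term>
         <listitem>
           <para>
             If set, temporary files will be created here. See
@@ -377,7 +436,7 @@
     </variablelist>
   </refsect1>
   
-  <refsect1 id="file">
+  <refsect1 id="files">
     <title>FILES</title>
     <para>
       Use the <option>--dir</option> option to change where
@@ -386,7 +445,7 @@
     </para>
     <variablelist>
       <varlistentry>
-        <term><filename>/etc/mandos/seckey.txt</filename></term>
+        <term><filename>/etc/keys/mandos/seckey.txt</filename></term>
         <listitem>
           <para>
             OpenPGP secret key file which will be created or
@@ -395,7 +454,7 @@
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><filename>/etc/mandos/pubkey.txt</filename></term>
+        <term><filename>/etc/keys/mandos/pubkey.txt</filename></term>
         <listitem>
           <para>
             OpenPGP public key file which will be created or
@@ -404,7 +463,23 @@
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><filename>/tmp</filename></term>
+        <term><filename>/etc/keys/mandos/tls-privkey.pem</filename></term>
+        <listitem>
+          <para>
+            Private key file which will be created or overwritten.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term><filename>/etc/keys/mandos/tls-pubkey.pem</filename></term>
+        <listitem>
+          <para>
+            Public key file which will be created or overwritten.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term><filename class="directory">/tmp</filename></term>
         <listitem>
           <para>
             Temporary files will be written here if
@@ -414,14 +489,19 @@
       </varlistentry>
     </variablelist>
   </refsect1>
-
+  
   <refsect1 id="bugs">
     <title>BUGS</title>
     <para>
-      None are known at this time.
+      The <option>--password</option>/<option>-p</option> option
+      strips white space from the start and from the end of the
+      password before using it.  If this is a problem, use the
+      <option>--passfile</option> option instead, which does not do
+      this.
     </para>
+    <xi:include href="bugs.xml"/>
   </refsect1>
-
+  
   <refsect1 id="example">
     <title>EXAMPLE</title>
     <informalexample>
@@ -429,48 +509,82 @@
         Normal invocation needs no options:
       </para>
       <para>
-        <userinput>mandos-keygen</userinput>
+        <userinput>&COMMANDNAME;</userinput>
       </para>
     </informalexample>
     <informalexample>
       <para>
-        Create keys in another directory and of another type.  Force
+        Create key in another directory and of another type.  Force
         overwriting old key files:
       </para>
       <para>
 
 <!-- do not wrap this line -->
-<userinput>mandos-keygen --dir ~/keydir --type RSA --force</userinput>
+<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>
+
+      </para>
+    </informalexample>
+    <informalexample>
+      <para>
+        Prompt for a password, encrypt it with the keys in <filename
+        class="directory">/etc/keys/mandos</filename> and output a
+        section suitable for <filename>clients.conf</filename>.
+      </para>
+      <para>
+        <userinput>&COMMANDNAME; --password</userinput>
+      </para>
+    </informalexample>
+    <informalexample>
+      <para>
+        Prompt for a password, encrypt it with the keys in the
+        <filename>client-key</filename> directory and output a section
+        suitable for <filename>clients.conf</filename>.
+      </para>
+      <para>
+
+<!-- do not wrap this line -->
+<userinput>&COMMANDNAME; --password --dir client-key</userinput>
 
       </para>
     </informalexample>
   </refsect1>
-
+  
   <refsect1 id="security">
     <title>SECURITY</title>
     <para>
       The <option>--type</option>, <option>--length</option>,
       <option>--subtype</option>, and <option>--sublength</option>
-      options can be used to create keys of insufficient security.  If
-      in doubt, leave them to the default values.
+      options can be used to create keys of low security.  If in
+      doubt, leave them to the default values.
     </para>
     <para>
-      The key expire time is not guaranteed to be honored by
-      <citerefentry><refentrytitle>mandos</refentrytitle>
+      The key expire time is <emphasis>not</emphasis> guaranteed to be
+      honored by <citerefentry><refentrytitle>mandos</refentrytitle>
       <manvolnum>8</manvolnum></citerefentry>.
     </para>
   </refsect1>
-
+  
   <refsect1 id="see_also">
     <title>SEE ALSO</title>
     <para>
-      <citerefentry><refentrytitle>password-request</refentrytitle>
+      <citerefentry><refentrytitle>intro</refentrytitle>
       <manvolnum>8mandos</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>gpg</refentrytitle>
+      <manvolnum>1</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
+      <manvolnum>5</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>mandos</refentrytitle>
       <manvolnum>8</manvolnum></citerefentry>,
-      <citerefentry><refentrytitle>gpg</refentrytitle>
+      <citerefentry><refentrytitle>mandos-client</refentrytitle>
+      <manvolnum>8mandos</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>ssh-keyscan</refentrytitle>
       <manvolnum>1</manvolnum></citerefentry>
     </para>
   </refsect1>
   
 </refentry>
+<!-- Local Variables: -->
+<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
+<!-- time-stamp-end: "[\"']>" -->
+<!-- time-stamp-format: "%:y-%02m-%02d" -->
+<!-- End: -->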