/mandos/trunk : revision 163

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2008-09-05 16:24:33 UTC
Revision ID: teddy@fukt.bsnet.se-20080905162433-58fgx91ae9foxlh1

* Makefile (PIDDIR, USER, GROUP): Removed.
  (install-server): Do not create $(PIDDIR).
  (uninstall-server): Do not remove $(PIDDIR).

* init.d-mandos (PIDFILE): Changed to "/var/run/$NAME.pid".

* mandos (IPv6_TCPServer.enabled): New attribute.
  (IPv6_TCPServer.server_activate): Only call method of superclass if
                                    "self.enabled".
  (IPv6_TCPServer.enable): Set "self.enabled" to True.
  (main): Create client Set() early.  Create IPv6_TCPServer object
          early.  Switch to user and group "mandos", "nobody" or
          65534, if possible.  Enable IPv6_TCPServer *after* switching
          user.

* mandos-keygen (KEYDIR): Changed to "/etc/keys/mandos".

* mandos.xml (FILES): Changed PID file.
  (SECURITY): The server does need to be privileged, but switches to a
              non-privileged user.

* plugin-runner.xml (EXAMPLE): Changed long example to something more
                               realistic.

files added:
initramfs-tools-hook-conf

plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/sv.po

debian/po/templates.pot

debian/rules

debian/source

debian/source/format

debian/source/lintian-overrides

debian/source/local-options

debian/tests

debian/tests/control

debian/upstream

debian/upstream/metadata

debian/upstream/signing-key.asc

debian/watch

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

README

TODO

clients.conf

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2019-07-18">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-09-03">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

Generate key and password for Mandos client and server.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

127

115

128

116

</group>

129

117

<sbr/>

130

<group>

131

<arg choice="plain"><option>--tls-keytype

132

<replaceable>KEYTYPE</replaceable></option></arg>

133

<arg choice="plain"><option>-T

134

<replaceable>KEYTYPE</replaceable></option></arg>

135

</group>

136

<sbr/>

137

<group>

138

<arg choice="plain"><option>--force</option></arg>

139

140

</group>

118

<arg><option>--force</option></arg>

141

119

</cmdsynopsis>

142

120

143

121

<command>&COMMANDNAME;</command>

144

122

145

123

<arg choice="plain"><option>--password</option></arg>

146

124

147

<arg choice="plain"><option>--passfile

148

149

150

151

125

</group>

152

126

<sbr/>

153

127

<group>

163

137

<arg choice="plain"><option>-n

164

138

165

139

</group>

166

<group>

167

168

169

</group>

170

140

</cmdsynopsis>

171

141

172

142

<command>&COMMANDNAME;</command>

188

158

<title>DESCRIPTION</title>

189

159

<para>

190

160

<command>&COMMANDNAME;</command> is a program to generate the

191

TLS and OpenPGP keys used by

192

<citerefentry><refentrytitle>mandos-client</refentrytitle>

193

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

194

normally written to /etc/keys/mandos for later installation into

195

the initrd image, but this, and most other things, can be

196

changed with command line options.

161

OpenPGP key used by

162

<citerefentry><refentrytitle>password-request</refentrytitle>

163

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

164

normally written to /etc/mandos for later installation into the

165

initrd image, but this, and most other things, can be changed

166

with command line options.

197

167

</para>

198

168

<para>

199

169

This program can also be used with the

200

<option>--password</option> or <option>--passfile</option>

201

options to generate a ready-made section for

202

<filename>clients.conf</filename> (see

170

<option>--password</option> option to generate a ready-made

171

section for <filename>clients.conf</filename> (see

203

172

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

204

173

<manvolnum>5</manvolnum></citerefentry>).

205

174

</para>

228

197

</para>

229

198

</listitem>

230

199

</varlistentry>

231

200

232

201

233

202

<term><option>--dir

234

203

<replaceable>DIRECTORY</replaceable></option></term>

236

205

<replaceable>DIRECTORY</replaceable></option></term>

237

206

238

207

<para>

239

Target directory for key files. Default is <filename

240

class="directory">/etc/keys/mandos</filename>.

208

Target directory for key files. Default is

209

<filename>/etc/mandos</filename>.

241

210

</para>

242

211

</listitem>

243

212

</varlistentry>

244

213

245

214

246

215

<term><option>--type

247

216

249

218

250

219

251

220

<para>

252

OpenPGP key type. Default is <quote>RSA</quote>.

221

Key type. Default is <quote>DSA</quote>.

253

222

</para>

254

223

</listitem>

255

224

</varlistentry>

256

225

257

226

258

227

<term><option>--length

259

228

261

230

262

231

263

232

<para>

264

OpenPGP key length in bits. Default is 4096.

233

Key length in bits. Default is 2048.

265

234

</para>

266

235

</listitem>

267

236

</varlistentry>

268

237

269

238

270

239

<term><option>--subtype

271

240

<replaceable>KEYTYPE</replaceable></option></term>

273

242

<replaceable>KEYTYPE</replaceable></option></term>

274

243

275

244

<para>

276

OpenPGP subkey type. Default is <quote>RSA</quote>

245

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

246

encryption-only).

277

247

</para>

278

248

</listitem>

279

249

</varlistentry>

280

250

281

251

282

252

<term><option>--sublength

283

253

285

255

286

256

287

257

<para>

288

OpenPGP subkey length in bits. Default is 4096.

258

Subkey length in bits. Default is 2048.

289

259

</para>

290

260

</listitem>

291

261

</varlistentry>

292

262

293

263

294

264

<term><option>--email

295

265

<replaceable>ADDRESS</replaceable></option></term>

301

271

</para>

302

272

</listitem>

303

273

</varlistentry>

304

274

305

275

306

276

<term><option>--comment

307

277

309

279

310

280

311

281

<para>

312

Comment field for key. Default is empty.

282

Comment field for key. The default value is

283

<quote><literal>Mandos client key</literal></quote>.

313

284

</para>

314

285

</listitem>

315

286

</varlistentry>

316

287

317

288

318

289

<term><option>--expire

319

290

327

298

</para>

328

299

</listitem>

329

300

</varlistentry>

330

331

332

<term><option>--tls-keytype

333

<replaceable>KEYTYPE</replaceable></option></term>

334

<term><option>-T

335

<replaceable>KEYTYPE</replaceable></option></term>

336

337

<para>

338

TLS key type. Default is <quote>ed25519</quote>

339

</para>

340

</listitem>

341

</varlistentry>

342

301

343

302

344

303

<term><option>--force</option></term>

345

304

355

314

356

315

<para>

357

316

Prompt for a password and encrypt it with the key already

358

present in either <filename>/etc/keys/mandos</filename> or

359

the directory specified with the <option>--dir</option>

317

present in either <filename>/etc/mandos</filename> or the

318

directory specified with the <option>--dir</option>

360

319

option. Outputs, on standard output, a section suitable

361

320

for inclusion in <citerefentry><refentrytitle

362

321

>mandos-clients.conf</refentrytitle><manvolnum

363

322

>8</manvolnum></citerefentry>. The host name or the name

364

323

specified with the <option>--name</option> option is used

365

324

for the section header. All other options are ignored,

366

and no key is created. Note: white space is stripped from

367

the beginning and from the end of the password; See <xref

368

linkend="bugs"/>.

369

</para>

370

</listitem>

371

</varlistentry>

372

373

<term><option>--passfile

374

375

<term><option>-F

376

377

378

<para>

379

The same as <option>--password</option>, but read from

380

<replaceable>FILE</replaceable>, not the terminal, and

381

white space is not stripped from the password in any way.

382

</para>

383

</listitem>

384

</varlistentry>

385

386

387

388

389

<para>

390

When <option>--password</option> or

391

<option>--passfile</option> is given, this option will

392

prevent <command>&COMMANDNAME;</command> from calling

393

<command>ssh-keyscan</command> to get an SSH fingerprint

394

for this host and, if successful, output suitable config

395

options to use this fingerprint as a

396

<option>checker</option> option in the output. This is

397

otherwise the default behavior.

325

and no key is created.

398

326

</para>

399

327

</listitem>

400

328

</varlistentry>

401

329

</variablelist>

402

330

</refsect1>

403

331

404

332

405

333

<title>OVERVIEW</title>

406

334

<xi:include href="overview.xml"/>

407

335

<para>

408

This program is a small utility to generate new TLS and OpenPGP

409

keys for new Mandos clients, and to generate sections for

410

inclusion in <filename>clients.conf</filename> on the server.

336

This program is a small utility to generate new OpenPGP keys for

337

new Mandos clients, and to generate sections for inclusion in

338

<filename>clients.conf</filename> on the server.

411

339

</para>

412

340

</refsect1>

413

341

414

342

415

343

<title>EXIT STATUS</title>

416

344

<para>

436

364

</variablelist>

437

365

</refsect1>

438

366

439

367

440

368

<title>FILES</title>

441

369

<para>

442

370

Use the <option>--dir</option> option to change where

445

373

</para>

446

374

447

375

448

<term><filename>/etc/keys/mandos/seckey.txt</filename></term>

376

<term><filename>/etc/mandos/seckey.txt</filename></term>

449

377

450

378

<para>

451

379

OpenPGP secret key file which will be created or

454

382

</listitem>

455

383

</varlistentry>

456

384

457

<term><filename>/etc/keys/mandos/pubkey.txt</filename></term>

385

<term><filename>/etc/mandos/pubkey.txt</filename></term>

458

386

459

387

<para>

460

388

OpenPGP public key file which will be created or

463

391

</listitem>

464

392

</varlistentry>

465

393

466

<term><filename>/etc/keys/mandos/tls-privkey.pem</filename></term>

467

468

<para>

469

Private key file which will be created or overwritten.

470

</para>

471

</listitem>

472

</varlistentry>

473

474

<term><filename>/etc/keys/mandos/tls-pubkey.pem</filename></term>

475

476

<para>

477

Public key file which will be created or overwritten.

478

</para>

479

</listitem>

480

</varlistentry>

481

482

394

483

395

484

396

<para>

485

397

Temporary files will be written here if

489

401

</varlistentry>

490

402

</variablelist>

491

403

</refsect1>

492

493

494

495

<para>

496

The <option>--password</option>/<option>-p</option> option

497

strips white space from the start and from the end of the

498

password before using it. If this is a problem, use the

499

<option>--passfile</option> option instead, which does not do

500

this.

501

</para>

502

<xi:include href="bugs.xml"/>

503

</refsect1>

504

404

405

406

407

408

409

410

505

411

506

412

<title>EXAMPLE</title>

507

413

526

432

</informalexample>

527

433

528

434

<para>

529

Prompt for a password, encrypt it with the keys in <filename

530

class="directory">/etc/keys/mandos</filename> and output a

531

section suitable for <filename>clients.conf</filename>.

435

Prompt for a password, encrypt it with the key in

436

<filename>/etc/mandos</filename> and output a section suitable

437

for <filename>clients.conf</filename>.

532

438

</para>

533

439

<para>

534

440

<userinput>&COMMANDNAME; --password</userinput>

536

442

</informalexample>

537

443

538

444

<para>

539

Prompt for a password, encrypt it with the keys in the

445

Prompt for a password, encrypt it with the key in the

540

446

<filename>client-key</filename> directory and output a section

541

447

suitable for <filename>clients.conf</filename>.

542

448

</para>

548

454

</para>

549

455

</informalexample>

550

456

</refsect1>

551

457

552

458

553

459

<title>SECURITY</title>

554

460

<para>

563

469

<manvolnum>8</manvolnum></citerefentry>.

564

470

</para>

565

471

</refsect1>

566

472

567

473

568

474

569

475

<para>

570

<citerefentry><refentrytitle>intro</refentrytitle>

571

<manvolnum>8mandos</manvolnum></citerefentry>,

572

476

573

477

<manvolnum>1</manvolnum></citerefentry>,

574

478

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

575

479

<manvolnum>5</manvolnum></citerefentry>,

576

480

<citerefentry><refentrytitle>mandos</refentrytitle>

577

481

<manvolnum>8</manvolnum></citerefentry>,

578

<citerefentry><refentrytitle>mandos-client</refentrytitle>

579

<manvolnum>8mandos</manvolnum></citerefentry>,

580

<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>

581

482

<citerefentry><refentrytitle>password-request</refentrytitle>

483

<manvolnum>8mandos</manvolnum></citerefentry>

582

484

</para>

583

485

</refsect1>

584

486

Older »