/mandos/trunk : revision 172

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2008-09-06 16:33:08 UTC
Revision ID: teddy@fukt.bsnet.se-20080906163308-ciy82qw6jollqrjd

* plugins.d/mandos-client.xml (NAME, OVERVIEW, EXIT STATUS): Improved
wording.

files added:
etc-plugins.d-README

initramfs-tools-hook-conf

plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files modified:
.bzrignore

Makefile

README

TODO

clients.conf

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2019-02-10">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-09-06">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

Generate key and password for Mandos client and server.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

127

115

128

116

</group>

129

117

<sbr/>

130

<group>

131

<arg choice="plain"><option>--tls-keytype

132

<replaceable>KEYTYPE</replaceable></option></arg>

133

<arg choice="plain"><option>-T

134

<replaceable>KEYTYPE</replaceable></option></arg>

135

</group>

136

<sbr/>

137

<group>

138

<arg choice="plain"><option>--force</option></arg>

139

140

</group>

118

<arg><option>--force</option></arg>

141

119

</cmdsynopsis>

142

120

143

121

<command>&COMMANDNAME;</command>

144

122

145

123

<arg choice="plain"><option>--password</option></arg>

146

124

147

<arg choice="plain"><option>--passfile

148

149

150

151

125

</group>

152

126

<sbr/>

153

127

<group>

163

137

<arg choice="plain"><option>-n

164

138

165

139

</group>

166

<group>

167

168

169

</group>

170

140

</cmdsynopsis>

171

141

172

142

<command>&COMMANDNAME;</command>

188

158

<title>DESCRIPTION</title>

189

159

<para>

190

160

<command>&COMMANDNAME;</command> is a program to generate the

191

TLS and OpenPGP keys used by

161

OpenPGP key used by

192

162

<citerefentry><refentrytitle>mandos-client</refentrytitle>

193

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

194

normally written to /etc/keys/mandos for later installation into

195

the initrd image, but this, and most other things, can be

196

changed with command line options.

163

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

164

normally written to /etc/mandos for later installation into the

165

initrd image, but this, and most other things, can be changed

166

with command line options.

197

167

</para>

198

168

<para>

199

169

This program can also be used with the

200

<option>--password</option> or <option>--passfile</option>

201

options to generate a ready-made section for

202

<filename>clients.conf</filename> (see

170

<option>--password</option> option to generate a ready-made

171

section for <filename>clients.conf</filename> (see

203

172

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

204

173

<manvolnum>5</manvolnum></citerefentry>).

205

174

</para>

228

197

</para>

229

198

</listitem>

230

199

</varlistentry>

231

200

232

201

233

202

<term><option>--dir

234

203

<replaceable>DIRECTORY</replaceable></option></term>

236

205

<replaceable>DIRECTORY</replaceable></option></term>

237

206

238

207

<para>

239

Target directory for key files. Default is <filename

240

class="directory">/etc/keys/mandos</filename>.

208

Target directory for key files. Default is

209

<filename>/etc/mandos</filename>.

241

210

</para>

242

211

</listitem>

243

212

</varlistentry>

244

213

245

214

246

215

<term><option>--type

247

216

249

218

250

219

251

220

<para>

252

OpenPGP key type. Default is <quote>RSA</quote>.

221

Key type. Default is <quote>DSA</quote>.

253

222

</para>

254

223

</listitem>

255

224

</varlistentry>

256

225

257

226

258

227

<term><option>--length

259

228

261

230

262

231

263

232

<para>

264

OpenPGP key length in bits. Default is 4096.

233

Key length in bits. Default is 2048.

265

234

</para>

266

235

</listitem>

267

236

</varlistentry>

268

237

269

238

270

239

<term><option>--subtype

271

240

<replaceable>KEYTYPE</replaceable></option></term>

273

242

<replaceable>KEYTYPE</replaceable></option></term>

274

243

275

244

<para>

276

OpenPGP subkey type. Default is <quote>RSA</quote>

245

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

246

encryption-only).

277

247

</para>

278

248

</listitem>

279

249

</varlistentry>

280

250

281

251

282

252

<term><option>--sublength

283

253

285

255

286

256

287

257

<para>

288

OpenPGP subkey length in bits. Default is 4096.

258

Subkey length in bits. Default is 2048.

289

259

</para>

290

260

</listitem>

291

261

</varlistentry>

292

262

293

263

294

264

<term><option>--email

295

265

<replaceable>ADDRESS</replaceable></option></term>

301

271

</para>

302

272

</listitem>

303

273

</varlistentry>

304

274

305

275

306

276

<term><option>--comment

307

277

309

279

310

280

311

281

<para>

312

Comment field for key. Default is empty.

282

Comment field for key. The default value is

283

<quote><literal>Mandos client key</literal></quote>.

313

284

</para>

314

285

</listitem>

315

286

</varlistentry>

316

287

317

288

318

289

<term><option>--expire

319

290

327

298

</para>

328

299

</listitem>

329

300

</varlistentry>

330

331

332

<term><option>--tls-keytype

333

<replaceable>KEYTYPE</replaceable></option></term>

334

<term><option>-T

335

<replaceable>KEYTYPE</replaceable></option></term>

336

337

<para>

338

TLS key type. Default is <quote>ed25519</quote>

339

</para>

340

</listitem>

341

</varlistentry>

342

301

343

302

344

303

<term><option>--force</option></term>

345

304

355

314

356

315

<para>

357

316

Prompt for a password and encrypt it with the key already

358

present in either <filename>/etc/keys/mandos</filename> or

359

the directory specified with the <option>--dir</option>

317

present in either <filename>/etc/mandos</filename> or the

318

directory specified with the <option>--dir</option>

360

319

option. Outputs, on standard output, a section suitable

361

320

for inclusion in <citerefentry><refentrytitle

362

321

>mandos-clients.conf</refentrytitle><manvolnum

367

326

</para>

368

327

</listitem>

369

328

</varlistentry>

370

371

<term><option>--passfile

372

373

<term><option>-F

374

375

376

<para>

377

The same as <option>--password</option>, but read from

378

<replaceable>FILE</replaceable>, not the terminal.

379

</para>

380

</listitem>

381

</varlistentry>

382

383

384

385

386

<para>

387

When <option>--password</option> or

388

<option>--passfile</option> is given, this option will

389

prevent <command>&COMMANDNAME;</command> from calling

390

<command>ssh-keyscan</command> to get an SSH fingerprint

391

for this host and, if successful, output suitable config

392

options to use this fingerprint as a

393

<option>checker</option> option in the output. This is

394

otherwise the default behavior.

395

</para>

396

</listitem>

397

</varlistentry>

398

329

</variablelist>

399

330

</refsect1>

400

331

401

332

402

333

<title>OVERVIEW</title>

403

334

<xi:include href="overview.xml"/>

404

335

<para>

405

This program is a small utility to generate new TLS and OpenPGP

406

keys for new Mandos clients, and to generate sections for

407

inclusion in <filename>clients.conf</filename> on the server.

336

This program is a small utility to generate new OpenPGP keys for

337

new Mandos clients, and to generate sections for inclusion in

338

<filename>clients.conf</filename> on the server.

408

339

</para>

409

340

</refsect1>

410

341

411

342

412

343

<title>EXIT STATUS</title>

413

344

<para>

433

364

</variablelist>

434

365

</refsect1>

435

366

436

367

437

368

<title>FILES</title>

438

369

<para>

439

370

Use the <option>--dir</option> option to change where

442

373

</para>

443

374

444

375

445

<term><filename>/etc/keys/mandos/seckey.txt</filename></term>

376

<term><filename>/etc/mandos/seckey.txt</filename></term>

446

377

447

378

<para>

448

379

OpenPGP secret key file which will be created or

451

382

</listitem>

452

383

</varlistentry>

453

384

454

<term><filename>/etc/keys/mandos/pubkey.txt</filename></term>

385

<term><filename>/etc/mandos/pubkey.txt</filename></term>

455

386

456

387

<para>

457

388

OpenPGP public key file which will be created or

460

391

</listitem>

461

392

</varlistentry>

462

393

463

<term><filename>/etc/keys/mandos/tls-privkey.pem</filename></term>

464

465

<para>

466

Private key file which will be created or overwritten.

467

</para>

468

</listitem>

469

</varlistentry>

470

471

<term><filename>/etc/keys/mandos/tls-pubkey.pem</filename></term>

472

473

<para>

474

Public key file which will be created or overwritten.

475

</para>

476

</listitem>

477

</varlistentry>

478

479

394

480

395

481

396

<para>

482

397

Temporary files will be written here if

486

401

</varlistentry>

487

402

</variablelist>

488

403

</refsect1>

489

490

491

492

<xi:include href="bugs.xml"/>

493

</refsect1>

494

404

405

406

407

408

409

410

495

411

496

412

<title>EXAMPLE</title>

497

413

516

432

</informalexample>

517

433

518

434

<para>

519

Prompt for a password, encrypt it with the keys in <filename

520

class="directory">/etc/keys/mandos</filename> and output a

521

section suitable for <filename>clients.conf</filename>.

435

Prompt for a password, encrypt it with the key in

436

<filename>/etc/mandos</filename> and output a section suitable

437

for <filename>clients.conf</filename>.

522

438

</para>

523

439

<para>

524

440

<userinput>&COMMANDNAME; --password</userinput>

526

442

</informalexample>

527

443

528

444

<para>

529

Prompt for a password, encrypt it with the keys in the

445

Prompt for a password, encrypt it with the key in the

530

446

<filename>client-key</filename> directory and output a section

531

447

suitable for <filename>clients.conf</filename>.

532

448

</para>

538

454

</para>

539

455

</informalexample>

540

456

</refsect1>

541

457

542

458

543

459

<title>SECURITY</title>

544

460

<para>

553

469

<manvolnum>8</manvolnum></citerefentry>.

554

470

</para>

555

471

</refsect1>

556

472

557

473

558

474

559

475

<para>

560

<citerefentry><refentrytitle>intro</refentrytitle>

561

<manvolnum>8mandos</manvolnum></citerefentry>,

562

476

563

477

<manvolnum>1</manvolnum></citerefentry>,

564

478

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

566

480

<citerefentry><refentrytitle>mandos</refentrytitle>

567

481

<manvolnum>8</manvolnum></citerefentry>,

568

482

<citerefentry><refentrytitle>mandos-client</refentrytitle>

569

<manvolnum>8mandos</manvolnum></citerefentry>,

570

<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>

571

483

<manvolnum>8mandos</manvolnum></citerefentry>

572

484

</para>

573

485

</refsect1>

574

486

Older »