/mandos/trunk : revision 177

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2008-09-07 09:36:35 UTC
Revision ID: teddy@fukt.bsnet.se-20080907093635-yg1y272yv53dijhp

* Makefile (CONFDIR): Changed to be the same ("/etc/mandos") in both a
                      /usr/local install and a package install.
  (KEYDIR): Changed /usr/local install value to be "/etc/mandos/keys".
  (INITRAMFSTOOLS): Use $(DESTDIR) in /usr/local value too.

* initramfs-tools-hook: Look in "/etc/mandos/keys" too.

files added:
etc-plugins.d-README

initramfs-tools-hook-conf

plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

initramfs-tools-conf

initramfs-tools-script-stop

initramfs-unpack

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files modified:
.bzrignore

Makefile

README

TODO

clients.conf

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2019-02-10">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-09-06">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

Generate key and password for Mandos client and server.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

126

115

127

116

</group>

128

117

<sbr/>

129

<group>

130

<arg choice="plain"><option>--tls-keytype

131

<replaceable>KEYTYPE</replaceable></option></arg>

132

<arg choice="plain"><option>-T

133

<replaceable>KEYTYPE</replaceable></option></arg>

134

</group>

135

<sbr/>

136

<group>

137

<arg choice="plain"><option>--force</option></arg>

138

139

</group>

118

<arg><option>--force</option></arg>

140

119

</cmdsynopsis>

141

120

142

121

<command>&COMMANDNAME;</command>

143

122

144

123

<arg choice="plain"><option>--password</option></arg>

145

124

146

<arg choice="plain"><option>--passfile

147

148

149

150

125

</group>

151

126

<sbr/>

152

127

<group>

162

137

<arg choice="plain"><option>-n

163

138

164

139

</group>

165

<group>

166

167

168

</group>

169

140

</cmdsynopsis>

170

141

171

142

<command>&COMMANDNAME;</command>

187

158

<title>DESCRIPTION</title>

188

159

<para>

189

160

<command>&COMMANDNAME;</command> is a program to generate the

190

TLS and OpenPGP keys used by

161

OpenPGP key used by

191

162

<citerefentry><refentrytitle>mandos-client</refentrytitle>

192

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

193

normally written to /etc/keys/mandos for later installation into

194

the initrd image, but this, and most other things, can be

195

changed with command line options.

163

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

164

normally written to /etc/mandos for later installation into the

165

initrd image, but this, and most other things, can be changed

166

with command line options.

196

167

</para>

197

168

<para>

198

169

This program can also be used with the

199

<option>--password</option> or <option>--passfile</option>

200

options to generate a ready-made section for

201

<filename>clients.conf</filename> (see

170

<option>--password</option> option to generate a ready-made

171

section for <filename>clients.conf</filename> (see

202

172

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

203

173

<manvolnum>5</manvolnum></citerefentry>).

204

174

</para>

227

197

</para>

228

198

</listitem>

229

199

</varlistentry>

230

200

231

201

232

202

<term><option>--dir

233

203

<replaceable>DIRECTORY</replaceable></option></term>

235

205

<replaceable>DIRECTORY</replaceable></option></term>

236

206

237

207

<para>

238

Target directory for key files. Default is <filename

239

class="directory">/etc/keys/mandos</filename>.

208

Target directory for key files. Default is

209

<filename>/etc/mandos</filename>.

240

210

</para>

241

211

</listitem>

242

212

</varlistentry>

243

213

244

214

245

215

<term><option>--type

246

216

248

218

249

219

250

220

<para>

251

OpenPGP key type. Default is <quote>RSA</quote>.

221

Key type. Default is <quote>DSA</quote>.

252

222

</para>

253

223

</listitem>

254

224

</varlistentry>

255

225

256

226

257

227

<term><option>--length

258

228

260

230

261

231

262

232

<para>

263

OpenPGP key length in bits. Default is 4096.

233

Key length in bits. Default is 2048.

264

234

</para>

265

235

</listitem>

266

236

</varlistentry>

267

237

268

238

269

239

<term><option>--subtype

270

240

<replaceable>KEYTYPE</replaceable></option></term>

272

242

<replaceable>KEYTYPE</replaceable></option></term>

273

243

274

244

<para>

275

OpenPGP subkey type. Default is <quote>RSA</quote>

245

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

246

encryption-only).

276

247

</para>

277

248

</listitem>

278

249

</varlistentry>

279

250

280

251

281

252

<term><option>--sublength

282

253

284

255

285

256

286

257

<para>

287

OpenPGP subkey length in bits. Default is 4096.

258

Subkey length in bits. Default is 2048.

288

259

</para>

289

260

</listitem>

290

261

</varlistentry>

291

262

292

263

293

264

<term><option>--email

294

265

<replaceable>ADDRESS</replaceable></option></term>

300

271

</para>

301

272

</listitem>

302

273

</varlistentry>

303

274

304

275

305

276

<term><option>--comment

306

277

308

279

309

280

310

281

<para>

311

Comment field for key. Default is empty.

282

Comment field for key. The default value is

283

<quote><literal>Mandos client key</literal></quote>.

312

284

</para>

313

285

</listitem>

314

286

</varlistentry>

315

287

316

288

317

289

<term><option>--expire

318

290

326

298

</para>

327

299

</listitem>

328

300

</varlistentry>

329

330

331

<term><option>--tls-keytype

332

<replaceable>KEYTYPE</replaceable></option></term>

333

<term><option>-T

334

<replaceable>KEYTYPE</replaceable></option></term>

335

336

<para>

337

TLS key type. Default is <quote>ed25519</quote>

338

</para>

339

</listitem>

340

</varlistentry>

341

301

342

302

343

303

<term><option>--force</option></term>

344

304

354

314

355

315

<para>

356

316

Prompt for a password and encrypt it with the key already

357

present in either <filename>/etc/keys/mandos</filename> or

358

the directory specified with the <option>--dir</option>

317

present in either <filename>/etc/mandos</filename> or the

318

directory specified with the <option>--dir</option>

359

319

option. Outputs, on standard output, a section suitable

360

320

for inclusion in <citerefentry><refentrytitle

361

321

>mandos-clients.conf</refentrytitle><manvolnum

366

326

</para>

367

327

</listitem>

368

328

</varlistentry>

369

370

<term><option>--passfile

371

372

<term><option>-F

373

374

375

<para>

376

The same as <option>--password</option>, but read from

377

<replaceable>FILE</replaceable>, not the terminal.

378

</para>

379

</listitem>

380

</varlistentry>

381

382

383

384

385

<para>

386

When <option>--password</option> or

387

<option>--passfile</option> is given, this option will

388

prevent <command>&COMMANDNAME;</command> from calling

389

<command>ssh-keyscan</command> to get an SSH fingerprint

390

for this host and, if successful, output suitable config

391

options to use this fingerprint as a

392

<option>checker</option> option in the output. This is

393

otherwise the default behavior.

394

</para>

395

</listitem>

396

</varlistentry>

397

329

</variablelist>

398

330

</refsect1>

399

331

400

332

401

333

<title>OVERVIEW</title>

402

334

<xi:include href="overview.xml"/>

403

335

<para>

404

This program is a small utility to generate new TLS and OpenPGP

405

keys for new Mandos clients, and to generate sections for

406

inclusion in <filename>clients.conf</filename> on the server.

336

This program is a small utility to generate new OpenPGP keys for

337

new Mandos clients, and to generate sections for inclusion in

338

<filename>clients.conf</filename> on the server.

407

339

</para>

408

340

</refsect1>

409

341

410

342

411

343

<title>EXIT STATUS</title>

412

344

<para>

432

364

</variablelist>

433

365

</refsect1>

434

366

435

367

436

368

<title>FILES</title>

437

369

<para>

438

370

Use the <option>--dir</option> option to change where

441

373

</para>

442

374

443

375

444

<term><filename>/etc/keys/mandos/seckey.txt</filename></term>

376

<term><filename>/etc/mandos/seckey.txt</filename></term>

445

377

446

378

<para>

447

379

OpenPGP secret key file which will be created or

450

382

</listitem>

451

383

</varlistentry>

452

384

453

<term><filename>/etc/keys/mandos/pubkey.txt</filename></term>

385

<term><filename>/etc/mandos/pubkey.txt</filename></term>

454

386

455

387

<para>

456

388

OpenPGP public key file which will be created or

459

391

</listitem>

460

392

</varlistentry>

461

393

462

<term><filename>/etc/keys/mandos/tls-privkey.pem</filename></term>

463

464

<para>

465

Private key file which will be created or overwritten.

466

</para>

467

</listitem>

468

</varlistentry>

469

470

<term><filename>/etc/keys/mandos/tls-pubkey.pem</filename></term>

471

472

<para>

473

Public key file which will be created or overwritten.

474

</para>

475

</listitem>

476

</varlistentry>

477

478

394

479

395

480

396

<para>

481

397

Temporary files will be written here if

485

401

</varlistentry>

486

402

</variablelist>

487

403

</refsect1>

488

489

490

491

<xi:include href="bugs.xml"/>

492

</refsect1>

493

404

405

406

407

408

409

410

494

411

495

412

<title>EXAMPLE</title>

496

413

515

432

</informalexample>

516

433

517

434

<para>

518

Prompt for a password, encrypt it with the keys in <filename

519

class="directory">/etc/keys/mandos</filename> and output a

520

section suitable for <filename>clients.conf</filename>.

435

Prompt for a password, encrypt it with the key in

436

<filename>/etc/mandos</filename> and output a section suitable

437

for <filename>clients.conf</filename>.

521

438

</para>

522

439

<para>

523

440

<userinput>&COMMANDNAME; --password</userinput>

525

442

</informalexample>

526

443

527

444

<para>

528

Prompt for a password, encrypt it with the keys in the

445

Prompt for a password, encrypt it with the key in the

529

446

<filename>client-key</filename> directory and output a section

530

447

suitable for <filename>clients.conf</filename>.

531

448

</para>

537

454

</para>

538

455

</informalexample>

539

456

</refsect1>

540

457

541

458

542

459

<title>SECURITY</title>

543

460

<para>

552

469

<manvolnum>8</manvolnum></citerefentry>.

553

470

</para>

554

471

</refsect1>

555

472

556

473

557

474

558

475

<para>

559

<citerefentry><refentrytitle>intro</refentrytitle>

560

<manvolnum>8mandos</manvolnum></citerefentry>,

561

476

562

477

<manvolnum>1</manvolnum></citerefentry>,

563

478

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

565

480

<citerefentry><refentrytitle>mandos</refentrytitle>

566

481

<manvolnum>8</manvolnum></citerefentry>,

567

482

<citerefentry><refentrytitle>mandos-client</refentrytitle>

568

<manvolnum>8mandos</manvolnum></citerefentry>,

569

<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>

570

483

<manvolnum>8mandos</manvolnum></citerefentry>

571

484

</para>

572

485

</refsect1>

573

486

Older »