/mandos/trunk : revision 185

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2008-09-17 00:34:09 UTC
Revision ID: teddy@fukt.bsnet.se-20080917003409-bxbjsc4o69nx40t6

* .bzr-builddeb/default.conf: New.

* Makefile (install-server): Do not create directories that
                             should already be present in a
                             normal system.
  (install-client-nokey): - '' -  Also specify non-executable
                          mode for "initramfs-tools-hook-conf".

* README: Improved wording.  Use real copyright mark.

* debian/changelog: New.
* debian/compat: - '' -
* debian/control: - '' -
* debian/copyright: - '' -
* debian/mandos-client.README.Debian: - '' -
* debian/mandos-client.dirs: - '' -
* debian/mandos-client.lintian-overrides: - '' -
* debian/mandos-client.postinst: - '' -
* debian/mandos-client.postrm: - '' -
* debian/mandos.dirs: - '' -
* debian/mandos.lintian-overrides: - '' -
* debian/rules: - '' -
* default-mandos: - '' -

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

INSTALL

README

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/rules

default-mandos

etc-plugins.d-README

init.d-mandos

legalnotice.xml

plugin-runner.conf

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

TODO

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2008-08-29">

<!ENTITY TIMESTAMP "2008-09-12">

<title>&COMMANDNAME;</title>

<title>Mandos Manual</title>

<productname>&COMMANDNAME;</productname>

<productname>Mandos</productname>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Generate keys for <citerefentry><refentrytitle>password-request

</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>

Generate key and password for Mandos client and server.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<replaceable>directory</replaceable></arg>

</group>

</group>

<arg choice="plain"><option>--length</option>

</group>

<arg choice="plain"><option>--subtype</option>

</group>

<arg choice="plain"><option>--sublength</option>

</group>

100

101

</group>

102

103

<arg choice="plain"><option>--email</option>

104

<replaceable>EMAIL</replaceable></arg>

105

</group>

106

107

<arg choice="plain"><option>--comment</option>

108

<replaceable>COMMENT</replaceable></arg>

109

</group>

110

111

<arg choice="plain"><option>--expire</option>

112

113

</group>

114

115

<arg choice="plain"><option>--force</option></arg>

116

</group>

117

</cmdsynopsis>

118

119

<command>&COMMANDNAME;</command>

120

121

122

<replaceable>directory</replaceable></arg>

123

</group>

124

125

126

127

</group>

128

129

130

131

</group>

132

133

134

135

</group>

136

137

138

139

</group>

140

141

142

143

</group>

144

145

146

<replaceable>EMAIL</replaceable></arg>

147

</group>

148

149

150

<replaceable>COMMENT</replaceable></arg>

151

</group>

152

153

154

155

</group>

156

157

158

</group>

<group>

<arg choice="plain"><option>--dir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--type

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-t

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--length

<arg choice="plain"><option>-l

</group>

<sbr/>

<group>

<arg choice="plain"><option>--subtype

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-s

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--sublength

<arg choice="plain"><option>-L

</group>

<sbr/>

<group>

<arg choice="plain"><option>--name

<arg choice="plain"><option>-n

</group>

<sbr/>

<group>

<arg choice="plain"><option>--email

<replaceable>ADDRESS</replaceable></option></arg>

100

<arg choice="plain"><option>-e

101

<replaceable>ADDRESS</replaceable></option></arg>

102

</group>

103

<sbr/>

104

<group>

105

<arg choice="plain"><option>--comment

106

107

<arg choice="plain"><option>-c

108

109

</group>

110

<sbr/>

111

<group>

112

<arg choice="plain"><option>--expire

113

114

<arg choice="plain"><option>-x

115

116

</group>

117

<sbr/>

118

<arg><option>--force</option></arg>

159

119

</cmdsynopsis>

160

120

161

121

<command>&COMMANDNAME;</command>

162

122

123

<arg choice="plain"><option>--password</option></arg>

163

124

164

<arg choice="plain"><option>--password</option></arg>

165

</group>

166

167

168

<replaceable>directory</replaceable></arg>

169

</group>

170

171

172

125

</group>

126

<sbr/>

127

<group>

128

<arg choice="plain"><option>--dir

129

<replaceable>DIRECTORY</replaceable></option></arg>

130

<arg choice="plain"><option>-d

131

<replaceable>DIRECTORY</replaceable></option></arg>

132

</group>

133

<sbr/>

134

<group>

135

<arg choice="plain"><option>--name

136

137

<arg choice="plain"><option>-n

138

173

139

</group>

174

140

</cmdsynopsis>

175

141

176

142

<command>&COMMANDNAME;</command>

177

143

144

178

145

179

180

146

</group>

181

147

</cmdsynopsis>

182

148

183

149

<command>&COMMANDNAME;</command>

184

150

151

<arg choice="plain"><option>--version</option></arg>

185

152

186

<arg choice="plain"><option>--version</option></arg>

187

153

</group>

188

154

</cmdsynopsis>

189

155

</refsynopsisdiv>

190

156

191

157

192

158

<title>DESCRIPTION</title>

193

159

<para>

194

160

<command>&COMMANDNAME;</command> is a program to generate the

195

OpenPGP keys used by

196

<citerefentry><refentrytitle>password-request</refentrytitle>

197

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

161

OpenPGP key used by

162

<citerefentry><refentrytitle>mandos-client</refentrytitle>

163

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

198

164

normally written to /etc/mandos for later installation into the

199

initrd image, but this, like most things, can be changed with

200

command line options.

165

initrd image, but this, and most other things, can be changed

166

with command line options.

201

167

</para>

202

168

<para>

203

It can also be used to generate ready-made sections for

169

This program can also be used with the

170

<option>--password</option> option to generate a ready-made

171

section for <filename>clients.conf</filename> (see

204

172

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

205

<manvolnum>5</manvolnum></citerefentry> using the

206

<option>--password</option> option.

173

<manvolnum>5</manvolnum></citerefentry>).

207

174

</para>

208

175

</refsect1>

209

176

210

177

211

178

<title>PURPOSE</title>

212

213

179

<para>

214

180

The purpose of this is to enable <emphasis>remote and unattended

215

181

rebooting</emphasis> of client host computer with an

216

182

<emphasis>encrypted root file system</emphasis>. See <xref

217

183

linkend="overview"/> for details.

218

184

</para>

219

220

185

</refsect1>

221

186

222

187

223

188

<title>OPTIONS</title>

224

189

225

190

226

191

227

192

193

228

194

229

195

<para>

230

196

Show a help message and exit

231

197

</para>

232

198

</listitem>

233

199

</varlistentry>

234

200

235

201

236

<term><literal>-d</literal>, <literal>--dir

237

<replaceable>directory</replaceable></literal></term>

202

<term><option>--dir

203

<replaceable>DIRECTORY</replaceable></option></term>

204

<term><option>-d

205

<replaceable>DIRECTORY</replaceable></option></term>

238

206

239

207

<para>

240

208

Target directory for key files. Default is

242

210

</para>

243

211

</listitem>

244

212

</varlistentry>

245

213

246

214

247

<term><literal>-t</literal>, <literal>--type

248

215

<term><option>--type

216

217

<term><option>-t

218

249

219

250

220

<para>

251

221

Key type. Default is <quote>DSA</quote>.

252

222

</para>

253

223

</listitem>

254

224

</varlistentry>

255

225

256

226

257

<term><literal>-l</literal>, <literal>--length

258

227

<term><option>--length

228

229

<term><option>-l

230

259

231

260

232

<para>

261

233

Key length in bits. Default is 2048.

262

234

</para>

263

235

</listitem>

264

236

</varlistentry>

265

237

266

238

267

<term><literal>-s</literal>, <literal>--subtype

268

239

<term><option>--subtype

240

<replaceable>KEYTYPE</replaceable></option></term>

241

<term><option>-s

242

<replaceable>KEYTYPE</replaceable></option></term>

269

243

270

244

<para>

271

245

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

273

247

</para>

274

248

</listitem>

275

249

</varlistentry>

276

250

277

251

278

<term><literal>-L</literal>, <literal>--sublength

279

252

<term><option>--sublength

253

254

<term><option>-L

255

280

256

281

257

<para>

282

258

Subkey length in bits. Default is 2048.

283

259

</para>

284

260

</listitem>

285

261

</varlistentry>

286

262

287

263

288

<term><literal>-e</literal>, <literal>--email</literal>

289

<replaceable>address</replaceable></term>

264

<term><option>--email

265

<replaceable>ADDRESS</replaceable></option></term>

266

<term><option>-e

267

<replaceable>ADDRESS</replaceable></option></term>

290

268

291

269

<para>

292

270

Email address of key. Default is empty.

293

271

</para>

294

272

</listitem>

295

273

</varlistentry>

296

274

297

275

298

<term><literal>-c</literal>, <literal>--comment</literal>

299

<replaceable>comment</replaceable></term>

276

<term><option>--comment

277

278

<term><option>-c

279

300

280

301

281

<para>

302

282

Comment field for key. The default value is

304

284

</para>

305

285

</listitem>

306

286

</varlistentry>

307

287

308

288

309

<term><literal>-x</literal>, <literal>--expire</literal>

310

289

<term><option>--expire

290

291

<term><option>-x

292

311

293

312

294

<para>

313

295

Key expire time. Default is no expiration. See

316

298

</para>

317

299

</listitem>

318

300

</varlistentry>

319

301

320

302

321

<term><literal>-f</literal>, <literal>--force</literal></term>

303

<term><option>--force</option></term>

304

322

305

323

306

<para>

324

Force overwriting old keys.

307

Force overwriting old key.

325

308

</para>

326

309

</listitem>

327

310

</varlistentry>

328

311

329

<term><literal>-p</literal>, <literal>--password</literal

330

></term>

312

<term><option>--password</option></term>

313

331

314

332

315

<para>

333

316

Prompt for a password and encrypt it with the key already

339

322

>8</manvolnum></citerefentry>. The host name or the name

340

323

specified with the <option>--name</option> option is used

341

324

for the section header. All other options are ignored,

342

and no keys are created.

325

and no key is created.

343

326

</para>

344

327

</listitem>

345

328

</varlistentry>

346

329

</variablelist>

347

330

</refsect1>

348

331

349

332

350

333

<title>OVERVIEW</title>

351

334

<xi:include href="overview.xml"/>

352

335

<para>

353

336

This program is a small utility to generate new OpenPGP keys for

354

new Mandos clients.

337

new Mandos clients, and to generate sections for inclusion in

338

<filename>clients.conf</filename> on the server.

355

339

</para>

356

340

</refsect1>

357

341

358

342

359

343

<title>EXIT STATUS</title>

360

344

<para>

361

The exit status will be 0 if new keys were successfully created,

362

otherwise not.

345

The exit status will be 0 if a new key (or password, if the

346

<option>--password</option> option was used) was successfully

347

created, otherwise not.

363

348

</para>

364

349

</refsect1>

365

350

367

352

<title>ENVIRONMENT</title>

368

353

369

354

370

<term><varname>TMPDIR</varname></term>

355

<term><envar>TMPDIR</envar></term>

371

356

372

357

<para>

373

358

If set, temporary files will be created here. See

416

401

</varlistentry>

417

402

</variablelist>

418

403

</refsect1>

419

420

421

422

<para>

423

None are known at this time.

424

</para>

425

</refsect1>

426

404

405

406

407

408

409

410

427

411

428

412

<title>EXAMPLE</title>

429

413

431

415

Normal invocation needs no options:

432

416

</para>

433

417

<para>

434

<userinput>mandos-keygen</userinput>

418

<userinput>&COMMANDNAME;</userinput>

435

419

</para>

436

420

</informalexample>

437

421

438

422

<para>

439

Create keys in another directory and of another type. Force

423

Create key in another directory and of another type. Force

440

424

overwriting old key files:

441

425

</para>

442

426

<para>

443

427

444

428

445

<userinput>mandos-keygen --dir ~/keydir --type RSA --force</userinput>

429

<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>

430

431

</para>

432

</informalexample>

433

434

<para>

435

Prompt for a password, encrypt it with the key in

436

<filename>/etc/mandos</filename> and output a section suitable

437

for <filename>clients.conf</filename>.

438

</para>

439

<para>

440

<userinput>&COMMANDNAME; --password</userinput>

441

</para>

442

</informalexample>

443

444

<para>

445

Prompt for a password, encrypt it with the key in the

446

<filename>client-key</filename> directory and output a section

447

suitable for <filename>clients.conf</filename>.

448

</para>

449

<para>

450

451

452

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

446

453

447

454

</para>

448

455

</informalexample>

449

456

</refsect1>

450

457

451

458

452

459

<title>SECURITY</title>

453

460

<para>

454

461

The <option>--type</option>, <option>--length</option>,

455

462

<option>--subtype</option>, and <option>--sublength</option>

456

options can be used to create keys of insufficient security. If

457

in doubt, leave them to the default values.

463

options can be used to create keys of low security. If in

464

doubt, leave them to the default values.

458

465

</para>

459

466

<para>

460

The key expire time is not guaranteed to be honored by

461

<citerefentry><refentrytitle>mandos</refentrytitle>

467

The key expire time is <emphasis>not</emphasis> guaranteed to be

468

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

462

469

<manvolnum>8</manvolnum></citerefentry>.

463

470

</para>

464

471

</refsect1>

465

472

466

473

467

474

468

475

<para>

469

<citerefentry><refentrytitle>password-request</refentrytitle>

470

<manvolnum>8mandos</manvolnum></citerefentry>,

476

477

<manvolnum>1</manvolnum></citerefentry>,

478

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

479

<manvolnum>5</manvolnum></citerefentry>,

471

480

<citerefentry><refentrytitle>mandos</refentrytitle>

472

481

<manvolnum>8</manvolnum></citerefentry>,

473

474

482

<citerefentry><refentrytitle>mandos-client</refentrytitle>

483

<manvolnum>8mandos</manvolnum></citerefentry>

475

484

</para>

476

485

</refsect1>

477

486

Older »