/mandos/trunk : revision 200

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2008-09-21 12:04:02 UTC
Revision ID: teddy@fukt.bsnet.se-20080921120402-mgd2jl8xo634jw18

* Makefile: Put the init script before avahi-daemon.

* debian/mandos.prerm: Bug fix: stop mandos, not ssh.

* debian/rules (install-indep): Put the init script before
avahi-daemon.

* init.d/mandos: Require "avahi-daemon".

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

INSTALL

README

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.config

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.config

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/sv.po

debian/rules

default-mandos

init.d-mandos

legalnotice.xml

plugin-runner.conf

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

TODO

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2008-08-30">

<!ENTITY TIMESTAMP "2008-09-20">

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Generate keys for <citerefentry><refentrytitle>password-request

</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>

Generate key and password for Mandos client and server.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<replaceable>directory</replaceable></arg>

</group>

</group>

<arg choice="plain"><option>--length</option>

</group>

<arg choice="plain"><option>--subtype</option>

</group>

<arg choice="plain"><option>--sublength</option>

</group>

100

101

</group>

102

103

<arg choice="plain"><option>--email</option>

104

<replaceable>EMAIL</replaceable></arg>

105

</group>

106

107

<arg choice="plain"><option>--comment</option>

108

<replaceable>COMMENT</replaceable></arg>

109

</group>

110

111

<arg choice="plain"><option>--expire</option>

112

113

</group>

114

115

<arg choice="plain"><option>--force</option></arg>

116

</group>

117

</cmdsynopsis>

118

119

<command>&COMMANDNAME;</command>

120

121

122

<replaceable>directory</replaceable></arg>

123

</group>

124

125

126

127

</group>

128

129

130

131

</group>

132

133

134

135

</group>

136

137

138

139

</group>

140

141

142

143

</group>

144

145

146

<replaceable>EMAIL</replaceable></arg>

147

</group>

148

149

150

<replaceable>COMMENT</replaceable></arg>

151

</group>

152

153

154

155

</group>

156

157

158

</group>

<group>

<arg choice="plain"><option>--dir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--type

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-t

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--length

<arg choice="plain"><option>-l

</group>

<sbr/>

<group>

<arg choice="plain"><option>--subtype

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-s

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--sublength

<arg choice="plain"><option>-L

</group>

<sbr/>

<group>

<arg choice="plain"><option>--name

<arg choice="plain"><option>-n

</group>

<sbr/>

<group>

<arg choice="plain"><option>--email

<replaceable>ADDRESS</replaceable></option></arg>

100

<arg choice="plain"><option>-e

101

<replaceable>ADDRESS</replaceable></option></arg>

102

</group>

103

<sbr/>

104

<group>

105

<arg choice="plain"><option>--comment

106

107

<arg choice="plain"><option>-c

108

109

</group>

110

<sbr/>

111

<group>

112

<arg choice="plain"><option>--expire

113

114

<arg choice="plain"><option>-x

115

116

</group>

117

<sbr/>

118

<arg><option>--force</option></arg>

159

119

</cmdsynopsis>

160

120

161

121

<command>&COMMANDNAME;</command>

162

122

123

<arg choice="plain"><option>--password</option></arg>

163

124

164

<arg choice="plain"><option>--password</option></arg>

165

</group>

166

167

168

<replaceable>directory</replaceable></arg>

169

</group>

170

171

172

125

<arg choice="plain"><option>--passfile

126

127

128

129

</group>

130

<sbr/>

131

<group>

132

<arg choice="plain"><option>--dir

133

<replaceable>DIRECTORY</replaceable></option></arg>

134

<arg choice="plain"><option>-d

135

<replaceable>DIRECTORY</replaceable></option></arg>

136

</group>

137

<sbr/>

138

<group>

139

<arg choice="plain"><option>--name

140

141

<arg choice="plain"><option>-n

142

173

143

</group>

174

144

</cmdsynopsis>

175

145

176

146

<command>&COMMANDNAME;</command>

177

147

148

178

149

179

180

150

</group>

181

151

</cmdsynopsis>

182

152

183

153

<command>&COMMANDNAME;</command>

184

154

155

<arg choice="plain"><option>--version</option></arg>

185

156

186

<arg choice="plain"><option>--version</option></arg>

187

157

</group>

188

158

</cmdsynopsis>

189

159

</refsynopsisdiv>

190

160

191

161

192

162

<title>DESCRIPTION</title>

193

163

<para>

194

164

<command>&COMMANDNAME;</command> is a program to generate the

195

OpenPGP keys used by

196

<citerefentry><refentrytitle>password-request</refentrytitle>

197

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

165

OpenPGP key used by

166

<citerefentry><refentrytitle>mandos-client</refentrytitle>

167

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

198

168

normally written to /etc/mandos for later installation into the

199

initrd image, but this, like most things, can be changed with

200

command line options.

169

initrd image, but this, and most other things, can be changed

170

with command line options.

201

171

</para>

202

172

<para>

203

It can also be used to generate ready-made sections for

173

This program can also be used with the

174

<option>--password</option> or <option>--passfile</option>

175

options to generate a ready-made section for

176

<filename>clients.conf</filename> (see

204

177

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

205

<manvolnum>5</manvolnum></citerefentry> using the

206

<option>--password</option> option.

178

<manvolnum>5</manvolnum></citerefentry>).

207

179

</para>

208

180

</refsect1>

209

181

210

182

211

183

<title>PURPOSE</title>

212

213

184

<para>

214

185

The purpose of this is to enable <emphasis>remote and unattended

215

186

rebooting</emphasis> of client host computer with an

216

187

<emphasis>encrypted root file system</emphasis>. See <xref

217

188

linkend="overview"/> for details.

218

189

</para>

219

220

190

</refsect1>

221

191

222

192

223

193

<title>OPTIONS</title>

224

194

225

195

226

196

227

197

198

228

199

229

200

<para>

230

201

Show a help message and exit

231

202

</para>

232

203

</listitem>

233

204

</varlistentry>

234

205

235

206

236

<term><literal>-d</literal>, <literal>--dir

237

<replaceable>directory</replaceable></literal></term>

207

<term><option>--dir

208

<replaceable>DIRECTORY</replaceable></option></term>

209

<term><option>-d

210

<replaceable>DIRECTORY</replaceable></option></term>

238

211

239

212

<para>

240

213

Target directory for key files. Default is

242

215

</para>

243

216

</listitem>

244

217

</varlistentry>

245

218

246

219

247

<term><literal>-t</literal>, <literal>--type

248

220

<term><option>--type

221

222

<term><option>-t

223

249

224

250

225

<para>

251

226

Key type. Default is <quote>DSA</quote>.

252

227

</para>

253

228

</listitem>

254

229

</varlistentry>

255

230

256

231

257

<term><literal>-l</literal>, <literal>--length

258

232

<term><option>--length

233

234

<term><option>-l

235

259

236

260

237

<para>

261

238

Key length in bits. Default is 2048.

262

239

</para>

263

240

</listitem>

264

241

</varlistentry>

265

242

266

243

267

<term><literal>-s</literal>, <literal>--subtype

268

244

<term><option>--subtype

245

<replaceable>KEYTYPE</replaceable></option></term>

246

<term><option>-s

247

<replaceable>KEYTYPE</replaceable></option></term>

269

248

270

249

<para>

271

250

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

273

252

</para>

274

253

</listitem>

275

254

</varlistentry>

276

255

277

256

278

<term><literal>-L</literal>, <literal>--sublength

279

257

<term><option>--sublength

258

259

<term><option>-L

260

280

261

281

262

<para>

282

263

Subkey length in bits. Default is 2048.

283

264

</para>

284

265

</listitem>

285

266

</varlistentry>

286

267

287

268

288

<term><literal>-e</literal>, <literal>--email</literal>

289

<replaceable>address</replaceable></term>

269

<term><option>--email

270

<replaceable>ADDRESS</replaceable></option></term>

271

<term><option>-e

272

<replaceable>ADDRESS</replaceable></option></term>

290

273

291

274

<para>

292

275

Email address of key. Default is empty.

293

276

</para>

294

277

</listitem>

295

278

</varlistentry>

296

279

297

280

298

<term><literal>-c</literal>, <literal>--comment</literal>

299

<replaceable>comment</replaceable></term>

281

<term><option>--comment

282

283

<term><option>-c

284

300

285

301

286

<para>

302

287

Comment field for key. The default value is

304

289

</para>

305

290

</listitem>

306

291

</varlistentry>

307

292

308

293

309

<term><literal>-x</literal>, <literal>--expire</literal>

310

294

<term><option>--expire

295

296

<term><option>-x

297

311

298

312

299

<para>

313

300

Key expire time. Default is no expiration. See

316

303

</para>

317

304

</listitem>

318

305

</varlistentry>

319

306

320

307

321

<term><literal>-f</literal>, <literal>--force</literal></term>

308

<term><option>--force</option></term>

309

322

310

323

311

<para>

324

Force overwriting old keys.

312

Force overwriting old key.

325

313

</para>

326

314

</listitem>

327

315

</varlistentry>

328

316

329

<term><literal>-p</literal>, <literal>--password</literal

330

></term>

317

<term><option>--password</option></term>

318

331

319

332

320

<para>

333

321

Prompt for a password and encrypt it with the key already

339

327

>8</manvolnum></citerefentry>. The host name or the name

340

328

specified with the <option>--name</option> option is used

341

329

for the section header. All other options are ignored,

342

and no keys are created.

330

and no key is created.

331

</para>

332

</listitem>

333

</varlistentry>

334

335

<term><option>--passfile

336

337

<term><option>-F

338

339

340

<para>

341

The same as <option>--password</option>, but read from

342

<replaceable>FILE</replaceable>, not the terminal.

343

</para>

344

</listitem>

345

</varlistentry>

346

</variablelist>

347

</refsect1>

348

349

350

<title>OVERVIEW</title>

351

<xi:include href="overview.xml"/>

352

<para>

353

This program is a small utility to generate new OpenPGP keys for

354

new Mandos clients.

354

new Mandos clients, and to generate sections for inclusion in

355

<filename>clients.conf</filename> on the server.

355

356

</para>

356

357

</refsect1>

357

358

359

359

360

<title>EXIT STATUS</title>

360

361

<para>

361

The exit status will be 0 if new keys were successfully created,

362

otherwise not.

362

The exit status will be 0 if a new key (or password, if the

363

<option>--password</option> option was used) was successfully

364

created, otherwise not.

363

365

</para>

364

366

</refsect1>

365

367

416

418

</varlistentry>

417

419

</variablelist>

418

420

</refsect1>

419

420

421

422

<para>

423

None are known at this time.

424

</para>

425

</refsect1>

426

421

422

423

424

425

426

427

428

428

429

<title>EXAMPLE</title>

429

430

436

437

</informalexample>

437

438

438

439

<para>

439

Create keys in another directory and of another type. Force

440

Create key in another directory and of another type. Force

440

441

overwriting old key files:

441

442

</para>

442

443

<para>

446

447

448

</para>

448

449

</informalexample>

450

451

<para>

452

Prompt for a password, encrypt it with the key in

453

<filename>/etc/mandos</filename> and output a section suitable

454

for <filename>clients.conf</filename>.

455

</para>

456

<para>

457

<userinput>&COMMANDNAME; --password</userinput>

458

</para>

459

</informalexample>

460

461

<para>

462

Prompt for a password, encrypt it with the key in the

463

<filename>client-key</filename> directory and output a section

464

suitable for <filename>clients.conf</filename>.

465

</para>

466

<para>

467

468

469

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

470

471

</para>

472

</informalexample>

449

473

</refsect1>

450

474

451

475

452

476

<title>SECURITY</title>

453

477

<para>

454

478

The <option>--type</option>, <option>--length</option>,

455

479

<option>--subtype</option>, and <option>--sublength</option>

456

options can be used to create keys of insufficient security. If

457

in doubt, leave them to the default values.

480

options can be used to create keys of low security. If in

481

doubt, leave them to the default values.

458

482

</para>

459

483

<para>

460

The key expire time is not guaranteed to be honored by

461

<citerefentry><refentrytitle>mandos</refentrytitle>

484

The key expire time is <emphasis>not</emphasis> guaranteed to be

485

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

462

486

<manvolnum>8</manvolnum></citerefentry>.

463

487

</para>

464

488

</refsect1>

465

489

466

490

467

491

468

492

<para>

469

493

470

494

<manvolnum>1</manvolnum></citerefentry>,

495

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

496

<manvolnum>5</manvolnum></citerefentry>,

471

497

<citerefentry><refentrytitle>mandos</refentrytitle>

472

498

<manvolnum>8</manvolnum></citerefentry>,

473

<citerefentry><refentrytitle>password-request</refentrytitle>

499

<citerefentry><refentrytitle>mandos-client</refentrytitle>

474

500

<manvolnum>8mandos</manvolnum></citerefentry>

475

501

</para>

476

502

</refsect1>

Older »