/mandos/trunk : revision 216

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2008-09-30 03:19:39 UTC
Revision ID: teddy@fukt.bsnet.se-20080930031939-t72se4dhr632o9ct

* Makefile: Add HTML rules for manual pages.
  (DOCBOOKTOHTML, HTMLPOST): New commands.
  (htmldocs): New file list.
  (html, install-html): New targets.
  (.PHONY, clean): Added "html".

* README (The Plugin System): New section; describe plugin system.

* debian/control (Uploaders): New field.

* mandos-options.xml (servicename): Improve wording.

* plugins.d/mandos-client.xml (SECURITY): Improve wording.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

INSTALL

README

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.config

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.config

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/sv.po

debian/rules

default-mandos

init.d-mandos

legalnotice.xml

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/splashy.c

plugins.d/usplash.c

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2008-09-20">

<title>&COMMANDNAME;</title>

<title>Mandos Manual</title>

<productname>&COMMANDNAME;</productname>

<productname>Mandos</productname>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Generate keys for <citerefentry><refentrytitle>password-request

</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>

Generate key and password for Mandos client and server.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<replaceable>directory</replaceable></arg>

</group>

</group>

<arg choice="plain"><option>--length</option>

</group>

<arg choice="plain"><option>--subtype</option>

</group>

<arg choice="plain"><option>--sublength</option>

</group>

</group>

100

101

<arg choice="plain"><option>--email</option>

102

<replaceable>EMAIL</replaceable></arg>

103

</group>

104

105

<arg choice="plain"><option>--comment</option>

106

<replaceable>COMMENT</replaceable></arg>

107

</group>

108

109

<arg choice="plain"><option>--expire</option>

110

111

</group>

112

113

<arg choice="plain"><option>--force</option></arg>

114

</group>

115

</cmdsynopsis>

116

117

<command>&COMMANDNAME;</command>

118

119

120

<replaceable>directory</replaceable></arg>

121

</group>

122

123

124

125

</group>

126

127

128

129

</group>

130

131

132

133

</group>

134

135

136

137

</group>

138

139

140

141

</group>

142

143

144

<replaceable>EMAIL</replaceable></arg>

145

</group>

146

147

148

<replaceable>COMMENT</replaceable></arg>

149

</group>

150

151

152

153

</group>

154

155

156

</group>

<group>

<arg choice="plain"><option>--dir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--type

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-t

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--length

<arg choice="plain"><option>-l

</group>

<sbr/>

<group>

<arg choice="plain"><option>--subtype

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-s

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--sublength

<arg choice="plain"><option>-L

</group>

<sbr/>

<group>

<arg choice="plain"><option>--name

<arg choice="plain"><option>-n

</group>

<sbr/>

<group>

<arg choice="plain"><option>--email

<replaceable>ADDRESS</replaceable></option></arg>

100

<arg choice="plain"><option>-e

101

<replaceable>ADDRESS</replaceable></option></arg>

102

</group>

103

<sbr/>

104

<group>

105

<arg choice="plain"><option>--comment

106

107

<arg choice="plain"><option>-c

108

109

</group>

110

<sbr/>

111

<group>

112

<arg choice="plain"><option>--expire

113

114

<arg choice="plain"><option>-x

115

116

</group>

117

<sbr/>

118

<arg><option>--force</option></arg>

157

119

</cmdsynopsis>

158

120

159

121

<command>&COMMANDNAME;</command>

160

122

123

<arg choice="plain"><option>--password</option></arg>

161

124

162

<arg choice="plain"><option>--password</option></arg>

163

</group>

164

165

166

<replaceable>directory</replaceable></arg>

167

</group>

168

169

170

125

<arg choice="plain"><option>--passfile

126

127

128

129

</group>

130

<sbr/>

131

<group>

132

<arg choice="plain"><option>--dir

133

<replaceable>DIRECTORY</replaceable></option></arg>

134

<arg choice="plain"><option>-d

135

<replaceable>DIRECTORY</replaceable></option></arg>

136

</group>

137

<sbr/>

138

<group>

139

<arg choice="plain"><option>--name

140

141

<arg choice="plain"><option>-n

142

171

143

</group>

172

144

</cmdsynopsis>

173

145

174

146

<command>&COMMANDNAME;</command>

175

147

148

176

149

177

178

150

</group>

179

151

</cmdsynopsis>

180

152

181

153

<command>&COMMANDNAME;</command>

182

154

155

<arg choice="plain"><option>--version</option></arg>

183

156

184

<arg choice="plain"><option>--version</option></arg>

185

157

</group>

186

158

</cmdsynopsis>

187

159

</refsynopsisdiv>

188

160

189

161

190

162

<title>DESCRIPTION</title>

191

163

<para>

192

164

<command>&COMMANDNAME;</command> is a program to generate the

193

OpenPGP keys used by

194

<citerefentry><refentrytitle>password-request</refentrytitle>

195

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

165

OpenPGP key used by

166

<citerefentry><refentrytitle>mandos-client</refentrytitle>

167

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

196

168

normally written to /etc/mandos for later installation into the

197

initrd image, but this, like most things, can be changed with

198

command line options.

169

initrd image, but this, and most other things, can be changed

170

with command line options.

199

171

</para>

200

172

<para>

201

It can also be used to generate ready-made sections for

173

This program can also be used with the

174

<option>--password</option> or <option>--passfile</option>

175

options to generate a ready-made section for

176

<filename>clients.conf</filename> (see

202

177

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

203

<manvolnum>5</manvolnum></citerefentry> using the

204

<option>--password</option> option.

178

<manvolnum>5</manvolnum></citerefentry>).

205

179

</para>

206

180

</refsect1>

207

181

208

182

209

183

<title>PURPOSE</title>

210

211

184

<para>

212

185

The purpose of this is to enable <emphasis>remote and unattended

213

186

rebooting</emphasis> of client host computer with an

214

187

<emphasis>encrypted root file system</emphasis>. See <xref

215

188

linkend="overview"/> for details.

216

189

</para>

217

218

190

</refsect1>

219

191

220

192

221

193

<title>OPTIONS</title>

222

194

223

195

224

196

225

197

198

226

199

227

200

<para>

228

201

Show a help message and exit

229

202

</para>

230

203

</listitem>

231

204

</varlistentry>

232

205

233

206

234

<term><literal>-d</literal>, <literal>--dir

235

<replaceable>directory</replaceable></literal></term>

207

<term><option>--dir

208

<replaceable>DIRECTORY</replaceable></option></term>

209

<term><option>-d

210

<replaceable>DIRECTORY</replaceable></option></term>

236

211

237

212

<para>

238

213

Target directory for key files. Default is

240

215

</para>

241

216

</listitem>

242

217

</varlistentry>

243

218

244

219

245

<term><literal>-t</literal>, <literal>--type

246

220

<term><option>--type

221

222

<term><option>-t

223

247

224

248

225

<para>

249

226

Key type. Default is <quote>DSA</quote>.

250

227

</para>

251

228

</listitem>

252

229

</varlistentry>

253

230

254

231

255

<term><literal>-l</literal>, <literal>--length

256

232

<term><option>--length

233

234

<term><option>-l

235

257

236

258

237

<para>

259

238

Key length in bits. Default is 2048.

260

239

</para>

261

240

</listitem>

262

241

</varlistentry>

263

242

264

243

265

<term><literal>-s</literal>, <literal>--subtype

266

244

<term><option>--subtype

245

<replaceable>KEYTYPE</replaceable></option></term>

246

<term><option>-s

247

<replaceable>KEYTYPE</replaceable></option></term>

267

248

268

249

<para>

269

250

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

271

252

</para>

272

253

</listitem>

273

254

</varlistentry>

274

255

275

256

276

<term><literal>-L</literal>, <literal>--sublength

277

257

<term><option>--sublength

258

259

<term><option>-L

260

278

261

279

262

<para>

280

263

Subkey length in bits. Default is 2048.

281

264

</para>

282

265

</listitem>

283

266

</varlistentry>

284

267

285

268

286

<term><literal>-e</literal>, <literal>--email</literal>

287

<replaceable>address</replaceable></term>

269

<term><option>--email

270

<replaceable>ADDRESS</replaceable></option></term>

271

<term><option>-e

272

<replaceable>ADDRESS</replaceable></option></term>

288

273

289

274

<para>

290

275

Email address of key. Default is empty.

291

276

</para>

292

277

</listitem>

293

278

</varlistentry>

294

279

295

280

296

<term><literal>-c</literal>, <literal>--comment</literal>

297

<replaceable>comment</replaceable></term>

281

<term><option>--comment

282

283

<term><option>-c

284

298

285

299

286

<para>

300

287

Comment field for key. The default value is

302

289

</para>

303

290

</listitem>

304

291

</varlistentry>

305

292

306

293

307

<term><literal>-x</literal>, <literal>--expire</literal>

308

294

<term><option>--expire

295

296

<term><option>-x

297

309

298

310

299

<para>

311

300

Key expire time. Default is no expiration. See

314

303

</para>

315

304

</listitem>

316

305

</varlistentry>

317

306

318

307

319

<term><literal>-f</literal>, <literal>--force</literal></term>

308

<term><option>--force</option></term>

309

320

310

321

311

<para>

322

Force overwriting old keys.

312

Force overwriting old key.

323

313

</para>

324

314

</listitem>

325

315

</varlistentry>

326

316

327

<term><literal>-p</literal>, <literal>--password</literal

328

></term>

317

<term><option>--password</option></term>

318

329

319

330

320

<para>

331

321

Prompt for a password and encrypt it with the key already

337

327

>8</manvolnum></citerefentry>. The host name or the name

338

328

specified with the <option>--name</option> option is used

339

329

for the section header. All other options are ignored,

340

and no keys are created.

330

and no key is created.

331

</para>

332

</listitem>

333

</varlistentry>

334

335

<term><option>--passfile

336

337

<term><option>-F

338

339

340

<para>

341

The same as <option>--password</option>, but read from

342

<replaceable>FILE</replaceable>, not the terminal.

341

343

</para>

342

344

</listitem>

343

345

</varlistentry>

344

346

</variablelist>

345

347

</refsect1>

346

348

347

349

348

350

<title>OVERVIEW</title>

349

351

<xi:include href="overview.xml"/>

350

352

<para>

351

353

This program is a small utility to generate new OpenPGP keys for

352

new Mandos clients.

354

new Mandos clients, and to generate sections for inclusion in

355

<filename>clients.conf</filename> on the server.

353

356

</para>

354

357

</refsect1>

355

358

356

359

357

360

<title>EXIT STATUS</title>

358

361

<para>

359

The exit status will be 0 if new keys were successfully created,

360

otherwise not.

362

The exit status will be 0 if a new key (or password, if the

363

<option>--password</option> option was used) was successfully

364

created, otherwise not.

361

365

</para>

362

366

</refsect1>

363

367

365

369

<title>ENVIRONMENT</title>

366

370

367

371

368

<term><varname>TMPDIR</varname></term>

372

<term><envar>TMPDIR</envar></term>

369

373

370

374

<para>

371

375

If set, temporary files will be created here. See

414

418

</varlistentry>

415

419

</variablelist>

416

420

</refsect1>

417

418

419

420

<para>

421

None are known at this time.

422

</para>

423

</refsect1>

424

421

422

423

424

425

426

427

425

428

426

429

<title>EXAMPLE</title>

427

430

429

432

Normal invocation needs no options:

430

433

</para>

431

434

<para>

432

<userinput>mandos-keygen</userinput>

435

<userinput>&COMMANDNAME;</userinput>

433

436

</para>

434

437

</informalexample>

435

438

436

439

<para>

437

Create keys in another directory and of another type. Force

440

Create key in another directory and of another type. Force

438

441

overwriting old key files:

439

442

</para>

440

443

<para>

441

444

442

445

443

<userinput>mandos-keygen --dir ~/keydir --type RSA --force</userinput>

446

<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>

447

448

</para>

449

</informalexample>

450

451

<para>

452

Prompt for a password, encrypt it with the key in

453

<filename>/etc/mandos</filename> and output a section suitable

454

for <filename>clients.conf</filename>.

455

</para>

456

<para>

457

<userinput>&COMMANDNAME; --password</userinput>

458

</para>

459

</informalexample>

460

461

<para>

462

Prompt for a password, encrypt it with the key in the

463

<filename>client-key</filename> directory and output a section

464

suitable for <filename>clients.conf</filename>.

465

</para>

466

<para>

467

468

469

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

444

470

445

471

</para>

446

472

</informalexample>

447

473

</refsect1>

448

474

449

475

450

476

<title>SECURITY</title>

451

477

<para>

452

478

The <option>--type</option>, <option>--length</option>,

453

479

<option>--subtype</option>, and <option>--sublength</option>

454

options can be used to create keys of insufficient security. If

455

in doubt, leave them to the default values.

480

options can be used to create keys of low security. If in

481

doubt, leave them to the default values.

456

482

</para>

457

483

<para>

458

The key expire time is not guaranteed to be honored by

459

<citerefentry><refentrytitle>mandos</refentrytitle>

484

The key expire time is <emphasis>not</emphasis> guaranteed to be

485

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

460

486

<manvolnum>8</manvolnum></citerefentry>.

461

487

</para>

462

488

</refsect1>

463

489

464

490

465

491

466

492

<para>

467

<citerefentry><refentrytitle>password-request</refentrytitle>

468

<manvolnum>8mandos</manvolnum></citerefentry>,

493

494

<manvolnum>1</manvolnum></citerefentry>,

495

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

496

<manvolnum>5</manvolnum></citerefentry>,

469

497

<citerefentry><refentrytitle>mandos</refentrytitle>

470

498

<manvolnum>8</manvolnum></citerefentry>,

471

472

499

<citerefentry><refentrytitle>mandos-client</refentrytitle>

500

<manvolnum>8mandos</manvolnum></citerefentry>

473

501

</para>

474

502

</refsect1>

475

503

476

504

</refentry>

505

506

507

508

509

Older »