/mandos/trunk : revision 223

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2008-10-03 09:32:30 UTC
Revision ID: teddy@fukt.bsnet.se-20081003093230-rshn19e0c19zz12i

* .bzrignore (plugins.d/askpass-fifo): Added.

* Makefile (FORTIFY): Added "-fstack-protector-all".
  (mandos, mandos-keygen): Use more strict regexps when updating the
                           version number.

* mandos (Client.__init__): Use os.path.expandvars() and
                            os.path.expanduser() on the "secfile"
                            config value.

* plugins.d/splashy.c: Update comments and order of #include's.
  (main): Check user and group when looking for running splashy
          process.  Do not ignore ENOENT from execl().  Use _exit()
          instead of "return" when an error happens in child
          processes.  Bug fix: Only wait for splashy_update
          completion if it was started.  Bug fix: detect failing
          waitpid().  Only kill splashy_update if it is running.  Do
          the killing of the old splashy process before the fork().
          Do setsid() and setuid(geteuid()) before starting the new
          splashy.  Report failing execl().

* plugins.d/usplash.c: Update comments and order of #include's.
  (main): Check user and group when looking for running usplash
          process.  Do not report execv() error if interrupted by a
          signal.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

INSTALL

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.config

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.config

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/sv.po

debian/rules

default-mandos

init.d-mandos

legalnotice.xml

mandos-options.xml

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/splashy.c

plugins.d/usplash.c

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version='1.0' encoding='UTF-8'?>

<?xml-stylesheet type="text/xsl"

href="http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl"?>

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2008-09-30">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>&COMMANDNAME;</title>

<productname>&COMMANDNAME;</productname>

<productnumber>&VERSION;</productnumber>

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

</authorgroup>

<holder>Teddy Hogeborn & Björn Påhlsson</holder>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Generate keys for <citerefentry><refentrytitle>password-request

</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>

Generate key and password for Mandos client and server.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<replaceable>directory</replaceable></arg>

</group>

</group>

<arg choice="plain"><option>--length</option>

</group>

</group>

<arg choice="plain"><option>--email</option>

<replaceable>EMAIL</replaceable></arg>

</group>

<arg choice="plain"><option>--comment</option>

<replaceable>COMMENT</replaceable></arg>

100

</group>

101

102

<arg choice="plain"><option>--expire</option>

103

104

</group>

105

106

<arg choice="plain"><option>--force</option></arg>

107

</group>

108

</cmdsynopsis>

109

110

<command>&COMMANDNAME;</command>

111

112

113

<replaceable>directory</replaceable></arg>

114

</group>

115

116

117

118

</group>

119

120

121

122

</group>

123

124

125

126

</group>

127

128

129

<replaceable>EMAIL</replaceable></arg>

130

</group>

131

132

133

<replaceable>COMMENT</replaceable></arg>

134

</group>

135

136

137

138

</group>

139

140

141

</group>

142

</cmdsynopsis>

143

144

<command>&COMMANDNAME;</command>

145

146

147

148

</group>

149

</cmdsynopsis>

150

151

<command>&COMMANDNAME;</command>

152

153

154

<arg choice='plain'><option>--version</option></arg>

<group>

<arg choice="plain"><option>--dir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--type

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-t

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--length

<arg choice="plain"><option>-l

</group>

<sbr/>

<group>

<arg choice="plain"><option>--subtype

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-s

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--sublength

<arg choice="plain"><option>-L

</group>

<sbr/>

<group>

<arg choice="plain"><option>--name

<arg choice="plain"><option>-n

</group>

<sbr/>

<group>

<arg choice="plain"><option>--email

100

<replaceable>ADDRESS</replaceable></option></arg>

101

<arg choice="plain"><option>-e

102

<replaceable>ADDRESS</replaceable></option></arg>

103

</group>

104

<sbr/>

105

<group>

106

<arg choice="plain"><option>--comment

107

108

<arg choice="plain"><option>-c

109

110

</group>

111

<sbr/>

112

<group>

113

<arg choice="plain"><option>--expire

114

115

<arg choice="plain"><option>-x

116

117

</group>

118

<sbr/>

119

<arg><option>--force</option></arg>

120

</cmdsynopsis>

121

122

<command>&COMMANDNAME;</command>

123

124

<arg choice="plain"><option>--password</option></arg>

125

126

<arg choice="plain"><option>--passfile

127

128

129

130

</group>

131

<sbr/>

132

<group>

133

<arg choice="plain"><option>--dir

134

<replaceable>DIRECTORY</replaceable></option></arg>

135

<arg choice="plain"><option>-d

136

<replaceable>DIRECTORY</replaceable></option></arg>

137

</group>

138

<sbr/>

139

<group>

140

<arg choice="plain"><option>--name

141

142

<arg choice="plain"><option>-n

143

144

</group>

145

</cmdsynopsis>

146

147

<command>&COMMANDNAME;</command>

148

149

150

151

</group>

152

</cmdsynopsis>

153

154

<command>&COMMANDNAME;</command>

155

156

<arg choice="plain"><option>--version</option></arg>

157

155

158

</group>

156

159

</cmdsynopsis>

157

160

</refsynopsisdiv>

158

161

159

162

160

163

<title>DESCRIPTION</title>

161

164

<para>

162

165

<command>&COMMANDNAME;</command> is a program to generate the

163

OpenPGP keys used by

164

<citerefentry><refentrytitle>password-request</refentrytitle>

165

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

166

OpenPGP key used by

167

<citerefentry><refentrytitle>mandos-client</refentrytitle>

168

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

166

169

normally written to /etc/mandos for later installation into the

167

initrd image, but this, like most things, can be changed with

168

command line options.

170

initrd image, but this, and most other things, can be changed

171

with command line options.

172

</para>

173

<para>

174

This program can also be used with the

175

<option>--password</option> or <option>--passfile</option>

176

options to generate a ready-made section for

177

<filename>clients.conf</filename> (see

178

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

179

<manvolnum>5</manvolnum></citerefentry>).

180

</para>

181

</refsect1>

182

183

184

<title>PURPOSE</title>

185

<para>

186

The purpose of this is to enable <emphasis>remote and unattended

187

rebooting</emphasis> of client host computer with an

188

<emphasis>encrypted root file system</emphasis>. See <xref

189

linkend="overview"/> for details.

169

190

</para>

170

191

</refsect1>

171

192

172

193

173

194

<title>OPTIONS</title>

174

195

175

196

176

197

177

198

199

178

200

179

201

<para>

180

202

Show a help message and exit

181

203

</para>

182

204

</listitem>

183

205

</varlistentry>

184

185

186

<term><literal>-d</literal>, <literal>--dir

187

<replaceable>directory</replaceable></literal></term>

188

189

<para>

190

Target directory for key files.

191

</para>

192

</listitem>

193

</varlistentry>

194

195

196

<term><literal>-t</literal>, <literal>--type

197

198

199

<para>

200

Key type. Default is DSA.

201

</para>

202

</listitem>

203

</varlistentry>

204

205

206

<term><literal>-l</literal>, <literal>--length

207

208

209

<para>

210

Key length in bits. Default is 1024.

211

</para>

212

</listitem>

213

</varlistentry>

214

215

216

<term><literal>-e</literal>, <literal>--email</literal>

217

<replaceable>address</replaceable></term>

206

207

208

<term><option>--dir

209

<replaceable>DIRECTORY</replaceable></option></term>

210

<term><option>-d

211

<replaceable>DIRECTORY</replaceable></option></term>

212

213

<para>

214

Target directory for key files. Default is

215

<filename>/etc/mandos</filename>.

216

</para>

217

</listitem>

218

</varlistentry>

219

220

221

<term><option>--type

222

223

<term><option>-t

224

225

226

<para>

227

Key type. Default is <quote>DSA</quote>.

228

</para>

229

</listitem>

230

</varlistentry>

231

232

233

<term><option>--length

234

235

<term><option>-l

236

237

238

<para>

239

Key length in bits. Default is 2048.

240

</para>

241

</listitem>

242

</varlistentry>

243

244

245

<term><option>--subtype

246

<replaceable>KEYTYPE</replaceable></option></term>

247

<term><option>-s

248

<replaceable>KEYTYPE</replaceable></option></term>

249

250

<para>

251

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

252

encryption-only).

253

</para>

254

</listitem>

255

</varlistentry>

256

257

258

<term><option>--sublength

259

260

<term><option>-L

261

262

263

<para>

264

Subkey length in bits. Default is 2048.

265

</para>

266

</listitem>

267

</varlistentry>

268

269

270

<term><option>--email

271

<replaceable>ADDRESS</replaceable></option></term>

272

<term><option>-e

273

<replaceable>ADDRESS</replaceable></option></term>

218

274

219

275

<para>

220

276

Email address of key. Default is empty.

221

277

</para>

222

278

</listitem>

223

279

</varlistentry>

224

280

225

281

226

<term><literal>-c</literal>, <literal>--comment</literal>

227

<replaceable>comment</replaceable></term>

282

<term><option>--comment

283

284

<term><option>-c

285

228

286

229

287

<para>

230

288

Comment field for key. The default value is

231

"<literal>Mandos client key</literal>".

289

<quote><literal>Mandos client key</literal></quote>.

232

290

</para>

233

291

</listitem>

234

292

</varlistentry>

235

293

236

294

237

<term><literal>-x</literal>, <literal>--expire</literal>

238

295

<term><option>--expire

296

297

<term><option>-x

298

239

299

240

300

<para>

241

301

Key expire time. Default is no expiration. See

244

304

</para>

245

305

</listitem>

246

306

</varlistentry>

247

248

249

<term><literal>-f</literal>, <literal>--force</literal></term>

250

251

<para>

252

Force overwriting old keys.

307

308

309

<term><option>--force</option></term>

310

311

312

<para>

313

Force overwriting old key.

314

</para>

315

</listitem>

316

</varlistentry>

317

318

<term><option>--password</option></term>

319

320

321

<para>

322

Prompt for a password and encrypt it with the key already

323

present in either <filename>/etc/mandos</filename> or the

324

directory specified with the <option>--dir</option>

325

option. Outputs, on standard output, a section suitable

326

for inclusion in <citerefentry><refentrytitle

327

>mandos-clients.conf</refentrytitle><manvolnum

328

>8</manvolnum></citerefentry>. The host name or the name

329

specified with the <option>--name</option> option is used

330

for the section header. All other options are ignored,

331

and no key is created.

332

</para>

333

</listitem>

334

</varlistentry>

335

336

<term><option>--passfile

337

338

<term><option>-F

339

340

341

<para>

342

The same as <option>--password</option>, but read from

343

<replaceable>FILE</replaceable>, not the terminal.

253

344

</para>

254

345

</listitem>

255

346

</varlistentry>

256

347

</variablelist>

257

348

</refsect1>

258

349

350

351

<title>OVERVIEW</title>

352

<xi:include href="overview.xml"/>

353

<para>

354

This program is a small utility to generate new OpenPGP keys for

355

new Mandos clients, and to generate sections for inclusion in

356

<filename>clients.conf</filename> on the server.

357

</para>

358

</refsect1>

359

259

360

260

361

<title>EXIT STATUS</title>

261

362

<para>

363

The exit status will be 0 if a new key (or password, if the

364

<option>--password</option> option was used) was successfully

365

created, otherwise not.

262

366

</para>

263

367

</refsect1>

264

368

369

370

<title>ENVIRONMENT</title>

371

372

373

<term><envar>TMPDIR</envar></term>

374

375

<para>

376

If set, temporary files will be created here. See

377

<citerefentry><refentrytitle>mktemp</refentrytitle>

378

<manvolnum>1</manvolnum></citerefentry>.

379

</para>

380

</listitem>

381

</varlistentry>

382

</variablelist>

383

</refsect1>

384

265

385

266

386

<title>FILES</title>

267

387

<para>

268

</para>

269

</refsect1>

270

271

272

273

<para>

274

</para>

275

</refsect1>

276

277

278

<title>EXAMPLES</title>

279

<para>

280

</para>

281

</refsect1>

282

388

Use the <option>--dir</option> option to change where

389

<command>&COMMANDNAME;</command> will write the key files. The

390

default file names are shown here.

391

</para>

392

393

394

<term><filename>/etc/mandos/seckey.txt</filename></term>

395

396

<para>

397

OpenPGP secret key file which will be created or

398

overwritten.

399

</para>

400

</listitem>

401

</varlistentry>

402

403

<term><filename>/etc/mandos/pubkey.txt</filename></term>

404

405

<para>

406

OpenPGP public key file which will be created or

407

overwritten.

408

</para>

409

</listitem>

410

</varlistentry>

411

412

413

414

<para>

415

Temporary files will be written here if

416

<varname>TMPDIR</varname> is not set.

417

</para>

418

</listitem>

419

</varlistentry>

420

</variablelist>

421

</refsect1>

422

423

424

425

426

427

428

429

430

<title>EXAMPLE</title>

431

432

<para>

433

Normal invocation needs no options:

434

</para>

435

<para>

436

<userinput>&COMMANDNAME;</userinput>

437

</para>

438

</informalexample>

439

440

<para>

441

Create key in another directory and of another type. Force

442

overwriting old key files:

443

</para>

444

<para>

445

446

447

<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>

448

449

</para>

450

</informalexample>

451

452

<para>

453

Prompt for a password, encrypt it with the key in

454

<filename>/etc/mandos</filename> and output a section suitable

455

for <filename>clients.conf</filename>.

456

</para>

457

<para>

458

<userinput>&COMMANDNAME; --password</userinput>

459

</para>

460

</informalexample>

461

462

<para>

463

Prompt for a password, encrypt it with the key in the

464

<filename>client-key</filename> directory and output a section

465

suitable for <filename>clients.conf</filename>.

466

</para>

467

<para>

468

469

470

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

471

472

</para>

473

</informalexample>

474

</refsect1>

475

283

476

284

477

<title>SECURITY</title>

285

478

<para>

479

The <option>--type</option>, <option>--length</option>,

480

<option>--subtype</option>, and <option>--sublength</option>

481

options can be used to create keys of low security. If in

482

doubt, leave them to the default values.

483

</para>

484

<para>

485

The key expire time is <emphasis>not</emphasis> guaranteed to be

486

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

487

<manvolnum>8</manvolnum></citerefentry>.

286

488

</para>

287

489

</refsect1>

288

490

289

491

290

492

291

493

<para>

292

<citerefentry><refentrytitle>password-request</refentrytitle>

293

<manvolnum>8mandos</manvolnum></citerefentry>,

494

495

<manvolnum>1</manvolnum></citerefentry>,

496

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

497

<manvolnum>5</manvolnum></citerefentry>,

294

498

<citerefentry><refentrytitle>mandos</refentrytitle>

295

<manvolnum>8</manvolnum></citerefentry>, and

296

297

499

<manvolnum>8</manvolnum></citerefentry>,

500

<citerefentry><refentrytitle>mandos-client</refentrytitle>

501

<manvolnum>8mandos</manvolnum></citerefentry>

298

502

</para>

299

503

</refsect1>

300

504

301

505

</refentry>

506

507

508

509

510

Older »