/mandos/trunk : revision 238

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2008-12-10 01:26:02 UTC
mfrom: (237.1.2 mandos)
Revision ID: teddy@fukt.bsnet.se-20081210012602-vhz3h75xkj24t340

First version of a somewhat complete D-Bus server interface.  Also
change user/group name to "_mandos".

* debian/mandos.postinst: Rename old "mandos" user and group to
                          "_mandos"; create "_mandos" user and group
                          if none exist.
* debian/mandos-client.postinst: - '' -

* initramfs-tools-hook: Try "_mandos" before "mandos" as user and
                        group name.

* mandos (_datetime_to_dbus_struct): New; was previously local.
  (Client.started): Renamed to "last_started".  All users changed.
  (Client.started): New; boolean.
  (Client.dbus_object_path): New.
  (Client.check_command): Renamed to "checker_command".  All users
                          changed.
  (Client.__init__): Set and use "self.dbus_object_path".  Set
                     "self.started".
  (Client.start): Update "self.started".  Emit "self.PropertyChanged"
                  signals for both "started" and "last_started".
  (Client.stop): Update "self.started".  Emit "self.PropertyChanged"
                 signal for "started".
  (Client.checker_callback): Take additional "command" argument.  All
                             callers changed. Emit
                             "self.PropertyChanged" signal.
  (Client.bump_timeout): Emit "self.PropertyChanged" signal for
                         "last_checked_ok".
  (Client.start_checker): Emit "self.PropertyChanged" signal for
                          "checker_running".
  (Client.stop_checker): Emit "self.PropertyChanged" signal for
                         "checker_running".
  (Client.still_valid): Bug fix: use "getattr(self, started, False)"
                        instead of "self.started" in case this client
                        object is so new that the "started" attribute
                        has not been created yet.
  (Client.IntervalChanged, Client.CheckerIsRunning, Client.GetChecker,
  Client.GetCreated, Client.GetFingerprint, Client.GetHost,
  Client.GetInterval, Client.GetName, Client.GetStarted,
  Client.GetTimeout, Client.StateChanged, Client.TimeoutChanged):
  Removed; all callers changed.
  (Client.CheckerCompleted): Add "condition" and "command" arguments.
                             All callers changed.
  (Client.GetAllProperties, Client.PropertyChanged): New.
  (Client.StillValid): Renamed to "IsStillValid".
  (Client.StartChecker): Changed to its own function to avoid the
                         return value from "Client.start_checker()".
  (Client.Stop): Changed to its own function to avoid the return value
                 from "Client.stop()".
  (main): Try "_mandos" before "mandos" as user and group name.
          Removed inner function "remove_from_clients".  New inner
          class "MandosServer".

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.config

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.config

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/sv.po

debian/rules

default-mandos

init.d-mandos

initramfs-tools-script

legalnotice.xml

mandos-keygen.xml

mandos-options.xml

mandos.lsm

overview.xml

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
network-protocol.txt

files renamed:
mandos-client.c => plugin-runner.c

mandos-client.xml => plugin-runner.xml

plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

mandos

mandos-clients.conf.xml

mandos-keygen

mandos.conf

mandos.conf.xml

mandos.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2008-10-03">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

</refmeta>

<refname><command>&COMMANDNAME;</command></refname>

Generate key and password for Mandos client and server.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--dir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--type

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-t

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--length

<arg choice="plain"><option>-l

</group>

<sbr/>

<group>

<arg choice="plain"><option>--subtype

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-s

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--sublength

<arg choice="plain"><option>-L

</group>

<sbr/>

<group>

<arg choice="plain"><option>--name

<arg choice="plain"><option>-n

</group>

<sbr/>

<group>

<arg choice="plain"><option>--email

100

<replaceable>ADDRESS</replaceable></option></arg>

101

<arg choice="plain"><option>-e

102

<replaceable>ADDRESS</replaceable></option></arg>

103

</group>

104

<sbr/>

105

<group>

106

<arg choice="plain"><option>--comment

107

108

<arg choice="plain"><option>-c

109

110

</group>

111

<sbr/>

112

<group>

113

<arg choice="plain"><option>--expire

114

115

<arg choice="plain"><option>-x

116

117

</group>

118

<sbr/>

119

<arg><option>--force</option></arg>

120

</cmdsynopsis>

121

122

<command>&COMMANDNAME;</command>

123

124

<arg choice="plain"><option>--password</option></arg>

125

126

<arg choice="plain"><option>--passfile

127

128

129

130

</group>

131

<sbr/>

132

<group>

133

<arg choice="plain"><option>--dir

134

<replaceable>DIRECTORY</replaceable></option></arg>

135

<arg choice="plain"><option>-d

136

<replaceable>DIRECTORY</replaceable></option></arg>

137

</group>

138

<sbr/>

139

<group>

140

<arg choice="plain"><option>--name

141

142

<arg choice="plain"><option>-n

143

144

</group>

145

</cmdsynopsis>

146

147

<command>&COMMANDNAME;</command>

148

149

150

151

</group>

152

</cmdsynopsis>

153

154

<command>&COMMANDNAME;</command>

155

156

<arg choice="plain"><option>--version</option></arg>

157

158

</group>

159

</cmdsynopsis>

160

</refsynopsisdiv>

161

162

163

<title>DESCRIPTION</title>

164

<para>

165

<command>&COMMANDNAME;</command> is a program to generate the

166

OpenPGP key used by

167

<citerefentry><refentrytitle>mandos-client</refentrytitle>

168

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

169

normally written to /etc/mandos for later installation into the

170

initrd image, but this, and most other things, can be changed

171

with command line options.

172

</para>

173

<para>

174

This program can also be used with the

175

<option>--password</option> or <option>--passfile</option>

176

options to generate a ready-made section for

177

<filename>clients.conf</filename> (see

178

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

179

<manvolnum>5</manvolnum></citerefentry>).

180

</para>

181

</refsect1>

182

183

184

<title>PURPOSE</title>

185

<para>

186

The purpose of this is to enable <emphasis>remote and unattended

187

rebooting</emphasis> of client host computer with an

188

<emphasis>encrypted root file system</emphasis>. See <xref

189

linkend="overview"/> for details.

190

</para>

191

</refsect1>

192

193

194

<title>OPTIONS</title>

195

196

197

198

199

200

201

<para>

202

Show a help message and exit

203

</para>

204

</listitem>

205

</varlistentry>

206

207

208

<term><option>--dir

209

<replaceable>DIRECTORY</replaceable></option></term>

210

<term><option>-d

211

<replaceable>DIRECTORY</replaceable></option></term>

212

213

<para>

214

Target directory for key files. Default is

215

<filename>/etc/mandos</filename>.

216

</para>

217

</listitem>

218

</varlistentry>

219

220

221

<term><option>--type

222

223

<term><option>-t

224

225

226

<para>

227

Key type. Default is <quote>DSA</quote>.

228

</para>

229

</listitem>

230

</varlistentry>

231

232

233

<term><option>--length

234

235

<term><option>-l

236

237

238

<para>

239

Key length in bits. Default is 2048.

240

</para>

241

</listitem>

242

</varlistentry>

243

244

245

<term><option>--subtype

246

<replaceable>KEYTYPE</replaceable></option></term>

247

<term><option>-s

248

<replaceable>KEYTYPE</replaceable></option></term>

249

250

<para>

251

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

252

encryption-only).

253

</para>

254

</listitem>

255

</varlistentry>

256

257

258

<term><option>--sublength

259

260

<term><option>-L

261

262

263

<para>

264

Subkey length in bits. Default is 2048.

265

</para>

266

</listitem>

267

</varlistentry>

268

269

270

<term><option>--email

271

<replaceable>ADDRESS</replaceable></option></term>

272

<term><option>-e

273

<replaceable>ADDRESS</replaceable></option></term>

274

275

<para>

276

Email address of key. Default is empty.

277

</para>

278

</listitem>

279

</varlistentry>

280

281

282

<term><option>--comment

283

284

<term><option>-c

285

286

287

<para>

288

Comment field for key. The default value is

289

<quote><literal>Mandos client key</literal></quote>.

290

</para>

291

</listitem>

292

</varlistentry>

293

294

295

<term><option>--expire

296

297

<term><option>-x

298

299

300

<para>

301

Key expire time. Default is no expiration. See

302

303

<manvolnum>1</manvolnum></citerefentry> for syntax.

304

</para>

305

</listitem>

306

</varlistentry>

307

308

309

<term><option>--force</option></term>

310

311

312

<para>

313

Force overwriting old key.

314

</para>

315

</listitem>

316

</varlistentry>

317

318

<term><option>--password</option></term>

319

320

321

<para>

322

Prompt for a password and encrypt it with the key already

323

present in either <filename>/etc/mandos</filename> or the

324

directory specified with the <option>--dir</option>

325

option. Outputs, on standard output, a section suitable

326

for inclusion in <citerefentry><refentrytitle

327

>mandos-clients.conf</refentrytitle><manvolnum

328

>8</manvolnum></citerefentry>. The host name or the name

329

specified with the <option>--name</option> option is used

330

for the section header. All other options are ignored,

331

and no key is created.

332

</para>

333

</listitem>

334

</varlistentry>

335

336

<term><option>--passfile

337

338

<term><option>-F

339

340

341

<para>

342

The same as <option>--password</option>, but read from

343

<replaceable>FILE</replaceable>, not the terminal.

344

</para>

345

</listitem>

346

</varlistentry>

347

</variablelist>

348

</refsect1>

349

350

351

<title>OVERVIEW</title>

352

<xi:include href="overview.xml"/>

353

<para>

354

This program is a small utility to generate new OpenPGP keys for

355

new Mandos clients, and to generate sections for inclusion in

356

<filename>clients.conf</filename> on the server.

357

</para>

358

</refsect1>

359

360

361

<title>EXIT STATUS</title>

362

<para>

363

The exit status will be 0 if a new key (or password, if the

364

<option>--password</option> option was used) was successfully

365

created, otherwise not.

366

</para>

367

</refsect1>

368

369

370

<title>ENVIRONMENT</title>

371

372

373

<term><envar>TMPDIR</envar></term>

374

375

<para>

376

If set, temporary files will be created here. See

377

<citerefentry><refentrytitle>mktemp</refentrytitle>

378

<manvolnum>1</manvolnum></citerefentry>.

379

</para>

380

</listitem>

381

</varlistentry>

382

</variablelist>

383

</refsect1>

384

385

386

<title>FILES</title>

387

<para>

388

Use the <option>--dir</option> option to change where

389

<command>&COMMANDNAME;</command> will write the key files. The

390

default file names are shown here.

391

</para>

392

393

394

<term><filename>/etc/mandos/seckey.txt</filename></term>

395

396

<para>

397

OpenPGP secret key file which will be created or

398

overwritten.

399

</para>

400

</listitem>

401

</varlistentry>

402

403

<term><filename>/etc/mandos/pubkey.txt</filename></term>

404

405

<para>

406

OpenPGP public key file which will be created or

407

overwritten.

408

</para>

409

</listitem>

410

</varlistentry>

411

412

413

414

<para>

415

Temporary files will be written here if

416

<varname>TMPDIR</varname> is not set.

417

</para>

418

</listitem>

419

</varlistentry>

420

</variablelist>

421

</refsect1>

422

423

424

425

426

427

428

429

430

<title>EXAMPLE</title>

431

432

<para>

433

Normal invocation needs no options:

434

</para>

435

<para>

436

<userinput>&COMMANDNAME;</userinput>

437

</para>

438

</informalexample>

439

440

<para>

441

Create key in another directory and of another type. Force

442

overwriting old key files:

443

</para>

444

<para>

445

446

447

<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>

448

449

</para>

450

</informalexample>

451

452

<para>

453

Prompt for a password, encrypt it with the key in

454

<filename>/etc/mandos</filename> and output a section suitable

455

for <filename>clients.conf</filename>.

456

</para>

457

<para>

458

<userinput>&COMMANDNAME; --password</userinput>

459

</para>

460

</informalexample>

461

462

<para>

463

Prompt for a password, encrypt it with the key in the

464

<filename>client-key</filename> directory and output a section

465

suitable for <filename>clients.conf</filename>.

466

</para>

467

<para>

468

469

470

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

471

472

</para>

473

</informalexample>

474

</refsect1>

475

476

477

<title>SECURITY</title>

478

<para>

479

The <option>--type</option>, <option>--length</option>,

480

<option>--subtype</option>, and <option>--sublength</option>

481

options can be used to create keys of low security. If in

482

doubt, leave them to the default values.

483

</para>

484

<para>

485

The key expire time is <emphasis>not</emphasis> guaranteed to be

486

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

487

<manvolnum>8</manvolnum></citerefentry>.

488

</para>

489

</refsect1>

490

491

492

493

<para>

494

495

<manvolnum>1</manvolnum></citerefentry>,

496

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

497

<manvolnum>5</manvolnum></citerefentry>,

498

<citerefentry><refentrytitle>mandos</refentrytitle>

499

<manvolnum>8</manvolnum></citerefentry>,

500

<citerefentry><refentrytitle>mandos-client</refentrytitle>

501

<manvolnum>8mandos</manvolnum></citerefentry>

502

</para>

503

</refsect1>

504

505

</refentry>

506

507

508

509

510

Older »