
Viewing changes to mandos-keygen.xml

  • Committer: Teddy Hogeborn
  • Date: 2008-12-10 01:26:02 UTC
  • mfrom: (237.1.2 mandos)
  • Revision ID: teddy@fukt.bsnet.se-20081210012602-vhz3h75xkj24t340
First version of a somewhat complete D-Bus server interface.  Also
change user/group name to "_mandos".

* debian/mandos.postinst: Rename old "mandos" user and group to
                          "_mandos"; create "_mandos" user and group
                          if none exist.
* debian/mandos-client.postinst: - '' -

* initramfs-tools-hook: Try "_mandos" before "mandos" as user and
                        group name.

* mandos (_datetime_to_dbus_struct): New; was previously local.
  (Client.started): Renamed to "last_started".  All users changed.
  (Client.started): New; boolean.
  (Client.dbus_object_path): New.
  (Client.check_command): Renamed to "checker_command".  All users
                          changed.
  (Client.__init__): Set and use "self.dbus_object_path".  Set
                     "self.started".
  (Client.start): Update "self.started".  Emit "self.PropertyChanged"
                  signals for both "started" and "last_started".
  (Client.stop): Update "self.started".  Emit "self.PropertyChanged"
                 signal for "started".
  (Client.checker_callback): Take additional "command" argument.  All
                             callers changed. Emit
                             "self.PropertyChanged" signal.
  (Client.bump_timeout): Emit "self.PropertyChanged" signal for
                         "last_checked_ok".
  (Client.start_checker): Emit "self.PropertyChanged" signal for
                          "checker_running".
  (Client.stop_checker): Emit "self.PropertyChanged" signal for
                         "checker_running".
  (Client.still_valid): Bug fix: use "getattr(self, started, False)"
                        instead of "self.started" in case this client
                        object is so new that the "started" attribute
                        has not been created yet.
  (Client.IntervalChanged, Client.CheckerIsRunning, Client.GetChecker,
  Client.GetCreated, Client.GetFingerprint, Client.GetHost,
  Client.GetInterval, Client.GetName, Client.GetStarted,
  Client.GetTimeout, Client.StateChanged, Client.TimeoutChanged):
  Removed; all callers changed.
  (Client.CheckerCompleted): Add "condition" and "command" arguments.
                             All callers changed.
  (Client.GetAllProperties, Client.PropertyChanged): New.
  (Client.StillValid): Renamed to "IsStillValid".
  (Client.StartChecker): Changed to its own function to avoid the
                         return value from "Client.start_checker()".
  (Client.Stop): Changed to its own function to avoid the return value
                 from "Client.stop()".
  (main): Try "_mandos" before "mandos" as user and group name.
          Removed inner function "remove_from_clients".  New inner
          class "MandosServer".

2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos-keygen">
5
 
<!ENTITY TIMESTAMP "2019-02-10">
 
5
<!ENTITY TIMESTAMP "2008-10-03">
6
6
<!ENTITY % common SYSTEM "common.ent">
7
7
%common;
8
8
]>
19
19
        <firstname>Björn</firstname>
20
20
        <surname>Påhlsson</surname>
21
21
        <address>
22
 
          <email>belorn@recompile.se</email>
 
22
          <email>belorn@fukt.bsnet.se</email>
23
23
        </address>
24
24
      </author>
25
25
      <author>
26
26
        <firstname>Teddy</firstname>
27
27
        <surname>Hogeborn</surname>
28
28
        <address>
29
 
          <email>teddy@recompile.se</email>
 
29
          <email>teddy@fukt.bsnet.se</email>
30
30
        </address>
31
31
      </author>
32
32
    </authorgroup>
33
33
    <copyright>
34
34
      <year>2008</year>
35
 
      <year>2009</year>
36
 
      <year>2010</year>
37
 
      <year>2011</year>
38
 
      <year>2012</year>
39
 
      <year>2013</year>
40
 
      <year>2014</year>
41
 
      <year>2015</year>
42
 
      <year>2016</year>
43
 
      <year>2017</year>
44
 
      <year>2018</year>
45
35
      <holder>Teddy Hogeborn</holder>
46
36
      <holder>Björn Påhlsson</holder>
47
37
    </copyright>
126
116
        <replaceable>TIME</replaceable></option></arg>
127
117
      </group>
128
118
      <sbr/>
129
 
      <group>
130
 
        <arg choice="plain"><option>--tls-keytype
131
 
        <replaceable>KEYTYPE</replaceable></option></arg>
132
 
        <arg choice="plain"><option>-T
133
 
        <replaceable>KEYTYPE</replaceable></option></arg>
134
 
      </group>
135
 
      <sbr/>
136
 
      <group>
137
 
        <arg choice="plain"><option>--force</option></arg>
138
 
        <arg choice="plain"><option>-f</option></arg>
139
 
      </group>
 
119
      <arg><option>--force</option></arg>
140
120
    </cmdsynopsis>
141
121
    <cmdsynopsis>
142
122
      <command>&COMMANDNAME;</command>
162
142
        <arg choice="plain"><option>-n
163
143
        <replaceable>NAME</replaceable></option></arg>
164
144
      </group>
165
 
      <group>
166
 
        <arg choice="plain"><option>--no-ssh</option></arg>
167
 
        <arg choice="plain"><option>-S</option></arg>
168
 
      </group>
169
145
    </cmdsynopsis>
170
146
    <cmdsynopsis>
171
147
      <command>&COMMANDNAME;</command>
187
163
    <title>DESCRIPTION</title>
188
164
    <para>
189
165
      <command>&COMMANDNAME;</command> is a program to generate the
190
 
      TLS and OpenPGP keys used by
 
166
      OpenPGP key used by
191
167
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
192
 
      <manvolnum>8mandos</manvolnum></citerefentry>.  The keys are
193
 
      normally written to /etc/keys/mandos for later installation into
194
 
      the initrd image, but this, and most other things, can be
195
 
      changed with command line options.
 
168
      <manvolnum>8mandos</manvolnum></citerefentry>.  The key is
 
169
      normally written to /etc/mandos for later installation into the
 
170
      initrd image, but this, and most other things, can be changed
 
171
      with command line options.
196
172
    </para>
197
173
    <para>
198
174
      This program can also be used with the
235
211
        <replaceable>DIRECTORY</replaceable></option></term>
236
212
        <listitem>
237
213
          <para>
238
 
            Target directory for key files.  Default is <filename
239
 
            class="directory">/etc/keys/mandos</filename>.
 
214
            Target directory for key files.  Default is
 
215
            <filename>/etc/mandos</filename>.
240
216
          </para>
241
217
        </listitem>
242
218
      </varlistentry>
248
224
        <replaceable>TYPE</replaceable></option></term>
249
225
        <listitem>
250
226
          <para>
251
 
            OpenPGP key type.  Default is <quote>RSA</quote>.
 
227
            Key type.  Default is <quote>DSA</quote>.
252
228
          </para>
253
229
        </listitem>
254
230
      </varlistentry>
260
236
        <replaceable>BITS</replaceable></option></term>
261
237
        <listitem>
262
238
          <para>
263
 
            OpenPGP key length in bits.  Default is 4096.
 
239
            Key length in bits.  Default is 2048.
264
240
          </para>
265
241
        </listitem>
266
242
      </varlistentry>
272
248
        <replaceable>KEYTYPE</replaceable></option></term>
273
249
        <listitem>
274
250
          <para>
275
 
            OpenPGP subkey type.  Default is <quote>RSA</quote>
 
251
            Subkey type.  Default is <quote>ELG-E</quote> (Elgamal
 
252
            encryption-only).
276
253
          </para>
277
254
        </listitem>
278
255
      </varlistentry>
284
261
        <replaceable>BITS</replaceable></option></term>
285
262
        <listitem>
286
263
          <para>
287
 
            OpenPGP subkey length in bits.  Default is 4096.
 
264
            Subkey length in bits.  Default is 2048.
288
265
          </para>
289
266
        </listitem>
290
267
      </varlistentry>
308
285
        <replaceable>TEXT</replaceable></option></term>
309
286
        <listitem>
310
287
          <para>
311
 
            Comment field for key.  Default is empty.
 
288
            Comment field for key.  The default value is
 
289
            <quote><literal>Mandos client key</literal></quote>.
312
290
          </para>
313
291
        </listitem>
314
292
      </varlistentry>
328
306
      </varlistentry>
329
307
      
330
308
      <varlistentry>
331
 
        <term><option>--tls-keytype
332
 
        <replaceable>KEYTYPE</replaceable></option></term>
333
 
        <term><option>-T
334
 
        <replaceable>KEYTYPE</replaceable></option></term>
335
 
        <listitem>
336
 
          <para>
337
 
            TLS key type.  Default is <quote>ed25519</quote>
338
 
          </para>
339
 
        </listitem>
340
 
      </varlistentry>
341
 
      
342
 
      <varlistentry>
343
309
        <term><option>--force</option></term>
344
310
        <term><option>-f</option></term>
345
311
        <listitem>
354
320
        <listitem>
355
321
          <para>
356
322
            Prompt for a password and encrypt it with the key already
357
 
            present in either <filename>/etc/keys/mandos</filename> or
358
 
            the directory specified with the <option>--dir</option>
 
323
            present in either <filename>/etc/mandos</filename> or the
 
324
            directory specified with the <option>--dir</option>
359
325
            option.  Outputs, on standard output, a section suitable
360
326
            for inclusion in <citerefentry><refentrytitle
361
327
            >mandos-clients.conf</refentrytitle><manvolnum
378
344
          </para>
379
345
        </listitem>
380
346
      </varlistentry>
381
 
      <varlistentry>
382
 
        <term><option>--no-ssh</option></term>
383
 
        <term><option>-S</option></term>
384
 
        <listitem>
385
 
          <para>
386
 
            When <option>--password</option> or
387
 
            <option>--passfile</option> is given, this option will
388
 
            prevent <command>&COMMANDNAME;</command> from calling
389
 
            <command>ssh-keyscan</command> to get an SSH fingerprint
390
 
            for this host and, if successful, output suitable config
391
 
            options to use this fingerprint as a
392
 
            <option>checker</option> option in the output.  This is
393
 
            otherwise the default behavior.
394
 
          </para>
395
 
        </listitem>
396
 
      </varlistentry>
397
347
    </variablelist>
398
348
  </refsect1>
399
349
  
401
351
    <title>OVERVIEW</title>
402
352
    <xi:include href="overview.xml"/>
403
353
    <para>
404
 
      This program is a small utility to generate new TLS and OpenPGP
405
 
      keys for new Mandos clients, and to generate sections for
406
 
      inclusion in <filename>clients.conf</filename> on the server.
 
354
      This program is a small utility to generate new OpenPGP keys for
 
355
      new Mandos clients, and to generate sections for inclusion in
 
356
      <filename>clients.conf</filename> on the server.
407
357
    </para>
408
358
  </refsect1>
409
359
  
441
391
    </para>
442
392
    <variablelist>
443
393
      <varlistentry>
444
 
        <term><filename>/etc/keys/mandos/seckey.txt</filename></term>
 
394
        <term><filename>/etc/mandos/seckey.txt</filename></term>
445
395
        <listitem>
446
396
          <para>
447
397
            OpenPGP secret key file which will be created or
450
400
        </listitem>
451
401
      </varlistentry>
452
402
      <varlistentry>
453
 
        <term><filename>/etc/keys/mandos/pubkey.txt</filename></term>
 
403
        <term><filename>/etc/mandos/pubkey.txt</filename></term>
454
404
        <listitem>
455
405
          <para>
456
406
            OpenPGP public key file which will be created or
459
409
        </listitem>
460
410
      </varlistentry>
461
411
      <varlistentry>
462
 
        <term><filename>/etc/keys/mandos/tls-privkey.pem</filename></term>
463
 
        <listitem>
464
 
          <para>
465
 
            Private key file which will be created or overwritten.
466
 
          </para>
467
 
        </listitem>
468
 
      </varlistentry>
469
 
      <varlistentry>
470
 
        <term><filename>/etc/keys/mandos/tls-pubkey.pem</filename></term>
471
 
        <listitem>
472
 
          <para>
473
 
            Public key file which will be created or overwritten.
474
 
          </para>
475
 
        </listitem>
476
 
      </varlistentry>
477
 
      <varlistentry>
478
 
        <term><filename class="directory">/tmp</filename></term>
 
412
        <term><filename>/tmp</filename></term>
479
413
        <listitem>
480
414
          <para>
481
415
            Temporary files will be written here if
486
420
    </variablelist>
487
421
  </refsect1>
488
422
  
489
 
  <refsect1 id="bugs">
490
 
    <title>BUGS</title>
491
 
    <xi:include href="bugs.xml"/>
492
 
  </refsect1>
 
423
<!--   <refsect1 id="bugs"> -->
 
424
<!--     <title>BUGS</title> -->
 
425
<!--     <para> -->
 
426
<!--     </para> -->
 
427
<!--   </refsect1> -->
493
428
  
494
429
  <refsect1 id="example">
495
430
    <title>EXAMPLE</title>
515
450
    </informalexample>
516
451
    <informalexample>
517
452
      <para>
518
 
        Prompt for a password, encrypt it with the keys in <filename
519
 
        class="directory">/etc/keys/mandos</filename> and output a
520
 
        section suitable for <filename>clients.conf</filename>.
 
453
        Prompt for a password, encrypt it with the key in
 
454
        <filename>/etc/mandos</filename> and output a section suitable
 
455
        for <filename>clients.conf</filename>.
521
456
      </para>
522
457
      <para>
523
458
        <userinput>&COMMANDNAME; --password</userinput>
525
460
    </informalexample>
526
461
    <informalexample>
527
462
      <para>
528
 
        Prompt for a password, encrypt it with the keys in the
 
463
        Prompt for a password, encrypt it with the key in the
529
464
        <filename>client-key</filename> directory and output a section
530
465
        suitable for <filename>clients.conf</filename>.
531
466
      </para>
556
491
  <refsect1 id="see_also">
557
492
    <title>SEE ALSO</title>
558
493
    <para>
559
 
      <citerefentry><refentrytitle>intro</refentrytitle>
560
 
      <manvolnum>8mandos</manvolnum></citerefentry>,
561
494
      <citerefentry><refentrytitle>gpg</refentrytitle>
562
495
      <manvolnum>1</manvolnum></citerefentry>,
563
496
      <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
565
498
      <citerefentry><refentrytitle>mandos</refentrytitle>
566
499
      <manvolnum>8</manvolnum></citerefentry>,
567
500
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
568
 
      <manvolnum>8mandos</manvolnum></citerefentry>,
569
 
      <citerefentry><refentrytitle>ssh-keyscan</refentrytitle>
570
 
      <manvolnum>1</manvolnum></citerefentry>
 
501
      <manvolnum>8mandos</manvolnum></citerefentry>
571
502
    </para>
572
503
  </refsect1>
573
504