/mandos/trunk : revision 24.1.73

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Björn Påhlsson
Date: 2008-08-29 09:32:06 UTC
mfrom: (114 mandos)
mto: (24.1.154 mandos) (237.4.3 mandos-release)
mto: This revision was merged to the branch mainline in revision 132.
Revision ID: belorn@braxen-20080829093206-12p8xfyduzkpf618

merge

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

INSTALL

README

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.config

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.config

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/sv.po

debian/rules

default-mandos

init.d-mandos

legalnotice.xml

plugin-runner.conf

plugins.d/splashy.c

plugins.d/usplash.c

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2008-09-20">

<!ENTITY TIMESTAMP "2008-08-29">

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Generate key and password for Mandos client and server.

Generate keys for <citerefentry><refentrytitle>password-request

</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--dir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--type

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-t

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--length

<arg choice="plain"><option>-l

</group>

<sbr/>

<group>

<arg choice="plain"><option>--subtype

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-s

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--sublength

<arg choice="plain"><option>-L

</group>

<sbr/>

<group>

<arg choice="plain"><option>--name

<arg choice="plain"><option>-n

</group>

<sbr/>

<group>

<arg choice="plain"><option>--email

<replaceable>ADDRESS</replaceable></option></arg>

100

<arg choice="plain"><option>-e

101

<replaceable>ADDRESS</replaceable></option></arg>

102

</group>

103

<sbr/>

104

<group>

105

<arg choice="plain"><option>--comment

106

107

<arg choice="plain"><option>-c

108

109

</group>

110

<sbr/>

111

<group>

112

<arg choice="plain"><option>--expire

113

114

<arg choice="plain"><option>-x

115

116

</group>

117

<sbr/>

118

<arg><option>--force</option></arg>

<replaceable>directory</replaceable></arg>

</group>

</group>

<arg choice="plain"><option>--length</option>

</group>

<arg choice="plain"><option>--subtype</option>

</group>

<arg choice="plain"><option>--sublength</option>

</group>

100

101

</group>

102

103

<arg choice="plain"><option>--email</option>

104

<replaceable>EMAIL</replaceable></arg>

105

</group>

106

107

<arg choice="plain"><option>--comment</option>

108

<replaceable>COMMENT</replaceable></arg>

109

</group>

110

111

<arg choice="plain"><option>--expire</option>

112

113

</group>

114

115

<arg choice="plain"><option>--force</option></arg>

116

</group>

117

</cmdsynopsis>

118

119

<command>&COMMANDNAME;</command>

120

121

122

<replaceable>directory</replaceable></arg>

123

</group>

124

125

126

127

</group>

128

129

130

131

</group>

132

133

134

135

</group>

136

137

138

139

</group>

140

141

142

143

</group>

144

145

146

<replaceable>EMAIL</replaceable></arg>

147

</group>

148

149

150

<replaceable>COMMENT</replaceable></arg>

151

</group>

152

153

154

155

</group>

156

157

158

</group>

119

159

</cmdsynopsis>

120

160

121

161

<command>&COMMANDNAME;</command>

122

162

163

123

164

<arg choice="plain"><option>--password</option></arg>

124

125

<arg choice="plain"><option>--passfile

126

127

128

129

</group>

130

<sbr/>

131

<group>

132

<arg choice="plain"><option>--dir

133

<replaceable>DIRECTORY</replaceable></option></arg>

134

<arg choice="plain"><option>-d

135

<replaceable>DIRECTORY</replaceable></option></arg>

136

</group>

137

<sbr/>

138

<group>

139

<arg choice="plain"><option>--name

140

141

<arg choice="plain"><option>-n

142

165

</group>

166

167

168

<replaceable>directory</replaceable></arg>

169

</group>

170

171

172

143

173

</group>

144

174

</cmdsynopsis>

145

175

146

176

<command>&COMMANDNAME;</command>

147

177

178

148

179

149

150

180

</group>

151

181

</cmdsynopsis>

152

182

153

183

<command>&COMMANDNAME;</command>

154

184

185

155

186

<arg choice="plain"><option>--version</option></arg>

156

157

187

</group>

158

188

</cmdsynopsis>

159

189

</refsynopsisdiv>

160

190

161

191

162

192

<title>DESCRIPTION</title>

163

193

<para>

164

194

<command>&COMMANDNAME;</command> is a program to generate the

165

OpenPGP key used by

166

<citerefentry><refentrytitle>mandos-client</refentrytitle>

167

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

195

OpenPGP keys used by

196

<citerefentry><refentrytitle>password-request</refentrytitle>

197

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

168

198

normally written to /etc/mandos for later installation into the

169

initrd image, but this, and most other things, can be changed

170

with command line options.

199

initrd image, but this, like most things, can be changed with

200

command line options.

171

201

</para>

172

202

<para>

173

This program can also be used with the

174

<option>--password</option> or <option>--passfile</option>

175

options to generate a ready-made section for

176

<filename>clients.conf</filename> (see

203

It can also be used to generate ready-made sections for

177

204

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

178

<manvolnum>5</manvolnum></citerefentry>).

205

<manvolnum>5</manvolnum></citerefentry> using the

206

<option>--password</option> option.

179

207

</para>

180

208

</refsect1>

181

209

182

210

183

211

<title>PURPOSE</title>

212

184

213

<para>

185

214

The purpose of this is to enable <emphasis>remote and unattended

186

215

rebooting</emphasis> of client host computer with an

187

216

<emphasis>encrypted root file system</emphasis>. See <xref

188

217

linkend="overview"/> for details.

189

218

</para>

219

190

220

</refsect1>

191

221

192

222

193

223

<title>OPTIONS</title>

194

224

195

225

196

226

197

198

227

199

228

200

229

<para>

201

230

Show a help message and exit

202

231

</para>

203

232

</listitem>

204

233

</varlistentry>

205

234

206

235

207

<term><option>--dir

208

<replaceable>DIRECTORY</replaceable></option></term>

209

<term><option>-d

210

<replaceable>DIRECTORY</replaceable></option></term>

236

<term><literal>-d</literal>, <literal>--dir

237

<replaceable>directory</replaceable></literal></term>

211

238

212

239

<para>

213

240

Target directory for key files. Default is

215

242

</para>

216

243

</listitem>

217

244

</varlistentry>

218

245

219

246

220

<term><option>--type

221

222

<term><option>-t

223

247

<term><literal>-t</literal>, <literal>--type

248

224

249

225

250

<para>

226

251

Key type. Default is <quote>DSA</quote>.

227

252

</para>

228

253

</listitem>

229

254

</varlistentry>

230

255

231

256

232

<term><option>--length

233

234

<term><option>-l

235

257

<term><literal>-l</literal>, <literal>--length

258

236

259

237

260

<para>

238

261

Key length in bits. Default is 2048.

239

262

</para>

240

263

</listitem>

241

264

</varlistentry>

242

265

243

266

244

<term><option>--subtype

245

<replaceable>KEYTYPE</replaceable></option></term>

246

<term><option>-s

247

<replaceable>KEYTYPE</replaceable></option></term>

267

<term><literal>-s</literal>, <literal>--subtype

268

248

269

249

270

<para>

250

271

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

252

273

</para>

253

274

</listitem>

254

275

</varlistentry>

255

276

256

277

257

<term><option>--sublength

258

259

<term><option>-L

260

278

<term><literal>-L</literal>, <literal>--sublength

279

261

280

262

281

<para>

263

282

Subkey length in bits. Default is 2048.

264

283

</para>

265

284

</listitem>

266

285

</varlistentry>

267

286

268

287

269

<term><option>--email

270

<replaceable>ADDRESS</replaceable></option></term>

271

<term><option>-e

272

<replaceable>ADDRESS</replaceable></option></term>

288

<term><literal>-e</literal>, <literal>--email</literal>

289

<replaceable>address</replaceable></term>

273

290

274

291

<para>

275

292

Email address of key. Default is empty.

276

293

</para>

277

294

</listitem>

278

295

</varlistentry>

279

296

280

297

281

<term><option>--comment

282

283

<term><option>-c

284

298

<term><literal>-c</literal>, <literal>--comment</literal>

299

<replaceable>comment</replaceable></term>

285

300

286

301

<para>

287

302

Comment field for key. The default value is

289

304

</para>

290

305

</listitem>

291

306

</varlistentry>

292

307

293

308

294

<term><option>--expire

295

296

<term><option>-x

297

309

<term><literal>-x</literal>, <literal>--expire</literal>

310

298

311

299

312

<para>

300

313

Key expire time. Default is no expiration. See

303

316

</para>

304

317

</listitem>

305

318

</varlistentry>

306

319

307

320

308

<term><option>--force</option></term>

309

321

<term><literal>-f</literal>, <literal>--force</literal></term>

310

322

311

323

<para>

312

Force overwriting old key.

324

Force overwriting old keys.

313

325

</para>

314

326

</listitem>

315

327

</varlistentry>

316

328

317

<term><option>--password</option></term>

318

329

<term><literal>-p</literal>, <literal>--password</literal

330

></term>

319

331

320

332

<para>

321

333

Prompt for a password and encrypt it with the key already

327

339

>8</manvolnum></citerefentry>. The host name or the name

328

340

specified with the <option>--name</option> option is used

329

341

for the section header. All other options are ignored,

330

and no key is created.

331

</para>

332

</listitem>

333

</varlistentry>

334

335

<term><option>--passfile

336

337

<term><option>-F

338

339

340

<para>

341

The same as <option>--password</option>, but read from

342

<replaceable>FILE</replaceable>, not the terminal.

342

and no keys are created.

343

</para>

344

</listitem>

345

</varlistentry>

346

</variablelist>

347

</refsect1>

348

349

350

<title>OVERVIEW</title>

351

<xi:include href="overview.xml"/>

352

<para>

353

This program is a small utility to generate new OpenPGP keys for

354

new Mandos clients, and to generate sections for inclusion in

355

<filename>clients.conf</filename> on the server.

354

new Mandos clients.

356

355

</para>

357

356

</refsect1>

358

357

359

358

360

359

<title>EXIT STATUS</title>

361

360

<para>

362

The exit status will be 0 if a new key (or password, if the

363

<option>--password</option> option was used) was successfully

364

created, otherwise not.

361

The exit status will be 0 if new keys were successfully created,

362

otherwise not.

365

363

</para>

366

364

</refsect1>

367

365

369

367

<title>ENVIRONMENT</title>

370

368

371

369

372

<term><envar>TMPDIR</envar></term>

370

<term><varname>TMPDIR</varname></term>

373

371

374

372

<para>

375

373

If set, temporary files will be created here. See

418

416

</varlistentry>

419

417

</variablelist>

420

418

</refsect1>

421

422

423

424

425

426

427

419

420

421

422

<para>

423

None are known at this time.

424

</para>

425

</refsect1>

426

428

427

429

428

<title>EXAMPLE</title>

430

429

437

436

</informalexample>

438

437

439

438

<para>

440

Create key in another directory and of another type. Force

439

Create keys in another directory and of another type. Force

441

440

overwriting old key files:

442

441

</para>

443

442

<para>

447

446

448

447

</para>

449

448

</informalexample>

450

451

<para>

452

Prompt for a password, encrypt it with the key in

453

<filename>/etc/mandos</filename> and output a section suitable

454

for <filename>clients.conf</filename>.

455

</para>

456

<para>

457

<userinput>&COMMANDNAME; --password</userinput>

458

</para>

459

</informalexample>

460

461

<para>

462

Prompt for a password, encrypt it with the key in the

463

<filename>client-key</filename> directory and output a section

464

suitable for <filename>clients.conf</filename>.

465

</para>

466

<para>

467

468

469

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

470

471

</para>

472

</informalexample>

473

449

</refsect1>

474

450

475

451

476

452

<title>SECURITY</title>

477

453

<para>

478

454

The <option>--type</option>, <option>--length</option>,

479

455

<option>--subtype</option>, and <option>--sublength</option>

480

options can be used to create keys of low security. If in

481

doubt, leave them to the default values.

456

options can be used to create keys of insufficient security. If

457

in doubt, leave them to the default values.

482

458

</para>

483

459

<para>

484

The key expire time is <emphasis>not</emphasis> guaranteed to be

485

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

460

The key expire time is not guaranteed to be honored by

461

<citerefentry><refentrytitle>mandos</refentrytitle>

486

462

<manvolnum>8</manvolnum></citerefentry>.

487

463

</para>

488

464

</refsect1>

489

465

490

466

491

467

492

468

<para>

493

469

494

470

<manvolnum>1</manvolnum></citerefentry>,

495

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

496

<manvolnum>5</manvolnum></citerefentry>,

497

471

<citerefentry><refentrytitle>mandos</refentrytitle>

498

472

<manvolnum>8</manvolnum></citerefentry>,

499

<citerefentry><refentrytitle>mandos-client</refentrytitle>

473

<citerefentry><refentrytitle>password-request</refentrytitle>

500

474

<manvolnum>8mandos</manvolnum></citerefentry>

501

475

</para>

502

476

</refsect1>

Older »