/mandos/trunk : revision 24.1.73

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Björn Påhlsson
Date: 2008-08-29 09:32:06 UTC
mfrom: (114 mandos)
mto: (24.1.154 mandos) (237.4.3 mandos-release)
mto: This revision was merged to the branch mainline in revision 132.
Revision ID: belorn@braxen-20080829093206-12p8xfyduzkpf618

merge

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2017-02-23">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-08-29">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Generate key and password for Mandos client and server.

Generate keys for <citerefentry><refentrytitle>password-request

</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--dir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--type

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-t

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--length

<arg choice="plain"><option>-l

</group>

<sbr/>

<group>

<arg choice="plain"><option>--subtype

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-s

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--sublength

<arg choice="plain"><option>-L

</group>

<sbr/>

100

<group>

101

<arg choice="plain"><option>--name

102

103

<arg choice="plain"><option>-n

104

105

</group>

106

<sbr/>

107

<group>

108

<arg choice="plain"><option>--email

109

<replaceable>ADDRESS</replaceable></option></arg>

110

<arg choice="plain"><option>-e

111

<replaceable>ADDRESS</replaceable></option></arg>

112

</group>

113

<sbr/>

114

<group>

115

<arg choice="plain"><option>--comment

116

117

<arg choice="plain"><option>-c

118

119

</group>

120

<sbr/>

121

<group>

122

<arg choice="plain"><option>--expire

123

124

<arg choice="plain"><option>-x

125

126

</group>

127

<sbr/>

128

<group>

<replaceable>directory</replaceable></arg>

</group>

</group>

<arg choice="plain"><option>--length</option>

</group>

<arg choice="plain"><option>--subtype</option>

</group>

<arg choice="plain"><option>--sublength</option>

</group>

100

101

</group>

102

103

<arg choice="plain"><option>--email</option>

104

<replaceable>EMAIL</replaceable></arg>

105

</group>

106

107

<arg choice="plain"><option>--comment</option>

108

<replaceable>COMMENT</replaceable></arg>

109

</group>

110

111

<arg choice="plain"><option>--expire</option>

112

113

</group>

114

129

115

<arg choice="plain"><option>--force</option></arg>

116

</group>

117

</cmdsynopsis>

118

119

<command>&COMMANDNAME;</command>

120

121

122

<replaceable>directory</replaceable></arg>

123

</group>

124

125

126

127

</group>

128

129

130

131

</group>

132

133

134

135

</group>

136

137

138

139

</group>

140

141

142

143

</group>

144

145

146

<replaceable>EMAIL</replaceable></arg>

147

</group>

148

149

150

<replaceable>COMMENT</replaceable></arg>

151

</group>

152

153

154

155

</group>

156

130

157

131

158

</group>

132

159

</cmdsynopsis>

133

160

134

161

<command>&COMMANDNAME;</command>

135

162

163

136

164

<arg choice="plain"><option>--password</option></arg>

137

138

<arg choice="plain"><option>--passfile

139

140

141

142

</group>

143

<sbr/>

144

<group>

145

<arg choice="plain"><option>--dir

146

<replaceable>DIRECTORY</replaceable></option></arg>

147

<arg choice="plain"><option>-d

148

<replaceable>DIRECTORY</replaceable></option></arg>

149

</group>

150

<sbr/>

151

<group>

152

<arg choice="plain"><option>--name

153

154

<arg choice="plain"><option>-n

155

156

</group>

157

<group>

158

159

165

</group>

166

167

168

<replaceable>directory</replaceable></arg>

169

</group>

170

171

172

160

173

</group>

161

174

</cmdsynopsis>

162

175

163

176

<command>&COMMANDNAME;</command>

164

177

178

165

179

166

167

180

</group>

168

181

</cmdsynopsis>

169

182

170

183

<command>&COMMANDNAME;</command>

171

184

185

172

186

<arg choice="plain"><option>--version</option></arg>

173

174

187

</group>

175

188

</cmdsynopsis>

176

189

</refsynopsisdiv>

177

190

178

191

179

192

<title>DESCRIPTION</title>

180

193

<para>

181

194

<command>&COMMANDNAME;</command> is a program to generate the

182

OpenPGP key used by

183

<citerefentry><refentrytitle>mandos-client</refentrytitle>

184

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

195

OpenPGP keys used by

196

<citerefentry><refentrytitle>password-request</refentrytitle>

197

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

185

198

normally written to /etc/mandos for later installation into the

186

initrd image, but this, and most other things, can be changed

187

with command line options.

199

initrd image, but this, like most things, can be changed with

200

command line options.

188

201

</para>

189

202

<para>

190

This program can also be used with the

191

<option>--password</option> or <option>--passfile</option>

192

options to generate a ready-made section for

193

<filename>clients.conf</filename> (see

203

It can also be used to generate ready-made sections for

194

204

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

195

<manvolnum>5</manvolnum></citerefentry>).

205

<manvolnum>5</manvolnum></citerefentry> using the

206

<option>--password</option> option.

196

207

</para>

197

208

</refsect1>

198

209

199

210

200

211

<title>PURPOSE</title>

212

201

213

<para>

202

214

The purpose of this is to enable <emphasis>remote and unattended

203

215

rebooting</emphasis> of client host computer with an

204

216

<emphasis>encrypted root file system</emphasis>. See <xref

205

217

linkend="overview"/> for details.

206

218

</para>

219

207

220

</refsect1>

208

221

209

222

210

223

<title>OPTIONS</title>

211

224

212

225

213

226

214

215

227

216

228

217

229

<para>

218

230

Show a help message and exit

219

231

</para>

220

232

</listitem>

221

233

</varlistentry>

222

234

223

235

224

<term><option>--dir

225

<replaceable>DIRECTORY</replaceable></option></term>

226

<term><option>-d

227

<replaceable>DIRECTORY</replaceable></option></term>

236

<term><literal>-d</literal>, <literal>--dir

237

<replaceable>directory</replaceable></literal></term>

228

238

229

239

<para>

230

240

Target directory for key files. Default is

231

<filename class="directory">/etc/mandos</filename>.

232

</para>

233

</listitem>

234

</varlistentry>

235

236

237

<term><option>--type

238

239

<term><option>-t

240

241

242

<para>

243

Key type. Default is <quote>RSA</quote>.

244

</para>

245

</listitem>

246

</varlistentry>

247

248

249

<term><option>--length

250

251

<term><option>-l

252

253

254

<para>

255

Key length in bits. Default is 4096.

256

</para>

257

</listitem>

258

</varlistentry>

259

260

261

<term><option>--subtype

262

<replaceable>KEYTYPE</replaceable></option></term>

263

<term><option>-s

264

<replaceable>KEYTYPE</replaceable></option></term>

265

266

<para>

267

Subkey type. Default is <quote>RSA</quote> (Elgamal

241

<filename>/etc/mandos</filename>.

242

</para>

243

</listitem>

244

</varlistentry>

245

246

247

<term><literal>-t</literal>, <literal>--type

248

249

250

<para>

251

Key type. Default is <quote>DSA</quote>.

252

</para>

253

</listitem>

254

</varlistentry>

255

256

257

<term><literal>-l</literal>, <literal>--length

258

259

260

<para>

261

Key length in bits. Default is 2048.

262

</para>

263

</listitem>

264

</varlistentry>

265

266

267

<term><literal>-s</literal>, <literal>--subtype

268

269

270

<para>

271

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

268

272

encryption-only).

269

273

</para>

270

274

</listitem>

271

275

</varlistentry>

272

276

273

277

274

<term><option>--sublength

275

276

<term><option>-L

277

278

<term><literal>-L</literal>, <literal>--sublength

279

278

280

279

281

<para>

280

Subkey length in bits. Default is 4096.

282

Subkey length in bits. Default is 2048.

281

283

</para>

282

284

</listitem>

283

285

</varlistentry>

284

286

285

287

286

<term><option>--email

287

<replaceable>ADDRESS</replaceable></option></term>

288

<term><option>-e

289

<replaceable>ADDRESS</replaceable></option></term>

288

<term><literal>-e</literal>, <literal>--email</literal>

289

<replaceable>address</replaceable></term>

290

291

<para>

292

Email address of key. Default is empty.

293

</para>

294

</listitem>

295

</varlistentry>

296

297

298

<term><option>--comment

299

300

<term><option>-c

301

298

<term><literal>-c</literal>, <literal>--comment</literal>

299

<replaceable>comment</replaceable></term>

302

300

303

301

<para>

304

Comment field for key. Default is empty.

302

Comment field for key. The default value is

303

<quote><literal>Mandos client key</literal></quote>.

305

304

</para>

306

305

</listitem>

307

306

</varlistentry>

308

307

309

308

310

<term><option>--expire

311

312

<term><option>-x

313

309

<term><literal>-x</literal>, <literal>--expire</literal>

310

314

311

315

312

<para>

316

313

Key expire time. Default is no expiration. See

319

316

</para>

320

317

</listitem>

321

318

</varlistentry>

322

319

323

320

324

<term><option>--force</option></term>

325

321

<term><literal>-f</literal>, <literal>--force</literal></term>

326

322

327

323

<para>

328

Force overwriting old key.

324

Force overwriting old keys.

329

325

</para>

330

326

</listitem>

331

327

</varlistentry>

332

328

333

<term><option>--password</option></term>

334

329

<term><literal>-p</literal>, <literal>--password</literal

330

></term>

335

331

336

332

<para>

337

333

Prompt for a password and encrypt it with the key already

343

339

>8</manvolnum></citerefentry>. The host name or the name

344

340

specified with the <option>--name</option> option is used

345

341

for the section header. All other options are ignored,

346

and no key is created.

347

</para>

348

</listitem>

349

</varlistentry>

350

351

<term><option>--passfile

352

353

<term><option>-F

354

355

356

<para>

357

The same as <option>--password</option>, but read from

358

<replaceable>FILE</replaceable>, not the terminal.

359

</para>

360

</listitem>

361

</varlistentry>

362

363

364

365

366

<para>

367

When <option>--password</option> or

368

<option>--passfile</option> is given, this option will

369

prevent <command>&COMMANDNAME;</command> from calling

370

<command>ssh-keyscan</command> to get an SSH fingerprint

371

for this host and, if successful, output suitable config

372

options to use this fingerprint as a

373

<option>checker</option> option in the output. This is

374

otherwise the default behavior.

342

and no keys are created.

375

343

</para>

376

344

</listitem>

377

345

</varlistentry>

378

346

</variablelist>

379

347

</refsect1>

380

348

381

349

382

350

<title>OVERVIEW</title>

383

351

<xi:include href="overview.xml"/>

384

352

<para>

385

353

This program is a small utility to generate new OpenPGP keys for

386

new Mandos clients, and to generate sections for inclusion in

387

<filename>clients.conf</filename> on the server.

354

new Mandos clients.

388

355

</para>

389

356

</refsect1>

390

357

391

358

392

359

<title>EXIT STATUS</title>

393

360

<para>

394

The exit status will be 0 if a new key (or password, if the

395

<option>--password</option> option was used) was successfully

396

created, otherwise not.

361

The exit status will be 0 if new keys were successfully created,

362

otherwise not.

397

363

</para>

398

364

</refsect1>

399

365

401

367

<title>ENVIRONMENT</title>

402

368

403

369

404

<term><envar>TMPDIR</envar></term>

370

<term><varname>TMPDIR</varname></term>

405

371

406

372

<para>

407

373

If set, temporary files will be created here. See

413

379

</variablelist>

414

380

</refsect1>

415

381

416

382

417

383

<title>FILES</title>

418

384

<para>

419

385

Use the <option>--dir</option> option to change where

440

406

</listitem>

441

407

</varlistentry>

442

408

443

409

444

410

445

411

<para>

446

412

Temporary files will be written here if

450

416

</varlistentry>

451

417

</variablelist>

452

418

</refsect1>

453

419

454

420

455

421

456

<xi:include href="bugs.xml"/>

422

<para>

423

None are known at this time.

424

</para>

457

425

</refsect1>

458

426

459

427

460

428

<title>EXAMPLE</title>

461

429

468

436

</informalexample>

469

437

470

438

<para>

471

Create key in another directory and of another type. Force

439

Create keys in another directory and of another type. Force

472

440

overwriting old key files:

473

441

</para>

474

442

<para>

478

446

479

447

</para>

480

448

</informalexample>

481

482

<para>

483

Prompt for a password, encrypt it with the key in <filename

484

class="directory">/etc/mandos</filename> and output a section

485

suitable for <filename>clients.conf</filename>.

486

</para>

487

<para>

488

<userinput>&COMMANDNAME; --password</userinput>

489

</para>

490

</informalexample>

491

492

<para>

493

Prompt for a password, encrypt it with the key in the

494

<filename>client-key</filename> directory and output a section

495

suitable for <filename>clients.conf</filename>.

496

</para>

497

<para>

498

499

500

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

501

502

</para>

503

</informalexample>

504

449

</refsect1>

505

450

506

451

507

452

<title>SECURITY</title>

508

453

<para>

509

454

The <option>--type</option>, <option>--length</option>,

510

455

<option>--subtype</option>, and <option>--sublength</option>

511

options can be used to create keys of low security. If in

512

doubt, leave them to the default values.

456

options can be used to create keys of insufficient security. If

457

in doubt, leave them to the default values.

513

458

</para>

514

459

<para>

515

The key expire time is <emphasis>not</emphasis> guaranteed to be

516

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

460

The key expire time is not guaranteed to be honored by

461

<citerefentry><refentrytitle>mandos</refentrytitle>

517

462

<manvolnum>8</manvolnum></citerefentry>.

518

463

</para>

519

464

</refsect1>

520

465

521

466

522

467

523

468

<para>

524

<citerefentry><refentrytitle>intro</refentrytitle>

525

<manvolnum>8mandos</manvolnum></citerefentry>,

526

469

527

470

<manvolnum>1</manvolnum></citerefentry>,

528

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

529

<manvolnum>5</manvolnum></citerefentry>,

530

471

<citerefentry><refentrytitle>mandos</refentrytitle>

531

472

<manvolnum>8</manvolnum></citerefentry>,

532

<citerefentry><refentrytitle>mandos-client</refentrytitle>

533

<manvolnum>8mandos</manvolnum></citerefentry>,

534

<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>

535

473

<citerefentry><refentrytitle>password-request</refentrytitle>

474

<manvolnum>8mandos</manvolnum></citerefentry>

536

475

</para>

537

476

</refsect1>

538

477

Older »