1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
<!ENTITY VERSION "1.0">
4
5
<!ENTITY COMMANDNAME "mandos-keygen">
5
<!ENTITY TIMESTAMP "2008-10-03">
6
<!ENTITY % common SYSTEM "common.ent">
6
<!ENTITY TIMESTAMP "2008-08-30">
10
9
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
35
34
<holder>Teddy Hogeborn</holder>
36
35
<holder>Björn Påhlsson</holder>
38
<xi:include href="legalnotice.xml"/>
39
This manual page is free software: you can redistribute it
40
and/or modify it under the terms of the GNU General Public
41
License as published by the Free Software Foundation,
42
either version 3 of the License, or (at your option) any
47
This manual page is distributed in the hope that it will
48
be useful, but WITHOUT ANY WARRANTY; without even the
49
implied warranty of MERCHANTABILITY or FITNESS FOR A
50
PARTICULAR PURPOSE. See the GNU General Public License
55
You should have received a copy of the GNU General Public
56
License along with this program; If not, see
57
<ulink url="http://www.gnu.org/licenses/"/>.
42
63
<refentrytitle>&COMMANDNAME;</refentrytitle>
43
64
<manvolnum>8</manvolnum>
122
144
<command>&COMMANDNAME;</command>
123
145
<group choice="req">
146
<arg choice="plain"><option>-p</option></arg>
124
147
<arg choice="plain"><option>--password</option></arg>
125
<arg choice="plain"><option>-p</option></arg>
126
<arg choice="plain"><option>--passfile
127
<replaceable>FILE</replaceable></option></arg>
128
<arg choice="plain"><option>-F</option>
129
<replaceable>FILE</replaceable></arg>
147
165
<command>&COMMANDNAME;</command>
148
166
<group choice="req">
167
<arg choice="plain"><option>-h</option></arg>
149
168
<arg choice="plain"><option>--help</option></arg>
150
<arg choice="plain"><option>-h</option></arg>
154
172
<command>&COMMANDNAME;</command>
155
173
<group choice="req">
174
<arg choice="plain"><option>-v</option></arg>
156
175
<arg choice="plain"><option>--version</option></arg>
157
<arg choice="plain"><option>-v</option></arg>
160
178
</refsynopsisdiv>
162
180
<refsect1 id="description">
163
181
<title>DESCRIPTION</title>
165
183
<command>&COMMANDNAME;</command> is a program to generate the
167
<citerefentry><refentrytitle>mandos-client</refentrytitle>
168
<manvolnum>8mandos</manvolnum></citerefentry>. The key is
185
<citerefentry><refentrytitle>password-request</refentrytitle>
186
<manvolnum>8mandos</manvolnum></citerefentry>. The keys are
169
187
normally written to /etc/mandos for later installation into the
170
initrd image, but this, and most other things, can be changed
171
with command line options.
188
initrd image, but this, like most things, can be changed with
189
command line options.
174
This program can also be used with the
175
<option>--password</option> or <option>--passfile</option>
176
options to generate a ready-made section for
177
<filename>clients.conf</filename> (see
192
It can also be used to generate ready-made sections for
178
193
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
179
<manvolnum>5</manvolnum></citerefentry>).
194
<manvolnum>5</manvolnum></citerefentry> using the
195
<option>--password</option> option.
183
199
<refsect1 id="purpose">
184
200
<title>PURPOSE</title>
186
203
The purpose of this is to enable <emphasis>remote and unattended
187
204
rebooting</emphasis> of client host computer with an
188
205
<emphasis>encrypted root file system</emphasis>. See <xref
189
206
linkend="overview"/> for details.
193
211
<refsect1 id="options">
194
212
<title>OPTIONS</title>
198
<term><option>--help</option></term>
199
<term><option>-h</option></term>
216
<term><literal>-h</literal>, <literal>--help</literal></term>
202
219
Show a help message and exit
209
<replaceable>DIRECTORY</replaceable></option></term>
211
<replaceable>DIRECTORY</replaceable></option></term>
225
<term><literal>-d</literal>, <literal>--dir
226
<replaceable>directory</replaceable></literal></term>
214
229
Target directory for key files. Default is
222
<replaceable>TYPE</replaceable></option></term>
224
<replaceable>TYPE</replaceable></option></term>
236
<term><literal>-t</literal>, <literal>--type
237
<replaceable>type</replaceable></literal></term>
227
240
Key type. Default is <quote>DSA</quote>.
233
<term><option>--length
234
<replaceable>BITS</replaceable></option></term>
236
<replaceable>BITS</replaceable></option></term>
246
<term><literal>-l</literal>, <literal>--length
247
<replaceable>bits</replaceable></literal></term>
239
250
Key length in bits. Default is 2048.
245
<term><option>--subtype
246
<replaceable>KEYTYPE</replaceable></option></term>
248
<replaceable>KEYTYPE</replaceable></option></term>
256
<term><literal>-s</literal>, <literal>--subtype
257
<replaceable>type</replaceable></literal></term>
251
260
Subkey type. Default is <quote>ELG-E</quote> (Elgamal
258
<term><option>--sublength
259
<replaceable>BITS</replaceable></option></term>
261
<replaceable>BITS</replaceable></option></term>
267
<term><literal>-L</literal>, <literal>--sublength
268
<replaceable>bits</replaceable></literal></term>
264
271
Subkey length in bits. Default is 2048.
270
<term><option>--email
271
<replaceable>ADDRESS</replaceable></option></term>
273
<replaceable>ADDRESS</replaceable></option></term>
277
<term><literal>-e</literal>, <literal>--email</literal>
278
<replaceable>address</replaceable></term>
276
281
Email address of key. Default is empty.
282
<term><option>--comment
283
<replaceable>TEXT</replaceable></option></term>
285
<replaceable>TEXT</replaceable></option></term>
287
<term><literal>-c</literal>, <literal>--comment</literal>
288
<replaceable>comment</replaceable></term>
288
291
Comment field for key. The default value is
309
<term><option>--force</option></term>
310
<term><option>-f</option></term>
310
<term><literal>-f</literal>, <literal>--force</literal></term>
313
Force overwriting old key.
313
Force overwriting old keys.
318
<term><option>--password</option></term>
319
<term><option>-p</option></term>
318
<term><literal>-p</literal>, <literal>--password</literal
322
322
Prompt for a password and encrypt it with the key already
328
328
>8</manvolnum></citerefentry>. The host name or the name
329
329
specified with the <option>--name</option> option is used
330
330
for the section header. All other options are ignored,
331
and no key is created.
336
<term><option>--passfile
337
<replaceable>FILE</replaceable></option></term>
339
<replaceable>FILE</replaceable></option></term>
342
The same as <option>--password</option>, but read from
343
<replaceable>FILE</replaceable>, not the terminal.
331
and no keys are created.
350
338
<refsect1 id="overview">
351
339
<title>OVERVIEW</title>
352
340
<xi:include href="overview.xml"/>
354
342
This program is a small utility to generate new OpenPGP keys for
355
new Mandos clients, and to generate sections for inclusion in
356
<filename>clients.conf</filename> on the server.
360
347
<refsect1 id="exit_status">
361
348
<title>EXIT STATUS</title>
363
The exit status will be 0 if a new key (or password, if the
364
<option>--password</option> option was used) was successfully
365
created, otherwise not.
350
The exit status will be 0 if new keys were successfully created,
450
437
</informalexample>
453
Prompt for a password, encrypt it with the key in
454
<filename>/etc/mandos</filename> and output a section suitable
455
for <filename>clients.conf</filename>.
458
<userinput>&COMMANDNAME; --password</userinput>
463
Prompt for a password, encrypt it with the key in the
464
<filename>client-key</filename> directory and output a section
465
suitable for <filename>clients.conf</filename>.
469
<!-- do not wrap this line -->
470
<userinput>&COMMANDNAME; --password --dir client-key</userinput>
476
440
<refsect1 id="security">
477
441
<title>SECURITY</title>
479
443
The <option>--type</option>, <option>--length</option>,
480
444
<option>--subtype</option>, and <option>--sublength</option>
481
options can be used to create keys of low security. If in
482
doubt, leave them to the default values.
445
options can be used to create keys of insufficient security. If
446
in doubt, leave them to the default values.
485
The key expire time is <emphasis>not</emphasis> guaranteed to be
486
honored by <citerefentry><refentrytitle>mandos</refentrytitle>
449
The key expire time is not guaranteed to be honored by
450
<citerefentry><refentrytitle>mandos</refentrytitle>
487
451
<manvolnum>8</manvolnum></citerefentry>.
491
455
<refsect1 id="see_also">
492
456
<title>SEE ALSO</title>
494
458
<citerefentry><refentrytitle>gpg</refentrytitle>
495
459
<manvolnum>1</manvolnum></citerefentry>,
496
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
497
<manvolnum>5</manvolnum></citerefentry>,
498
460
<citerefentry><refentrytitle>mandos</refentrytitle>
499
461
<manvolnum>8</manvolnum></citerefentry>,
500
<citerefentry><refentrytitle>mandos-client</refentrytitle>
462
<citerefentry><refentrytitle>password-request</refentrytitle>
501
463
<manvolnum>8mandos</manvolnum></citerefentry>