/mandos/trunk : revision 24.1.75

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Björn Påhlsson
Date: 2008-08-30 19:59:42 UTC
mfrom: (121 mandos)
mto: (24.1.154 mandos) (237.4.3 mandos-release)
mto: This revision was merged to the branch mainline in revision 132.
Revision ID: belorn@braxen-20080830195942-o76ct0zo0ximvgfz

merge

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-tools-conf

initramfs-tools-script-stop

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2018-02-08">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-08-30">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Generate key and password for Mandos client and server.

Generate keys for <citerefentry><refentrytitle>password-request

</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

126

138

127

139

</group>

128

140

<sbr/>

129

<group>

130

<arg choice="plain"><option>--force</option></arg>

131

132

</group>

141

<arg><option>--force</option></arg>

133

142

</cmdsynopsis>

134

143

135

144

<command>&COMMANDNAME;</command>

136

145

146

137

147

<arg choice="plain"><option>--password</option></arg>

138

139

<arg choice="plain"><option>--passfile

140

141

142

143

148

</group>

144

149

<sbr/>

145

150

<group>

155

160

<arg choice="plain"><option>-n

156

161

157

162

</group>

158

<group>

159

160

161

</group>

162

163

</cmdsynopsis>

163

164

164

165

<command>&COMMANDNAME;</command>

165

166

167

166

168

167

168

169

</group>

169

170

</cmdsynopsis>

170

171

171

172

<command>&COMMANDNAME;</command>

172

173

174

173

175

<arg choice="plain"><option>--version</option></arg>

174

175

176

</group>

176

177

</cmdsynopsis>

177

178

</refsynopsisdiv>

178

179

180

180

181

<title>DESCRIPTION</title>

181

182

<para>

182

183

<command>&COMMANDNAME;</command> is a program to generate the

183

OpenPGP key used by

184

<citerefentry><refentrytitle>mandos-client</refentrytitle>

185

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

184

OpenPGP keys used by

185

<citerefentry><refentrytitle>password-request</refentrytitle>

186

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

186

187

normally written to /etc/mandos for later installation into the

187

initrd image, but this, and most other things, can be changed

188

with command line options.

188

initrd image, but this, like most things, can be changed with

189

command line options.

189

190

</para>

190

191

<para>

191

This program can also be used with the

192

<option>--password</option> or <option>--passfile</option>

193

options to generate a ready-made section for

194

<filename>clients.conf</filename> (see

192

It can also be used to generate ready-made sections for

195

193

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

196

<manvolnum>5</manvolnum></citerefentry>).

194

<manvolnum>5</manvolnum></citerefentry> using the

195

<option>--password</option> option.

197

196

</para>

198

197

</refsect1>

199

198

200

199

201

200

<title>PURPOSE</title>

201

202

<para>

203

The purpose of this is to enable <emphasis>remote and unattended

204

rebooting</emphasis> of client host computer with an

205

<emphasis>encrypted root file system</emphasis>. See <xref

206

linkend="overview"/> for details.

207

</para>

208

209

</refsect1>

209

210

211

211

212

<title>OPTIONS</title>

212

213

214

214

215

215

216

216

217

218

<para>

219

Show a help message and exit

220

</para>

221

</listitem>

222

</varlistentry>

223

224

225

<term><option>--dir

226

<replaceable>DIRECTORY</replaceable></option></term>

227

<term><option>-d

228

<replaceable>DIRECTORY</replaceable></option></term>

225

<term><literal>-d</literal>, <literal>--dir

226

<replaceable>directory</replaceable></literal></term>

229

227

230

228

<para>

231

229

Target directory for key files. Default is

232

<filename class="directory">/etc/mandos</filename>.

233

</para>

234

</listitem>

235

</varlistentry>

236

237

238

<term><option>--type

239

240

<term><option>-t

241

242

243

<para>

244

Key type. Default is <quote>RSA</quote>.

245

</para>

246

</listitem>

247

</varlistentry>

248

249

250

<term><option>--length

251

252

<term><option>-l

253

254

255

<para>

256

Key length in bits. Default is 4096.

257

</para>

258

</listitem>

259

</varlistentry>

260

261

262

<term><option>--subtype

263

<replaceable>KEYTYPE</replaceable></option></term>

264

<term><option>-s

265

<replaceable>KEYTYPE</replaceable></option></term>

266

267

<para>

268

Subkey type. Default is <quote>RSA</quote> (Elgamal

230

<filename>/etc/mandos</filename>.

231

</para>

232

</listitem>

233

</varlistentry>

234

235

236

<term><literal>-t</literal>, <literal>--type

237

238

239

<para>

240

Key type. Default is <quote>DSA</quote>.

241

</para>

242

</listitem>

243

</varlistentry>

244

245

246

<term><literal>-l</literal>, <literal>--length

247

248

249

<para>

250

Key length in bits. Default is 2048.

251

</para>

252

</listitem>

253

</varlistentry>

254

255

256

<term><literal>-s</literal>, <literal>--subtype

257

258

259

<para>

260

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

269

261

encryption-only).

270

262

</para>

271

263

</listitem>

272

264

</varlistentry>

273

265

274

266

275

<term><option>--sublength

276

277

<term><option>-L

278

267

<term><literal>-L</literal>, <literal>--sublength

268

279

269

280

270

<para>

281

Subkey length in bits. Default is 4096.

271

Subkey length in bits. Default is 2048.

282

272

</para>

283

273

</listitem>

284

274

</varlistentry>

285

275

286

276

287

<term><option>--email

288

<replaceable>ADDRESS</replaceable></option></term>

289

<term><option>-e

290

<replaceable>ADDRESS</replaceable></option></term>

277

<term><literal>-e</literal>, <literal>--email</literal>

278

<replaceable>address</replaceable></term>

291

279

292

280

<para>

293

281

Email address of key. Default is empty.

294

282

</para>

295

283

</listitem>

296

284

</varlistentry>

297

285

298

286

299

<term><option>--comment

300

301

<term><option>-c

302

287

<term><literal>-c</literal>, <literal>--comment</literal>

288

<replaceable>comment</replaceable></term>

303

289

304

290

<para>

305

Comment field for key. Default is empty.

291

Comment field for key. The default value is

292

<quote><literal>Mandos client key</literal></quote>.

306

293

</para>

307

294

</listitem>

308

295

</varlistentry>

309

296

310

297

311

<term><option>--expire

312

313

<term><option>-x

314

298

<term><literal>-x</literal>, <literal>--expire</literal>

299

315

300

316

301

<para>

317

302

Key expire time. Default is no expiration. See

320

305

</para>

321

306

</listitem>

322

307

</varlistentry>

323

308

324

309

325

<term><option>--force</option></term>

326

310

<term><literal>-f</literal>, <literal>--force</literal></term>

327

311

328

312

<para>

329

Force overwriting old key.

313

Force overwriting old keys.

330

314

</para>

331

315

</listitem>

332

316

</varlistentry>

333

317

334

<term><option>--password</option></term>

335

318

<term><literal>-p</literal>, <literal>--password</literal

319

></term>

336

320

337

321

<para>

338

322

Prompt for a password and encrypt it with the key already

344

328

>8</manvolnum></citerefentry>. The host name or the name

345

329

specified with the <option>--name</option> option is used

346

330

for the section header. All other options are ignored,

347

and no key is created.

348

</para>

349

</listitem>

350

</varlistentry>

351

352

<term><option>--passfile

353

354

<term><option>-F

355

356

357

<para>

358

The same as <option>--password</option>, but read from

359

<replaceable>FILE</replaceable>, not the terminal.

360

</para>

361

</listitem>

362

</varlistentry>

363

364

365

366

367

<para>

368

When <option>--password</option> or

369

<option>--passfile</option> is given, this option will

370

prevent <command>&COMMANDNAME;</command> from calling

371

<command>ssh-keyscan</command> to get an SSH fingerprint

372

for this host and, if successful, output suitable config

373

options to use this fingerprint as a

374

<option>checker</option> option in the output. This is

375

otherwise the default behavior.

331

and no keys are created.

376

332

</para>

377

333

</listitem>

378

334

</varlistentry>

379

335

</variablelist>

380

336

</refsect1>

381

337

382

338

383

339

<title>OVERVIEW</title>

384

340

<xi:include href="overview.xml"/>

385

341

<para>

386

342

This program is a small utility to generate new OpenPGP keys for

387

new Mandos clients, and to generate sections for inclusion in

388

<filename>clients.conf</filename> on the server.

343

new Mandos clients.

389

344

</para>

390

345

</refsect1>

391

346

392

347

393

348

<title>EXIT STATUS</title>

394

349

<para>

395

The exit status will be 0 if a new key (or password, if the

396

<option>--password</option> option was used) was successfully

397

created, otherwise not.

350

The exit status will be 0 if new keys were successfully created,

351

otherwise not.

398

352

</para>

399

353

</refsect1>

400

354

414

368

</variablelist>

415

369

</refsect1>

416

370

417

371

418

372

<title>FILES</title>

419

373

<para>

420

374

Use the <option>--dir</option> option to change where

441

395

</listitem>

442

396

</varlistentry>

443

397

444

398

445

399

446

400

<para>

447

401

Temporary files will be written here if

451

405

</varlistentry>

452

406

</variablelist>

453

407

</refsect1>

454

408

455

409

456

410

457

<xi:include href="bugs.xml"/>

411

<para>

412

None are known at this time.

413

</para>

458

414

</refsect1>

459

415

460

416

461

417

<title>EXAMPLE</title>

462

418

469

425

</informalexample>

470

426

471

427

<para>

472

Create key in another directory and of another type. Force

428

Create keys in another directory and of another type. Force

473

429

overwriting old key files:

474

430

</para>

475

431

<para>

479

435

480

436

</para>

481

437

</informalexample>

482

483

<para>

484

Prompt for a password, encrypt it with the key in <filename

485

class="directory">/etc/mandos</filename> and output a section

486

suitable for <filename>clients.conf</filename>.

487

</para>

488

<para>

489

<userinput>&COMMANDNAME; --password</userinput>

490

</para>

491

</informalexample>

492

493

<para>

494

Prompt for a password, encrypt it with the key in the

495

<filename>client-key</filename> directory and output a section

496

suitable for <filename>clients.conf</filename>.

497

</para>

498

<para>

499

500

501

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

502

503

</para>

504

</informalexample>

505

438

</refsect1>

506

439

507

440

508

441

<title>SECURITY</title>

509

442

<para>

510

443

The <option>--type</option>, <option>--length</option>,

511

444

<option>--subtype</option>, and <option>--sublength</option>

512

options can be used to create keys of low security. If in

513

doubt, leave them to the default values.

445

options can be used to create keys of insufficient security. If

446

in doubt, leave them to the default values.

514

447

</para>

515

448

<para>

516

The key expire time is <emphasis>not</emphasis> guaranteed to be

517

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

449

The key expire time is not guaranteed to be honored by

450

<citerefentry><refentrytitle>mandos</refentrytitle>

518

451

<manvolnum>8</manvolnum></citerefentry>.

519

452

</para>

520

453

</refsect1>

521

454

522

455

523

456

524

457

<para>

525

<citerefentry><refentrytitle>intro</refentrytitle>

526

<manvolnum>8mandos</manvolnum></citerefentry>,

527

458

528

459

<manvolnum>1</manvolnum></citerefentry>,

529

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

530

<manvolnum>5</manvolnum></citerefentry>,

531

460

<citerefentry><refentrytitle>mandos</refentrytitle>

532

461

<manvolnum>8</manvolnum></citerefentry>,

533

<citerefentry><refentrytitle>mandos-client</refentrytitle>

534

<manvolnum>8mandos</manvolnum></citerefentry>,

535

<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>

536

462

<citerefentry><refentrytitle>password-request</refentrytitle>

463

<manvolnum>8mandos</manvolnum></citerefentry>

537

464

</para>

538

465

</refsect1>

539

466

Older »