/mandos/trunk : revision 330

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2009-04-03 03:36:08 UTC
Revision ID: teddy@fukt.bsnet.se-20090403033608-ftgzsnnuzo7gbvzc

* mandos (peer_certificate, fingerprint): Moved into "TCP_handler"
                                          class.
  (TCP_handler.peer_certificate, TCP_handler.fingerprint): Moved here.
  (TCP_handler.handle): Do not log conditions also sent via IPC.
  (IPv6_TCPServer.handle_ipc): Bug fix: Remove extra newline from IPC
                               command log message.  Bug fix:  Strip
                               CR and NL from IPC line.  Log
                               conditions recieved via IPC.  Log error
                               if IPC recieved about unknown client.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

legalnotice.xml

mandos-ctl

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2008-08-29">

<!ENTITY TIMESTAMP "2009-01-04">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&VERSION;</productnumber>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Generate keys for <citerefentry><refentrytitle>password-request

</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>

Generate key and password for Mandos client and server.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<replaceable>directory</replaceable></arg>

</group>

</group>

<arg choice="plain"><option>--length</option>

</group>

<arg choice="plain"><option>--subtype</option>

</group>

<arg choice="plain"><option>--sublength</option>

</group>

100

101

</group>

102

103

<arg choice="plain"><option>--email</option>

104

<replaceable>EMAIL</replaceable></arg>

105

</group>

106

107

<arg choice="plain"><option>--comment</option>

108

<replaceable>COMMENT</replaceable></arg>

109

</group>

110

111

<arg choice="plain"><option>--expire</option>

112

113

</group>

114

115

<arg choice="plain"><option>--force</option></arg>

116

</group>

117

</cmdsynopsis>

118

119

<command>&COMMANDNAME;</command>

120

121

122

<replaceable>directory</replaceable></arg>

123

</group>

124

125

126

127

</group>

128

129

130

131

</group>

132

133

134

135

</group>

136

137

138

139

</group>

140

141

142

143

</group>

144

145

146

<replaceable>EMAIL</replaceable></arg>

147

</group>

148

149

150

<replaceable>COMMENT</replaceable></arg>

151

</group>

152

153

154

155

</group>

156

157

158

</group>

<group>

<arg choice="plain"><option>--dir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--type

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-t

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--length

<arg choice="plain"><option>-l

</group>

<sbr/>

<group>

<arg choice="plain"><option>--subtype

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-s

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--sublength

<arg choice="plain"><option>-L

</group>

<sbr/>

<group>

<arg choice="plain"><option>--name

<arg choice="plain"><option>-n

</group>

<sbr/>

<group>

100

<arg choice="plain"><option>--email

101

<replaceable>ADDRESS</replaceable></option></arg>

102

<arg choice="plain"><option>-e

103

<replaceable>ADDRESS</replaceable></option></arg>

104

</group>

105

<sbr/>

106

<group>

107

<arg choice="plain"><option>--comment

108

109

<arg choice="plain"><option>-c

110

111

</group>

112

<sbr/>

113

<group>

114

<arg choice="plain"><option>--expire

115

116

<arg choice="plain"><option>-x

117

118

</group>

119

<sbr/>

120

<arg><option>--force</option></arg>

159

121

</cmdsynopsis>

160

122

161

123

<command>&COMMANDNAME;</command>

162

124

125

<arg choice="plain"><option>--password</option></arg>

163

126

164

<arg choice="plain"><option>--password</option></arg>

165

</group>

166

167

168

<replaceable>directory</replaceable></arg>

169

</group>

170

171

172

127

<arg choice="plain"><option>--passfile

128

129

130

131

</group>

132

<sbr/>

133

<group>

134

<arg choice="plain"><option>--dir

135

<replaceable>DIRECTORY</replaceable></option></arg>

136

<arg choice="plain"><option>-d

137

<replaceable>DIRECTORY</replaceable></option></arg>

138

</group>

139

<sbr/>

140

<group>

141

<arg choice="plain"><option>--name

142

143

<arg choice="plain"><option>-n

144

173

145

</group>

174

146

</cmdsynopsis>

175

147

176

148

<command>&COMMANDNAME;</command>

177

149

150

178

151

179

180

152

</group>

181

153

</cmdsynopsis>

182

154

183

155

<command>&COMMANDNAME;</command>

184

156

157

<arg choice="plain"><option>--version</option></arg>

185

158

186

<arg choice="plain"><option>--version</option></arg>

187

159

</group>

188

160

</cmdsynopsis>

189

161

</refsynopsisdiv>

190

162

191

163

192

164

<title>DESCRIPTION</title>

193

165

<para>

194

166

<command>&COMMANDNAME;</command> is a program to generate the

195

OpenPGP keys used by

196

<citerefentry><refentrytitle>password-request</refentrytitle>

197

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

167

OpenPGP key used by

168

<citerefentry><refentrytitle>mandos-client</refentrytitle>

169

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

198

170

normally written to /etc/mandos for later installation into the

199

initrd image, but this, like most things, can be changed with

200

command line options.

171

initrd image, but this, and most other things, can be changed

172

with command line options.

201

173

</para>

202

174

<para>

203

It can also be used to generate ready-made sections for

175

This program can also be used with the

176

<option>--password</option> or <option>--passfile</option>

177

options to generate a ready-made section for

178

<filename>clients.conf</filename> (see

204

179

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

205

<manvolnum>5</manvolnum></citerefentry> using the

206

<option>--password</option> option.

180

<manvolnum>5</manvolnum></citerefentry>).

207

181

</para>

208

182

</refsect1>

209

183

210

184

211

185

<title>PURPOSE</title>

212

213

186

<para>

214

187

The purpose of this is to enable <emphasis>remote and unattended

215

188

rebooting</emphasis> of client host computer with an

216

189

<emphasis>encrypted root file system</emphasis>. See <xref

217

190

linkend="overview"/> for details.

218

191

</para>

219

220

192

</refsect1>

221

193

222

194

223

195

<title>OPTIONS</title>

224

196

225

197

226

198

227

199

200

228

201

229

202

<para>

230

203

Show a help message and exit

231

204

</para>

232

205

</listitem>

233

206

</varlistentry>

234

207

235

208

236

<term><literal>-d</literal>, <literal>--dir

237

<replaceable>directory</replaceable></literal></term>

209

<term><option>--dir

210

<replaceable>DIRECTORY</replaceable></option></term>

211

<term><option>-d

212

<replaceable>DIRECTORY</replaceable></option></term>

238

213

239

214

<para>

240

215

Target directory for key files. Default is

242

217

</para>

243

218

</listitem>

244

219

</varlistentry>

245

220

246

221

247

<term><literal>-t</literal>, <literal>--type

248

222

<term><option>--type

223

224

<term><option>-t

225

249

226

250

227

<para>

251

228

Key type. Default is <quote>DSA</quote>.

252

229

</para>

253

230

</listitem>

254

231

</varlistentry>

255

232

256

233

257

<term><literal>-l</literal>, <literal>--length

258

234

<term><option>--length

235

236

<term><option>-l

237

259

238

260

239

<para>

261

240

Key length in bits. Default is 2048.

262

241

</para>

263

242

</listitem>

264

243

</varlistentry>

265

244

266

245

267

<term><literal>-s</literal>, <literal>--subtype

268

246

<term><option>--subtype

247

<replaceable>KEYTYPE</replaceable></option></term>

248

<term><option>-s

249

<replaceable>KEYTYPE</replaceable></option></term>

269

250

270

251

<para>

271

252

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

273

254

</para>

274

255

</listitem>

275

256

</varlistentry>

276

257

277

258

278

<term><literal>-L</literal>, <literal>--sublength

279

259

<term><option>--sublength

260

261

<term><option>-L

262

280

263

281

264

<para>

282

265

Subkey length in bits. Default is 2048.

283

266

</para>

284

267

</listitem>

285

268

</varlistentry>

286

269

287

270

288

<term><literal>-e</literal>, <literal>--email</literal>

289

<replaceable>address</replaceable></term>

271

<term><option>--email

272

<replaceable>ADDRESS</replaceable></option></term>

273

<term><option>-e

274

<replaceable>ADDRESS</replaceable></option></term>

290

275

291

276

<para>

292

277

Email address of key. Default is empty.

293

278

</para>

294

279

</listitem>

295

280

</varlistentry>

296

281

297

282

298

<term><literal>-c</literal>, <literal>--comment</literal>

299

<replaceable>comment</replaceable></term>

283

<term><option>--comment

284

285

<term><option>-c

286

300

287

301

288

<para>

302

289

Comment field for key. The default value is

304

291

</para>

305

292

</listitem>

306

293

</varlistentry>

307

294

308

295

309

<term><literal>-x</literal>, <literal>--expire</literal>

310

296

<term><option>--expire

297

298

<term><option>-x

299

311

300

312

301

<para>

313

302

Key expire time. Default is no expiration. See

316

305

</para>

317

306

</listitem>

318

307

</varlistentry>

319

308

320

309

321

<term><literal>-f</literal>, <literal>--force</literal></term>

310

<term><option>--force</option></term>

311

322

312

323

313

<para>

324

Force overwriting old keys.

314

Force overwriting old key.

325

315

</para>

326

316

</listitem>

327

317

</varlistentry>

328

318

329

<term><literal>-p</literal>, <literal>--password</literal

330

></term>

319

<term><option>--password</option></term>

320

331

321

332

322

<para>

333

323

Prompt for a password and encrypt it with the key already

339

329

>8</manvolnum></citerefentry>. The host name or the name

340

330

specified with the <option>--name</option> option is used

341

331

for the section header. All other options are ignored,

342

and no keys are created.

332

and no key is created.

333

</para>

334

</listitem>

335

</varlistentry>

336

337

<term><option>--passfile

338

339

<term><option>-F

340

341

342

<para>

343

The same as <option>--password</option>, but read from

344

<replaceable>FILE</replaceable>, not the terminal.

343

345

</para>

344

346

</listitem>

345

347

</varlistentry>

346

348

</variablelist>

347

349

</refsect1>

348

350

349

351

350

352

<title>OVERVIEW</title>

351

353

<xi:include href="overview.xml"/>

352

354

<para>

353

355

This program is a small utility to generate new OpenPGP keys for

354

new Mandos clients.

356

new Mandos clients, and to generate sections for inclusion in

357

<filename>clients.conf</filename> on the server.

355

358

</para>

356

359

</refsect1>

357

360

358

361

359

362

<title>EXIT STATUS</title>

360

363

<para>

361

The exit status will be 0 if new keys were successfully created,

362

otherwise not.

364

The exit status will be 0 if a new key (or password, if the

365

<option>--password</option> option was used) was successfully

366

created, otherwise not.

363

367

</para>

364

368

</refsect1>

365

369

367

371

<title>ENVIRONMENT</title>

368

372

369

373

370

<term><varname>TMPDIR</varname></term>

374

<term><envar>TMPDIR</envar></term>

371

375

372

376

<para>

373

377

If set, temporary files will be created here. See

379

383

</variablelist>

380

384

</refsect1>

381

385

382

386

383

387

<title>FILES</title>

384

388

<para>

385

389

Use the <option>--dir</option> option to change where

416

420

</varlistentry>

417

421

</variablelist>

418

422

</refsect1>

419

420

421

422

<para>

423

None are known at this time.

424

</para>

425

</refsect1>

426

423

424

425

426

427

428

429

427

430

428

431

<title>EXAMPLE</title>

429

432

431

434

Normal invocation needs no options:

432

435

</para>

433

436

<para>

434

<userinput>mandos-keygen</userinput>

437

<userinput>&COMMANDNAME;</userinput>

435

438

</para>

436

439

</informalexample>

437

440

438

441

<para>

439

Create keys in another directory and of another type. Force

442

Create key in another directory and of another type. Force

440

443

overwriting old key files:

441

444

</para>

442

445

<para>

443

446

444

447

445

<userinput>mandos-keygen --dir ~/keydir --type RSA --force</userinput>

448

<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>

449

450

</para>

451

</informalexample>

452

453

<para>

454

Prompt for a password, encrypt it with the key in

455

<filename>/etc/mandos</filename> and output a section suitable

456

for <filename>clients.conf</filename>.

457

</para>

458

<para>

459

<userinput>&COMMANDNAME; --password</userinput>

460

</para>

461

</informalexample>

462

463

<para>

464

Prompt for a password, encrypt it with the key in the

465

<filename>client-key</filename> directory and output a section

466

suitable for <filename>clients.conf</filename>.

467

</para>

468

<para>

469

470

471

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

446

472

447

473

</para>

448

474

</informalexample>

449

475

</refsect1>

450

476

451

477

452

478

<title>SECURITY</title>

453

479

<para>

454

480

The <option>--type</option>, <option>--length</option>,

455

481

<option>--subtype</option>, and <option>--sublength</option>

456

options can be used to create keys of insufficient security. If

457

in doubt, leave them to the default values.

482

options can be used to create keys of low security. If in

483

doubt, leave them to the default values.

458

484

</para>

459

485

<para>

460

The key expire time is not guaranteed to be honored by

461

<citerefentry><refentrytitle>mandos</refentrytitle>

486

The key expire time is <emphasis>not</emphasis> guaranteed to be

487

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

462

488

<manvolnum>8</manvolnum></citerefentry>.

463

489

</para>

464

490

</refsect1>

465

491

466

492

467

493

468

494

<para>

469

<citerefentry><refentrytitle>password-request</refentrytitle>

470

<manvolnum>8mandos</manvolnum></citerefentry>,

495

496

<manvolnum>1</manvolnum></citerefentry>,

497

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

498

<manvolnum>5</manvolnum></citerefentry>,

471

499

<citerefentry><refentrytitle>mandos</refentrytitle>

472

500

<manvolnum>8</manvolnum></citerefentry>,

473

474

501

<citerefentry><refentrytitle>mandos-client</refentrytitle>

502

<manvolnum>8mandos</manvolnum></citerefentry>

475

503

</para>

476

504

</refsect1>

477

505

Older »