1
<?xml version='1.0' encoding='UTF-8'?>
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
<!ENTITY VERSION "1.0">
5
4
<!ENTITY COMMANDNAME "mandos-keygen">
6
<!ENTITY OVERVIEW SYSTEM "overview.xml">
5
<!ENTITY TIMESTAMP "2014-06-22">
6
<!ENTITY % common SYSTEM "common.ent">
10
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
11
<title>&COMMANDNAME;</title>
12
<!-- NWalsh's docbook scripts use this to generate the footer: -->
13
<productname>&COMMANDNAME;</productname>
14
<productnumber>&VERSION;</productnumber>
12
<title>Mandos Manual</title>
13
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
14
<productname>Mandos</productname>
15
<productnumber>&version;</productnumber>
16
<date>&TIMESTAMP;</date>
17
19
<firstname>Björn</firstname>
18
20
<surname>Påhlsson</surname>
20
<email>belorn@fukt.bsnet.se</email>
22
<email>belorn@recompile.se</email>
24
26
<firstname>Teddy</firstname>
25
27
<surname>Hogeborn</surname>
27
<email>teddy@fukt.bsnet.se</email>
29
<email>teddy@recompile.se</email>
33
<holder>Teddy Hogeborn & Björn Påhlsson</holder>
38
<holder>Teddy Hogeborn</holder>
39
<holder>Björn Påhlsson</holder>
37
This manual page is free software: you can redistribute it
38
and/or modify it under the terms of the GNU General Public
39
License as published by the Free Software Foundation,
40
either version 3 of the License, or (at your option) any
45
This manual page is distributed in the hope that it will
46
be useful, but WITHOUT ANY WARRANTY; without even the
47
implied warranty of MERCHANTABILITY or FITNESS FOR A
48
PARTICULAR PURPOSE. See the GNU General Public License
53
You should have received a copy of the GNU General Public
54
License along with this program; If not, see
55
<ulink url="http://www.gnu.org/licenses/"/>.
41
<xi:include href="legalnotice.xml"/>
61
45
<refentrytitle>&COMMANDNAME;</refentrytitle>
62
46
<manvolnum>8</manvolnum>
66
50
<refname><command>&COMMANDNAME;</command></refname>
68
Generate keys for <citerefentry><refentrytitle>password-request
69
</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>
52
Generate key and password for Mandos client and server.
75
58
<command>&COMMANDNAME;</command>
77
<arg choice="plain"><option>--dir</option>
78
<replaceable>directory</replaceable></arg>
81
<arg choice="plain"><option>--type</option>
82
<replaceable>type</replaceable></arg>
85
<arg choice="plain"><option>--length</option>
86
<replaceable>bits</replaceable></arg>
89
<arg choice="plain"><option>--name</option>
90
<replaceable>NAME</replaceable></arg>
93
<arg choice="plain"><option>--email</option>
94
<replaceable>EMAIL</replaceable></arg>
97
<arg choice="plain"><option>--comment</option>
98
<replaceable>COMMENT</replaceable></arg>
101
<arg choice="plain"><option>--expire</option>
102
<replaceable>TIME</replaceable></arg>
60
<arg choice="plain"><option>--dir
61
<replaceable>DIRECTORY</replaceable></option></arg>
62
<arg choice="plain"><option>-d
63
<replaceable>DIRECTORY</replaceable></option></arg>
67
<arg choice="plain"><option>--type
68
<replaceable>KEYTYPE</replaceable></option></arg>
69
<arg choice="plain"><option>-t
70
<replaceable>KEYTYPE</replaceable></option></arg>
74
<arg choice="plain"><option>--length
75
<replaceable>BITS</replaceable></option></arg>
76
<arg choice="plain"><option>-l
77
<replaceable>BITS</replaceable></option></arg>
81
<arg choice="plain"><option>--subtype
82
<replaceable>KEYTYPE</replaceable></option></arg>
83
<arg choice="plain"><option>-s
84
<replaceable>KEYTYPE</replaceable></option></arg>
88
<arg choice="plain"><option>--sublength
89
<replaceable>BITS</replaceable></option></arg>
90
<arg choice="plain"><option>-L
91
<replaceable>BITS</replaceable></option></arg>
95
<arg choice="plain"><option>--name
96
<replaceable>NAME</replaceable></option></arg>
97
<arg choice="plain"><option>-n
98
<replaceable>NAME</replaceable></option></arg>
102
<arg choice="plain"><option>--email
103
<replaceable>ADDRESS</replaceable></option></arg>
104
<arg choice="plain"><option>-e
105
<replaceable>ADDRESS</replaceable></option></arg>
109
<arg choice="plain"><option>--comment
110
<replaceable>TEXT</replaceable></option></arg>
111
<arg choice="plain"><option>-c
112
<replaceable>TEXT</replaceable></option></arg>
116
<arg choice="plain"><option>--expire
117
<replaceable>TIME</replaceable></option></arg>
118
<arg choice="plain"><option>-x
119
<replaceable>TIME</replaceable></option></arg>
105
123
<arg choice="plain"><option>--force</option></arg>
109
<command>&COMMANDNAME;</command>
111
<arg choice="plain"><option>-d</option>
112
<replaceable>directory</replaceable></arg>
115
<arg choice="plain"><option>-t</option>
116
<replaceable>type</replaceable></arg>
119
<arg choice="plain"><option>-l</option>
120
<replaceable>bits</replaceable></arg>
123
<arg choice="plain"><option>-n</option>
124
<replaceable>NAME</replaceable></arg>
127
<arg choice="plain"><option>-e</option>
128
<replaceable>EMAIL</replaceable></arg>
131
<arg choice="plain"><option>-c</option>
132
<replaceable>COMMENT</replaceable></arg>
135
<arg choice="plain"><option>-x</option>
136
<replaceable>TIME</replaceable></arg>
139
124
<arg choice="plain"><option>-f</option></arg>
143
128
<command>&COMMANDNAME;</command>
144
129
<group choice="req">
145
<arg choice='plain'><option>-h</option></arg>
146
<arg choice='plain'><option>--help</option></arg>
150
<command>&COMMANDNAME;</command>
152
<arg choice='plain'><option>-v</option></arg>
153
<arg choice='plain'><option>--version</option></arg>
130
<arg choice="plain"><option>--password</option></arg>
131
<arg choice="plain"><option>-p</option></arg>
132
<arg choice="plain"><option>--passfile
133
<replaceable>FILE</replaceable></option></arg>
134
<arg choice="plain"><option>-F</option>
135
<replaceable>FILE</replaceable></arg>
139
<arg choice="plain"><option>--dir
140
<replaceable>DIRECTORY</replaceable></option></arg>
141
<arg choice="plain"><option>-d
142
<replaceable>DIRECTORY</replaceable></option></arg>
146
<arg choice="plain"><option>--name
147
<replaceable>NAME</replaceable></option></arg>
148
<arg choice="plain"><option>-n
149
<replaceable>NAME</replaceable></option></arg>
152
<arg choice="plain"><option>--no-ssh</option></arg>
153
<arg choice="plain"><option>-S</option></arg>
157
<command>&COMMANDNAME;</command>
159
<arg choice="plain"><option>--help</option></arg>
160
<arg choice="plain"><option>-h</option></arg>
164
<command>&COMMANDNAME;</command>
166
<arg choice="plain"><option>--version</option></arg>
167
<arg choice="plain"><option>-v</option></arg>
156
170
</refsynopsisdiv>
158
172
<refsect1 id="description">
159
173
<title>DESCRIPTION</title>
161
175
<command>&COMMANDNAME;</command> is a program to generate the
163
<citerefentry><refentrytitle>password-request</refentrytitle>
164
<manvolnum>8mandos</manvolnum></citerefentry>. The keys are
177
<citerefentry><refentrytitle>mandos-client</refentrytitle>
178
<manvolnum>8mandos</manvolnum></citerefentry>. The key is
165
179
normally written to /etc/mandos for later installation into the
166
initrd image, but this, like most things, can be changed with
167
command line options.
180
initrd image, but this, and most other things, can be changed
181
with command line options.
184
This program can also be used with the
185
<option>--password</option> or <option>--passfile</option>
186
options to generate a ready-made section for
187
<filename>clients.conf</filename> (see
188
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
189
<manvolnum>5</manvolnum></citerefentry>).
171
193
<refsect1 id="purpose">
172
194
<title>PURPOSE</title>
175
196
The purpose of this is to enable <emphasis>remote and unattended
176
197
rebooting</emphasis> of client host computer with an
177
198
<emphasis>encrypted root file system</emphasis>. See <xref
178
199
linkend="overview"/> for details.
183
203
<refsect1 id="options">
184
204
<title>OPTIONS</title>
188
<term><literal>-h</literal>, <literal>--help</literal></term>
208
<term><option>--help</option></term>
209
<term><option>-h</option></term>
191
212
Show a help message and exit
197
<term><literal>-d</literal>, <literal>--dir
198
<replaceable>directory</replaceable></literal></term>
201
Target directory for key files.
207
<term><literal>-t</literal>, <literal>--type
208
<replaceable>type</replaceable></literal></term>
211
Key type. Default is DSA.
217
<term><literal>-l</literal>, <literal>--length
218
<replaceable>bits</replaceable></literal></term>
221
Key length in bits. Default is 1024.
227
<term><literal>-e</literal>, <literal>--email</literal>
228
<replaceable>address</replaceable></term>
219
<replaceable>DIRECTORY</replaceable></option></term>
221
<replaceable>DIRECTORY</replaceable></option></term>
224
Target directory for key files. Default is
225
<filename class="directory">/etc/mandos</filename>.
232
<replaceable>TYPE</replaceable></option></term>
234
<replaceable>TYPE</replaceable></option></term>
237
Key type. Default is <quote>RSA</quote>.
243
<term><option>--length
244
<replaceable>BITS</replaceable></option></term>
246
<replaceable>BITS</replaceable></option></term>
249
Key length in bits. Default is 4096.
255
<term><option>--subtype
256
<replaceable>KEYTYPE</replaceable></option></term>
258
<replaceable>KEYTYPE</replaceable></option></term>
261
Subkey type. Default is <quote>RSA</quote> (Elgamal
268
<term><option>--sublength
269
<replaceable>BITS</replaceable></option></term>
271
<replaceable>BITS</replaceable></option></term>
274
Subkey length in bits. Default is 4096.
280
<term><option>--email
281
<replaceable>ADDRESS</replaceable></option></term>
283
<replaceable>ADDRESS</replaceable></option></term>
231
286
Email address of key. Default is empty.
237
<term><literal>-c</literal>, <literal>--comment</literal>
238
<replaceable>comment</replaceable></term>
292
<term><option>--comment
293
<replaceable>TEXT</replaceable></option></term>
295
<replaceable>TEXT</replaceable></option></term>
241
Comment field for key. The default value is
242
"<literal>Mandos client key</literal>".
298
Comment field for key. Default is empty.
248
<term><literal>-x</literal>, <literal>--expire</literal>
249
<replaceable>time</replaceable></term>
304
<term><option>--expire
305
<replaceable>TIME</replaceable></option></term>
307
<replaceable>TIME</replaceable></option></term>
252
310
Key expire time. Default is no expiration. See
260
<term><literal>-f</literal>, <literal>--force</literal></term>
263
Force overwriting old keys.
318
<term><option>--force</option></term>
319
<term><option>-f</option></term>
322
Force overwriting old key.
327
<term><option>--password</option></term>
328
<term><option>-p</option></term>
331
Prompt for a password and encrypt it with the key already
332
present in either <filename>/etc/mandos</filename> or the
333
directory specified with the <option>--dir</option>
334
option. Outputs, on standard output, a section suitable
335
for inclusion in <citerefentry><refentrytitle
336
>mandos-clients.conf</refentrytitle><manvolnum
337
>8</manvolnum></citerefentry>. The host name or the name
338
specified with the <option>--name</option> option is used
339
for the section header. All other options are ignored,
340
and no key is created.
345
<term><option>--passfile
346
<replaceable>FILE</replaceable></option></term>
348
<replaceable>FILE</replaceable></option></term>
351
The same as <option>--password</option>, but read from
352
<replaceable>FILE</replaceable>, not the terminal.
357
<term><option>--no-ssh</option></term>
358
<term><option>-S</option></term>
361
When <option>--password</option> or
362
<option>--passfile</option> is given, this option will
363
prevent <command>&COMMANDNAME;</command> from calling
364
<command>ssh-keyscan</command> to get an SSH fingerprint
365
for this host and, if successful, output suitable config
366
options to use this fingerprint as a
367
<option>checker</option> option in the output. This is
368
otherwise the default behavior.
270
375
<refsect1 id="overview">
271
376
<title>OVERVIEW</title>
377
<xi:include href="overview.xml"/>
274
This program is a small program to generate new OpenPGP keys for
379
This program is a small utility to generate new OpenPGP keys for
380
new Mandos clients, and to generate sections for inclusion in
381
<filename>clients.conf</filename> on the server.
279
385
<refsect1 id="exit_status">
280
386
<title>EXIT STATUS</title>
388
The exit status will be 0 if a new key (or password, if the
389
<option>--password</option> option was used) was successfully
390
created, otherwise not.
394
<refsect1 id="environment">
395
<title>ENVIRONMENT</title>
398
<term><envar>TMPDIR</envar></term>
401
If set, temporary files will be created here. See
402
<citerefentry><refentrytitle>mktemp</refentrytitle>
403
<manvolnum>1</manvolnum></citerefentry>.
410
<refsect1 id="files">
286
411
<title>FILES</title>
413
Use the <option>--dir</option> option to change where
414
<command>&COMMANDNAME;</command> will write the key files. The
415
default file names are shown here.
419
<term><filename>/etc/mandos/seckey.txt</filename></term>
422
OpenPGP secret key file which will be created or
428
<term><filename>/etc/mandos/pubkey.txt</filename></term>
431
OpenPGP public key file which will be created or
437
<term><filename class="directory">/tmp</filename></term>
440
Temporary files will be written here if
441
<varname>TMPDIR</varname> is not set.
448
<!-- <refsect1 id="bugs"> -->
449
<!-- <title>BUGS</title> -->
297
454
<refsect1 id="example">
298
455
<title>EXAMPLE</title>
458
Normal invocation needs no options:
461
<userinput>&COMMANDNAME;</userinput>
466
Create key in another directory and of another type. Force
467
overwriting old key files:
471
<!-- do not wrap this line -->
472
<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>
478
Prompt for a password, encrypt it with the key in <filename
479
class="directory">/etc/mandos</filename> and output a section
480
suitable for <filename>clients.conf</filename>.
483
<userinput>&COMMANDNAME; --password</userinput>
488
Prompt for a password, encrypt it with the key in the
489
<filename>client-key</filename> directory and output a section
490
suitable for <filename>clients.conf</filename>.
494
<!-- do not wrap this line -->
495
<userinput>&COMMANDNAME; --password --dir client-key</userinput>
303
501
<refsect1 id="security">
304
502
<title>SECURITY</title>
504
The <option>--type</option>, <option>--length</option>,
505
<option>--subtype</option>, and <option>--sublength</option>
506
options can be used to create keys of low security. If in
507
doubt, leave them to the default values.
510
The key expire time is <emphasis>not</emphasis> guaranteed to be
511
honored by <citerefentry><refentrytitle>mandos</refentrytitle>
512
<manvolnum>8</manvolnum></citerefentry>.
309
516
<refsect1 id="see_also">
310
517
<title>SEE ALSO</title>
312
<citerefentry><refentrytitle>password-request</refentrytitle>
519
<citerefentry><refentrytitle>intro</refentrytitle>
313
520
<manvolnum>8mandos</manvolnum></citerefentry>,
521
<citerefentry><refentrytitle>gpg</refentrytitle>
522
<manvolnum>1</manvolnum></citerefentry>,
523
<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
524
<manvolnum>5</manvolnum></citerefentry>,
314
525
<citerefentry><refentrytitle>mandos</refentrytitle>
315
<manvolnum>8</manvolnum></citerefentry>, and
316
<citerefentry><refentrytitle>gpg</refentrytitle>
526
<manvolnum>8</manvolnum></citerefentry>,
527
<citerefentry><refentrytitle>mandos-client</refentrytitle>
528
<manvolnum>8mandos</manvolnum></citerefentry>,
529
<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>
317
530
<manvolnum>1</manvolnum></citerefentry>
535
<!-- Local Variables: -->
536
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
537
<!-- time-stamp-end: "[\"']>" -->
538
<!-- time-stamp-format: "%:y-%02m-%02d" -->