/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

  • Committer: Teddy Hogeborn
  • Date: 2014-06-22 02:19:30 UTC
  • Revision ID: teddy@recompile.se-20140622021930-icl7h4cm97blhjml
mandos-keygen: Generate "checker" option to use SSH fingerprints.

To turn this off, use a new "--no-ssh" option to mandos-keygen.

* INSTALL (Mandos Server, Mandos Client): Document new suggested
                                          installation of SSH.
* Makefile (confdir/clients.conf): Use new "--no-ssh" option to
                                   "mandos-keygen".
* debian/control (mandos/Depends): Changed to "fping | ssh-client".
  (mandos-client/Recommends): New; set to "ssh".
* intro.xml (FREQUENTLY ASKED QUESTIONS): Rename and rewrite section
                                          called "Faking ping
                                          replies?" to address new
                                          default behavior.
* mandos-clients.conf.xml (OPTIONS/checker): Briefly discuss new
                                             behavior of
                                             mandos-keygen.
* mandos-keygen: Bug fix: Suppress failure output of "shred" to remove
                 "sec*", since no such files may exist.
 (password mode): Scan for SSH key fingerprints and output as new
                  "checker" and "ssh_fingerprint" options, unless new
                  "--no-ssh" option is given.
* mandos-keygen.xml (SYNOPSIS/--force): Bug fix: Document short form.
  (OPTIONS/--no-ssh): New.
  (SEE ALSO): Add reference "ssh-keyscan(1)".
* plugins.d/mandos-client.xml (SECURITY): Briefly mention the
                                          possibility of using SSH key
                                          fingerprints for checking.

Show diffs side-by-side

added added

removed removed

Lines of Context:
1
 
<?xml version='1.0' encoding='UTF-8'?>
 
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
 
<!ENTITY VERSION "1.0">
5
4
<!ENTITY COMMANDNAME "mandos-keygen">
6
 
<!ENTITY OVERVIEW SYSTEM "overview.xml">
 
5
<!ENTITY TIMESTAMP "2014-06-22">
 
6
<!ENTITY % common SYSTEM "common.ent">
 
7
%common;
7
8
]>
8
9
 
9
 
<refentry>
 
10
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
10
11
  <refentryinfo>
11
 
    <title>&COMMANDNAME;</title>
12
 
    <!-- NWalsh's docbook scripts use this to generate the footer: -->
13
 
    <productname>&COMMANDNAME;</productname>
14
 
    <productnumber>&VERSION;</productnumber>
 
12
    <title>Mandos Manual</title>
 
13
    <!-- NWalsh’s docbook scripts use this to generate the footer: -->
 
14
    <productname>Mandos</productname>
 
15
    <productnumber>&version;</productnumber>
 
16
    <date>&TIMESTAMP;</date>
15
17
    <authorgroup>
16
18
      <author>
17
19
        <firstname>Björn</firstname>
18
20
        <surname>Påhlsson</surname>
19
21
        <address>
20
 
          <email>belorn@fukt.bsnet.se</email>
 
22
          <email>belorn@recompile.se</email>
21
23
        </address>
22
24
      </author>
23
25
      <author>
24
26
        <firstname>Teddy</firstname>
25
27
        <surname>Hogeborn</surname>
26
28
        <address>
27
 
          <email>teddy@fukt.bsnet.se</email>
 
29
          <email>teddy@recompile.se</email>
28
30
        </address>
29
31
      </author>
30
32
    </authorgroup>
31
33
    <copyright>
32
34
      <year>2008</year>
33
 
      <holder>Teddy Hogeborn &amp; Björn Påhlsson</holder>
 
35
      <year>2009</year>
 
36
      <year>2011</year>
 
37
      <year>2012</year>
 
38
      <holder>Teddy Hogeborn</holder>
 
39
      <holder>Björn Påhlsson</holder>
34
40
    </copyright>
35
 
    <legalnotice>
36
 
      <para>
37
 
        This manual page is free software: you can redistribute it
38
 
        and/or modify it under the terms of the GNU General Public
39
 
        License as published by the Free Software Foundation,
40
 
        either version 3 of the License, or (at your option) any
41
 
        later version.
42
 
      </para>
43
 
 
44
 
      <para>
45
 
        This manual page is distributed in the hope that it will
46
 
        be useful, but WITHOUT ANY WARRANTY; without even the
47
 
        implied warranty of MERCHANTABILITY or FITNESS FOR A
48
 
        PARTICULAR PURPOSE.  See the GNU General Public License
49
 
        for more details.
50
 
      </para>
51
 
 
52
 
      <para>
53
 
        You should have received a copy of the GNU General Public
54
 
        License along with this program; If not, see
55
 
        <ulink url="http://www.gnu.org/licenses/"/>.
56
 
      </para>
57
 
    </legalnotice>
 
41
    <xi:include href="legalnotice.xml"/>
58
42
  </refentryinfo>
59
 
 
 
43
  
60
44
  <refmeta>
61
45
    <refentrytitle>&COMMANDNAME;</refentrytitle>
62
46
    <manvolnum>8</manvolnum>
65
49
  <refnamediv>
66
50
    <refname><command>&COMMANDNAME;</command></refname>
67
51
    <refpurpose>
68
 
      Generate keys for <citerefentry><refentrytitle>password-request
69
 
      </refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>
 
52
      Generate key and password for Mandos client and server.
70
53
    </refpurpose>
71
54
  </refnamediv>
72
 
 
 
55
  
73
56
  <refsynopsisdiv>
74
57
    <cmdsynopsis>
75
58
      <command>&COMMANDNAME;</command>
76
 
      <group choice="opt">
77
 
        <arg choice="plain"><option>--dir</option>
78
 
        <replaceable>directory</replaceable></arg>
79
 
      </group>
80
 
      <group choice="opt">
81
 
        <arg choice="plain"><option>--type</option>
82
 
        <replaceable>type</replaceable></arg>
83
 
      </group>
84
 
      <group choice="opt">
85
 
        <arg choice="plain"><option>--length</option>
86
 
        <replaceable>bits</replaceable></arg>
87
 
      </group>
88
 
      <group choice="opt">
89
 
        <arg choice="plain"><option>--name</option>
90
 
        <replaceable>NAME</replaceable></arg>
91
 
      </group>
92
 
      <group choice="opt">
93
 
        <arg choice="plain"><option>--email</option>
94
 
        <replaceable>EMAIL</replaceable></arg>
95
 
      </group>
96
 
      <group choice="opt">
97
 
        <arg choice="plain"><option>--comment</option>
98
 
        <replaceable>COMMENT</replaceable></arg>
99
 
      </group>
100
 
      <group choice="opt">
101
 
        <arg choice="plain"><option>--expire</option>
102
 
        <replaceable>TIME</replaceable></arg>
103
 
      </group>
104
 
      <group choice="opt">
 
59
      <group>
 
60
        <arg choice="plain"><option>--dir
 
61
        <replaceable>DIRECTORY</replaceable></option></arg>
 
62
        <arg choice="plain"><option>-d
 
63
        <replaceable>DIRECTORY</replaceable></option></arg>
 
64
      </group>
 
65
      <sbr/>
 
66
      <group>
 
67
        <arg choice="plain"><option>--type
 
68
        <replaceable>KEYTYPE</replaceable></option></arg>
 
69
        <arg choice="plain"><option>-t
 
70
        <replaceable>KEYTYPE</replaceable></option></arg>
 
71
      </group>
 
72
      <sbr/>
 
73
      <group>
 
74
        <arg choice="plain"><option>--length
 
75
        <replaceable>BITS</replaceable></option></arg>
 
76
        <arg choice="plain"><option>-l
 
77
        <replaceable>BITS</replaceable></option></arg>
 
78
      </group>
 
79
      <sbr/>
 
80
      <group>
 
81
        <arg choice="plain"><option>--subtype
 
82
        <replaceable>KEYTYPE</replaceable></option></arg>
 
83
        <arg choice="plain"><option>-s
 
84
        <replaceable>KEYTYPE</replaceable></option></arg>
 
85
      </group>
 
86
      <sbr/>
 
87
      <group>
 
88
        <arg choice="plain"><option>--sublength
 
89
        <replaceable>BITS</replaceable></option></arg>
 
90
        <arg choice="plain"><option>-L
 
91
        <replaceable>BITS</replaceable></option></arg>
 
92
      </group>
 
93
      <sbr/>
 
94
      <group>
 
95
        <arg choice="plain"><option>--name
 
96
        <replaceable>NAME</replaceable></option></arg>
 
97
        <arg choice="plain"><option>-n
 
98
        <replaceable>NAME</replaceable></option></arg>
 
99
      </group>
 
100
      <sbr/>
 
101
      <group>
 
102
        <arg choice="plain"><option>--email
 
103
        <replaceable>ADDRESS</replaceable></option></arg>
 
104
        <arg choice="plain"><option>-e
 
105
        <replaceable>ADDRESS</replaceable></option></arg>
 
106
      </group>
 
107
      <sbr/>
 
108
      <group>
 
109
        <arg choice="plain"><option>--comment
 
110
        <replaceable>TEXT</replaceable></option></arg>
 
111
        <arg choice="plain"><option>-c
 
112
        <replaceable>TEXT</replaceable></option></arg>
 
113
      </group>
 
114
      <sbr/>
 
115
      <group>
 
116
        <arg choice="plain"><option>--expire
 
117
        <replaceable>TIME</replaceable></option></arg>
 
118
        <arg choice="plain"><option>-x
 
119
        <replaceable>TIME</replaceable></option></arg>
 
120
      </group>
 
121
      <sbr/>
 
122
      <group>
105
123
        <arg choice="plain"><option>--force</option></arg>
106
 
      </group>
107
 
    </cmdsynopsis>
108
 
    <cmdsynopsis>
109
 
      <command>&COMMANDNAME;</command>
110
 
      <group choice="opt">
111
 
        <arg choice="plain"><option>-d</option>
112
 
        <replaceable>directory</replaceable></arg>
113
 
      </group>
114
 
      <group choice="opt">
115
 
        <arg choice="plain"><option>-t</option>
116
 
        <replaceable>type</replaceable></arg>
117
 
      </group>
118
 
      <group choice="opt">
119
 
        <arg choice="plain"><option>-l</option>
120
 
        <replaceable>bits</replaceable></arg>
121
 
      </group>
122
 
      <group choice="opt">
123
 
        <arg choice="plain"><option>-n</option>
124
 
        <replaceable>NAME</replaceable></arg>
125
 
      </group>
126
 
      <group choice="opt">
127
 
        <arg choice="plain"><option>-e</option>
128
 
        <replaceable>EMAIL</replaceable></arg>
129
 
      </group>
130
 
      <group choice="opt">
131
 
        <arg choice="plain"><option>-c</option>
132
 
        <replaceable>COMMENT</replaceable></arg>
133
 
      </group>
134
 
      <group choice="opt">
135
 
        <arg choice="plain"><option>-x</option>
136
 
        <replaceable>TIME</replaceable></arg>
137
 
      </group>
138
 
      <group choice="opt">
139
124
        <arg choice="plain"><option>-f</option></arg>
140
125
      </group>
141
126
    </cmdsynopsis>
142
127
    <cmdsynopsis>
143
128
      <command>&COMMANDNAME;</command>
144
129
      <group choice="req">
145
 
        <arg choice='plain'><option>-h</option></arg>
146
 
        <arg choice='plain'><option>--help</option></arg>
147
 
      </group>
148
 
    </cmdsynopsis>
149
 
    <cmdsynopsis>
150
 
      <command>&COMMANDNAME;</command>
151
 
      <group choice="req">
152
 
        <arg choice='plain'><option>-v</option></arg>
153
 
        <arg choice='plain'><option>--version</option></arg>
 
130
        <arg choice="plain"><option>--password</option></arg>
 
131
        <arg choice="plain"><option>-p</option></arg>
 
132
        <arg choice="plain"><option>--passfile
 
133
        <replaceable>FILE</replaceable></option></arg>
 
134
        <arg choice="plain"><option>-F</option>
 
135
        <replaceable>FILE</replaceable></arg>
 
136
      </group>
 
137
      <sbr/>
 
138
      <group>
 
139
        <arg choice="plain"><option>--dir
 
140
        <replaceable>DIRECTORY</replaceable></option></arg>
 
141
        <arg choice="plain"><option>-d
 
142
        <replaceable>DIRECTORY</replaceable></option></arg>
 
143
      </group>
 
144
      <sbr/>
 
145
      <group>
 
146
        <arg choice="plain"><option>--name
 
147
        <replaceable>NAME</replaceable></option></arg>
 
148
        <arg choice="plain"><option>-n
 
149
        <replaceable>NAME</replaceable></option></arg>
 
150
      </group>
 
151
      <group>
 
152
        <arg choice="plain"><option>--no-ssh</option></arg>
 
153
        <arg choice="plain"><option>-S</option></arg>
 
154
      </group>
 
155
    </cmdsynopsis>
 
156
    <cmdsynopsis>
 
157
      <command>&COMMANDNAME;</command>
 
158
      <group choice="req">
 
159
        <arg choice="plain"><option>--help</option></arg>
 
160
        <arg choice="plain"><option>-h</option></arg>
 
161
      </group>
 
162
    </cmdsynopsis>
 
163
    <cmdsynopsis>
 
164
      <command>&COMMANDNAME;</command>
 
165
      <group choice="req">
 
166
        <arg choice="plain"><option>--version</option></arg>
 
167
        <arg choice="plain"><option>-v</option></arg>
154
168
      </group>
155
169
    </cmdsynopsis>
156
170
  </refsynopsisdiv>
157
 
 
 
171
  
158
172
  <refsect1 id="description">
159
173
    <title>DESCRIPTION</title>
160
174
    <para>
161
175
      <command>&COMMANDNAME;</command> is a program to generate the
162
 
      OpenPGP keys used by
163
 
      <citerefentry><refentrytitle>password-request</refentrytitle>
164
 
      <manvolnum>8mandos</manvolnum></citerefentry>.  The keys are
 
176
      OpenPGP key used by
 
177
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
 
178
      <manvolnum>8mandos</manvolnum></citerefentry>.  The key is
165
179
      normally written to /etc/mandos for later installation into the
166
 
      initrd image, but this, like most things, can be changed with
167
 
      command line options.
 
180
      initrd image, but this, and most other things, can be changed
 
181
      with command line options.
 
182
    </para>
 
183
    <para>
 
184
      This program can also be used with the
 
185
      <option>--password</option> or <option>--passfile</option>
 
186
      options to generate a ready-made section for
 
187
      <filename>clients.conf</filename> (see
 
188
      <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
 
189
      <manvolnum>5</manvolnum></citerefentry>).
168
190
    </para>
169
191
  </refsect1>
170
192
  
171
193
  <refsect1 id="purpose">
172
194
    <title>PURPOSE</title>
173
 
 
174
195
    <para>
175
196
      The purpose of this is to enable <emphasis>remote and unattended
176
197
      rebooting</emphasis> of client host computer with an
177
198
      <emphasis>encrypted root file system</emphasis>.  See <xref
178
199
      linkend="overview"/> for details.
179
200
    </para>
180
 
 
181
201
  </refsect1>
182
202
  
183
203
  <refsect1 id="options">
184
204
    <title>OPTIONS</title>
185
 
 
 
205
    
186
206
    <variablelist>
187
207
      <varlistentry>
188
 
        <term><literal>-h</literal>, <literal>--help</literal></term>
 
208
        <term><option>--help</option></term>
 
209
        <term><option>-h</option></term>
189
210
        <listitem>
190
211
          <para>
191
212
            Show a help message and exit
192
213
          </para>
193
214
        </listitem>
194
215
      </varlistentry>
195
 
 
196
 
      <varlistentry>
197
 
        <term><literal>-d</literal>, <literal>--dir
198
 
        <replaceable>directory</replaceable></literal></term>
199
 
        <listitem>
200
 
          <para>
201
 
            Target directory for key files.
202
 
          </para>
203
 
        </listitem>
204
 
      </varlistentry>
205
 
 
206
 
      <varlistentry>
207
 
        <term><literal>-t</literal>, <literal>--type
208
 
        <replaceable>type</replaceable></literal></term>
209
 
        <listitem>
210
 
          <para>
211
 
            Key type.  Default is DSA.
212
 
          </para>
213
 
        </listitem>
214
 
      </varlistentry>
215
 
 
216
 
      <varlistentry>
217
 
        <term><literal>-l</literal>, <literal>--length
218
 
        <replaceable>bits</replaceable></literal></term>
219
 
        <listitem>
220
 
          <para>
221
 
            Key length in bits.  Default is 1024.
222
 
          </para>
223
 
        </listitem>
224
 
      </varlistentry>
225
 
 
226
 
      <varlistentry>
227
 
        <term><literal>-e</literal>, <literal>--email</literal>
228
 
        <replaceable>address</replaceable></term>
 
216
      
 
217
      <varlistentry>
 
218
        <term><option>--dir
 
219
        <replaceable>DIRECTORY</replaceable></option></term>
 
220
        <term><option>-d
 
221
        <replaceable>DIRECTORY</replaceable></option></term>
 
222
        <listitem>
 
223
          <para>
 
224
            Target directory for key files.  Default is
 
225
            <filename class="directory">/etc/mandos</filename>.
 
226
          </para>
 
227
        </listitem>
 
228
      </varlistentry>
 
229
      
 
230
      <varlistentry>
 
231
        <term><option>--type
 
232
        <replaceable>TYPE</replaceable></option></term>
 
233
        <term><option>-t
 
234
        <replaceable>TYPE</replaceable></option></term>
 
235
        <listitem>
 
236
          <para>
 
237
            Key type.  Default is <quote>RSA</quote>.
 
238
          </para>
 
239
        </listitem>
 
240
      </varlistentry>
 
241
      
 
242
      <varlistentry>
 
243
        <term><option>--length
 
244
        <replaceable>BITS</replaceable></option></term>
 
245
        <term><option>-l
 
246
        <replaceable>BITS</replaceable></option></term>
 
247
        <listitem>
 
248
          <para>
 
249
            Key length in bits.  Default is 4096.
 
250
          </para>
 
251
        </listitem>
 
252
      </varlistentry>
 
253
      
 
254
      <varlistentry>
 
255
        <term><option>--subtype
 
256
        <replaceable>KEYTYPE</replaceable></option></term>
 
257
        <term><option>-s
 
258
        <replaceable>KEYTYPE</replaceable></option></term>
 
259
        <listitem>
 
260
          <para>
 
261
            Subkey type.  Default is <quote>RSA</quote> (Elgamal
 
262
            encryption-only).
 
263
          </para>
 
264
        </listitem>
 
265
      </varlistentry>
 
266
      
 
267
      <varlistentry>
 
268
        <term><option>--sublength
 
269
        <replaceable>BITS</replaceable></option></term>
 
270
        <term><option>-L
 
271
        <replaceable>BITS</replaceable></option></term>
 
272
        <listitem>
 
273
          <para>
 
274
            Subkey length in bits.  Default is 4096.
 
275
          </para>
 
276
        </listitem>
 
277
      </varlistentry>
 
278
      
 
279
      <varlistentry>
 
280
        <term><option>--email
 
281
        <replaceable>ADDRESS</replaceable></option></term>
 
282
        <term><option>-e
 
283
        <replaceable>ADDRESS</replaceable></option></term>
229
284
        <listitem>
230
285
          <para>
231
286
            Email address of key.  Default is empty.
232
287
          </para>
233
288
        </listitem>
234
289
      </varlistentry>
235
 
 
 
290
      
236
291
      <varlistentry>
237
 
        <term><literal>-c</literal>, <literal>--comment</literal>
238
 
        <replaceable>comment</replaceable></term>
 
292
        <term><option>--comment
 
293
        <replaceable>TEXT</replaceable></option></term>
 
294
        <term><option>-c
 
295
        <replaceable>TEXT</replaceable></option></term>
239
296
        <listitem>
240
297
          <para>
241
 
            Comment field for key.  The default value is
242
 
            "<literal>Mandos client key</literal>".
 
298
            Comment field for key.  Default is empty.
243
299
          </para>
244
300
        </listitem>
245
301
      </varlistentry>
246
 
 
 
302
      
247
303
      <varlistentry>
248
 
        <term><literal>-x</literal>, <literal>--expire</literal>
249
 
        <replaceable>time</replaceable></term>
 
304
        <term><option>--expire
 
305
        <replaceable>TIME</replaceable></option></term>
 
306
        <term><option>-x
 
307
        <replaceable>TIME</replaceable></option></term>
250
308
        <listitem>
251
309
          <para>
252
310
            Key expire time.  Default is no expiration.  See
255
313
          </para>
256
314
        </listitem>
257
315
      </varlistentry>
258
 
 
259
 
      <varlistentry>
260
 
        <term><literal>-f</literal>, <literal>--force</literal></term>
261
 
        <listitem>
262
 
          <para>
263
 
            Force overwriting old keys.
 
316
      
 
317
      <varlistentry>
 
318
        <term><option>--force</option></term>
 
319
        <term><option>-f</option></term>
 
320
        <listitem>
 
321
          <para>
 
322
            Force overwriting old key.
 
323
          </para>
 
324
        </listitem>
 
325
      </varlistentry>
 
326
      <varlistentry>
 
327
        <term><option>--password</option></term>
 
328
        <term><option>-p</option></term>
 
329
        <listitem>
 
330
          <para>
 
331
            Prompt for a password and encrypt it with the key already
 
332
            present in either <filename>/etc/mandos</filename> or the
 
333
            directory specified with the <option>--dir</option>
 
334
            option.  Outputs, on standard output, a section suitable
 
335
            for inclusion in <citerefentry><refentrytitle
 
336
            >mandos-clients.conf</refentrytitle><manvolnum
 
337
            >8</manvolnum></citerefentry>.  The host name or the name
 
338
            specified with the <option>--name</option> option is used
 
339
            for the section header.  All other options are ignored,
 
340
            and no key is created.
 
341
          </para>
 
342
        </listitem>
 
343
      </varlistentry>
 
344
      <varlistentry>
 
345
        <term><option>--passfile
 
346
        <replaceable>FILE</replaceable></option></term>
 
347
        <term><option>-F
 
348
        <replaceable>FILE</replaceable></option></term>
 
349
        <listitem>
 
350
          <para>
 
351
            The same as <option>--password</option>, but read from
 
352
            <replaceable>FILE</replaceable>, not the terminal.
 
353
          </para>
 
354
        </listitem>
 
355
      </varlistentry>
 
356
      <varlistentry>
 
357
        <term><option>--no-ssh</option></term>
 
358
        <term><option>-S</option></term>
 
359
        <listitem>
 
360
          <para>
 
361
            When <option>--password</option> or
 
362
            <option>--passfile</option> is given, this option will
 
363
            prevent <command>&COMMANDNAME;</command> from calling
 
364
            <command>ssh-keyscan</command> to get an SSH fingerprint
 
365
            for this host and, if successful, output suitable config
 
366
            options to use this fingerprint as a
 
367
            <option>checker</option> option in the output.  This is
 
368
            otherwise the default behavior.
264
369
          </para>
265
370
        </listitem>
266
371
      </varlistentry>
267
372
    </variablelist>
268
373
  </refsect1>
269
 
 
 
374
  
270
375
  <refsect1 id="overview">
271
376
    <title>OVERVIEW</title>
272
 
    &OVERVIEW;
 
377
    <xi:include href="overview.xml"/>
273
378
    <para>
274
 
      This program is a small program to generate new OpenPGP keys for
275
 
      new Mandos clients.
 
379
      This program is a small utility to generate new OpenPGP keys for
 
380
      new Mandos clients, and to generate sections for inclusion in
 
381
      <filename>clients.conf</filename> on the server.
276
382
    </para>
277
383
  </refsect1>
278
 
 
 
384
  
279
385
  <refsect1 id="exit_status">
280
386
    <title>EXIT STATUS</title>
281
387
    <para>
 
388
      The exit status will be 0 if a new key (or password, if the
 
389
      <option>--password</option> option was used) was successfully
 
390
      created, otherwise not.
282
391
    </para>
283
392
  </refsect1>
284
393
  
285
 
  <refsect1 id="file">
 
394
  <refsect1 id="environment">
 
395
    <title>ENVIRONMENT</title>
 
396
    <variablelist>
 
397
      <varlistentry>
 
398
        <term><envar>TMPDIR</envar></term>
 
399
        <listitem>
 
400
          <para>
 
401
            If set, temporary files will be created here. See
 
402
            <citerefentry><refentrytitle>mktemp</refentrytitle>
 
403
            <manvolnum>1</manvolnum></citerefentry>.
 
404
          </para>
 
405
        </listitem>
 
406
      </varlistentry>
 
407
    </variablelist>
 
408
  </refsect1>
 
409
  
 
410
  <refsect1 id="files">
286
411
    <title>FILES</title>
287
412
    <para>
288
 
    </para>
289
 
  </refsect1>
290
 
 
291
 
  <refsect1 id="bugs">
292
 
    <title>BUGS</title>
293
 
    <para>
294
 
    </para>
295
 
  </refsect1>
296
 
 
 
413
      Use the <option>--dir</option> option to change where
 
414
      <command>&COMMANDNAME;</command> will write the key files.  The
 
415
      default file names are shown here.
 
416
    </para>
 
417
    <variablelist>
 
418
      <varlistentry>
 
419
        <term><filename>/etc/mandos/seckey.txt</filename></term>
 
420
        <listitem>
 
421
          <para>
 
422
            OpenPGP secret key file which will be created or
 
423
            overwritten.
 
424
          </para>
 
425
        </listitem>
 
426
      </varlistentry>
 
427
      <varlistentry>
 
428
        <term><filename>/etc/mandos/pubkey.txt</filename></term>
 
429
        <listitem>
 
430
          <para>
 
431
            OpenPGP public key file which will be created or
 
432
            overwritten.
 
433
          </para>
 
434
        </listitem>
 
435
      </varlistentry>
 
436
      <varlistentry>
 
437
        <term><filename class="directory">/tmp</filename></term>
 
438
        <listitem>
 
439
          <para>
 
440
            Temporary files will be written here if
 
441
            <varname>TMPDIR</varname> is not set.
 
442
          </para>
 
443
        </listitem>
 
444
      </varlistentry>
 
445
    </variablelist>
 
446
  </refsect1>
 
447
  
 
448
<!--   <refsect1 id="bugs"> -->
 
449
<!--     <title>BUGS</title> -->
 
450
<!--     <para> -->
 
451
<!--     </para> -->
 
452
<!--   </refsect1> -->
 
453
  
297
454
  <refsect1 id="example">
298
455
    <title>EXAMPLE</title>
299
 
    <para>
300
 
    </para>
 
456
    <informalexample>
 
457
      <para>
 
458
        Normal invocation needs no options:
 
459
      </para>
 
460
      <para>
 
461
        <userinput>&COMMANDNAME;</userinput>
 
462
      </para>
 
463
    </informalexample>
 
464
    <informalexample>
 
465
      <para>
 
466
        Create key in another directory and of another type.  Force
 
467
        overwriting old key files:
 
468
      </para>
 
469
      <para>
 
470
 
 
471
<!-- do not wrap this line -->
 
472
<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>
 
473
 
 
474
      </para>
 
475
    </informalexample>
 
476
    <informalexample>
 
477
      <para>
 
478
        Prompt for a password, encrypt it with the key in <filename
 
479
        class="directory">/etc/mandos</filename> and output a section
 
480
        suitable for <filename>clients.conf</filename>.
 
481
      </para>
 
482
      <para>
 
483
        <userinput>&COMMANDNAME; --password</userinput>
 
484
      </para>
 
485
    </informalexample>
 
486
    <informalexample>
 
487
      <para>
 
488
        Prompt for a password, encrypt it with the key in the
 
489
        <filename>client-key</filename> directory and output a section
 
490
        suitable for <filename>clients.conf</filename>.
 
491
      </para>
 
492
      <para>
 
493
 
 
494
<!-- do not wrap this line -->
 
495
<userinput>&COMMANDNAME; --password --dir client-key</userinput>
 
496
 
 
497
      </para>
 
498
    </informalexample>
301
499
  </refsect1>
302
 
 
 
500
  
303
501
  <refsect1 id="security">
304
502
    <title>SECURITY</title>
305
503
    <para>
 
504
      The <option>--type</option>, <option>--length</option>,
 
505
      <option>--subtype</option>, and <option>--sublength</option>
 
506
      options can be used to create keys of low security.  If in
 
507
      doubt, leave them to the default values.
 
508
    </para>
 
509
    <para>
 
510
      The key expire time is <emphasis>not</emphasis> guaranteed to be
 
511
      honored by <citerefentry><refentrytitle>mandos</refentrytitle>
 
512
      <manvolnum>8</manvolnum></citerefentry>.
306
513
    </para>
307
514
  </refsect1>
308
 
 
 
515
  
309
516
  <refsect1 id="see_also">
310
517
    <title>SEE ALSO</title>
311
518
    <para>
312
 
      <citerefentry><refentrytitle>password-request</refentrytitle>
 
519
      <citerefentry><refentrytitle>intro</refentrytitle>
313
520
      <manvolnum>8mandos</manvolnum></citerefentry>,
 
521
      <citerefentry><refentrytitle>gpg</refentrytitle>
 
522
      <manvolnum>1</manvolnum></citerefentry>,
 
523
      <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
 
524
      <manvolnum>5</manvolnum></citerefentry>,
314
525
      <citerefentry><refentrytitle>mandos</refentrytitle>
315
 
      <manvolnum>8</manvolnum></citerefentry>, and
316
 
      <citerefentry><refentrytitle>gpg</refentrytitle>
 
526
      <manvolnum>8</manvolnum></citerefentry>,
 
527
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
 
528
      <manvolnum>8mandos</manvolnum></citerefentry>,
 
529
      <citerefentry><refentrytitle>ssh-keyscan</refentrytitle>
317
530
      <manvolnum>1</manvolnum></citerefentry>
318
531
    </para>
319
532
  </refsect1>
320
533
  
321
534
</refentry>
 
535
<!-- Local Variables: -->
 
536
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
 
537
<!-- time-stamp-end: "[\"']>" -->
 
538
<!-- time-stamp-format: "%:y-%02m-%02d" -->
 
539
<!-- End: -->