 <refname><command>&COMMANDNAME;</command></refname>
-Generate keys for <citerefentry><refentrytitle>password-request
-</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>
+Generate key and password for Mandos client and server.
 <command>&COMMANDNAME;</command>
-<arg choice="plain"><option>--dir</option>
-<replaceable>directory</replaceable></arg>
-<arg choice="plain"><option>--type</option>
-<replaceable>type</replaceable></arg>
-<arg choice="plain"><option>--length</option>
-<replaceable>bits</replaceable></arg>
-<arg choice="plain"><option>--subtype</option>
-<replaceable>type</replaceable></arg>
-<arg choice="plain"><option>--sublength</option>
-<replaceable>bits</replaceable></arg>
-<arg choice="plain"><option>--name</option>
-<replaceable>NAME</replaceable></arg>
-<arg choice="plain"><option>--email</option>
-<replaceable>EMAIL</replaceable></arg>
-<arg choice="plain"><option>--comment</option>
-<replaceable>COMMENT</replaceable></arg>
-<arg choice="plain"><option>--expire</option>
-<replaceable>TIME</replaceable></arg>
+<arg choice="plain"><option>--dir
+<replaceable>DIRECTORY</replaceable></option></arg>
+<arg choice="plain"><option>-d
+<replaceable>DIRECTORY</replaceable></option></arg>
+<arg choice="plain"><option>--type
+<replaceable>KEYTYPE</replaceable></option></arg>
+<arg choice="plain"><option>-t
+<replaceable>KEYTYPE</replaceable></option></arg>
+<arg choice="plain"><option>--length
+<replaceable>BITS</replaceable></option></arg>
+<arg choice="plain"><option>-l
+<replaceable>BITS</replaceable></option></arg>
+<arg choice="plain"><option>--subtype
+<replaceable>KEYTYPE</replaceable></option></arg>
+<arg choice="plain"><option>-s
+<replaceable>KEYTYPE</replaceable></option></arg>
+<arg choice="plain"><option>--sublength
+<replaceable>BITS</replaceable></option></arg>
+<arg choice="plain"><option>-L
+<replaceable>BITS</replaceable></option></arg>
+<arg choice="plain"><option>--name
+<replaceable>NAME</replaceable></option></arg>
+<arg choice="plain"><option>-n
+<replaceable>NAME</replaceable></option></arg>
+<arg choice="plain"><option>--email
+<replaceable>ADDRESS</replaceable></option></arg>
+<arg choice="plain"><option>-e
+<replaceable>ADDRESS</replaceable></option></arg>
+<arg choice="plain"><option>--comment
+<replaceable>TEXT</replaceable></option></arg>
+<arg choice="plain"><option>-c
+<replaceable>TEXT</replaceable></option></arg>
+<arg choice="plain"><option>--expire
+<replaceable>TIME</replaceable></option></arg>
+<arg choice="plain"><option>-x
+<replaceable>TIME</replaceable></option></arg>
 <arg choice="plain"><option>--force</option></arg>
-<command>&COMMANDNAME;</command>
-<arg choice="plain"><option>-d</option>
-<replaceable>directory</replaceable></arg>
-<arg choice="plain"><option>-t</option>
-<replaceable>type</replaceable></arg>
-<arg choice="plain"><option>-l</option>
-<replaceable>bits</replaceable></arg>
-<arg choice="plain"><option>-s</option>
-<replaceable>type</replaceable></arg>
-<arg choice="plain"><option>-L</option>
-<replaceable>bits</replaceable></arg>
-<arg choice="plain"><option>-n</option>
-<replaceable>NAME</replaceable></arg>
-<arg choice="plain"><option>-e</option>
-<replaceable>EMAIL</replaceable></arg>
-<arg choice="plain"><option>-c</option>
-<replaceable>COMMENT</replaceable></arg>
-<arg choice="plain"><option>-x</option>
-<replaceable>TIME</replaceable></arg>
 <arg choice="plain"><option>-f</option></arg>
 <command>&COMMANDNAME;</command>
 <group choice="req">
+<arg choice="plain"><option>--password</option></arg>
 <arg choice="plain"><option>-p</option></arg>
-<arg choice="plain"><option>--password</option></arg>
-<arg choice="plain"><option>--dir</option>
-<replaceable>directory</replaceable></arg>
-<arg choice="plain"><option>--name</option>
-<replaceable>NAME</replaceable></arg>
+<arg choice="plain"><option>--passfile
+<replaceable>FILE</replaceable></option></arg>
+<arg choice="plain"><option>-F</option>
+<replaceable>FILE</replaceable></arg>
+<arg choice="plain"><option>--dir
+<replaceable>DIRECTORY</replaceable></option></arg>
+<arg choice="plain"><option>-d
+<replaceable>DIRECTORY</replaceable></option></arg>
+<arg choice="plain"><option>--name
+<replaceable>NAME</replaceable></option></arg>
+<arg choice="plain"><option>-n
+<replaceable>NAME</replaceable></option></arg>
+<arg choice="plain"><option>--no-ssh</option></arg>
+<arg choice="plain"><option>-S</option></arg>
 <command>&COMMANDNAME;</command>
 <group choice="req">
+<arg choice="plain"><option>--help</option></arg>
 <arg choice="plain"><option>-h</option></arg>
-<arg choice="plain"><option>--help</option></arg>
 <command>&COMMANDNAME;</command>
 <group choice="req">
+<arg choice="plain"><option>--version</option></arg>
 <arg choice="plain"><option>-v</option></arg>
-<arg choice="plain"><option>--version</option></arg>
 </refsynopsisdiv>
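Review bot: the new `--passfile` synopsis entry is marked up inconsistently with the other new entries in the same group. `--passfile` places its argument inside the option element (`<option>--passfile <replaceable>FILE</replaceable></option>`), but its short form is written as `<option>-F</option>` with `<replaceable>FILE</replaceable>` outside the option, the pattern the old synopsis used and this change otherwise replaces. Make `-F` match the `-d` and `-n` entries right below it, e.g. `<arg choice="plain"><option>-F` / `<replaceable>FILE</replaceable></option></arg>`, so the rendered synopsis is uniform.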
 <refsect1 id="description">
 <title>DESCRIPTION</title>
 <command>&COMMANDNAME;</command> is a program to generate the
-<citerefentry><refentrytitle>password-request</refentrytitle>
-<manvolnum>8mandos</manvolnum></citerefentry>. The keys are
+<citerefentry><refentrytitle>mandos-client</refentrytitle>
+<manvolnum>8mandos</manvolnum></citerefentry>. The key is
 normally written to /etc/mandos for later installation into the
-initrd image, but this, like most things, can be changed with
-command line options.
+initrd image, but this, and most other things, can be changed
+with command line options.
-It can also be used to generate ready-made sections for
+This program can also be used with the
+<option>--password</option> or <option>--passfile</option>
+options to generate a ready-made section for
+<filename>clients.conf</filename> (see
 <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
-<manvolnum>5</manvolnum></citerefentry> using the
-<option>--password</option> option.
+<manvolnum>5</manvolnum></citerefentry>).
 <refsect1 id="purpose">
 <title>PURPOSE</title>
 The purpose of this is to enable <emphasis>remote and unattended
 rebooting</emphasis> of client host computer with an
 <emphasis>encrypted root file system</emphasis>. See <xref
 linkend="overview"/> for details.
 <refsect1 id="options">
 <title>OPTIONS</title>
-<term><literal>-h</literal>, <literal>--help</literal></term>
+<term><option>--help</option></term>
+<term><option>-h</option></term>
 Show a help message and exit
-<term><literal>-d</literal>, <literal>--dir
-<replaceable>directory</replaceable></literal></term>
+<replaceable>DIRECTORY</replaceable></option></term>
+<replaceable>DIRECTORY</replaceable></option></term>
 Target directory for key files. Default is
-<filename>/etc/mandos</filename>.
-<term><literal>-t</literal>, <literal>--type
-<replaceable>type</replaceable></literal></term>
-Key type. Default is <quote>DSA</quote>.
-<term><literal>-l</literal>, <literal>--length
-<replaceable>bits</replaceable></literal></term>
-Key length in bits. Default is 2048.
-<term><literal>-s</literal>, <literal>--subtype
-<replaceable>type</replaceable></literal></term>
-Subkey type. Default is <quote>ELG-E</quote> (Elgamal
+<filename class="directory">/etc/mandos</filename>.
+<replaceable>TYPE</replaceable></option></term>
+<replaceable>TYPE</replaceable></option></term>
+Key type. Default is <quote>RSA</quote>.
+<term><option>--length
+<replaceable>BITS</replaceable></option></term>
+<replaceable>BITS</replaceable></option></term>
+Key length in bits. Default is 4096.
+<term><option>--subtype
+<replaceable>KEYTYPE</replaceable></option></term>
+<replaceable>KEYTYPE</replaceable></option></term>
+Subkey type. Default is <quote>RSA</quote> (Elgamal
 encryption-only).
-<term><literal>-L</literal>, <literal>--sublength
-<replaceable>bits</replaceable></literal></term>
+<term><option>--sublength
+<replaceable>BITS</replaceable></option></term>
+<replaceable>BITS</replaceable></option></term>
-Subkey length in bits. Default is 2048.
+Subkey length in bits. Default is 4096.
-<term><literal>-e</literal>, <literal>--email</literal>
-<replaceable>address</replaceable></term>
+<term><option>--email
+<replaceable>ADDRESS</replaceable></option></term>
+<replaceable>ADDRESS</replaceable></option></term>
 Email address of key. Default is empty.
-<term><literal>-c</literal>, <literal>--comment</literal>
-<replaceable>comment</replaceable></term>
+<term><option>--comment
+<replaceable>TEXT</replaceable></option></term>
+<replaceable>TEXT</replaceable></option></term>
+Comment field for key. The default value is
+<quote><literal>Mandos client key</literal></quote>.
-Comment field for key. Default is empty.
-<term><literal>-x</literal>, <literal>--expire</literal>
-<replaceable>time</replaceable></term>
+<term><option>--expire
+<replaceable>TIME</replaceable></option></term>
+<replaceable>TIME</replaceable></option></term>
 Key expire time. Default is no expiration. See
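Review bot: the parenthetical after the new subkey default no longer matches the value it explains. The changed line reads `Subkey type. Default is <quote>RSA</quote> (Elgamal` and is followed by the unchanged `encryption-only).`, so the rendered page now describes the default RSA subkey as "Elgamal encryption-only", which was only true of the old `ELG-E` default. Either drop the parenthetical or reword it to describe an RSA encryption subkey, and give the same check to the `--sublength` paragraph, whose new default of 4096 should agree with whatever `gpg` actually generates for that subkey type.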
 Normal invocation needs no options:
-<userinput>mandos-keygen</userinput>
+<userinput>&COMMANDNAME;</userinput>
 </informalexample>
 <informalexample>
-Create keys in another directory and of another type. Force
+Create key in another directory and of another type. Force
 overwriting old key files:
 <!-- do not wrap this line -->
-<userinput>mandos-keygen --dir ~/keydir --type RSA --force</userinput>
+<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>
+Prompt for a password, encrypt it with the key in <filename
+class="directory">/etc/mandos</filename> and output a section
+suitable for <filename>clients.conf</filename>.
+<userinput>&COMMANDNAME; --password</userinput>
+Prompt for a password, encrypt it with the key in the
+<filename>client-key</filename> directory and output a section
+suitable for <filename>clients.conf</filename>.
+<!-- do not wrap this line -->
+<userinput>&COMMANDNAME; --password --dir client-key</userinput>
 </informalexample>
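Review bot: the second example is now misleading. The OPTIONS change makes RSA the default (`Key type. Default is <quote>RSA</quote>.`), yet the example that promises a key "of another type" still runs `&COMMANDNAME; --dir ~/keydir --type RSA --force`, which produces the default type. Either pass a non-default type in the example or drop `--type RSA` and reword the lead sentence to "Create key in another directory. Force overwriting old key files:".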
 <refsect1 id="security">
 <title>SECURITY</title>
 The <option>--type</option>, <option>--length</option>,
 <option>--subtype</option>, and <option>--sublength</option>
-options can be used to create keys of insufficient security. If
-in doubt, leave them to the default values.
+options can be used to create keys of low security. If in
+doubt, leave them to the default values.
-The key expire time is not guaranteed to be honored by
-<citerefentry><refentrytitle>mandos</refentrytitle>
+The key expire time is <emphasis>not</emphasis> guaranteed to be
+honored by <citerefentry><refentrytitle>mandos</refentrytitle>
 <manvolnum>8</manvolnum></citerefentry>.
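Review bot: the SECURITY section is not updated for the `--passfile FILE` option that this change adds to the synopsis and DESCRIPTION. That file holds, in the clear, the password which `--password` would otherwise prompt for and which the tool encrypts into the `clients.conf` section, so it deserves the same kind of caveat this section already gives for weak key parameters: state that the file should be readable only by the user running the command and removed once the section has been generated.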
 <refsect1 id="see_also">
 <title>SEE ALSO</title>
-<citerefentry><refentrytitle>password-request</refentrytitle>
+<citerefentry><refentrytitle>intro</refentrytitle>
 <manvolnum>8mandos</manvolnum></citerefentry>,
+<citerefentry><refentrytitle>gpg</refentrytitle>
+<manvolnum>1</manvolnum></citerefentry>,
+<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
+<manvolnum>5</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>mandos</refentrytitle>
 <manvolnum>8</manvolnum></citerefentry>,
-<citerefentry><refentrytitle>gpg</refentrytitle>
+<citerefentry><refentrytitle>mandos-client</refentrytitle>
+<manvolnum>8mandos</manvolnum></citerefentry>,
+<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>
 <manvolnum>1</manvolnum></citerefentry>