/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

  • Committer: Teddy Hogeborn
  • Date: 2016-03-17 20:40:55 UTC
  • Revision ID: teddy@recompile.se-20160317204055-bhsh5xsidq7w5cxu
Client: Fix plymouth agent; broken since 1.7.2.

Fix an very old memory bug in the plymouth agent (which has been
present since its apperance in version 1.2), but which was only
recently detected at run time due to the new -fsanitize=address
compile- time flag, which has been used since version 1.7.2.  This
detection of a memory access violation causes the program to abort,
making the Plymouth graphical boot system unable to accept interactive
input of passwords when using the Mandos client.

* plugins.d/plymouth.c (exec_and_wait): Fix memory allocation bug when
  allocating new_argv.  Also tolerate a zero-length argv.

Show diffs side-by-side

added added

removed removed

Lines of Context:
1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
 
<!ENTITY VERSION "1.0">
5
4
<!ENTITY COMMANDNAME "mandos-keygen">
6
 
<!ENTITY TIMESTAMP "2008-08-31">
 
5
<!ENTITY TIMESTAMP "2016-03-05">
 
6
<!ENTITY % common SYSTEM "common.ent">
 
7
%common;
7
8
]>
8
9
 
9
10
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
11
12
    <title>Mandos Manual</title>
12
13
    <!-- NWalsh’s docbook scripts use this to generate the footer: -->
13
14
    <productname>Mandos</productname>
14
 
    <productnumber>&VERSION;</productnumber>
 
15
    <productnumber>&version;</productnumber>
15
16
    <date>&TIMESTAMP;</date>
16
17
    <authorgroup>
17
18
      <author>
18
19
        <firstname>Björn</firstname>
19
20
        <surname>Påhlsson</surname>
20
21
        <address>
21
 
          <email>belorn@fukt.bsnet.se</email>
 
22
          <email>belorn@recompile.se</email>
22
23
        </address>
23
24
      </author>
24
25
      <author>
25
26
        <firstname>Teddy</firstname>
26
27
        <surname>Hogeborn</surname>
27
28
        <address>
28
 
          <email>teddy@fukt.bsnet.se</email>
 
29
          <email>teddy@recompile.se</email>
29
30
        </address>
30
31
      </author>
31
32
    </authorgroup>
32
33
    <copyright>
33
34
      <year>2008</year>
 
35
      <year>2009</year>
 
36
      <year>2010</year>
 
37
      <year>2011</year>
 
38
      <year>2012</year>
 
39
      <year>2013</year>
 
40
      <year>2014</year>
 
41
      <year>2015</year>
 
42
      <year>2016</year>
34
43
      <holder>Teddy Hogeborn</holder>
35
44
      <holder>Björn Påhlsson</holder>
36
45
    </copyright>
37
46
    <xi:include href="legalnotice.xml"/>
38
47
  </refentryinfo>
39
 
 
 
48
  
40
49
  <refmeta>
41
50
    <refentrytitle>&COMMANDNAME;</refentrytitle>
42
51
    <manvolnum>8</manvolnum>
48
57
      Generate key and password for Mandos client and server.
49
58
    </refpurpose>
50
59
  </refnamediv>
51
 
 
 
60
  
52
61
  <refsynopsisdiv>
53
62
    <cmdsynopsis>
54
63
      <command>&COMMANDNAME;</command>
115
124
        <replaceable>TIME</replaceable></option></arg>
116
125
      </group>
117
126
      <sbr/>
118
 
      <arg><option>--force</option></arg>
 
127
      <group>
 
128
        <arg choice="plain"><option>--force</option></arg>
 
129
        <arg choice="plain"><option>-f</option></arg>
 
130
      </group>
119
131
    </cmdsynopsis>
120
132
    <cmdsynopsis>
121
133
      <command>&COMMANDNAME;</command>
122
134
      <group choice="req">
123
135
        <arg choice="plain"><option>--password</option></arg>
124
136
        <arg choice="plain"><option>-p</option></arg>
 
137
        <arg choice="plain"><option>--passfile
 
138
        <replaceable>FILE</replaceable></option></arg>
 
139
        <arg choice="plain"><option>-F</option>
 
140
        <replaceable>FILE</replaceable></arg>
125
141
      </group>
126
142
      <sbr/>
127
143
      <group>
137
153
        <arg choice="plain"><option>-n
138
154
        <replaceable>NAME</replaceable></option></arg>
139
155
      </group>
 
156
      <group>
 
157
        <arg choice="plain"><option>--no-ssh</option></arg>
 
158
        <arg choice="plain"><option>-S</option></arg>
 
159
      </group>
140
160
    </cmdsynopsis>
141
161
    <cmdsynopsis>
142
162
      <command>&COMMANDNAME;</command>
159
179
    <para>
160
180
      <command>&COMMANDNAME;</command> is a program to generate the
161
181
      OpenPGP key used by
162
 
      <citerefentry><refentrytitle>password-request</refentrytitle>
 
182
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
163
183
      <manvolnum>8mandos</manvolnum></citerefentry>.  The key is
164
184
      normally written to /etc/mandos for later installation into the
165
185
      initrd image, but this, and most other things, can be changed
167
187
    </para>
168
188
    <para>
169
189
      This program can also be used with the
170
 
      <option>--password</option> option to generate a ready-made
171
 
      section for <filename>clients.conf</filename> (see
 
190
      <option>--password</option> or <option>--passfile</option>
 
191
      options to generate a ready-made section for
 
192
      <filename>clients.conf</filename> (see
172
193
      <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
173
194
      <manvolnum>5</manvolnum></citerefentry>).
174
195
    </para>
197
218
          </para>
198
219
        </listitem>
199
220
      </varlistentry>
200
 
 
 
221
      
201
222
      <varlistentry>
202
223
        <term><option>--dir
203
224
        <replaceable>DIRECTORY</replaceable></option></term>
206
227
        <listitem>
207
228
          <para>
208
229
            Target directory for key files.  Default is
209
 
            <filename>/etc/mandos</filename>.
 
230
            <filename class="directory">/etc/mandos</filename>.
210
231
          </para>
211
232
        </listitem>
212
233
      </varlistentry>
213
 
 
 
234
      
214
235
      <varlistentry>
215
236
        <term><option>--type
216
237
        <replaceable>TYPE</replaceable></option></term>
218
239
        <replaceable>TYPE</replaceable></option></term>
219
240
        <listitem>
220
241
          <para>
221
 
            Key type.  Default is <quote>DSA</quote>.
 
242
            Key type.  Default is <quote>RSA</quote>.
222
243
          </para>
223
244
        </listitem>
224
245
      </varlistentry>
225
 
 
 
246
      
226
247
      <varlistentry>
227
248
        <term><option>--length
228
249
        <replaceable>BITS</replaceable></option></term>
230
251
        <replaceable>BITS</replaceable></option></term>
231
252
        <listitem>
232
253
          <para>
233
 
            Key length in bits.  Default is 2048.
 
254
            Key length in bits.  Default is 4096.
234
255
          </para>
235
256
        </listitem>
236
257
      </varlistentry>
237
 
 
 
258
      
238
259
      <varlistentry>
239
260
        <term><option>--subtype
240
261
        <replaceable>KEYTYPE</replaceable></option></term>
242
263
        <replaceable>KEYTYPE</replaceable></option></term>
243
264
        <listitem>
244
265
          <para>
245
 
            Subkey type.  Default is <quote>ELG-E</quote> (Elgamal
 
266
            Subkey type.  Default is <quote>RSA</quote> (Elgamal
246
267
            encryption-only).
247
268
          </para>
248
269
        </listitem>
249
270
      </varlistentry>
250
 
 
 
271
      
251
272
      <varlistentry>
252
273
        <term><option>--sublength
253
274
        <replaceable>BITS</replaceable></option></term>
255
276
        <replaceable>BITS</replaceable></option></term>
256
277
        <listitem>
257
278
          <para>
258
 
            Subkey length in bits.  Default is 2048.
 
279
            Subkey length in bits.  Default is 4096.
259
280
          </para>
260
281
        </listitem>
261
282
      </varlistentry>
262
 
 
 
283
      
263
284
      <varlistentry>
264
285
        <term><option>--email
265
286
        <replaceable>ADDRESS</replaceable></option></term>
271
292
          </para>
272
293
        </listitem>
273
294
      </varlistentry>
274
 
 
 
295
      
275
296
      <varlistentry>
276
297
        <term><option>--comment
277
298
        <replaceable>TEXT</replaceable></option></term>
279
300
        <replaceable>TEXT</replaceable></option></term>
280
301
        <listitem>
281
302
          <para>
282
 
            Comment field for key.  The default value is
283
 
            <quote><literal>Mandos client key</literal></quote>.
 
303
            Comment field for key.  Default is empty.
284
304
          </para>
285
305
        </listitem>
286
306
      </varlistentry>
287
 
 
 
307
      
288
308
      <varlistentry>
289
309
        <term><option>--expire
290
310
        <replaceable>TIME</replaceable></option></term>
298
318
          </para>
299
319
        </listitem>
300
320
      </varlistentry>
301
 
 
 
321
      
302
322
      <varlistentry>
303
323
        <term><option>--force</option></term>
304
324
        <term><option>-f</option></term>
326
346
          </para>
327
347
        </listitem>
328
348
      </varlistentry>
 
349
      <varlistentry>
 
350
        <term><option>--passfile
 
351
        <replaceable>FILE</replaceable></option></term>
 
352
        <term><option>-F
 
353
        <replaceable>FILE</replaceable></option></term>
 
354
        <listitem>
 
355
          <para>
 
356
            The same as <option>--password</option>, but read from
 
357
            <replaceable>FILE</replaceable>, not the terminal.
 
358
          </para>
 
359
        </listitem>
 
360
      </varlistentry>
 
361
      <varlistentry>
 
362
        <term><option>--no-ssh</option></term>
 
363
        <term><option>-S</option></term>
 
364
        <listitem>
 
365
          <para>
 
366
            When <option>--password</option> or
 
367
            <option>--passfile</option> is given, this option will
 
368
            prevent <command>&COMMANDNAME;</command> from calling
 
369
            <command>ssh-keyscan</command> to get an SSH fingerprint
 
370
            for this host and, if successful, output suitable config
 
371
            options to use this fingerprint as a
 
372
            <option>checker</option> option in the output.  This is
 
373
            otherwise the default behavior.
 
374
          </para>
 
375
        </listitem>
 
376
      </varlistentry>
329
377
    </variablelist>
330
378
  </refsect1>
331
 
 
 
379
  
332
380
  <refsect1 id="overview">
333
381
    <title>OVERVIEW</title>
334
382
    <xi:include href="overview.xml"/>
338
386
      <filename>clients.conf</filename> on the server.
339
387
    </para>
340
388
  </refsect1>
341
 
 
 
389
  
342
390
  <refsect1 id="exit_status">
343
391
    <title>EXIT STATUS</title>
344
392
    <para>
364
412
    </variablelist>
365
413
  </refsect1>
366
414
  
367
 
  <refsect1 id="file">
 
415
  <refsect1 id="files">
368
416
    <title>FILES</title>
369
417
    <para>
370
418
      Use the <option>--dir</option> option to change where
391
439
        </listitem>
392
440
      </varlistentry>
393
441
      <varlistentry>
394
 
        <term><filename>/tmp</filename></term>
 
442
        <term><filename class="directory">/tmp</filename></term>
395
443
        <listitem>
396
444
          <para>
397
445
            Temporary files will be written here if
401
449
      </varlistentry>
402
450
    </variablelist>
403
451
  </refsect1>
404
 
 
 
452
  
405
453
  <refsect1 id="bugs">
406
454
    <title>BUGS</title>
407
 
    <para>
408
 
      None are known at this time.
409
 
    </para>
 
455
    <xi:include href="bugs.xml"/>
410
456
  </refsect1>
411
 
 
 
457
  
412
458
  <refsect1 id="example">
413
459
    <title>EXAMPLE</title>
414
460
    <informalexample>
433
479
    </informalexample>
434
480
    <informalexample>
435
481
      <para>
436
 
        Prompt for a password, encrypt it with the key in
437
 
        <filename>/etc/mandos</filename> and output a section suitable
438
 
        for <filename>clients.conf</filename>.
 
482
        Prompt for a password, encrypt it with the key in <filename
 
483
        class="directory">/etc/mandos</filename> and output a section
 
484
        suitable for <filename>clients.conf</filename>.
439
485
      </para>
440
486
      <para>
441
487
        <userinput>&COMMANDNAME; --password</userinput>
455
501
      </para>
456
502
    </informalexample>
457
503
  </refsect1>
458
 
 
 
504
  
459
505
  <refsect1 id="security">
460
506
    <title>SECURITY</title>
461
507
    <para>
470
516
      <manvolnum>8</manvolnum></citerefentry>.
471
517
    </para>
472
518
  </refsect1>
473
 
 
 
519
  
474
520
  <refsect1 id="see_also">
475
521
    <title>SEE ALSO</title>
476
522
    <para>
 
523
      <citerefentry><refentrytitle>intro</refentrytitle>
 
524
      <manvolnum>8mandos</manvolnum></citerefentry>,
477
525
      <citerefentry><refentrytitle>gpg</refentrytitle>
478
526
      <manvolnum>1</manvolnum></citerefentry>,
479
527
      <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
480
528
      <manvolnum>5</manvolnum></citerefentry>,
481
529
      <citerefentry><refentrytitle>mandos</refentrytitle>
482
530
      <manvolnum>8</manvolnum></citerefentry>,
483
 
      <citerefentry><refentrytitle>password-request</refentrytitle>
484
 
      <manvolnum>8mandos</manvolnum></citerefentry>
 
531
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
 
532
      <manvolnum>8mandos</manvolnum></citerefentry>,
 
533
      <citerefentry><refentrytitle>ssh-keyscan</refentrytitle>
 
534
      <manvolnum>1</manvolnum></citerefentry>
485
535
    </para>
486
536
  </refsect1>
487
537