/mandos/trunk : revision 837

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2016-03-19 03:48:56 UTC
Revision ID: teddy@recompile.se-20160319034856-d8rox0kdxekgr03g

Server: Make persistent state directory mode u=rwx,go=

The Makefile target "install-server" creates the server persistent
state directory /var/lib/mandos as mode u=rwx,go= (0700). Make this
also the case for the Debian package (unless overridden by
dpkg-statoverride).

* debian/mandos.postinst (configure): Fix state directory permissions,
but only if not listed by "dpkg-statoverride".

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version='1.0' encoding='UTF-8'?>

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY OVERVIEW SYSTEM "overview.xml">

<!ENTITY TIMESTAMP "2016-03-05">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>&COMMANDNAME;</title>

<productname>&COMMANDNAME;</productname>

<productnumber>&VERSION;</productnumber>

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn & Björn Påhlsson</holder>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Generate keys for <citerefentry><refentrytitle>password-request

</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>

Generate key and password for Mandos client and server.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<replaceable>directory</replaceable></arg>

</group>

</group>

<arg choice="plain"><option>--length</option>

</group>

</group>

<arg choice="plain"><option>--email</option>

<replaceable>EMAIL</replaceable></arg>

</group>

<arg choice="plain"><option>--comment</option>

<replaceable>COMMENT</replaceable></arg>

</group>

100

101

<arg choice="plain"><option>--expire</option>

102

103

</group>

104

<group>

<arg choice="plain"><option>--dir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--type

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-t

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--length

<arg choice="plain"><option>-l

</group>

<sbr/>

<group>

<arg choice="plain"><option>--subtype

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-s

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--sublength

<arg choice="plain"><option>-L

</group>

<sbr/>

<group>

100

<arg choice="plain"><option>--name

101

102

<arg choice="plain"><option>-n

103

104

</group>

105

<sbr/>

106

<group>

107

<arg choice="plain"><option>--email

108

<replaceable>ADDRESS</replaceable></option></arg>

109

<arg choice="plain"><option>-e

110

<replaceable>ADDRESS</replaceable></option></arg>

111

</group>

112

<sbr/>

113

<group>

114

<arg choice="plain"><option>--comment

115

116

<arg choice="plain"><option>-c

117

118

</group>

119

<sbr/>

120

<group>

121

<arg choice="plain"><option>--expire

122

123

<arg choice="plain"><option>-x

124

125

</group>

126

<sbr/>

127

<group>

105

128

<arg choice="plain"><option>--force</option></arg>

106

</group>

107

</cmdsynopsis>

108

109

<command>&COMMANDNAME;</command>

110

111

112

<replaceable>directory</replaceable></arg>

113

</group>

114

115

116

117

</group>

118

119

120

121

</group>

122

123

124

125

</group>

126

127

128

<replaceable>EMAIL</replaceable></arg>

129

</group>

130

131

132

<replaceable>COMMENT</replaceable></arg>

133

</group>

134

135

136

137

</group>

138

139

129

140

130

</group>

141

131

</cmdsynopsis>

142

132

143

133

<command>&COMMANDNAME;</command>

144

134

145

146

147

</group>

148

</cmdsynopsis>

149

150

<command>&COMMANDNAME;</command>

151

152

153

<arg choice='plain'><option>--version</option></arg>

135

<arg choice="plain"><option>--password</option></arg>

136

137

<arg choice="plain"><option>--passfile

138

139

140

141

</group>

142

<sbr/>

143

<group>

144

<arg choice="plain"><option>--dir

145

<replaceable>DIRECTORY</replaceable></option></arg>

146

<arg choice="plain"><option>-d

147

<replaceable>DIRECTORY</replaceable></option></arg>

148

</group>

149

<sbr/>

150

<group>

151

<arg choice="plain"><option>--name

152

153

<arg choice="plain"><option>-n

154

155

</group>

156

<group>

157

158

159

</group>

160

</cmdsynopsis>

161

162

<command>&COMMANDNAME;</command>

163

164

165

166

</group>

167

</cmdsynopsis>

168

169

<command>&COMMANDNAME;</command>

170

171

<arg choice="plain"><option>--version</option></arg>

172

154

173

</group>

155

174

</cmdsynopsis>

156

175

</refsynopsisdiv>

157

176

158

177

159

178

<title>DESCRIPTION</title>

160

179

<para>

161

180

<command>&COMMANDNAME;</command> is a program to generate the

162

OpenPGP keys used by

163

<citerefentry><refentrytitle>password-request</refentrytitle>

164

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

181

OpenPGP key used by

182

<citerefentry><refentrytitle>mandos-client</refentrytitle>

183

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

165

184

normally written to /etc/mandos for later installation into the

166

initrd image, but this, like most things, can be changed with

167

command line options.

185

initrd image, but this, and most other things, can be changed

186

with command line options.

187

</para>

188

<para>

189

This program can also be used with the

190

<option>--password</option> or <option>--passfile</option>

191

options to generate a ready-made section for

192

<filename>clients.conf</filename> (see

193

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

194

<manvolnum>5</manvolnum></citerefentry>).

168

195

</para>

169

196

</refsect1>

170

197

171

198

172

199

<title>PURPOSE</title>

173

174

200

<para>

175

201

The purpose of this is to enable <emphasis>remote and unattended

176

202

rebooting</emphasis> of client host computer with an

177

203

<emphasis>encrypted root file system</emphasis>. See <xref

178

204

linkend="overview"/> for details.

179

205

</para>

180

181

206

</refsect1>

182

207

183

208

184

209

<title>OPTIONS</title>

185

210

186

211

187

212

188

213

214

189

215

190

216

<para>

191

217

Show a help message and exit

192

218

</para>

193

219

</listitem>

194

220

</varlistentry>

195

196

197

<term><literal>-d</literal>, <literal>--dir

198

<replaceable>directory</replaceable></literal></term>

199

200

<para>

201

Target directory for key files.

202

</para>

203

</listitem>

204

</varlistentry>

205

206

207

<term><literal>-t</literal>, <literal>--type

208

209

210

<para>

211

Key type. Default is DSA.

212

</para>

213

</listitem>

214

</varlistentry>

215

216

217

<term><literal>-l</literal>, <literal>--length

218

219

220

<para>

221

Key length in bits. Default is 1024.

222

</para>

223

</listitem>

224

</varlistentry>

225

226

227

<term><literal>-e</literal>, <literal>--email</literal>

228

<replaceable>address</replaceable></term>

221

222

223

<term><option>--dir

224

<replaceable>DIRECTORY</replaceable></option></term>

225

<term><option>-d

226

<replaceable>DIRECTORY</replaceable></option></term>

227

228

<para>

229

Target directory for key files. Default is

230

<filename class="directory">/etc/mandos</filename>.

231

</para>

232

</listitem>

233

</varlistentry>

234

235

236

<term><option>--type

237

238

<term><option>-t

239

240

241

<para>

242

Key type. Default is <quote>RSA</quote>.

243

</para>

244

</listitem>

245

</varlistentry>

246

247

248

<term><option>--length

249

250

<term><option>-l

251

252

253

<para>

254

Key length in bits. Default is 4096.

255

</para>

256

</listitem>

257

</varlistentry>

258

259

260

<term><option>--subtype

261

<replaceable>KEYTYPE</replaceable></option></term>

262

<term><option>-s

263

<replaceable>KEYTYPE</replaceable></option></term>

264

265

<para>

266

Subkey type. Default is <quote>RSA</quote> (Elgamal

267

encryption-only).

268

</para>

269

</listitem>

270

</varlistentry>

271

272

273

<term><option>--sublength

274

275

<term><option>-L

276

277

278

<para>

279

Subkey length in bits. Default is 4096.

280

</para>

281

</listitem>

282

</varlistentry>

283

284

285

<term><option>--email

286

<replaceable>ADDRESS</replaceable></option></term>

287

<term><option>-e

288

<replaceable>ADDRESS</replaceable></option></term>

229

289

230

290

<para>

231

291

Email address of key. Default is empty.

232

292

</para>

233

293

</listitem>

234

294

</varlistentry>

235

295

236

296

237

<term><literal>-c</literal>, <literal>--comment</literal>

238

<replaceable>comment</replaceable></term>

297

<term><option>--comment

298

299

<term><option>-c

300

239

301

240

302

<para>

241

Comment field for key. The default value is

242

"<literal>Mandos client key</literal>".

303

Comment field for key. Default is empty.

243

304

</para>

244

305

</listitem>

245

306

</varlistentry>

246

307

247

308

248

<term><literal>-x</literal>, <literal>--expire</literal>

249

309

<term><option>--expire

310

311

<term><option>-x

312

250

313

251

314

<para>

252

315

Key expire time. Default is no expiration. See

255

318

</para>

256

319

</listitem>

257

320

</varlistentry>

258

259

260

<term><literal>-f</literal>, <literal>--force</literal></term>

261

262

<para>

263

Force overwriting old keys.

321

322

323

<term><option>--force</option></term>

324

325

326

<para>

327

Force overwriting old key.

328

</para>

329

</listitem>

330

</varlistentry>

331

332

<term><option>--password</option></term>

333

334

335

<para>

336

Prompt for a password and encrypt it with the key already

337

present in either <filename>/etc/mandos</filename> or the

338

directory specified with the <option>--dir</option>

339

option. Outputs, on standard output, a section suitable

340

for inclusion in <citerefentry><refentrytitle

341

>mandos-clients.conf</refentrytitle><manvolnum

342

>8</manvolnum></citerefentry>. The host name or the name

343

specified with the <option>--name</option> option is used

344

for the section header. All other options are ignored,

345

and no key is created.

346

</para>

347

</listitem>

348

</varlistentry>

349

350

<term><option>--passfile

351

352

<term><option>-F

353

354

355

<para>

356

The same as <option>--password</option>, but read from

357

<replaceable>FILE</replaceable>, not the terminal.

358

</para>

359

</listitem>

360

</varlistentry>

361

362

363

364

365

<para>

366

When <option>--password</option> or

367

<option>--passfile</option> is given, this option will

368

prevent <command>&COMMANDNAME;</command> from calling

369

<command>ssh-keyscan</command> to get an SSH fingerprint

370

for this host and, if successful, output suitable config

371

options to use this fingerprint as a

372

<option>checker</option> option in the output. This is

373

otherwise the default behavior.

264

374

</para>

265

375

</listitem>

266

376

</varlistentry>

267

377

</variablelist>

268

378

</refsect1>

269

379

270

380

271

381

<title>OVERVIEW</title>

272

&OVERVIEW;

382

<xi:include href="overview.xml"/>

273

383

<para>

274

This program is a small program to generate new OpenPGP keys for

275

new Mandos clients.

384

This program is a small utility to generate new OpenPGP keys for

385

new Mandos clients, and to generate sections for inclusion in

386

<filename>clients.conf</filename> on the server.

276

387

</para>

277

388

</refsect1>

278

389

279

390

280

391

<title>EXIT STATUS</title>

281

392

<para>

282

The exit status will be 0 if new keys were successfully created,

283

otherwise not.

393

The exit status will be 0 if a new key (or password, if the

394

<option>--password</option> option was used) was successfully

395

created, otherwise not.

284

396

</para>

285

397

</refsect1>

286

398

288

400

<title>ENVIRONMENT</title>

289

401

290

402

291

<term><varname>TMPDIR</varname></term>

403

<term><envar>TMPDIR</envar></term>

292

404

293

405

<para>

294

406

If set, temporary files will be created here. See

300

412

</variablelist>

301

413

</refsect1>

302

414

303

415

304

416

<title>FILES</title>

305

417

<para>

306

418

Use the <option>--dir</option> option to change where

327

439

</listitem>

328

440

</varlistentry>

329

441

330

442

331

443

332

444

<para>

333

445

Temporary files will be written here if

337

449

</varlistentry>

338

450

</variablelist>

339

451

</refsect1>

340

452

341

453

342

454

343

<para>

344

None are known at this time.

345

</para>

455

<xi:include href="bugs.xml"/>

346

456

</refsect1>

347

457

348

458

349

459

<title>EXAMPLE</title>

350

460

352

462

Normal invocation needs no options:

353

463

</para>

354

464

<para>

355

<userinput>mandos-keygen</userinput>

465

<userinput>&COMMANDNAME;</userinput>

356

466

</para>

357

467

</informalexample>

358

468

359

469

<para>

360

Create keys in another directory and of another type. Force

470

Create key in another directory and of another type. Force

361

471

overwriting old key files:

362

472

</para>

363

473

<para>

364

474

365

475

366

<userinput>mandos-keygen --dir ~/keydir --type RSA --force</userinput>

476

<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>

477

478

</para>

479

</informalexample>

480

481

<para>

482

Prompt for a password, encrypt it with the key in <filename

483

class="directory">/etc/mandos</filename> and output a section

484

suitable for <filename>clients.conf</filename>.

485

</para>

486

<para>

487

<userinput>&COMMANDNAME; --password</userinput>

488

</para>

489

</informalexample>

490

491

<para>

492

Prompt for a password, encrypt it with the key in the

493

<filename>client-key</filename> directory and output a section

494

suitable for <filename>clients.conf</filename>.

495

</para>

496

<para>

497

498

499

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

367

500

368

501

</para>

369

502

</informalexample>

370

503

</refsect1>

371

504

372

505

373

506

<title>SECURITY</title>

374

507

<para>

375

The <option>--type</option> and <option>--length</option>

376

options can be used to create keys of insufficient security. If

377

in doubt, leave them to the default values.

508

The <option>--type</option>, <option>--length</option>,

509

<option>--subtype</option>, and <option>--sublength</option>

510

options can be used to create keys of low security. If in

511

doubt, leave them to the default values.

378

512

</para>

379

513

<para>

380

The key expire time is not guaranteed to be honored by

381

<citerefentry><refentrytitle>mandos</refentrytitle>

514

The key expire time is <emphasis>not</emphasis> guaranteed to be

515

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

382

516

<manvolnum>8</manvolnum></citerefentry>.

383

517

</para>

384

518

</refsect1>

385

519

386

520

387

521

388

522

<para>

389

<citerefentry><refentrytitle>password-request</refentrytitle>

523

<citerefentry><refentrytitle>intro</refentrytitle>

390

524

<manvolnum>8mandos</manvolnum></citerefentry>,

391

<citerefentry><refentrytitle>mandos</refentrytitle>

392

<manvolnum>8</manvolnum></citerefentry>, and

393

525

526

<manvolnum>1</manvolnum></citerefentry>,

527

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

528

<manvolnum>5</manvolnum></citerefentry>,

529

<citerefentry><refentrytitle>mandos</refentrytitle>

530

<manvolnum>8</manvolnum></citerefentry>,

531

<citerefentry><refentrytitle>mandos-client</refentrytitle>

532

<manvolnum>8mandos</manvolnum></citerefentry>,

533

<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>

394

534

395

535

</para>

396

536

</refsect1>

397

537

398

538

</refentry>

539

540

541

542

543

Older »