/mandos/trunk : revision 937

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2018-02-18 01:14:23 UTC
Revision ID: teddy@recompile.se-20180218011423-twxv4clb7wvm9fof

Remove dead code.

* plugins.d/mandos-client.d (main/clean_dir_at): Remove dead code.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2018-02-08">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>&COMMANDNAME;</title>

<title>Mandos Manual</title>

<productname>&COMMANDNAME;</productname>

<productnumber>&VERSION;</productnumber>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<refname><command>&COMMANDNAME;</command></refname>

Generate keys for <citerefentry><refentrytitle>password-request

</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>

Generate key and password for Mandos client and server.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<replaceable>directory</replaceable></arg>

</group>

</group>

<arg choice="plain"><option>--length</option>

</group>

<arg choice="plain"><option>--subtype</option>

</group>

<arg choice="plain"><option>--sublength</option>

</group>

</group>

100

101

<arg choice="plain"><option>--email</option>

102

<replaceable>EMAIL</replaceable></arg>

103

</group>

104

105

<arg choice="plain"><option>--comment</option>

106

<replaceable>COMMENT</replaceable></arg>

107

</group>

108

109

<arg choice="plain"><option>--expire</option>

110

111

</group>

112

<group>

<arg choice="plain"><option>--dir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--type

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-t

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--length

<arg choice="plain"><option>-l

</group>

<sbr/>

<group>

<arg choice="plain"><option>--subtype

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-s

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--sublength

<arg choice="plain"><option>-L

</group>

100

<sbr/>

101

<group>

102

<arg choice="plain"><option>--name

103

104

<arg choice="plain"><option>-n

105

106

</group>

107

<sbr/>

108

<group>

109

<arg choice="plain"><option>--email

110

<replaceable>ADDRESS</replaceable></option></arg>

111

<arg choice="plain"><option>-e

112

<replaceable>ADDRESS</replaceable></option></arg>

113

</group>

114

<sbr/>

115

<group>

116

<arg choice="plain"><option>--comment

117

118

<arg choice="plain"><option>-c

119

120

</group>

121

<sbr/>

122

<group>

123

<arg choice="plain"><option>--expire

124

125

<arg choice="plain"><option>-x

126

127

</group>

128

<sbr/>

129

<group>

113

130

<arg choice="plain"><option>--force</option></arg>

114

</group>

115

</cmdsynopsis>

116

117

<command>&COMMANDNAME;</command>

118

119

120

<replaceable>directory</replaceable></arg>

121

</group>

122

123

124

125

</group>

126

127

128

129

</group>

130

131

132

133

</group>

134

135

136

137

</group>

138

139

140

141

</group>

142

143

144

<replaceable>EMAIL</replaceable></arg>

145

</group>

146

147

148

<replaceable>COMMENT</replaceable></arg>

149

</group>

150

151

152

153

</group>

154

155

131

156

132

</group>

157

133

</cmdsynopsis>

158

134

159

135

<command>&COMMANDNAME;</command>

160

136

137

<arg choice="plain"><option>--password</option></arg>

161

138

162

<arg choice="plain"><option>--password</option></arg>

163

</group>

164

165

166

<replaceable>directory</replaceable></arg>

167

</group>

168

169

170

139

<arg choice="plain"><option>--passfile

140

141

142

143

</group>

144

<sbr/>

145

<group>

146

<arg choice="plain"><option>--dir

147

<replaceable>DIRECTORY</replaceable></option></arg>

148

<arg choice="plain"><option>-d

149

<replaceable>DIRECTORY</replaceable></option></arg>

150

</group>

151

<sbr/>

152

<group>

153

<arg choice="plain"><option>--name

154

155

<arg choice="plain"><option>-n

156

157

</group>

158

<group>

159

160

171

161

</group>

172

162

</cmdsynopsis>

173

163

174

164

<command>&COMMANDNAME;</command>

175

165

166

176

167

177

178

168

</group>

179

169

</cmdsynopsis>

180

170

181

171

<command>&COMMANDNAME;</command>

182

172

173

<arg choice="plain"><option>--version</option></arg>

183

174

184

<arg choice="plain"><option>--version</option></arg>

185

175

</group>

186

176

</cmdsynopsis>

187

177

</refsynopsisdiv>

188

178

189

179

190

180

<title>DESCRIPTION</title>

191

181

<para>

192

182

<command>&COMMANDNAME;</command> is a program to generate the

193

OpenPGP keys used by

194

<citerefentry><refentrytitle>password-request</refentrytitle>

195

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

183

OpenPGP key used by

184

<citerefentry><refentrytitle>mandos-client</refentrytitle>

185

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

196

186

normally written to /etc/mandos for later installation into the

197

initrd image, but this, like most things, can be changed with

198

command line options.

187

initrd image, but this, and most other things, can be changed

188

with command line options.

199

189

</para>

200

190

<para>

201

It can also be used to generate ready-made sections for

191

This program can also be used with the

192

<option>--password</option> or <option>--passfile</option>

193

options to generate a ready-made section for

194

<filename>clients.conf</filename> (see

202

195

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

203

<manvolnum>5</manvolnum></citerefentry> using the

204

<option>--password</option> option.

196

<manvolnum>5</manvolnum></citerefentry>).

205

197

</para>

206

198

</refsect1>

207

199

208

200

209

201

<title>PURPOSE</title>

210

211

202

<para>

212

203

The purpose of this is to enable <emphasis>remote and unattended

213

204

rebooting</emphasis> of client host computer with an

214

205

<emphasis>encrypted root file system</emphasis>. See <xref

215

206

linkend="overview"/> for details.

216

207

</para>

217

218

208

</refsect1>

219

209

220

210

221

211

<title>OPTIONS</title>

222

212

223

213

224

214

225

215

216

226

217

227

218

<para>

228

219

Show a help message and exit

229

220

</para>

230

221

</listitem>

231

222

</varlistentry>

232

223

233

224

234

<term><literal>-d</literal>, <literal>--dir

235

<replaceable>directory</replaceable></literal></term>

225

<term><option>--dir

226

<replaceable>DIRECTORY</replaceable></option></term>

227

<term><option>-d

228

<replaceable>DIRECTORY</replaceable></option></term>

236

229

237

230

<para>

238

231

Target directory for key files. Default is

239

<filename>/etc/mandos</filename>.

240

</para>

241

</listitem>

242

</varlistentry>

243

244

245

<term><literal>-t</literal>, <literal>--type

246

247

248

<para>

249

Key type. Default is <quote>DSA</quote>.

250

</para>

251

</listitem>

252

</varlistentry>

253

254

255

<term><literal>-l</literal>, <literal>--length

256

257

258

<para>

259

Key length in bits. Default is 1024.

260

</para>

261

</listitem>

262

</varlistentry>

263

264

265

<term><literal>-s</literal>, <literal>--subtype

266

267

268

<para>

269

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

232

<filename class="directory">/etc/mandos</filename>.

233

</para>

234

</listitem>

235

</varlistentry>

236

237

238

<term><option>--type

239

240

<term><option>-t

241

242

243

<para>

244

Key type. Default is <quote>RSA</quote>.

245

</para>

246

</listitem>

247

</varlistentry>

248

249

250

<term><option>--length

251

252

<term><option>-l

253

254

255

<para>

256

Key length in bits. Default is 4096.

257

</para>

258

</listitem>

259

</varlistentry>

260

261

262

<term><option>--subtype

263

<replaceable>KEYTYPE</replaceable></option></term>

264

<term><option>-s

265

<replaceable>KEYTYPE</replaceable></option></term>

266

267

<para>

268

Subkey type. Default is <quote>RSA</quote> (Elgamal

270

269

encryption-only).

271

270

</para>

272

271

</listitem>

273

272

</varlistentry>

274

273

275

274

276

<term><literal>-L</literal>, <literal>--sublength

277

275

<term><option>--sublength

276

277

<term><option>-L

278

278

279

279

280

<para>

280

Subkey length in bits. Default is 2048.

281

Subkey length in bits. Default is 4096.

281

282

</para>

282

283

</listitem>

283

284

</varlistentry>

284

285

286

286

<term><literal>-e</literal>, <literal>--email</literal>

287

<replaceable>address</replaceable></term>

287

<term><option>--email

288

<replaceable>ADDRESS</replaceable></option></term>

289

<term><option>-e

290

<replaceable>ADDRESS</replaceable></option></term>

288

291

289

292

<para>

290

293

Email address of key. Default is empty.

291

294

</para>

292

295

</listitem>

293

296

</varlistentry>

294

297

295

298

296

<term><literal>-c</literal>, <literal>--comment</literal>

297

<replaceable>comment</replaceable></term>

299

<term><option>--comment

300

301

<term><option>-c

302

298

303

299

304

<para>

300

Comment field for key. The default value is

301

<quote><literal>Mandos client key</literal></quote>.

305

Comment field for key. Default is empty.

302

306

</para>

303

307

</listitem>

304

308

</varlistentry>

305

309

306

310

307

<term><literal>-x</literal>, <literal>--expire</literal>

308

311

<term><option>--expire

312

313

<term><option>-x

314

309

315

310

316

<para>

311

317

Key expire time. Default is no expiration. See

314

320

</para>

315

321

</listitem>

316

322

</varlistentry>

317

323

318

324

319

<term><literal>-f</literal>, <literal>--force</literal></term>

325

<term><option>--force</option></term>

326

320

327

321

328

<para>

322

Force overwriting old keys.

329

Force overwriting old key.

323

330

</para>

324

331

</listitem>

325

332

</varlistentry>

326

333

327

<term><literal>-p</literal>, <literal>--password</literal

328

></term>

334

<term><option>--password</option></term>

335

329

336

330

337

<para>

331

338

Prompt for a password and encrypt it with the key already

337

344

>8</manvolnum></citerefentry>. The host name or the name

338

345

specified with the <option>--name</option> option is used

339

346

for the section header. All other options are ignored,

340

and no keys are created.

347

and no key is created.

348

</para>

349

</listitem>

350

</varlistentry>

351

352

<term><option>--passfile

353

354

<term><option>-F

355

356

357

<para>

358

The same as <option>--password</option>, but read from

359

<replaceable>FILE</replaceable>, not the terminal.

360

</para>

361

</listitem>

362

</varlistentry>

363

364

365

366

367

<para>

368

When <option>--password</option> or

369

<option>--passfile</option> is given, this option will

370

prevent <command>&COMMANDNAME;</command> from calling

371

<command>ssh-keyscan</command> to get an SSH fingerprint

372

for this host and, if successful, output suitable config

373

options to use this fingerprint as a

374

<option>checker</option> option in the output. This is

375

otherwise the default behavior.

341

376

</para>

342

377

</listitem>

343

378

</varlistentry>

344

379

</variablelist>

345

380

</refsect1>

346

381

347

382

348

383

<title>OVERVIEW</title>

349

384

<xi:include href="overview.xml"/>

350

385

<para>

351

386

This program is a small utility to generate new OpenPGP keys for

352

new Mandos clients.

387

new Mandos clients, and to generate sections for inclusion in

388

<filename>clients.conf</filename> on the server.

353

389

</para>

354

390

</refsect1>

355

391

356

392

357

393

<title>EXIT STATUS</title>

358

394

<para>

359

The exit status will be 0 if new keys were successfully created,

360

otherwise not.

395

The exit status will be 0 if a new key (or password, if the

396

<option>--password</option> option was used) was successfully

397

created, otherwise not.

361

398

</para>

362

399

</refsect1>

363

400

365

402

<title>ENVIRONMENT</title>

366

403

367

404

368

<term><varname>TMPDIR</varname></term>

405

<term><envar>TMPDIR</envar></term>

369

406

370

407

<para>

371

408

If set, temporary files will be created here. See

377

414

</variablelist>

378

415

</refsect1>

379

416

380

417

381

418

<title>FILES</title>

382

419

<para>

383

420

Use the <option>--dir</option> option to change where

404

441

</listitem>

405

442

</varlistentry>

406

443

407

444

408

445

409

446

<para>

410

447

Temporary files will be written here if

414

451

</varlistentry>

415

452

</variablelist>

416

453

</refsect1>

417

454

418

455

419

456

420

<para>

421

None are known at this time.

422

</para>

457

<xi:include href="bugs.xml"/>

423

458

</refsect1>

424

459

425

460

426

461

<title>EXAMPLE</title>

427

462

429

464

Normal invocation needs no options:

430

465

</para>

431

466

<para>

432

<userinput>mandos-keygen</userinput>

467

<userinput>&COMMANDNAME;</userinput>

433

468

</para>

434

469

</informalexample>

435

470

436

471

<para>

437

Create keys in another directory and of another type. Force

472

Create key in another directory and of another type. Force

438

473

overwriting old key files:

439

474

</para>

440

475

<para>

441

476

442

477

443

<userinput>mandos-keygen --dir ~/keydir --type RSA --force</userinput>

478

<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>

479

480

</para>

481

</informalexample>

482

483

<para>

484

Prompt for a password, encrypt it with the key in <filename

485

class="directory">/etc/mandos</filename> and output a section

486

suitable for <filename>clients.conf</filename>.

487

</para>

488

<para>

489

<userinput>&COMMANDNAME; --password</userinput>

490

</para>

491

</informalexample>

492

493

<para>

494

Prompt for a password, encrypt it with the key in the

495

<filename>client-key</filename> directory and output a section

496

suitable for <filename>clients.conf</filename>.

497

</para>

498

<para>

499

500

501

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

444

502

445

503

</para>

446

504

</informalexample>

447

505

</refsect1>

448

506

449

507

450

508

<title>SECURITY</title>

451

509

<para>

452

510

The <option>--type</option>, <option>--length</option>,

453

511

<option>--subtype</option>, and <option>--sublength</option>

454

options can be used to create keys of insufficient security. If

455

in doubt, leave them to the default values.

512

options can be used to create keys of low security. If in

513

doubt, leave them to the default values.

456

514

</para>

457

515

<para>

458

The key expire time is not guaranteed to be honored by

459

<citerefentry><refentrytitle>mandos</refentrytitle>

516

The key expire time is <emphasis>not</emphasis> guaranteed to be

517

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

460

518

<manvolnum>8</manvolnum></citerefentry>.

461

519

</para>

462

520

</refsect1>

463

521

464

522

465

523

466

524

<para>

467

<citerefentry><refentrytitle>password-request</refentrytitle>

525

<citerefentry><refentrytitle>intro</refentrytitle>

468

526

<manvolnum>8mandos</manvolnum></citerefentry>,

527

528

<manvolnum>1</manvolnum></citerefentry>,

529

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

530

<manvolnum>5</manvolnum></citerefentry>,

469

531

<citerefentry><refentrytitle>mandos</refentrytitle>

470

532

<manvolnum>8</manvolnum></citerefentry>,

471

533

<citerefentry><refentrytitle>mandos-client</refentrytitle>

534

<manvolnum>8mandos</manvolnum></citerefentry>,

535

<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>

472

536

473

537

</para>

474

538

</refsect1>

475

539

476

540

</refentry>

541

542

543

544

545

Older »