/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

  • Committer: Teddy Hogeborn
  • Date: 2018-02-19 21:32:07 UTC
  • Revision ID: teddy@recompile.se-20180219213207-0un0ylegx390pftq
Client bug fixes: Fix file descriptor leaks

* plugin-helpers/mandos-client.c (init_gnutls_global, get_flags):
  Always close files and sockets after they are used.

Show diffs side-by-side

added added

removed removed

Lines of Context:
1
 
<?xml version='1.0' encoding='UTF-8'?>
 
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
 
<!ENTITY VERSION "1.0">
5
4
<!ENTITY COMMANDNAME "mandos-keygen">
6
 
<!ENTITY OVERVIEW SYSTEM "overview.xml">
 
5
<!ENTITY TIMESTAMP "2018-02-08">
 
6
<!ENTITY % common SYSTEM "common.ent">
 
7
%common;
7
8
]>
8
9
 
9
 
<refentry>
 
10
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
10
11
  <refentryinfo>
11
 
    <title>&COMMANDNAME;</title>
12
 
    <!-- NWalsh's docbook scripts use this to generate the footer: -->
13
 
    <productname>&COMMANDNAME;</productname>
14
 
    <productnumber>&VERSION;</productnumber>
 
12
    <title>Mandos Manual</title>
 
13
    <!-- NWalsh’s docbook scripts use this to generate the footer: -->
 
14
    <productname>Mandos</productname>
 
15
    <productnumber>&version;</productnumber>
 
16
    <date>&TIMESTAMP;</date>
15
17
    <authorgroup>
16
18
      <author>
17
19
        <firstname>Björn</firstname>
18
20
        <surname>Påhlsson</surname>
19
21
        <address>
20
 
          <email>belorn@fukt.bsnet.se</email>
 
22
          <email>belorn@recompile.se</email>
21
23
        </address>
22
24
      </author>
23
25
      <author>
24
26
        <firstname>Teddy</firstname>
25
27
        <surname>Hogeborn</surname>
26
28
        <address>
27
 
          <email>teddy@fukt.bsnet.se</email>
 
29
          <email>teddy@recompile.se</email>
28
30
        </address>
29
31
      </author>
30
32
    </authorgroup>
31
33
    <copyright>
32
34
      <year>2008</year>
33
 
      <holder>Teddy Hogeborn &amp; Björn Påhlsson</holder>
 
35
      <year>2009</year>
 
36
      <year>2010</year>
 
37
      <year>2011</year>
 
38
      <year>2012</year>
 
39
      <year>2013</year>
 
40
      <year>2014</year>
 
41
      <year>2015</year>
 
42
      <year>2016</year>
 
43
      <year>2017</year>
 
44
      <year>2018</year>
 
45
      <holder>Teddy Hogeborn</holder>
 
46
      <holder>Björn Påhlsson</holder>
34
47
    </copyright>
35
 
    <legalnotice>
36
 
      <para>
37
 
        This manual page is free software: you can redistribute it
38
 
        and/or modify it under the terms of the GNU General Public
39
 
        License as published by the Free Software Foundation,
40
 
        either version 3 of the License, or (at your option) any
41
 
        later version.
42
 
      </para>
43
 
 
44
 
      <para>
45
 
        This manual page is distributed in the hope that it will
46
 
        be useful, but WITHOUT ANY WARRANTY; without even the
47
 
        implied warranty of MERCHANTABILITY or FITNESS FOR A
48
 
        PARTICULAR PURPOSE.  See the GNU General Public License
49
 
        for more details.
50
 
      </para>
51
 
 
52
 
      <para>
53
 
        You should have received a copy of the GNU General Public
54
 
        License along with this program; If not, see
55
 
        <ulink url="http://www.gnu.org/licenses/"/>.
56
 
      </para>
57
 
    </legalnotice>
 
48
    <xi:include href="legalnotice.xml"/>
58
49
  </refentryinfo>
59
 
 
 
50
  
60
51
  <refmeta>
61
52
    <refentrytitle>&COMMANDNAME;</refentrytitle>
62
53
    <manvolnum>8</manvolnum>
65
56
  <refnamediv>
66
57
    <refname><command>&COMMANDNAME;</command></refname>
67
58
    <refpurpose>
68
 
      Generate keys for <citerefentry><refentrytitle>password-request
69
 
      </refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>
 
59
      Generate key and password for Mandos client and server.
70
60
    </refpurpose>
71
61
  </refnamediv>
72
 
 
 
62
  
73
63
  <refsynopsisdiv>
74
64
    <cmdsynopsis>
75
65
      <command>&COMMANDNAME;</command>
76
 
      <group choice="opt">
77
 
        <arg choice="plain"><option>--dir</option>
78
 
        <replaceable>directory</replaceable></arg>
79
 
      </group>
80
 
      <group choice="opt">
81
 
        <arg choice="plain"><option>--type</option>
82
 
        <replaceable>type</replaceable></arg>
83
 
      </group>
84
 
      <group choice="opt">
85
 
        <arg choice="plain"><option>--length</option>
86
 
        <replaceable>bits</replaceable></arg>
87
 
      </group>
88
 
      <group choice="opt">
89
 
        <arg choice="plain"><option>--name</option>
90
 
        <replaceable>NAME</replaceable></arg>
91
 
      </group>
92
 
      <group choice="opt">
93
 
        <arg choice="plain"><option>--email</option>
94
 
        <replaceable>EMAIL</replaceable></arg>
95
 
      </group>
96
 
      <group choice="opt">
97
 
        <arg choice="plain"><option>--comment</option>
98
 
        <replaceable>COMMENT</replaceable></arg>
99
 
      </group>
100
 
      <group choice="opt">
101
 
        <arg choice="plain"><option>--expire</option>
102
 
        <replaceable>TIME</replaceable></arg>
103
 
      </group>
104
 
      <group choice="opt">
 
66
      <group>
 
67
        <arg choice="plain"><option>--dir
 
68
        <replaceable>DIRECTORY</replaceable></option></arg>
 
69
        <arg choice="plain"><option>-d
 
70
        <replaceable>DIRECTORY</replaceable></option></arg>
 
71
      </group>
 
72
      <sbr/>
 
73
      <group>
 
74
        <arg choice="plain"><option>--type
 
75
        <replaceable>KEYTYPE</replaceable></option></arg>
 
76
        <arg choice="plain"><option>-t
 
77
        <replaceable>KEYTYPE</replaceable></option></arg>
 
78
      </group>
 
79
      <sbr/>
 
80
      <group>
 
81
        <arg choice="plain"><option>--length
 
82
        <replaceable>BITS</replaceable></option></arg>
 
83
        <arg choice="plain"><option>-l
 
84
        <replaceable>BITS</replaceable></option></arg>
 
85
      </group>
 
86
      <sbr/>
 
87
      <group>
 
88
        <arg choice="plain"><option>--subtype
 
89
        <replaceable>KEYTYPE</replaceable></option></arg>
 
90
        <arg choice="plain"><option>-s
 
91
        <replaceable>KEYTYPE</replaceable></option></arg>
 
92
      </group>
 
93
      <sbr/>
 
94
      <group>
 
95
        <arg choice="plain"><option>--sublength
 
96
        <replaceable>BITS</replaceable></option></arg>
 
97
        <arg choice="plain"><option>-L
 
98
        <replaceable>BITS</replaceable></option></arg>
 
99
      </group>
 
100
      <sbr/>
 
101
      <group>
 
102
        <arg choice="plain"><option>--name
 
103
        <replaceable>NAME</replaceable></option></arg>
 
104
        <arg choice="plain"><option>-n
 
105
        <replaceable>NAME</replaceable></option></arg>
 
106
      </group>
 
107
      <sbr/>
 
108
      <group>
 
109
        <arg choice="plain"><option>--email
 
110
        <replaceable>ADDRESS</replaceable></option></arg>
 
111
        <arg choice="plain"><option>-e
 
112
        <replaceable>ADDRESS</replaceable></option></arg>
 
113
      </group>
 
114
      <sbr/>
 
115
      <group>
 
116
        <arg choice="plain"><option>--comment
 
117
        <replaceable>TEXT</replaceable></option></arg>
 
118
        <arg choice="plain"><option>-c
 
119
        <replaceable>TEXT</replaceable></option></arg>
 
120
      </group>
 
121
      <sbr/>
 
122
      <group>
 
123
        <arg choice="plain"><option>--expire
 
124
        <replaceable>TIME</replaceable></option></arg>
 
125
        <arg choice="plain"><option>-x
 
126
        <replaceable>TIME</replaceable></option></arg>
 
127
      </group>
 
128
      <sbr/>
 
129
      <group>
105
130
        <arg choice="plain"><option>--force</option></arg>
106
 
      </group>
107
 
    </cmdsynopsis>
108
 
    <cmdsynopsis>
109
 
      <command>&COMMANDNAME;</command>
110
 
      <group choice="opt">
111
 
        <arg choice="plain"><option>-d</option>
112
 
        <replaceable>directory</replaceable></arg>
113
 
      </group>
114
 
      <group choice="opt">
115
 
        <arg choice="plain"><option>-t</option>
116
 
        <replaceable>type</replaceable></arg>
117
 
      </group>
118
 
      <group choice="opt">
119
 
        <arg choice="plain"><option>-l</option>
120
 
        <replaceable>bits</replaceable></arg>
121
 
      </group>
122
 
      <group choice="opt">
123
 
        <arg choice="plain"><option>-n</option>
124
 
        <replaceable>NAME</replaceable></arg>
125
 
      </group>
126
 
      <group choice="opt">
127
 
        <arg choice="plain"><option>-e</option>
128
 
        <replaceable>EMAIL</replaceable></arg>
129
 
      </group>
130
 
      <group choice="opt">
131
 
        <arg choice="plain"><option>-c</option>
132
 
        <replaceable>COMMENT</replaceable></arg>
133
 
      </group>
134
 
      <group choice="opt">
135
 
        <arg choice="plain"><option>-x</option>
136
 
        <replaceable>TIME</replaceable></arg>
137
 
      </group>
138
 
      <group choice="opt">
139
131
        <arg choice="plain"><option>-f</option></arg>
140
132
      </group>
141
133
    </cmdsynopsis>
142
134
    <cmdsynopsis>
143
135
      <command>&COMMANDNAME;</command>
144
136
      <group choice="req">
145
 
        <arg choice='plain'><option>-h</option></arg>
146
 
        <arg choice='plain'><option>--help</option></arg>
147
 
      </group>
148
 
    </cmdsynopsis>
149
 
    <cmdsynopsis>
150
 
      <command>&COMMANDNAME;</command>
151
 
      <group choice="req">
152
 
        <arg choice='plain'><option>-v</option></arg>
153
 
        <arg choice='plain'><option>--version</option></arg>
 
137
        <arg choice="plain"><option>--password</option></arg>
 
138
        <arg choice="plain"><option>-p</option></arg>
 
139
        <arg choice="plain"><option>--passfile
 
140
        <replaceable>FILE</replaceable></option></arg>
 
141
        <arg choice="plain"><option>-F</option>
 
142
        <replaceable>FILE</replaceable></arg>
 
143
      </group>
 
144
      <sbr/>
 
145
      <group>
 
146
        <arg choice="plain"><option>--dir
 
147
        <replaceable>DIRECTORY</replaceable></option></arg>
 
148
        <arg choice="plain"><option>-d
 
149
        <replaceable>DIRECTORY</replaceable></option></arg>
 
150
      </group>
 
151
      <sbr/>
 
152
      <group>
 
153
        <arg choice="plain"><option>--name
 
154
        <replaceable>NAME</replaceable></option></arg>
 
155
        <arg choice="plain"><option>-n
 
156
        <replaceable>NAME</replaceable></option></arg>
 
157
      </group>
 
158
      <group>
 
159
        <arg choice="plain"><option>--no-ssh</option></arg>
 
160
        <arg choice="plain"><option>-S</option></arg>
 
161
      </group>
 
162
    </cmdsynopsis>
 
163
    <cmdsynopsis>
 
164
      <command>&COMMANDNAME;</command>
 
165
      <group choice="req">
 
166
        <arg choice="plain"><option>--help</option></arg>
 
167
        <arg choice="plain"><option>-h</option></arg>
 
168
      </group>
 
169
    </cmdsynopsis>
 
170
    <cmdsynopsis>
 
171
      <command>&COMMANDNAME;</command>
 
172
      <group choice="req">
 
173
        <arg choice="plain"><option>--version</option></arg>
 
174
        <arg choice="plain"><option>-v</option></arg>
154
175
      </group>
155
176
    </cmdsynopsis>
156
177
  </refsynopsisdiv>
157
 
 
 
178
  
158
179
  <refsect1 id="description">
159
180
    <title>DESCRIPTION</title>
160
181
    <para>
161
182
      <command>&COMMANDNAME;</command> is a program to generate the
162
 
      OpenPGP keys used by
163
 
      <citerefentry><refentrytitle>password-request</refentrytitle>
164
 
      <manvolnum>8mandos</manvolnum></citerefentry>.  The keys are
 
183
      OpenPGP key used by
 
184
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
 
185
      <manvolnum>8mandos</manvolnum></citerefentry>.  The key is
165
186
      normally written to /etc/mandos for later installation into the
166
 
      initrd image, but this, like most things, can be changed with
167
 
      command line options.
 
187
      initrd image, but this, and most other things, can be changed
 
188
      with command line options.
 
189
    </para>
 
190
    <para>
 
191
      This program can also be used with the
 
192
      <option>--password</option> or <option>--passfile</option>
 
193
      options to generate a ready-made section for
 
194
      <filename>clients.conf</filename> (see
 
195
      <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
 
196
      <manvolnum>5</manvolnum></citerefentry>).
168
197
    </para>
169
198
  </refsect1>
170
199
  
171
200
  <refsect1 id="purpose">
172
201
    <title>PURPOSE</title>
173
 
 
174
202
    <para>
175
203
      The purpose of this is to enable <emphasis>remote and unattended
176
204
      rebooting</emphasis> of client host computer with an
177
205
      <emphasis>encrypted root file system</emphasis>.  See <xref
178
206
      linkend="overview"/> for details.
179
207
    </para>
180
 
 
181
208
  </refsect1>
182
209
  
183
210
  <refsect1 id="options">
184
211
    <title>OPTIONS</title>
185
 
 
 
212
    
186
213
    <variablelist>
187
214
      <varlistentry>
188
 
        <term><literal>-h</literal>, <literal>--help</literal></term>
 
215
        <term><option>--help</option></term>
 
216
        <term><option>-h</option></term>
189
217
        <listitem>
190
218
          <para>
191
219
            Show a help message and exit
192
220
          </para>
193
221
        </listitem>
194
222
      </varlistentry>
195
 
 
196
 
      <varlistentry>
197
 
        <term><literal>-d</literal>, <literal>--dir
198
 
        <replaceable>directory</replaceable></literal></term>
199
 
        <listitem>
200
 
          <para>
201
 
            Target directory for key files.
202
 
          </para>
203
 
        </listitem>
204
 
      </varlistentry>
205
 
 
206
 
      <varlistentry>
207
 
        <term><literal>-t</literal>, <literal>--type
208
 
        <replaceable>type</replaceable></literal></term>
209
 
        <listitem>
210
 
          <para>
211
 
            Key type.  Default is DSA.
212
 
          </para>
213
 
        </listitem>
214
 
      </varlistentry>
215
 
 
216
 
      <varlistentry>
217
 
        <term><literal>-l</literal>, <literal>--length
218
 
        <replaceable>bits</replaceable></literal></term>
219
 
        <listitem>
220
 
          <para>
221
 
            Key length in bits.  Default is 1024.
222
 
          </para>
223
 
        </listitem>
224
 
      </varlistentry>
225
 
 
226
 
      <varlistentry>
227
 
        <term><literal>-e</literal>, <literal>--email</literal>
228
 
        <replaceable>address</replaceable></term>
 
223
      
 
224
      <varlistentry>
 
225
        <term><option>--dir
 
226
        <replaceable>DIRECTORY</replaceable></option></term>
 
227
        <term><option>-d
 
228
        <replaceable>DIRECTORY</replaceable></option></term>
 
229
        <listitem>
 
230
          <para>
 
231
            Target directory for key files.  Default is
 
232
            <filename class="directory">/etc/mandos</filename>.
 
233
          </para>
 
234
        </listitem>
 
235
      </varlistentry>
 
236
      
 
237
      <varlistentry>
 
238
        <term><option>--type
 
239
        <replaceable>TYPE</replaceable></option></term>
 
240
        <term><option>-t
 
241
        <replaceable>TYPE</replaceable></option></term>
 
242
        <listitem>
 
243
          <para>
 
244
            Key type.  Default is <quote>RSA</quote>.
 
245
          </para>
 
246
        </listitem>
 
247
      </varlistentry>
 
248
      
 
249
      <varlistentry>
 
250
        <term><option>--length
 
251
        <replaceable>BITS</replaceable></option></term>
 
252
        <term><option>-l
 
253
        <replaceable>BITS</replaceable></option></term>
 
254
        <listitem>
 
255
          <para>
 
256
            Key length in bits.  Default is 4096.
 
257
          </para>
 
258
        </listitem>
 
259
      </varlistentry>
 
260
      
 
261
      <varlistentry>
 
262
        <term><option>--subtype
 
263
        <replaceable>KEYTYPE</replaceable></option></term>
 
264
        <term><option>-s
 
265
        <replaceable>KEYTYPE</replaceable></option></term>
 
266
        <listitem>
 
267
          <para>
 
268
            Subkey type.  Default is <quote>RSA</quote> (Elgamal
 
269
            encryption-only).
 
270
          </para>
 
271
        </listitem>
 
272
      </varlistentry>
 
273
      
 
274
      <varlistentry>
 
275
        <term><option>--sublength
 
276
        <replaceable>BITS</replaceable></option></term>
 
277
        <term><option>-L
 
278
        <replaceable>BITS</replaceable></option></term>
 
279
        <listitem>
 
280
          <para>
 
281
            Subkey length in bits.  Default is 4096.
 
282
          </para>
 
283
        </listitem>
 
284
      </varlistentry>
 
285
      
 
286
      <varlistentry>
 
287
        <term><option>--email
 
288
        <replaceable>ADDRESS</replaceable></option></term>
 
289
        <term><option>-e
 
290
        <replaceable>ADDRESS</replaceable></option></term>
229
291
        <listitem>
230
292
          <para>
231
293
            Email address of key.  Default is empty.
232
294
          </para>
233
295
        </listitem>
234
296
      </varlistentry>
235
 
 
 
297
      
236
298
      <varlistentry>
237
 
        <term><literal>-c</literal>, <literal>--comment</literal>
238
 
        <replaceable>comment</replaceable></term>
 
299
        <term><option>--comment
 
300
        <replaceable>TEXT</replaceable></option></term>
 
301
        <term><option>-c
 
302
        <replaceable>TEXT</replaceable></option></term>
239
303
        <listitem>
240
304
          <para>
241
 
            Comment field for key.  The default value is
242
 
            "<literal>Mandos client key</literal>".
 
305
            Comment field for key.  Default is empty.
243
306
          </para>
244
307
        </listitem>
245
308
      </varlistentry>
246
 
 
 
309
      
247
310
      <varlistentry>
248
 
        <term><literal>-x</literal>, <literal>--expire</literal>
249
 
        <replaceable>time</replaceable></term>
 
311
        <term><option>--expire
 
312
        <replaceable>TIME</replaceable></option></term>
 
313
        <term><option>-x
 
314
        <replaceable>TIME</replaceable></option></term>
250
315
        <listitem>
251
316
          <para>
252
317
            Key expire time.  Default is no expiration.  See
255
320
          </para>
256
321
        </listitem>
257
322
      </varlistentry>
258
 
 
259
 
      <varlistentry>
260
 
        <term><literal>-f</literal>, <literal>--force</literal></term>
261
 
        <listitem>
262
 
          <para>
263
 
            Force overwriting old keys.
 
323
      
 
324
      <varlistentry>
 
325
        <term><option>--force</option></term>
 
326
        <term><option>-f</option></term>
 
327
        <listitem>
 
328
          <para>
 
329
            Force overwriting old key.
 
330
          </para>
 
331
        </listitem>
 
332
      </varlistentry>
 
333
      <varlistentry>
 
334
        <term><option>--password</option></term>
 
335
        <term><option>-p</option></term>
 
336
        <listitem>
 
337
          <para>
 
338
            Prompt for a password and encrypt it with the key already
 
339
            present in either <filename>/etc/mandos</filename> or the
 
340
            directory specified with the <option>--dir</option>
 
341
            option.  Outputs, on standard output, a section suitable
 
342
            for inclusion in <citerefentry><refentrytitle
 
343
            >mandos-clients.conf</refentrytitle><manvolnum
 
344
            >8</manvolnum></citerefentry>.  The host name or the name
 
345
            specified with the <option>--name</option> option is used
 
346
            for the section header.  All other options are ignored,
 
347
            and no key is created.
 
348
          </para>
 
349
        </listitem>
 
350
      </varlistentry>
 
351
      <varlistentry>
 
352
        <term><option>--passfile
 
353
        <replaceable>FILE</replaceable></option></term>
 
354
        <term><option>-F
 
355
        <replaceable>FILE</replaceable></option></term>
 
356
        <listitem>
 
357
          <para>
 
358
            The same as <option>--password</option>, but read from
 
359
            <replaceable>FILE</replaceable>, not the terminal.
 
360
          </para>
 
361
        </listitem>
 
362
      </varlistentry>
 
363
      <varlistentry>
 
364
        <term><option>--no-ssh</option></term>
 
365
        <term><option>-S</option></term>
 
366
        <listitem>
 
367
          <para>
 
368
            When <option>--password</option> or
 
369
            <option>--passfile</option> is given, this option will
 
370
            prevent <command>&COMMANDNAME;</command> from calling
 
371
            <command>ssh-keyscan</command> to get an SSH fingerprint
 
372
            for this host and, if successful, output suitable config
 
373
            options to use this fingerprint as a
 
374
            <option>checker</option> option in the output.  This is
 
375
            otherwise the default behavior.
264
376
          </para>
265
377
        </listitem>
266
378
      </varlistentry>
267
379
    </variablelist>
268
380
  </refsect1>
269
 
 
 
381
  
270
382
  <refsect1 id="overview">
271
383
    <title>OVERVIEW</title>
272
 
    &OVERVIEW;
 
384
    <xi:include href="overview.xml"/>
273
385
    <para>
274
 
      This program is a small program to generate new OpenPGP keys for
275
 
      new Mandos clients.
 
386
      This program is a small utility to generate new OpenPGP keys for
 
387
      new Mandos clients, and to generate sections for inclusion in
 
388
      <filename>clients.conf</filename> on the server.
276
389
    </para>
277
390
  </refsect1>
278
 
 
 
391
  
279
392
  <refsect1 id="exit_status">
280
393
    <title>EXIT STATUS</title>
281
394
    <para>
 
395
      The exit status will be 0 if a new key (or password, if the
 
396
      <option>--password</option> option was used) was successfully
 
397
      created, otherwise not.
282
398
    </para>
283
399
  </refsect1>
284
400
  
285
 
  <refsect1 id="file">
 
401
  <refsect1 id="environment">
 
402
    <title>ENVIRONMENT</title>
 
403
    <variablelist>
 
404
      <varlistentry>
 
405
        <term><envar>TMPDIR</envar></term>
 
406
        <listitem>
 
407
          <para>
 
408
            If set, temporary files will be created here. See
 
409
            <citerefentry><refentrytitle>mktemp</refentrytitle>
 
410
            <manvolnum>1</manvolnum></citerefentry>.
 
411
          </para>
 
412
        </listitem>
 
413
      </varlistentry>
 
414
    </variablelist>
 
415
  </refsect1>
 
416
  
 
417
  <refsect1 id="files">
286
418
    <title>FILES</title>
287
419
    <para>
 
420
      Use the <option>--dir</option> option to change where
 
421
      <command>&COMMANDNAME;</command> will write the key files.  The
 
422
      default file names are shown here.
288
423
    </para>
 
424
    <variablelist>
 
425
      <varlistentry>
 
426
        <term><filename>/etc/mandos/seckey.txt</filename></term>
 
427
        <listitem>
 
428
          <para>
 
429
            OpenPGP secret key file which will be created or
 
430
            overwritten.
 
431
          </para>
 
432
        </listitem>
 
433
      </varlistentry>
 
434
      <varlistentry>
 
435
        <term><filename>/etc/mandos/pubkey.txt</filename></term>
 
436
        <listitem>
 
437
          <para>
 
438
            OpenPGP public key file which will be created or
 
439
            overwritten.
 
440
          </para>
 
441
        </listitem>
 
442
      </varlistentry>
 
443
      <varlistentry>
 
444
        <term><filename class="directory">/tmp</filename></term>
 
445
        <listitem>
 
446
          <para>
 
447
            Temporary files will be written here if
 
448
            <varname>TMPDIR</varname> is not set.
 
449
          </para>
 
450
        </listitem>
 
451
      </varlistentry>
 
452
    </variablelist>
289
453
  </refsect1>
290
 
 
 
454
  
291
455
  <refsect1 id="bugs">
292
456
    <title>BUGS</title>
293
 
    <para>
294
 
    </para>
 
457
    <xi:include href="bugs.xml"/>
295
458
  </refsect1>
296
 
 
 
459
  
297
460
  <refsect1 id="example">
298
461
    <title>EXAMPLE</title>
299
 
    <para>
300
 
    </para>
 
462
    <informalexample>
 
463
      <para>
 
464
        Normal invocation needs no options:
 
465
      </para>
 
466
      <para>
 
467
        <userinput>&COMMANDNAME;</userinput>
 
468
      </para>
 
469
    </informalexample>
 
470
    <informalexample>
 
471
      <para>
 
472
        Create key in another directory and of another type.  Force
 
473
        overwriting old key files:
 
474
      </para>
 
475
      <para>
 
476
 
 
477
<!-- do not wrap this line -->
 
478
<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>
 
479
 
 
480
      </para>
 
481
    </informalexample>
 
482
    <informalexample>
 
483
      <para>
 
484
        Prompt for a password, encrypt it with the key in <filename
 
485
        class="directory">/etc/mandos</filename> and output a section
 
486
        suitable for <filename>clients.conf</filename>.
 
487
      </para>
 
488
      <para>
 
489
        <userinput>&COMMANDNAME; --password</userinput>
 
490
      </para>
 
491
    </informalexample>
 
492
    <informalexample>
 
493
      <para>
 
494
        Prompt for a password, encrypt it with the key in the
 
495
        <filename>client-key</filename> directory and output a section
 
496
        suitable for <filename>clients.conf</filename>.
 
497
      </para>
 
498
      <para>
 
499
 
 
500
<!-- do not wrap this line -->
 
501
<userinput>&COMMANDNAME; --password --dir client-key</userinput>
 
502
 
 
503
      </para>
 
504
    </informalexample>
301
505
  </refsect1>
302
 
 
 
506
  
303
507
  <refsect1 id="security">
304
508
    <title>SECURITY</title>
305
509
    <para>
 
510
      The <option>--type</option>, <option>--length</option>,
 
511
      <option>--subtype</option>, and <option>--sublength</option>
 
512
      options can be used to create keys of low security.  If in
 
513
      doubt, leave them to the default values.
 
514
    </para>
 
515
    <para>
 
516
      The key expire time is <emphasis>not</emphasis> guaranteed to be
 
517
      honored by <citerefentry><refentrytitle>mandos</refentrytitle>
 
518
      <manvolnum>8</manvolnum></citerefentry>.
306
519
    </para>
307
520
  </refsect1>
308
 
 
 
521
  
309
522
  <refsect1 id="see_also">
310
523
    <title>SEE ALSO</title>
311
524
    <para>
312
 
      <citerefentry><refentrytitle>password-request</refentrytitle>
 
525
      <citerefentry><refentrytitle>intro</refentrytitle>
313
526
      <manvolnum>8mandos</manvolnum></citerefentry>,
 
527
      <citerefentry><refentrytitle>gpg</refentrytitle>
 
528
      <manvolnum>1</manvolnum></citerefentry>,
 
529
      <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
 
530
      <manvolnum>5</manvolnum></citerefentry>,
314
531
      <citerefentry><refentrytitle>mandos</refentrytitle>
315
 
      <manvolnum>8</manvolnum></citerefentry>, and
316
 
      <citerefentry><refentrytitle>gpg</refentrytitle>
 
532
      <manvolnum>8</manvolnum></citerefentry>,
 
533
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
 
534
      <manvolnum>8mandos</manvolnum></citerefentry>,
 
535
      <citerefentry><refentrytitle>ssh-keyscan</refentrytitle>
317
536
      <manvolnum>1</manvolnum></citerefentry>
318
537
    </para>
319
538
  </refsect1>
320
539
  
321
540
</refentry>
 
541
<!-- Local Variables: -->
 
542
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
 
543
<!-- time-stamp-end: "[\"']>" -->
 
544
<!-- time-stamp-format: "%:y-%02m-%02d" -->
 
545
<!-- End: -->