/mandos/trunk : revision 94

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2008-08-22 00:16:20 UTC
mfrom: (24.1.57 mandos)
Revision ID: teddy@fukt.bsnet.se-20080822001620-vxpn1evy0t0kyvj0

* clients.conf ([DEFAULT]/checker): Update to new default value.

* mandos (Client.start_checker): Bug fix: OSError, not
                                 subprocess.OSError.
  (main): Use "fping -q -- %(host)s" instead of "fping -q --
          %%(host)s" as default value for "checker".  Always redirect
          stdin to be from /dev/null, even if in debug mode.

* mandos-clients.conf.xml (DESCRIPTION): Improved wording and refer to
                                         the EXPANSION section.
  (OPTIONS): Added synopsis and improved wording for "checker",
             "fingerprint", and "secret".  Refer to the RUNTIME
             EXPANSION section for the "checker" option.
  (EXAMPLE): Update to new default value for "checker".

* mandos-keygen (trap): Split lines and add "set +e".

files removed:
.bzrignore

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/password-request.c

plugins.d/password-request.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version="1.0" encoding="UTF-8"?>

<?xml version='1.0' encoding='UTF-8'?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2008-08-31">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<title>&COMMANDNAME;</title>

<productname>&COMMANDNAME;</productname>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

<holder>Teddy Hogeborn & Björn Påhlsson</holder>

</copyright>

<para>

<refname><command>&COMMANDNAME;</command></refname>

Generate key and password for Mandos client and server.

Generate keys for <citerefentry><refentrytitle>password-request

</refentrytitle><manvolnum>8mandos</manvolnum></citerefentry>

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--dir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--type

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-t

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--length

<arg choice="plain"><option>-l

</group>

<sbr/>

<group>

<arg choice="plain"><option>--subtype

100

<replaceable>KEYTYPE</replaceable></option></arg>

101

<arg choice="plain"><option>-s

102

<replaceable>KEYTYPE</replaceable></option></arg>

103

</group>

104

<sbr/>

105

<group>

106

<arg choice="plain"><option>--sublength

107

108

<arg choice="plain"><option>-L

109

110

</group>

111

<sbr/>

112

<group>

113

<arg choice="plain"><option>--name

114

115

<arg choice="plain"><option>-n

116

117

</group>

118

<sbr/>

119

<group>

120

<arg choice="plain"><option>--email

121

<replaceable>ADDRESS</replaceable></option></arg>

122

<arg choice="plain"><option>-e

123

<replaceable>ADDRESS</replaceable></option></arg>

124

</group>

125

<sbr/>

126

<group>

127

<arg choice="plain"><option>--comment

128

129

<arg choice="plain"><option>-c

130

131

</group>

132

<sbr/>

133

<group>

134

<arg choice="plain"><option>--expire

135

136

<arg choice="plain"><option>-x

137

138

</group>

139

<sbr/>

140

<arg><option>--force</option></arg>

141

</cmdsynopsis>

142

143

<command>&COMMANDNAME;</command>

144

145

<arg choice="plain"><option>--password</option></arg>

146

147

</group>

148

<sbr/>

149

<group>

150

<arg choice="plain"><option>--dir

151

<replaceable>DIRECTORY</replaceable></option></arg>

152

<arg choice="plain"><option>-d

153

<replaceable>DIRECTORY</replaceable></option></arg>

154

</group>

155

<sbr/>

156

<group>

157

<arg choice="plain"><option>--name

158

159

<arg choice="plain"><option>-n

160

161

</group>

162

</cmdsynopsis>

163

164

<command>&COMMANDNAME;</command>

165

166

167

168

</group>

169

</cmdsynopsis>

170

171

<command>&COMMANDNAME;</command>

172

173

<arg choice="plain"><option>--version</option></arg>

174

<replaceable>directory</replaceable></arg>

</group>

</group>

<arg choice="plain"><option>--length</option>

</group>

</group>

<arg choice="plain"><option>--email</option>

<replaceable>EMAIL</replaceable></arg>

</group>

<arg choice="plain"><option>--comment</option>

<replaceable>COMMENT</replaceable></arg>

</group>

100

<arg choice="plain"><option>--expire</option>

101

102

</group>

103

104

<arg choice="plain"><option>--force</option></arg>

105

</group>

106

</cmdsynopsis>

107

108

<command>&COMMANDNAME;</command>

109

110

111

<replaceable>directory</replaceable></arg>

112

</group>

113

114

115

116

</group>

117

118

119

120

</group>

121

122

123

124

</group>

125

126

127

<replaceable>EMAIL</replaceable></arg>

128

</group>

129

130

131

<replaceable>COMMENT</replaceable></arg>

132

</group>

133

134

135

136

</group>

137

138

139

</group>

140

</cmdsynopsis>

141

142

<command>&COMMANDNAME;</command>

143

144

145

146

</group>

147

</cmdsynopsis>

148

149

<command>&COMMANDNAME;</command>

150

151

152

<arg choice='plain'><option>--version</option></arg>

175

153

</group>

176

154

</cmdsynopsis>

177

155

</refsynopsisdiv>

178

156

179

157

180

158

<title>DESCRIPTION</title>

181

159

<para>

182

160

<command>&COMMANDNAME;</command> is a program to generate the

183

OpenPGP key used by

161

OpenPGP keys used by

184

162

<citerefentry><refentrytitle>password-request</refentrytitle>

185

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

163

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

186

164

normally written to /etc/mandos for later installation into the

187

initrd image, but this, and most other things, can be changed

188

with command line options.

189

</para>

190

<para>

191

This program can also be used with the

192

<option>--password</option> option to generate a ready-made

193

section for <filename>clients.conf</filename> (see

194

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

195

<manvolnum>5</manvolnum></citerefentry>).

165

initrd image, but this, like most things, can be changed with

166

command line options.

196

167

</para>

197

168

</refsect1>

198

169

199

170

200

171

<title>PURPOSE</title>

172

201

173

<para>

202

174

The purpose of this is to enable <emphasis>remote and unattended

203

175

rebooting</emphasis> of client host computer with an

204

176

<emphasis>encrypted root file system</emphasis>. See <xref

205

177

linkend="overview"/> for details.

206

178

</para>

179

207

180

</refsect1>

208

181

209

182

210

183

<title>OPTIONS</title>

211

184

212

185

213

186

214

215

187

216

188

217

189

<para>

218

190

Show a help message and exit

221

193

</varlistentry>

222

194

223

195

224

<term><option>--dir

225

<replaceable>DIRECTORY</replaceable></option></term>

226

<term><option>-d

227

<replaceable>DIRECTORY</replaceable></option></term>

228

229

<para>

230

Target directory for key files. Default is

231

<filename>/etc/mandos</filename>.

232

</para>

233

</listitem>

234

</varlistentry>

235

236

237

<term><option>--type

238

239

<term><option>-t

240

241

242

<para>

243

Key type. Default is <quote>DSA</quote>.

244

</para>

245

</listitem>

246

</varlistentry>

247

248

249

<term><option>--length

250

251

<term><option>-l

252

253

254

<para>

255

Key length in bits. Default is 2048.

256

</para>

257

</listitem>

258

</varlistentry>

259

260

261

<term><option>--subtype

262

<replaceable>KEYTYPE</replaceable></option></term>

263

<term><option>-s

264

<replaceable>KEYTYPE</replaceable></option></term>

265

266

<para>

267

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

268

encryption-only).

269

</para>

270

</listitem>

271

</varlistentry>

272

273

274

<term><option>--sublength

275

276

<term><option>-L

277

278

279

<para>

280

Subkey length in bits. Default is 2048.

281

</para>

282

</listitem>

283

</varlistentry>

284

285

286

<term><option>--email

287

<replaceable>ADDRESS</replaceable></option></term>

288

<term><option>-e

289

<replaceable>ADDRESS</replaceable></option></term>

196

<term><literal>-d</literal>, <literal>--dir

197

<replaceable>directory</replaceable></literal></term>

198

199

<para>

200

Target directory for key files.

201

</para>

202

</listitem>

203

</varlistentry>

204

205

206

<term><literal>-t</literal>, <literal>--type

207

208

209

<para>

210

Key type. Default is DSA.

211

</para>

212

</listitem>

213

</varlistentry>

214

215

216

<term><literal>-l</literal>, <literal>--length

217

218

219

<para>

220

Key length in bits. Default is 1024.

221

</para>

222

</listitem>

223

</varlistentry>

224

225

226

<term><literal>-e</literal>, <literal>--email</literal>

227

<replaceable>address</replaceable></term>

290

228

291

229

<para>

292

230

Email address of key. Default is empty.

295

233

</varlistentry>

296

234

297

235

298

<term><option>--comment

299

300

<term><option>-c

301

236

<term><literal>-c</literal>, <literal>--comment</literal>

237

<replaceable>comment</replaceable></term>

302

238

303

239

<para>

304

240

Comment field for key. The default value is

305

<quote><literal>Mandos client key</literal></quote>.

241

"<literal>Mandos client key</literal>".

306

242

</para>

307

243

</listitem>

308

244

</varlistentry>

309

245

310

246

311

<term><option>--expire

312

313

<term><option>-x

314

247

<term><literal>-x</literal>, <literal>--expire</literal>

248

315

249

316

250

<para>

317

251

Key expire time. Default is no expiration. See

322

256

</varlistentry>

323

257

324

258

325

<term><option>--force</option></term>

326

327

328

<para>

329

Force overwriting old key.

330

</para>

331

</listitem>

332

</varlistentry>

333

334

<term><option>--password</option></term>

335

336

337

<para>

338

Prompt for a password and encrypt it with the key already

339

present in either <filename>/etc/mandos</filename> or the

340

directory specified with the <option>--dir</option>

341

option. Outputs, on standard output, a section suitable

342

for inclusion in <citerefentry><refentrytitle

343

>mandos-clients.conf</refentrytitle><manvolnum

344

>8</manvolnum></citerefentry>. The host name or the name

345

specified with the <option>--name</option> option is used

346

for the section header. All other options are ignored,

347

and no key is created.

259

<term><literal>-f</literal>, <literal>--force</literal></term>

260

261

<para>

262

Force overwriting old keys.

348

263

</para>

349

264

</listitem>

350

265

</varlistentry>

355

270

<title>OVERVIEW</title>

356

271

<xi:include href="overview.xml"/>

357

272

<para>

358

This program is a small utility to generate new OpenPGP keys for

359

new Mandos clients, and to generate sections for inclusion in

360

<filename>clients.conf</filename> on the server.

273

This program is a small program to generate new OpenPGP keys for

274

new Mandos clients.

361

275

</para>

362

276

</refsect1>

363

277

364

278

365

279

<title>EXIT STATUS</title>

366

280

<para>

367

The exit status will be 0 if a new key (or password, if the

368

<option>--password</option> option was used) was successfully

369

created, otherwise not.

281

The exit status will be 0 if new keys were successfully created,

282

otherwise not.

370

283

</para>

371

284

</refsect1>

372

285

374

287

<title>ENVIRONMENT</title>

375

288

376

289

377

<term><envar>TMPDIR</envar></term>

290

<term><varname>TMPDIR</varname></term>

378

291

379

292

<para>

380

293

If set, temporary files will be created here. See

438

351

Normal invocation needs no options:

439

352

</para>

440

353

<para>

441

<userinput>&COMMANDNAME;</userinput>

354

<userinput>mandos-keygen</userinput>

442

355

</para>

443

356

</informalexample>

444

357

445

358

<para>

446

Create key in another directory and of another type. Force

359

Create keys in another directory and of another type. Force

447

360

overwriting old key files:

448

361

</para>

449

362

<para>

450

363

451

364

452

<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>

453

454

</para>

455

</informalexample>

456

457

<para>

458

Prompt for a password, encrypt it with the key in

459

<filename>/etc/mandos</filename> and output a section suitable

460

for <filename>clients.conf</filename>.

461

</para>

462

<para>

463

<userinput>&COMMANDNAME; --password</userinput>

464

</para>

465

</informalexample>

466

467

<para>

468

Prompt for a password, encrypt it with the key in the

469

<filename>client-key</filename> directory and output a section

470

suitable for <filename>clients.conf</filename>.

471

</para>

472

<para>

473

474

475

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

365

<userinput>mandos-keygen --dir ~/keydir --type RSA --force</userinput>

476

366

477

367

</para>

478

368

</informalexample>

481

371

482

372

<title>SECURITY</title>

483

373

<para>

484

The <option>--type</option>, <option>--length</option>,

485

<option>--subtype</option>, and <option>--sublength</option>

486

options can be used to create keys of low security. If in

487

doubt, leave them to the default values.

374

The <option>--type</option> and <option>--length</option>

375

options can be used to create keys of insufficient security. If

376

in doubt, leave them to the default values.

488

377

</para>

489

378

<para>

490

The key expire time is <emphasis>not</emphasis> guaranteed to be

491

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

379

The key expire time is not guaranteed to be honored by

380

<citerefentry><refentrytitle>mandos</refentrytitle>

492

381

<manvolnum>8</manvolnum></citerefentry>.

493

382

</para>

494

383

</refsect1>

496

385

497

386

498

387

<para>

388

<citerefentry><refentrytitle>password-request</refentrytitle>

389

<manvolnum>8mandos</manvolnum></citerefentry>,

390

<citerefentry><refentrytitle>mandos</refentrytitle>

391

<manvolnum>8</manvolnum></citerefentry>,

499

392

500

<manvolnum>1</manvolnum></citerefentry>,

501

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

502

<manvolnum>5</manvolnum></citerefentry>,

503

<citerefentry><refentrytitle>mandos</refentrytitle>

504

<manvolnum>8</manvolnum></citerefentry>,

505

<citerefentry><refentrytitle>password-request</refentrytitle>

506

<manvolnum>8mandos</manvolnum></citerefentry>

393

507

394

</para>

508

395

</refsect1>

509

396

510

397

</refentry>

511

512

513

514

515

Older »