/mandos/trunk : revision 951

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2018-08-15 09:26:02 UTC
Revision ID: teddy@recompile.se-20180815092602-xoyb5s6gf8376i7u

http://bugs.debian.org/894495

mandos-client: Set system clock if necessary

* plugins.d/mandos-client.c (init_gpgme/import_key): If the system
  clock is not set, or set to january 1970, set the system clock to
  the more plausible value that is the mtime of the key file.  This is
  required by GnuPG to be able to import the keys.  (We can't pass the
  --ignore-time-conflict or the --ignore-valid-from options though
  GPGME.)

files added:
initramfs-tools-hook-conf

files removed:
debian/mandos-client.templates

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/pt.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream/metadata

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

sysusers.d-mandos.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

TODO

clients.conf

common.ent

debian/changelog

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/rules

debian/watch

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.xml

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2019-07-18">

<!ENTITY TIMESTAMP "2018-02-08">

<!ENTITY % common SYSTEM "common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

128

127

</group>

129

128

<sbr/>

130

129

<group>

131

<arg choice="plain"><option>--tls-keytype

132

<replaceable>KEYTYPE</replaceable></option></arg>

133

<arg choice="plain"><option>-T

134

<replaceable>KEYTYPE</replaceable></option></arg>

135

</group>

136

<sbr/>

137

<group>

138

130

<arg choice="plain"><option>--force</option></arg>

139

131

140

132

</group>

188

180

<title>DESCRIPTION</title>

189

181

<para>

190

182

<command>&COMMANDNAME;</command> is a program to generate the

191

TLS and OpenPGP keys used by

183

OpenPGP key used by

192

184

<citerefentry><refentrytitle>mandos-client</refentrytitle>

193

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

194

normally written to /etc/keys/mandos for later installation into

195

the initrd image, but this, and most other things, can be

196

changed with command line options.

185

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

186

normally written to /etc/mandos for later installation into the

187

initrd image, but this, and most other things, can be changed

188

with command line options.

197

189

</para>

198

190

<para>

199

191

This program can also be used with the

236

228

<replaceable>DIRECTORY</replaceable></option></term>

237

229

238

230

<para>

239

Target directory for key files. Default is <filename

240

class="directory">/etc/keys/mandos</filename>.

231

Target directory for key files. Default is

232

<filename class="directory">/etc/mandos</filename>.

241

233

</para>

242

234

</listitem>

243

235

</varlistentry>

249

241

250

242

251

243

<para>

252

OpenPGP key type. Default is <quote>RSA</quote>.

244

Key type. Default is <quote>RSA</quote>.

253

245

</para>

254

246

</listitem>

255

247

</varlistentry>

261

253

262

254

263

255

<para>

264

OpenPGP key length in bits. Default is 4096.

256

Key length in bits. Default is 4096.

265

257

</para>

266

258

</listitem>

267

259

</varlistentry>

273

265

<replaceable>KEYTYPE</replaceable></option></term>

274

266

275

267

<para>

276

OpenPGP subkey type. Default is <quote>RSA</quote>

268

Subkey type. Default is <quote>RSA</quote> (Elgamal

269

encryption-only).

277

270

</para>

278

271

</listitem>

279

272

</varlistentry>

285

278

286

279

287

280

<para>

288

OpenPGP subkey length in bits. Default is 4096.

281

Subkey length in bits. Default is 4096.

289

282

</para>

290

283

</listitem>

291

284

</varlistentry>

329

322

</varlistentry>

330

323

331

324

332

<term><option>--tls-keytype

333

<replaceable>KEYTYPE</replaceable></option></term>

334

<term><option>-T

335

<replaceable>KEYTYPE</replaceable></option></term>

336

337

<para>

338

TLS key type. Default is <quote>ed25519</quote>

339

</para>

340

</listitem>

341

</varlistentry>

342

343

344

325

<term><option>--force</option></term>

345

326

346

327

355

336

356

337

<para>

357

338

Prompt for a password and encrypt it with the key already

358

present in either <filename>/etc/keys/mandos</filename> or

359

the directory specified with the <option>--dir</option>

339

present in either <filename>/etc/mandos</filename> or the

340

directory specified with the <option>--dir</option>

360

341

option. Outputs, on standard output, a section suitable

361

342

for inclusion in <citerefentry><refentrytitle

362

343

>mandos-clients.conf</refentrytitle><manvolnum

363

344

>8</manvolnum></citerefentry>. The host name or the name

364

345

specified with the <option>--name</option> option is used

365

346

for the section header. All other options are ignored,

366

and no key is created. Note: white space is stripped from

367

the beginning and from the end of the password; See <xref

368

linkend="bugs"/>.

347

and no key is created.

369

348

</para>

370

349

</listitem>

371

350

</varlistentry>

377

356

378

357

<para>

379

358

The same as <option>--password</option>, but read from

380

<replaceable>FILE</replaceable>, not the terminal, and

381

white space is not stripped from the password in any way.

359

<replaceable>FILE</replaceable>, not the terminal.

382

360

</para>

383

361

</listitem>

384

362

</varlistentry>

405

383

<title>OVERVIEW</title>

406

384

<xi:include href="overview.xml"/>

407

385

<para>

408

This program is a small utility to generate new TLS and OpenPGP

409

keys for new Mandos clients, and to generate sections for

410

inclusion in <filename>clients.conf</filename> on the server.

386

This program is a small utility to generate new OpenPGP keys for

387

new Mandos clients, and to generate sections for inclusion in

388

<filename>clients.conf</filename> on the server.

411

389

</para>

412

390

</refsect1>

413

391

445

423

</para>

446

424

447

425

448

<term><filename>/etc/keys/mandos/seckey.txt</filename></term>

426

<term><filename>/etc/mandos/seckey.txt</filename></term>

449

427

450

428

<para>

451

429

OpenPGP secret key file which will be created or

454

432

</listitem>

455

433

</varlistentry>

456

434

457

<term><filename>/etc/keys/mandos/pubkey.txt</filename></term>

435

<term><filename>/etc/mandos/pubkey.txt</filename></term>

458

436

459

437

<para>

460

438

OpenPGP public key file which will be created or

463

441

</listitem>

464

442

</varlistentry>

465

443

466

<term><filename>/etc/keys/mandos/tls-privkey.pem</filename></term>

467

468

<para>

469

Private key file which will be created or overwritten.

470

</para>

471

</listitem>

472

</varlistentry>

473

474

<term><filename>/etc/keys/mandos/tls-pubkey.pem</filename></term>

475

476

<para>

477

Public key file which will be created or overwritten.

478

</para>

479

</listitem>

480

</varlistentry>

481

482

444

483

445

484

446

<para>

492

454

493

455

494

456

495

<para>

496

The <option>--password</option>/<option>-p</option> option

497

strips white space from the start and from the end of the

498

password before using it. If this is a problem, use the

499

<option>--passfile</option> option instead, which does not do

500

this.

501

</para>

502

457

<xi:include href="bugs.xml"/>

503

458

</refsect1>

504

459

526

481

</informalexample>

527

482

528

483

<para>

529

Prompt for a password, encrypt it with the keys in <filename

530

class="directory">/etc/keys/mandos</filename> and output a

531

section suitable for <filename>clients.conf</filename>.

484

Prompt for a password, encrypt it with the key in <filename

485

class="directory">/etc/mandos</filename> and output a section

486

suitable for <filename>clients.conf</filename>.

532

487

</para>

533

488

<para>

534

489

<userinput>&COMMANDNAME; --password</userinput>

536

491

</informalexample>

537

492

538

493

<para>

539

Prompt for a password, encrypt it with the keys in the

494

Prompt for a password, encrypt it with the key in the

540

495

<filename>client-key</filename> directory and output a section

541

496

suitable for <filename>clients.conf</filename>.

542

497

</para>

Older »