
Viewing changes to mandos-keygen.xml

  • Committer: Teddy Hogeborn
  • Date: 2018-08-15 09:26:02 UTC
  • Revision ID: teddy@recompile.se-20180815092602-xoyb5s6gf8376i7u
mandos-client: Set system clock if necessary

* plugins.d/mandos-client.c (init_gpgme/import_key): If the system
  clock is not set, or set to January 1970, set the system clock to
  the more plausible value that is the mtime of the key file.  This is
  required by GnuPG to be able to import the keys.  (We can't pass the
  --ignore-time-conflict or the --ignore-valid-from options through
  GPGME.)

1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
 
<!ENTITY VERSION "1.0">
5
4
<!ENTITY COMMANDNAME "mandos-keygen">
6
 
<!ENTITY TIMESTAMP "2008-09-03">
 
5
<!ENTITY TIMESTAMP "2018-02-08">
 
6
<!ENTITY % common SYSTEM "common.ent">
 
7
%common;
7
8
]>
8
9
 
9
10
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
11
12
    <title>Mandos Manual</title>
12
13
    <!-- NWalsh’s docbook scripts use this to generate the footer: -->
13
14
    <productname>Mandos</productname>
14
 
    <productnumber>&VERSION;</productnumber>
 
15
    <productnumber>&version;</productnumber>
15
16
    <date>&TIMESTAMP;</date>
16
17
    <authorgroup>
17
18
      <author>
18
19
        <firstname>Björn</firstname>
19
20
        <surname>Påhlsson</surname>
20
21
        <address>
21
 
          <email>belorn@fukt.bsnet.se</email>
 
22
          <email>belorn@recompile.se</email>
22
23
        </address>
23
24
      </author>
24
25
      <author>
25
26
        <firstname>Teddy</firstname>
26
27
        <surname>Hogeborn</surname>
27
28
        <address>
28
 
          <email>teddy@fukt.bsnet.se</email>
 
29
          <email>teddy@recompile.se</email>
29
30
        </address>
30
31
      </author>
31
32
    </authorgroup>
32
33
    <copyright>
33
34
      <year>2008</year>
 
35
      <year>2009</year>
 
36
      <year>2010</year>
 
37
      <year>2011</year>
 
38
      <year>2012</year>
 
39
      <year>2013</year>
 
40
      <year>2014</year>
 
41
      <year>2015</year>
 
42
      <year>2016</year>
 
43
      <year>2017</year>
 
44
      <year>2018</year>
34
45
      <holder>Teddy Hogeborn</holder>
35
46
      <holder>Björn Påhlsson</holder>
36
47
    </copyright>
37
48
    <xi:include href="legalnotice.xml"/>
38
49
  </refentryinfo>
39
 
 
 
50
  
40
51
  <refmeta>
41
52
    <refentrytitle>&COMMANDNAME;</refentrytitle>
42
53
    <manvolnum>8</manvolnum>
48
59
      Generate key and password for Mandos client and server.
49
60
    </refpurpose>
50
61
  </refnamediv>
51
 
 
 
62
  
52
63
  <refsynopsisdiv>
53
64
    <cmdsynopsis>
54
65
      <command>&COMMANDNAME;</command>
115
126
        <replaceable>TIME</replaceable></option></arg>
116
127
      </group>
117
128
      <sbr/>
118
 
      <arg><option>--force</option></arg>
 
129
      <group>
 
130
        <arg choice="plain"><option>--force</option></arg>
 
131
        <arg choice="plain"><option>-f</option></arg>
 
132
      </group>
119
133
    </cmdsynopsis>
120
134
    <cmdsynopsis>
121
135
      <command>&COMMANDNAME;</command>
122
136
      <group choice="req">
123
137
        <arg choice="plain"><option>--password</option></arg>
124
138
        <arg choice="plain"><option>-p</option></arg>
 
139
        <arg choice="plain"><option>--passfile
 
140
        <replaceable>FILE</replaceable></option></arg>
 
141
        <arg choice="plain"><option>-F</option>
 
142
        <replaceable>FILE</replaceable></arg>
125
143
      </group>
126
144
      <sbr/>
127
145
      <group>
137
155
        <arg choice="plain"><option>-n
138
156
        <replaceable>NAME</replaceable></option></arg>
139
157
      </group>
 
158
      <group>
 
159
        <arg choice="plain"><option>--no-ssh</option></arg>
 
160
        <arg choice="plain"><option>-S</option></arg>
 
161
      </group>
140
162
    </cmdsynopsis>
141
163
    <cmdsynopsis>
142
164
      <command>&COMMANDNAME;</command>
159
181
    <para>
160
182
      <command>&COMMANDNAME;</command> is a program to generate the
161
183
      OpenPGP key used by
162
 
      <citerefentry><refentrytitle>password-request</refentrytitle>
 
184
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
163
185
      <manvolnum>8mandos</manvolnum></citerefentry>.  The key is
164
186
      normally written to /etc/mandos for later installation into the
165
187
      initrd image, but this, and most other things, can be changed
167
189
    </para>
168
190
    <para>
169
191
      This program can also be used with the
170
 
      <option>--password</option> option to generate a ready-made
171
 
      section for <filename>clients.conf</filename> (see
 
192
      <option>--password</option> or <option>--passfile</option>
 
193
      options to generate a ready-made section for
 
194
      <filename>clients.conf</filename> (see
172
195
      <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
173
196
      <manvolnum>5</manvolnum></citerefentry>).
174
197
    </para>
197
220
          </para>
198
221
        </listitem>
199
222
      </varlistentry>
200
 
 
 
223
      
201
224
      <varlistentry>
202
225
        <term><option>--dir
203
226
        <replaceable>DIRECTORY</replaceable></option></term>
206
229
        <listitem>
207
230
          <para>
208
231
            Target directory for key files.  Default is
209
 
            <filename>/etc/mandos</filename>.
 
232
            <filename class="directory">/etc/mandos</filename>.
210
233
          </para>
211
234
        </listitem>
212
235
      </varlistentry>
213
 
 
 
236
      
214
237
      <varlistentry>
215
238
        <term><option>--type
216
239
        <replaceable>TYPE</replaceable></option></term>
218
241
        <replaceable>TYPE</replaceable></option></term>
219
242
        <listitem>
220
243
          <para>
221
 
            Key type.  Default is <quote>DSA</quote>.
 
244
            Key type.  Default is <quote>RSA</quote>.
222
245
          </para>
223
246
        </listitem>
224
247
      </varlistentry>
225
 
 
 
248
      
226
249
      <varlistentry>
227
250
        <term><option>--length
228
251
        <replaceable>BITS</replaceable></option></term>
230
253
        <replaceable>BITS</replaceable></option></term>
231
254
        <listitem>
232
255
          <para>
233
 
            Key length in bits.  Default is 2048.
 
256
            Key length in bits.  Default is 4096.
234
257
          </para>
235
258
        </listitem>
236
259
      </varlistentry>
237
 
 
 
260
      
238
261
      <varlistentry>
239
262
        <term><option>--subtype
240
263
        <replaceable>KEYTYPE</replaceable></option></term>
242
265
        <replaceable>KEYTYPE</replaceable></option></term>
243
266
        <listitem>
244
267
          <para>
245
 
            Subkey type.  Default is <quote>ELG-E</quote> (Elgamal
 
268
            Subkey type.  Default is <quote>RSA</quote> (Elgamal
246
269
            encryption-only).
247
270
          </para>
248
271
        </listitem>
249
272
      </varlistentry>
250
 
 
 
273
      
251
274
      <varlistentry>
252
275
        <term><option>--sublength
253
276
        <replaceable>BITS</replaceable></option></term>
255
278
        <replaceable>BITS</replaceable></option></term>
256
279
        <listitem>
257
280
          <para>
258
 
            Subkey length in bits.  Default is 2048.
 
281
            Subkey length in bits.  Default is 4096.
259
282
          </para>
260
283
        </listitem>
261
284
      </varlistentry>
262
 
 
 
285
      
263
286
      <varlistentry>
264
287
        <term><option>--email
265
288
        <replaceable>ADDRESS</replaceable></option></term>
271
294
          </para>
272
295
        </listitem>
273
296
      </varlistentry>
274
 
 
 
297
      
275
298
      <varlistentry>
276
299
        <term><option>--comment
277
300
        <replaceable>TEXT</replaceable></option></term>
279
302
        <replaceable>TEXT</replaceable></option></term>
280
303
        <listitem>
281
304
          <para>
282
 
            Comment field for key.  The default value is
283
 
            <quote><literal>Mandos client key</literal></quote>.
 
305
            Comment field for key.  Default is empty.
284
306
          </para>
285
307
        </listitem>
286
308
      </varlistentry>
287
 
 
 
309
      
288
310
      <varlistentry>
289
311
        <term><option>--expire
290
312
        <replaceable>TIME</replaceable></option></term>
298
320
          </para>
299
321
        </listitem>
300
322
      </varlistentry>
301
 
 
 
323
      
302
324
      <varlistentry>
303
325
        <term><option>--force</option></term>
304
326
        <term><option>-f</option></term>
326
348
          </para>
327
349
        </listitem>
328
350
      </varlistentry>
 
351
      <varlistentry>
 
352
        <term><option>--passfile
 
353
        <replaceable>FILE</replaceable></option></term>
 
354
        <term><option>-F
 
355
        <replaceable>FILE</replaceable></option></term>
 
356
        <listitem>
 
357
          <para>
 
358
            The same as <option>--password</option>, but read from
 
359
            <replaceable>FILE</replaceable>, not the terminal.
 
360
          </para>
 
361
        </listitem>
 
362
      </varlistentry>
 
363
      <varlistentry>
 
364
        <term><option>--no-ssh</option></term>
 
365
        <term><option>-S</option></term>
 
366
        <listitem>
 
367
          <para>
 
368
            When <option>--password</option> or
 
369
            <option>--passfile</option> is given, this option will
 
370
            prevent <command>&COMMANDNAME;</command> from calling
 
371
            <command>ssh-keyscan</command> to get an SSH fingerprint
 
372
            for this host and, if successful, output suitable config
 
373
            options to use this fingerprint as a
 
374
            <option>checker</option> option in the output.  This is
 
375
            otherwise the default behavior.
 
376
          </para>
 
377
        </listitem>
 
378
      </varlistentry>
329
379
    </variablelist>
330
380
  </refsect1>
331
 
 
 
381
  
332
382
  <refsect1 id="overview">
333
383
    <title>OVERVIEW</title>
334
384
    <xi:include href="overview.xml"/>
338
388
      <filename>clients.conf</filename> on the server.
339
389
    </para>
340
390
  </refsect1>
341
 
 
 
391
  
342
392
  <refsect1 id="exit_status">
343
393
    <title>EXIT STATUS</title>
344
394
    <para>
364
414
    </variablelist>
365
415
  </refsect1>
366
416
  
367
 
  <refsect1 id="file">
 
417
  <refsect1 id="files">
368
418
    <title>FILES</title>
369
419
    <para>
370
420
      Use the <option>--dir</option> option to change where
391
441
        </listitem>
392
442
      </varlistentry>
393
443
      <varlistentry>
394
 
        <term><filename>/tmp</filename></term>
 
444
        <term><filename class="directory">/tmp</filename></term>
395
445
        <listitem>
396
446
          <para>
397
447
            Temporary files will be written here if
401
451
      </varlistentry>
402
452
    </variablelist>
403
453
  </refsect1>
404
 
 
405
 
<!--   <refsect1 id="bugs"> -->
406
 
<!--     <title>BUGS</title> -->
407
 
<!--     <para> -->
408
 
<!--     </para> -->
409
 
<!--   </refsect1> -->
410
 
 
 
454
  
 
455
  <refsect1 id="bugs">
 
456
    <title>BUGS</title>
 
457
    <xi:include href="bugs.xml"/>
 
458
  </refsect1>
 
459
  
411
460
  <refsect1 id="example">
412
461
    <title>EXAMPLE</title>
413
462
    <informalexample>
432
481
    </informalexample>
433
482
    <informalexample>
434
483
      <para>
435
 
        Prompt for a password, encrypt it with the key in
436
 
        <filename>/etc/mandos</filename> and output a section suitable
437
 
        for <filename>clients.conf</filename>.
 
484
        Prompt for a password, encrypt it with the key in <filename
 
485
        class="directory">/etc/mandos</filename> and output a section
 
486
        suitable for <filename>clients.conf</filename>.
438
487
      </para>
439
488
      <para>
440
489
        <userinput>&COMMANDNAME; --password</userinput>
454
503
      </para>
455
504
    </informalexample>
456
505
  </refsect1>
457
 
 
 
506
  
458
507
  <refsect1 id="security">
459
508
    <title>SECURITY</title>
460
509
    <para>
469
518
      <manvolnum>8</manvolnum></citerefentry>.
470
519
    </para>
471
520
  </refsect1>
472
 
 
 
521
  
473
522
  <refsect1 id="see_also">
474
523
    <title>SEE ALSO</title>
475
524
    <para>
 
525
      <citerefentry><refentrytitle>intro</refentrytitle>
 
526
      <manvolnum>8mandos</manvolnum></citerefentry>,
476
527
      <citerefentry><refentrytitle>gpg</refentrytitle>
477
528
      <manvolnum>1</manvolnum></citerefentry>,
478
529
      <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
479
530
      <manvolnum>5</manvolnum></citerefentry>,
480
531
      <citerefentry><refentrytitle>mandos</refentrytitle>
481
532
      <manvolnum>8</manvolnum></citerefentry>,
482
 
      <citerefentry><refentrytitle>password-request</refentrytitle>
483
 
      <manvolnum>8mandos</manvolnum></citerefentry>
 
533
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
 
534
      <manvolnum>8mandos</manvolnum></citerefentry>,
 
535
      <citerefentry><refentrytitle>ssh-keyscan</refentrytitle>
 
536
      <manvolnum>1</manvolnum></citerefentry>
484
537
    </para>
485
538
  </refsect1>
486
539