/mandos/trunk : revision 964

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2019-02-09 23:34:15 UTC
Revision ID: teddy@recompile.se-20190209233415-m1ntebuepwna1xg1

Doc fix: Change some "/etc/mandos" to "/etc/keys/mandos"

* clients.conf: Change "/etc/mandos" to "/etc/keys/mandos" where
appropriate
* mandos-keygen.xml: - '' -

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-tools-conf

initramfs-tools-script-stop

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2008-08-31">

<!ENTITY TIMESTAMP "2019-02-10">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&VERSION;</productnumber>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

Generate key and password for Mandos client and server.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

137

126

138

127

</group>

139

128

<sbr/>

140

<arg><option>--force</option></arg>

129

<group>

130

<arg choice="plain"><option>--tls-keytype

131

<replaceable>KEYTYPE</replaceable></option></arg>

132

<arg choice="plain"><option>-T

133

<replaceable>KEYTYPE</replaceable></option></arg>

134

</group>

135

<sbr/>

136

<group>

137

<arg choice="plain"><option>--force</option></arg>

138

139

</group>

141

140

</cmdsynopsis>

142

141

143

142

<command>&COMMANDNAME;</command>

144

143

145

144

<arg choice="plain"><option>--password</option></arg>

146

145

146

<arg choice="plain"><option>--passfile

147

148

149

147

150

</group>

148

151

<sbr/>

149

152

<group>

159

162

<arg choice="plain"><option>-n

160

163

161

164

</group>

165

<group>

166

167

168

</group>

162

169

</cmdsynopsis>

163

170

164

171

<command>&COMMANDNAME;</command>

180

187

<title>DESCRIPTION</title>

181

188

<para>

182

189

<command>&COMMANDNAME;</command> is a program to generate the

183

OpenPGP key used by

184

<citerefentry><refentrytitle>password-request</refentrytitle>

185

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

186

normally written to /etc/mandos for later installation into the

187

initrd image, but this, and most other things, can be changed

188

with command line options.

190

TLS and OpenPGP keys used by

191

<citerefentry><refentrytitle>mandos-client</refentrytitle>

192

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

193

normally written to /etc/keys/mandos for later installation into

194

the initrd image, but this, and most other things, can be

195

changed with command line options.

189

196

</para>

190

197

<para>

191

198

This program can also be used with the

192

<option>--password</option> option to generate a ready-made

193

section for <filename>clients.conf</filename> (see

199

<option>--password</option> or <option>--passfile</option>

200

options to generate a ready-made section for

201

<filename>clients.conf</filename> (see

194

202

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

195

203

<manvolnum>5</manvolnum></citerefentry>).

196

204

</para>

219

227

</para>

220

228

</listitem>

221

229

</varlistentry>

222

230

223

231

224

232

<term><option>--dir

225

233

<replaceable>DIRECTORY</replaceable></option></term>

227

235

<replaceable>DIRECTORY</replaceable></option></term>

228

236

229

237

<para>

230

Target directory for key files. Default is

231

<filename>/etc/mandos</filename>.

238

Target directory for key files. Default is <filename

239

class="directory">/etc/keys/mandos</filename>.

232

240

</para>

233

241

</listitem>

234

242

</varlistentry>

235

243

236

244

237

245

<term><option>--type

238

246

240

248

241

249

242

250

<para>

243

Key type. Default is <quote>DSA</quote>.

251

OpenPGP key type. Default is <quote>RSA</quote>.

244

252

</para>

245

253

</listitem>

246

254

</varlistentry>

247

255

248

256

249

257

<term><option>--length

250

258

252

260

253

261

254

262

<para>

255

Key length in bits. Default is 2048.

263

OpenPGP key length in bits. Default is 4096.

256

264

</para>

257

265

</listitem>

258

266

</varlistentry>

259

267

260

268

261

269

<term><option>--subtype

262

270

<replaceable>KEYTYPE</replaceable></option></term>

264

272

<replaceable>KEYTYPE</replaceable></option></term>

265

273

266

274

<para>

267

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

268

encryption-only).

275

OpenPGP subkey type. Default is <quote>RSA</quote>

269

276

</para>

270

277

</listitem>

271

278

</varlistentry>

272

279

273

280

274

281

<term><option>--sublength

275

282

277

284

278

285

279

286

<para>

280

Subkey length in bits. Default is 2048.

287

OpenPGP subkey length in bits. Default is 4096.

281

288

</para>

282

289

</listitem>

283

290

</varlistentry>

284

291

285

292

286

293

<term><option>--email

287

294

<replaceable>ADDRESS</replaceable></option></term>

293

300

</para>

294

301

</listitem>

295

302

</varlistentry>

296

303

297

304

298

305

<term><option>--comment

299

306

301

308

302

309

303

310

<para>

304

Comment field for key. The default value is

305

<quote><literal>Mandos client key</literal></quote>.

311

Comment field for key. Default is empty.

306

312

</para>

307

313

</listitem>

308

314

</varlistentry>

309

315

310

316

311

317

<term><option>--expire

312

318

320

326

</para>

321

327

</listitem>

322

328

</varlistentry>

323

329

330

331

<term><option>--tls-keytype

332

<replaceable>KEYTYPE</replaceable></option></term>

333

<term><option>-T

334

<replaceable>KEYTYPE</replaceable></option></term>

335

336

<para>

337

TLS key type. Default is <quote>ed25519</quote>

338

</para>

339

</listitem>

340

</varlistentry>

341

324

342

325

343

<term><option>--force</option></term>

326

344

336

354

337

355

<para>

338

356

Prompt for a password and encrypt it with the key already

339

present in either <filename>/etc/mandos</filename> or the

340

directory specified with the <option>--dir</option>

357

present in either <filename>/etc/keys/mandos</filename> or

358

the directory specified with the <option>--dir</option>

341

359

option. Outputs, on standard output, a section suitable

342

360

for inclusion in <citerefentry><refentrytitle

343

361

>mandos-clients.conf</refentrytitle><manvolnum

348

366

</para>

349

367

</listitem>

350

368

</varlistentry>

369

370

<term><option>--passfile

371

372

<term><option>-F

373

374

375

<para>

376

The same as <option>--password</option>, but read from

377

<replaceable>FILE</replaceable>, not the terminal.

378

</para>

379

</listitem>

380

</varlistentry>

381

382

383

384

385

<para>

386

When <option>--password</option> or

387

<option>--passfile</option> is given, this option will

388

prevent <command>&COMMANDNAME;</command> from calling

389

<command>ssh-keyscan</command> to get an SSH fingerprint

390

for this host and, if successful, output suitable config

391

options to use this fingerprint as a

392

<option>checker</option> option in the output. This is

393

otherwise the default behavior.

394

</para>

395

</listitem>

396

</varlistentry>

351

397

</variablelist>

352

398

</refsect1>

353

399

354

400

355

401

<title>OVERVIEW</title>

356

402

<xi:include href="overview.xml"/>

357

403

<para>

358

This program is a small utility to generate new OpenPGP keys for

359

new Mandos clients, and to generate sections for inclusion in

360

<filename>clients.conf</filename> on the server.

404

This program is a small utility to generate new TLS and OpenPGP

405

keys for new Mandos clients, and to generate sections for

406

inclusion in <filename>clients.conf</filename> on the server.

361

407

</para>

362

408

</refsect1>

363

409

364

410

365

411

<title>EXIT STATUS</title>

366

412

<para>

386

432

</variablelist>

387

433

</refsect1>

388

434

389

435

390

436

<title>FILES</title>

391

437

<para>

392

438

Use the <option>--dir</option> option to change where

395

441

</para>

396

442

397

443

398

<term><filename>/etc/mandos/seckey.txt</filename></term>

444

<term><filename>/etc/keys/mandos/seckey.txt</filename></term>

399

445

400

446

<para>

401

447

OpenPGP secret key file which will be created or

404

450

</listitem>

405

451

</varlistentry>

406

452

407

<term><filename>/etc/mandos/pubkey.txt</filename></term>

453

<term><filename>/etc/keys/mandos/pubkey.txt</filename></term>

408

454

409

455

<para>

410

456

OpenPGP public key file which will be created or

413

459

</listitem>

414

460

</varlistentry>

415

461

416

462

<term><filename>/etc/keys/mandos/tls-privkey.pem</filename></term>

463

464

<para>

465

Private key file which will be created or overwritten.

466

</para>

467

</listitem>

468

</varlistentry>

469

470

<term><filename>/etc/keys/mandos/tls-pubkey.pem</filename></term>

471

472

<para>

473

Public key file which will be created or overwritten.

474

</para>

475

</listitem>

476

</varlistentry>

477

478

417

479

418

480

<para>

419

481

Temporary files will be written here if

423

485

</varlistentry>

424

486

</variablelist>

425

487

</refsect1>

426

488

427

489

428

490

429

<para>

430

None are known at this time.

431

</para>

491

<xi:include href="bugs.xml"/>

432

492

</refsect1>

433

493

434

494

435

495

<title>EXAMPLE</title>

436

496

455

515

</informalexample>

456

516

457

517

<para>

458

Prompt for a password, encrypt it with the key in

459

<filename>/etc/mandos</filename> and output a section suitable

460

for <filename>clients.conf</filename>.

518

Prompt for a password, encrypt it with the keys in <filename

519

class="directory">/etc/keys/mandos</filename> and output a

520

section suitable for <filename>clients.conf</filename>.

461

521

</para>

462

522

<para>

463

523

<userinput>&COMMANDNAME; --password</userinput>

465

525

</informalexample>

466

526

467

527

<para>

468

Prompt for a password, encrypt it with the key in the

528

Prompt for a password, encrypt it with the keys in the

469

529

<filename>client-key</filename> directory and output a section

470

530

suitable for <filename>clients.conf</filename>.

471

531

</para>

477

537

</para>

478

538

</informalexample>

479

539

</refsect1>

480

540

481

541

482

542

<title>SECURITY</title>

483

543

<para>

492

552

<manvolnum>8</manvolnum></citerefentry>.

493

553

</para>

494

554

</refsect1>

495

555

496

556

497

557

498

558

<para>

559

<citerefentry><refentrytitle>intro</refentrytitle>

560

<manvolnum>8mandos</manvolnum></citerefentry>,

499

561

500

562

<manvolnum>1</manvolnum></citerefentry>,

501

563

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

502

564

<manvolnum>5</manvolnum></citerefentry>,

503

565

<citerefentry><refentrytitle>mandos</refentrytitle>

504

566

<manvolnum>8</manvolnum></citerefentry>,

505

<citerefentry><refentrytitle>password-request</refentrytitle>

506

<manvolnum>8mandos</manvolnum></citerefentry>

567

<citerefentry><refentrytitle>mandos-client</refentrytitle>

568

<manvolnum>8mandos</manvolnum></citerefentry>,

569

<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>

570

507

571

</para>

508

572

</refsect1>

509

573

Older »