/mandos/trunk : revision 964

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2019-02-09 23:34:15 UTC
Revision ID: teddy@recompile.se-20190209233415-m1ntebuepwna1xg1

Doc fix: Change some "/etc/mandos" to "/etc/keys/mandos"

* clients.conf: Change "/etc/mandos" to "/etc/keys/mandos" where
appropriate
* mandos-keygen.xml: - '' -

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

initramfs-tools-conf

initramfs-tools-script-stop

initramfs-unpack

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-to-cryptroot-unlock

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

README

TODO

clients.conf

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2008-09-03">

<!ENTITY TIMESTAMP "2019-02-10">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&VERSION;</productnumber>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

Generate key and password for Mandos client and server.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

115

126

116

127

</group>

117

128

<sbr/>

118

<arg><option>--force</option></arg>

129

<group>

130

<arg choice="plain"><option>--tls-keytype

131

<replaceable>KEYTYPE</replaceable></option></arg>

132

<arg choice="plain"><option>-T

133

<replaceable>KEYTYPE</replaceable></option></arg>

134

</group>

135

<sbr/>

136

<group>

137

<arg choice="plain"><option>--force</option></arg>

138

139

</group>

119

140

</cmdsynopsis>

120

141

121

142

<command>&COMMANDNAME;</command>

122

143

123

144

<arg choice="plain"><option>--password</option></arg>

124

145

146

<arg choice="plain"><option>--passfile

147

148

149

125

150

</group>

126

151

<sbr/>

127

152

<group>

137

162

<arg choice="plain"><option>-n

138

163

139

164

</group>

165

<group>

166

167

168

</group>

140

169

</cmdsynopsis>

141

170

142

171

<command>&COMMANDNAME;</command>

158

187

<title>DESCRIPTION</title>

159

188

<para>

160

189

<command>&COMMANDNAME;</command> is a program to generate the

161

OpenPGP key used by

162

<citerefentry><refentrytitle>password-request</refentrytitle>

163

<manvolnum>8mandos</manvolnum></citerefentry>. The key is

164

normally written to /etc/mandos for later installation into the

165

initrd image, but this, and most other things, can be changed

166

with command line options.

190

TLS and OpenPGP keys used by

191

<citerefentry><refentrytitle>mandos-client</refentrytitle>

192

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

193

normally written to /etc/keys/mandos for later installation into

194

the initrd image, but this, and most other things, can be

195

changed with command line options.

167

196

</para>

168

197

<para>

169

198

This program can also be used with the

170

<option>--password</option> option to generate a ready-made

171

section for <filename>clients.conf</filename> (see

199

<option>--password</option> or <option>--passfile</option>

200

options to generate a ready-made section for

201

<filename>clients.conf</filename> (see

172

202

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

173

203

<manvolnum>5</manvolnum></citerefentry>).

174

204

</para>

197

227

</para>

198

228

</listitem>

199

229

</varlistentry>

200

230

201

231

202

232

<term><option>--dir

203

233

<replaceable>DIRECTORY</replaceable></option></term>

205

235

<replaceable>DIRECTORY</replaceable></option></term>

206

236

207

237

<para>

208

Target directory for key files. Default is

209

<filename>/etc/mandos</filename>.

238

Target directory for key files. Default is <filename

239

class="directory">/etc/keys/mandos</filename>.

210

240

</para>

211

241

</listitem>

212

242

</varlistentry>

213

243

214

244

215

245

<term><option>--type

216

246

218

248

219

249

220

250

<para>

221

Key type. Default is <quote>DSA</quote>.

251

OpenPGP key type. Default is <quote>RSA</quote>.

222

252

</para>

223

253

</listitem>

224

254

</varlistentry>

225

255

226

256

227

257

<term><option>--length

228

258

230

260

231

261

232

262

<para>

233

Key length in bits. Default is 2048.

263

OpenPGP key length in bits. Default is 4096.

234

264

</para>

235

265

</listitem>

236

266

</varlistentry>

237

267

238

268

239

269

<term><option>--subtype

240

270

<replaceable>KEYTYPE</replaceable></option></term>

242

272

<replaceable>KEYTYPE</replaceable></option></term>

243

273

244

274

<para>

245

Subkey type. Default is <quote>ELG-E</quote> (Elgamal

246

encryption-only).

275

OpenPGP subkey type. Default is <quote>RSA</quote>

247

276

</para>

248

277

</listitem>

249

278

</varlistentry>

250

279

251

280

252

281

<term><option>--sublength

253

282

255

284

256

285

257

286

<para>

258

Subkey length in bits. Default is 2048.

287

OpenPGP subkey length in bits. Default is 4096.

259

288

</para>

260

289

</listitem>

261

290

</varlistentry>

262

291

263

292

264

293

<term><option>--email

265

294

<replaceable>ADDRESS</replaceable></option></term>

271

300

</para>

272

301

</listitem>

273

302

</varlistentry>

274

303

275

304

276

305

<term><option>--comment

277

306

279

308

280

309

281

310

<para>

282

Comment field for key. The default value is

283

<quote><literal>Mandos client key</literal></quote>.

311

Comment field for key. Default is empty.

284

312

</para>

285

313

</listitem>

286

314

</varlistentry>

287

315

288

316

289

317

<term><option>--expire

290

318

298

326

</para>

299

327

</listitem>

300

328

</varlistentry>

301

329

330

331

<term><option>--tls-keytype

332

<replaceable>KEYTYPE</replaceable></option></term>

333

<term><option>-T

334

<replaceable>KEYTYPE</replaceable></option></term>

335

336

<para>

337

TLS key type. Default is <quote>ed25519</quote>

338

</para>

339

</listitem>

340

</varlistentry>

341

302

342

303

343

<term><option>--force</option></term>

304

344

314

354

315

355

<para>

316

356

Prompt for a password and encrypt it with the key already

317

present in either <filename>/etc/mandos</filename> or the

318

directory specified with the <option>--dir</option>

357

present in either <filename>/etc/keys/mandos</filename> or

358

the directory specified with the <option>--dir</option>

319

359

option. Outputs, on standard output, a section suitable

320

360

for inclusion in <citerefentry><refentrytitle

321

361

>mandos-clients.conf</refentrytitle><manvolnum

326

366

</para>

327

367

</listitem>

328

368

</varlistentry>

369

370

<term><option>--passfile

371

372

<term><option>-F

373

374

375

<para>

376

The same as <option>--password</option>, but read from

377

<replaceable>FILE</replaceable>, not the terminal.

378

</para>

379

</listitem>

380

</varlistentry>

381

382

383

384

385

<para>

386

When <option>--password</option> or

387

<option>--passfile</option> is given, this option will

388

prevent <command>&COMMANDNAME;</command> from calling

389

<command>ssh-keyscan</command> to get an SSH fingerprint

390

for this host and, if successful, output suitable config

391

options to use this fingerprint as a

392

<option>checker</option> option in the output. This is

393

otherwise the default behavior.

394

</para>

395

</listitem>

396

</varlistentry>

329

397

</variablelist>

330

398

</refsect1>

331

399

332

400

333

401

<title>OVERVIEW</title>

334

402

<xi:include href="overview.xml"/>

335

403

<para>

336

This program is a small utility to generate new OpenPGP keys for

337

new Mandos clients, and to generate sections for inclusion in

338

<filename>clients.conf</filename> on the server.

404

This program is a small utility to generate new TLS and OpenPGP

405

keys for new Mandos clients, and to generate sections for

406

inclusion in <filename>clients.conf</filename> on the server.

339

407

</para>

340

408

</refsect1>

341

409

342

410

343

411

<title>EXIT STATUS</title>

344

412

<para>

364

432

</variablelist>

365

433

</refsect1>

366

434

367

435

368

436

<title>FILES</title>

369

437

<para>

370

438

Use the <option>--dir</option> option to change where

373

441

</para>

374

442

375

443

376

<term><filename>/etc/mandos/seckey.txt</filename></term>

444

<term><filename>/etc/keys/mandos/seckey.txt</filename></term>

377

445

378

446

<para>

379

447

OpenPGP secret key file which will be created or

382

450

</listitem>

383

451

</varlistentry>

384

452

385

<term><filename>/etc/mandos/pubkey.txt</filename></term>

453

<term><filename>/etc/keys/mandos/pubkey.txt</filename></term>

386

454

387

455

<para>

388

456

OpenPGP public key file which will be created or

391

459

</listitem>

392

460

</varlistentry>

393

461

394

462

<term><filename>/etc/keys/mandos/tls-privkey.pem</filename></term>

463

464

<para>

465

Private key file which will be created or overwritten.

466

</para>

467

</listitem>

468

</varlistentry>

469

470

<term><filename>/etc/keys/mandos/tls-pubkey.pem</filename></term>

471

472

<para>

473

Public key file which will be created or overwritten.

474

</para>

475

</listitem>

476

</varlistentry>

477

478

395

479

396

480

<para>

397

481

Temporary files will be written here if

401

485

</varlistentry>

402

486

</variablelist>

403

487

</refsect1>

404

405

406

407

408

409

410

488

489

490

491

<xi:include href="bugs.xml"/>

492

</refsect1>

493

411

494

412

495

<title>EXAMPLE</title>

413

496

432

515

</informalexample>

433

516

434

517

<para>

435

Prompt for a password, encrypt it with the key in

436

<filename>/etc/mandos</filename> and output a section suitable

437

for <filename>clients.conf</filename>.

518

Prompt for a password, encrypt it with the keys in <filename

519

class="directory">/etc/keys/mandos</filename> and output a

520

section suitable for <filename>clients.conf</filename>.

438

521

</para>

439

522

<para>

440

523

<userinput>&COMMANDNAME; --password</userinput>

442

525

</informalexample>

443

526

444

527

<para>

445

Prompt for a password, encrypt it with the key in the

528

Prompt for a password, encrypt it with the keys in the

446

529

<filename>client-key</filename> directory and output a section

447

530

suitable for <filename>clients.conf</filename>.

448

531

</para>

454

537

</para>

455

538

</informalexample>

456

539

</refsect1>

457

540

458

541

459

542

<title>SECURITY</title>

460

543

<para>

469

552

<manvolnum>8</manvolnum></citerefentry>.

470

553

</para>

471

554

</refsect1>

472

555

473

556

474

557

475

558

<para>

559

<citerefentry><refentrytitle>intro</refentrytitle>

560

<manvolnum>8mandos</manvolnum></citerefentry>,

476

561

477

562

<manvolnum>1</manvolnum></citerefentry>,

478

563

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

479

564

<manvolnum>5</manvolnum></citerefentry>,

480

565

<citerefentry><refentrytitle>mandos</refentrytitle>

481

566

<manvolnum>8</manvolnum></citerefentry>,

482

<citerefentry><refentrytitle>password-request</refentrytitle>

483

<manvolnum>8mandos</manvolnum></citerefentry>

567

<citerefentry><refentrytitle>mandos-client</refentrytitle>

568

<manvolnum>8mandos</manvolnum></citerefentry>,

569

<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>

570

484

571

</para>

485

572

</refsect1>

486

573

Older »