
Viewing changes to mandos-keygen.xml

  • Committer: Teddy Hogeborn
  • Date: 2019-02-10 03:50:20 UTC
  • Revision ID: teddy@recompile.se-20190210035020-nttr1tybgwwixueu
Show debconf note about new TLS key IDs

If mandos-client did not see TLS keys and had to create them, or if
mandos sees GnuTLS version 3.6.6 or later, show an important notice on
package installation about the importance of adding the new key_id
options to clients.conf on the Mandos server.

* debian/control (Package: mandos, Package: mandos-client): Depend on
                                                            debconf.
* debian/mandos-client.lintian-overrides: Override warnings.
* debian/mandos-client.postinst (create_keys): Show notice if new TLS
                                               key files were created.
* debian/mandos-client.templates: New.
* debian/mandos.lintian-overrides: Override warnings.
* debian/mandos.postinst (configure): If GnuTLS 3.6.6 or later is
                                      detected, show an important
                                      notice (once) about the new
                                      key_id option required in
                                      clients.conf.
* debian/mandos.templates: New.

2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos-keygen">
5
 
<!ENTITY TIMESTAMP "2015-07-20">
 
5
<!ENTITY TIMESTAMP "2019-02-10">
6
6
<!ENTITY % common SYSTEM "common.ent">
7
7
%common;
8
8
]>
39
39
      <year>2013</year>
40
40
      <year>2014</year>
41
41
      <year>2015</year>
 
42
      <year>2016</year>
 
43
      <year>2017</year>
 
44
      <year>2018</year>
42
45
      <holder>Teddy Hogeborn</holder>
43
46
      <holder>Björn Påhlsson</holder>
44
47
    </copyright>
124
127
      </group>
125
128
      <sbr/>
126
129
      <group>
 
130
        <arg choice="plain"><option>--tls-keytype
 
131
        <replaceable>KEYTYPE</replaceable></option></arg>
 
132
        <arg choice="plain"><option>-T
 
133
        <replaceable>KEYTYPE</replaceable></option></arg>
 
134
      </group>
 
135
      <sbr/>
 
136
      <group>
127
137
        <arg choice="plain"><option>--force</option></arg>
128
138
        <arg choice="plain"><option>-f</option></arg>
129
139
      </group>
177
187
    <title>DESCRIPTION</title>
178
188
    <para>
179
189
      <command>&COMMANDNAME;</command> is a program to generate the
180
 
      OpenPGP key used by
 
190
      TLS and OpenPGP keys used by
181
191
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
182
 
      <manvolnum>8mandos</manvolnum></citerefentry>.  The key is
183
 
      normally written to /etc/mandos for later installation into the
184
 
      initrd image, but this, and most other things, can be changed
185
 
      with command line options.
 
192
      <manvolnum>8mandos</manvolnum></citerefentry>.  The keys are
 
193
      normally written to /etc/keys/mandos for later installation into
 
194
      the initrd image, but this, and most other things, can be
 
195
      changed with command line options.
186
196
    </para>
187
197
    <para>
188
198
      This program can also be used with the
225
235
        <replaceable>DIRECTORY</replaceable></option></term>
226
236
        <listitem>
227
237
          <para>
228
 
            Target directory for key files.  Default is
229
 
            <filename class="directory">/etc/mandos</filename>.
 
238
            Target directory for key files.  Default is <filename
 
239
            class="directory">/etc/keys/mandos</filename>.
230
240
          </para>
231
241
        </listitem>
232
242
      </varlistentry>
238
248
        <replaceable>TYPE</replaceable></option></term>
239
249
        <listitem>
240
250
          <para>
241
 
            Key type.  Default is <quote>RSA</quote>.
 
251
            OpenPGP key type.  Default is <quote>RSA</quote>.
242
252
          </para>
243
253
        </listitem>
244
254
      </varlistentry>
250
260
        <replaceable>BITS</replaceable></option></term>
251
261
        <listitem>
252
262
          <para>
253
 
            Key length in bits.  Default is 4096.
 
263
            OpenPGP key length in bits.  Default is 4096.
254
264
          </para>
255
265
        </listitem>
256
266
      </varlistentry>
262
272
        <replaceable>KEYTYPE</replaceable></option></term>
263
273
        <listitem>
264
274
          <para>
265
 
            Subkey type.  Default is <quote>RSA</quote> (Elgamal
266
 
            encryption-only).
 
275
            OpenPGP subkey type.  Default is <quote>RSA</quote>
267
276
          </para>
268
277
        </listitem>
269
278
      </varlistentry>
275
284
        <replaceable>BITS</replaceable></option></term>
276
285
        <listitem>
277
286
          <para>
278
 
            Subkey length in bits.  Default is 4096.
 
287
            OpenPGP subkey length in bits.  Default is 4096.
279
288
          </para>
280
289
        </listitem>
281
290
      </varlistentry>
319
328
      </varlistentry>
320
329
      
321
330
      <varlistentry>
 
331
        <term><option>--tls-keytype
 
332
        <replaceable>KEYTYPE</replaceable></option></term>
 
333
        <term><option>-T
 
334
        <replaceable>KEYTYPE</replaceable></option></term>
 
335
        <listitem>
 
336
          <para>
 
337
            TLS key type.  Default is <quote>ed25519</quote>
 
338
          </para>
 
339
        </listitem>
 
340
      </varlistentry>
 
341
      
 
342
      <varlistentry>
322
343
        <term><option>--force</option></term>
323
344
        <term><option>-f</option></term>
324
345
        <listitem>
333
354
        <listitem>
334
355
          <para>
335
356
            Prompt for a password and encrypt it with the key already
336
 
            present in either <filename>/etc/mandos</filename> or the
337
 
            directory specified with the <option>--dir</option>
 
357
            present in either <filename>/etc/keys/mandos</filename> or
 
358
            the directory specified with the <option>--dir</option>
338
359
            option.  Outputs, on standard output, a section suitable
339
360
            for inclusion in <citerefentry><refentrytitle
340
361
            >mandos-clients.conf</refentrytitle><manvolnum
380
401
    <title>OVERVIEW</title>
381
402
    <xi:include href="overview.xml"/>
382
403
    <para>
383
 
      This program is a small utility to generate new OpenPGP keys for
384
 
      new Mandos clients, and to generate sections for inclusion in
385
 
      <filename>clients.conf</filename> on the server.
 
404
      This program is a small utility to generate new TLS and OpenPGP
 
405
      keys for new Mandos clients, and to generate sections for
 
406
      inclusion in <filename>clients.conf</filename> on the server.
386
407
    </para>
387
408
  </refsect1>
388
409
  
420
441
    </para>
421
442
    <variablelist>
422
443
      <varlistentry>
423
 
        <term><filename>/etc/mandos/seckey.txt</filename></term>
 
444
        <term><filename>/etc/keys/mandos/seckey.txt</filename></term>
424
445
        <listitem>
425
446
          <para>
426
447
            OpenPGP secret key file which will be created or
429
450
        </listitem>
430
451
      </varlistentry>
431
452
      <varlistentry>
432
 
        <term><filename>/etc/mandos/pubkey.txt</filename></term>
 
453
        <term><filename>/etc/keys/mandos/pubkey.txt</filename></term>
433
454
        <listitem>
434
455
          <para>
435
456
            OpenPGP public key file which will be created or
438
459
        </listitem>
439
460
      </varlistentry>
440
461
      <varlistentry>
 
462
        <term><filename>/etc/keys/mandos/tls-privkey.pem</filename></term>
 
463
        <listitem>
 
464
          <para>
 
465
            Private key file which will be created or overwritten.
 
466
          </para>
 
467
        </listitem>
 
468
      </varlistentry>
 
469
      <varlistentry>
 
470
        <term><filename>/etc/keys/mandos/tls-pubkey.pem</filename></term>
 
471
        <listitem>
 
472
          <para>
 
473
            Public key file which will be created or overwritten.
 
474
          </para>
 
475
        </listitem>
 
476
      </varlistentry>
 
477
      <varlistentry>
441
478
        <term><filename class="directory">/tmp</filename></term>
442
479
        <listitem>
443
480
          <para>
449
486
    </variablelist>
450
487
  </refsect1>
451
488
  
452
 
<!--   <refsect1 id="bugs"> -->
453
 
<!--     <title>BUGS</title> -->
454
 
<!--     <para> -->
455
 
<!--     </para> -->
456
 
<!--   </refsect1> -->
 
489
  <refsect1 id="bugs">
 
490
    <title>BUGS</title>
 
491
    <xi:include href="bugs.xml"/>
 
492
  </refsect1>
457
493
  
458
494
  <refsect1 id="example">
459
495
    <title>EXAMPLE</title>
479
515
    </informalexample>
480
516
    <informalexample>
481
517
      <para>
482
 
        Prompt for a password, encrypt it with the key in <filename
483
 
        class="directory">/etc/mandos</filename> and output a section
484
 
        suitable for <filename>clients.conf</filename>.
 
518
        Prompt for a password, encrypt it with the keys in <filename
 
519
        class="directory">/etc/keys/mandos</filename> and output a
 
520
        section suitable for <filename>clients.conf</filename>.
485
521
      </para>
486
522
      <para>
487
523
        <userinput>&COMMANDNAME; --password</userinput>
489
525
    </informalexample>
490
526
    <informalexample>
491
527
      <para>
492
 
        Prompt for a password, encrypt it with the key in the
 
528
        Prompt for a password, encrypt it with the keys in the
493
529
        <filename>client-key</filename> directory and output a section
494
530
        suitable for <filename>clients.conf</filename>.
495
531
      </para>