/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

  • Committer: Teddy Hogeborn
  • Date: 2019-02-10 08:41:14 UTC
  • Revision ID: teddy@recompile.se-20190210084114-u91mijrxtifvzra5
Bug fix: Only create TLS key with certtool, and read correct key file

* debian/mandos-client.postinst (create_keys): Remove any bad keys
                                               created by 1.8.0-1.
                                               Only create TLS keys if
                                               certtool succeeds.
* debian/mandos.postinst (configure): Remove any bad keys from
                                      clients.conf, and inform the
                                      user if any were found.
* debian/mandos.templates (mandos/removed_bad_key_ids): New message.
* mandos (MandosServer.handle_ipc): Do not trust a key_id with a known
                                    bad key ID.
* mandos-keygen (keygen): Only create TLS keys if certtool succeeds.
  (password): Bug fix: Generate key_id correctly, and only output
              key_id if TLS key exists.

Show diffs side-by-side

added added

removed removed

Lines of Context:
mandos-keygen.xml
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos-keygen">
5
 
<!ENTITY TIMESTAMP "2016-03-05">
 
5
<!ENTITY TIMESTAMP "2019-02-10">
6
6
<!ENTITY % common SYSTEM "common.ent">
7
7
%common;
8
8
]>
40
40
      <year>2014</year>
41
41
      <year>2015</year>
42
42
      <year>2016</year>
 
43
      <year>2017</year>
 
44
      <year>2018</year>
 
45
      <year>2019</year>
43
46
      <holder>Teddy Hogeborn</holder>
44
47
      <holder>Björn Påhlsson</holder>
45
48
    </copyright>
125
128
      </group>
126
129
      <sbr/>
127
130
      <group>
 
131
        <arg choice="plain"><option>--tls-keytype
 
132
        <replaceable>KEYTYPE</replaceable></option></arg>
 
133
        <arg choice="plain"><option>-T
 
134
        <replaceable>KEYTYPE</replaceable></option></arg>
 
135
      </group>
 
136
      <sbr/>
 
137
      <group>
128
138
        <arg choice="plain"><option>--force</option></arg>
129
139
        <arg choice="plain"><option>-f</option></arg>
130
140
      </group>
178
188
    <title>DESCRIPTION</title>
179
189
    <para>
180
190
      <command>&COMMANDNAME;</command> is a program to generate the
181
 
      OpenPGP key used by
 
191
      TLS and OpenPGP keys used by
182
192
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
183
 
      <manvolnum>8mandos</manvolnum></citerefentry>.  The key is
184
 
      normally written to /etc/mandos for later installation into the
185
 
      initrd image, but this, and most other things, can be changed
186
 
      with command line options.
 
193
      <manvolnum>8mandos</manvolnum></citerefentry>.  The keys are
 
194
      normally written to /etc/keys/mandos for later installation into
 
195
      the initrd image, but this, and most other things, can be
 
196
      changed with command line options.
187
197
    </para>
188
198
    <para>
189
199
      This program can also be used with the
226
236
        <replaceable>DIRECTORY</replaceable></option></term>
227
237
        <listitem>
228
238
          <para>
229
 
            Target directory for key files.  Default is
230
 
            <filename class="directory">/etc/mandos</filename>.
 
239
            Target directory for key files.  Default is <filename
 
240
            class="directory">/etc/keys/mandos</filename>.
231
241
          </para>
232
242
        </listitem>
233
243
      </varlistentry>
239
249
        <replaceable>TYPE</replaceable></option></term>
240
250
        <listitem>
241
251
          <para>
242
 
            Key type.  Default is <quote>RSA</quote>.
 
252
            OpenPGP key type.  Default is <quote>RSA</quote>.
243
253
          </para>
244
254
        </listitem>
245
255
      </varlistentry>
251
261
        <replaceable>BITS</replaceable></option></term>
252
262
        <listitem>
253
263
          <para>
254
 
            Key length in bits.  Default is 4096.
 
264
            OpenPGP key length in bits.  Default is 4096.
255
265
          </para>
256
266
        </listitem>
257
267
      </varlistentry>
263
273
        <replaceable>KEYTYPE</replaceable></option></term>
264
274
        <listitem>
265
275
          <para>
266
 
            Subkey type.  Default is <quote>RSA</quote> (Elgamal
267
 
            encryption-only).
 
276
            OpenPGP subkey type.  Default is <quote>RSA</quote>
268
277
          </para>
269
278
        </listitem>
270
279
      </varlistentry>
276
285
        <replaceable>BITS</replaceable></option></term>
277
286
        <listitem>
278
287
          <para>
279
 
            Subkey length in bits.  Default is 4096.
 
288
            OpenPGP subkey length in bits.  Default is 4096.
280
289
          </para>
281
290
        </listitem>
282
291
      </varlistentry>
320
329
      </varlistentry>
321
330
      
322
331
      <varlistentry>
 
332
        <term><option>--tls-keytype
 
333
        <replaceable>KEYTYPE</replaceable></option></term>
 
334
        <term><option>-T
 
335
        <replaceable>KEYTYPE</replaceable></option></term>
 
336
        <listitem>
 
337
          <para>
 
338
            TLS key type.  Default is <quote>ed25519</quote>
 
339
          </para>
 
340
        </listitem>
 
341
      </varlistentry>
 
342
      
 
343
      <varlistentry>
323
344
        <term><option>--force</option></term>
324
345
        <term><option>-f</option></term>
325
346
        <listitem>
334
355
        <listitem>
335
356
          <para>
336
357
            Prompt for a password and encrypt it with the key already
337
 
            present in either <filename>/etc/mandos</filename> or the
338
 
            directory specified with the <option>--dir</option>
 
358
            present in either <filename>/etc/keys/mandos</filename> or
 
359
            the directory specified with the <option>--dir</option>
339
360
            option.  Outputs, on standard output, a section suitable
340
361
            for inclusion in <citerefentry><refentrytitle
341
362
            >mandos-clients.conf</refentrytitle><manvolnum
381
402
    <title>OVERVIEW</title>
382
403
    <xi:include href="overview.xml"/>
383
404
    <para>
384
 
      This program is a small utility to generate new OpenPGP keys for
385
 
      new Mandos clients, and to generate sections for inclusion in
386
 
      <filename>clients.conf</filename> on the server.
 
405
      This program is a small utility to generate new TLS and OpenPGP
 
406
      keys for new Mandos clients, and to generate sections for
 
407
      inclusion in <filename>clients.conf</filename> on the server.
387
408
    </para>
388
409
  </refsect1>
389
410
  
421
442
    </para>
422
443
    <variablelist>
423
444
      <varlistentry>
424
 
        <term><filename>/etc/mandos/seckey.txt</filename></term>
 
445
        <term><filename>/etc/keys/mandos/seckey.txt</filename></term>
425
446
        <listitem>
426
447
          <para>
427
448
            OpenPGP secret key file which will be created or
430
451
        </listitem>
431
452
      </varlistentry>
432
453
      <varlistentry>
433
 
        <term><filename>/etc/mandos/pubkey.txt</filename></term>
 
454
        <term><filename>/etc/keys/mandos/pubkey.txt</filename></term>
434
455
        <listitem>
435
456
          <para>
436
457
            OpenPGP public key file which will be created or
439
460
        </listitem>
440
461
      </varlistentry>
441
462
      <varlistentry>
 
463
        <term><filename>/etc/keys/mandos/tls-privkey.pem</filename></term>
 
464
        <listitem>
 
465
          <para>
 
466
            Private key file which will be created or overwritten.
 
467
          </para>
 
468
        </listitem>
 
469
      </varlistentry>
 
470
      <varlistentry>
 
471
        <term><filename>/etc/keys/mandos/tls-pubkey.pem</filename></term>
 
472
        <listitem>
 
473
          <para>
 
474
            Public key file which will be created or overwritten.
 
475
          </para>
 
476
        </listitem>
 
477
      </varlistentry>
 
478
      <varlistentry>
442
479
        <term><filename class="directory">/tmp</filename></term>
443
480
        <listitem>
444
481
          <para>
479
516
    </informalexample>
480
517
    <informalexample>
481
518
      <para>
482
 
        Prompt for a password, encrypt it with the key in <filename
483
 
        class="directory">/etc/mandos</filename> and output a section
484
 
        suitable for <filename>clients.conf</filename>.
 
519
        Prompt for a password, encrypt it with the keys in <filename
 
520
        class="directory">/etc/keys/mandos</filename> and output a
 
521
        section suitable for <filename>clients.conf</filename>.
485
522
      </para>
486
523
      <para>
487
524
        <userinput>&COMMANDNAME; --password</userinput>
489
526
    </informalexample>
490
527
    <informalexample>
491
528
      <para>
492
 
        Prompt for a password, encrypt it with the key in the
 
529
        Prompt for a password, encrypt it with the keys in the
493
530
        <filename>client-key</filename> directory and output a section
494
531
        suitable for <filename>clients.conf</filename>.
495
532
      </para>