/mandos/trunk : revision 13

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Björn Påhlsson
Date: 2008-07-20 02:52:20 UTC
Revision ID: belorn@braxen-20080720025220-r5u0388uy9iu23h6

Added following support:
Pluginbased client handler
rewritten Mandos client
Avahi instead of udp server discovery
openpgp encrypted key support
Passprompt stand alone application for direct console input
Added logging for Mandos server

files added:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

plugins.d/Makefile

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-tools-conf

initramfs-tools-hook

initramfs-tools-script

initramfs-tools-script-stop

initramfs-unpack

intro.xml

legalnotice.xml

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos-to-cryptroot-unlock

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

overview.xml

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files renamed:
clients.conf => mandos-clients.conf

plugin-runner.c => plugbasedclient.c

plugins.d/mandos-client.c => plugins.d/mandosclient.c

plugins.d/password-prompt.c => plugins.d/passprompt.c

mandos => server.py

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2019-02-10">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

</refmeta>

<refname><command>&COMMANDNAME;</command></refname>

Generate key and password for Mandos client and server.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--dir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--type

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-t

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--length

<arg choice="plain"><option>-l

</group>

<sbr/>

<group>

<arg choice="plain"><option>--subtype

<replaceable>KEYTYPE</replaceable></option></arg>

<arg choice="plain"><option>-s

<replaceable>KEYTYPE</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--sublength

<arg choice="plain"><option>-L

</group>

100

<sbr/>

101

<group>

102

<arg choice="plain"><option>--name

103

104

<arg choice="plain"><option>-n

105

106

</group>

107

<sbr/>

108

<group>

109

<arg choice="plain"><option>--email

110

<replaceable>ADDRESS</replaceable></option></arg>

111

<arg choice="plain"><option>-e

112

<replaceable>ADDRESS</replaceable></option></arg>

113

</group>

114

<sbr/>

115

<group>

116

<arg choice="plain"><option>--comment

117

118

<arg choice="plain"><option>-c

119

120

</group>

121

<sbr/>

122

<group>

123

<arg choice="plain"><option>--expire

124

125

<arg choice="plain"><option>-x

126

127

</group>

128

<sbr/>

129

<group>

130

<arg choice="plain"><option>--tls-keytype

131

<replaceable>KEYTYPE</replaceable></option></arg>

132

<arg choice="plain"><option>-T

133

<replaceable>KEYTYPE</replaceable></option></arg>

134

</group>

135

<sbr/>

136

<group>

137

<arg choice="plain"><option>--force</option></arg>

138

139

</group>

140

</cmdsynopsis>

141

142

<command>&COMMANDNAME;</command>

143

144

<arg choice="plain"><option>--password</option></arg>

145

146

<arg choice="plain"><option>--passfile

147

148

149

150

</group>

151

<sbr/>

152

<group>

153

<arg choice="plain"><option>--dir

154

<replaceable>DIRECTORY</replaceable></option></arg>

155

<arg choice="plain"><option>-d

156

<replaceable>DIRECTORY</replaceable></option></arg>

157

</group>

158

<sbr/>

159

<group>

160

<arg choice="plain"><option>--name

161

162

<arg choice="plain"><option>-n

163

164

</group>

165

<group>

166

167

168

</group>

169

</cmdsynopsis>

170

171

<command>&COMMANDNAME;</command>

172

173

174

175

</group>

176

</cmdsynopsis>

177

178

<command>&COMMANDNAME;</command>

179

180

<arg choice="plain"><option>--version</option></arg>

181

182

</group>

183

</cmdsynopsis>

184

</refsynopsisdiv>

185

186

187

<title>DESCRIPTION</title>

188

<para>

189

<command>&COMMANDNAME;</command> is a program to generate the

190

TLS and OpenPGP keys used by

191

<citerefentry><refentrytitle>mandos-client</refentrytitle>

192

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

193

normally written to /etc/mandos for later installation into the

194

initrd image, but this, and most other things, can be changed

195

with command line options.

196

</para>

197

<para>

198

This program can also be used with the

199

<option>--password</option> or <option>--passfile</option>

200

options to generate a ready-made section for

201

<filename>clients.conf</filename> (see

202

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

203

<manvolnum>5</manvolnum></citerefentry>).

204

</para>

205

</refsect1>

206

207

208

<title>PURPOSE</title>

209

<para>

210

The purpose of this is to enable <emphasis>remote and unattended

211

rebooting</emphasis> of client host computer with an

212

<emphasis>encrypted root file system</emphasis>. See <xref

213

linkend="overview"/> for details.

214

</para>

215

</refsect1>

216

217

218

<title>OPTIONS</title>

219

220

221

222

223

224

225

<para>

226

Show a help message and exit

227

</para>

228

</listitem>

229

</varlistentry>

230

231

232

<term><option>--dir

233

<replaceable>DIRECTORY</replaceable></option></term>

234

<term><option>-d

235

<replaceable>DIRECTORY</replaceable></option></term>

236

237

<para>

238

Target directory for key files. Default is

239

<filename class="directory">/etc/mandos</filename>.

240

</para>

241

</listitem>

242

</varlistentry>

243

244

245

<term><option>--type

246

247

<term><option>-t

248

249

250

<para>

251

OpenPGP key type. Default is <quote>RSA</quote>.

252

</para>

253

</listitem>

254

</varlistentry>

255

256

257

<term><option>--length

258

259

<term><option>-l

260

261

262

<para>

263

OpenPGP key length in bits. Default is 4096.

264

</para>

265

</listitem>

266

</varlistentry>

267

268

269

<term><option>--subtype

270

<replaceable>KEYTYPE</replaceable></option></term>

271

<term><option>-s

272

<replaceable>KEYTYPE</replaceable></option></term>

273

274

<para>

275

OpenPGP subkey type. Default is <quote>RSA</quote>

276

</para>

277

</listitem>

278

</varlistentry>

279

280

281

<term><option>--sublength

282

283

<term><option>-L

284

285

286

<para>

287

OpenPGP subkey length in bits. Default is 4096.

288

</para>

289

</listitem>

290

</varlistentry>

291

292

293

<term><option>--email

294

<replaceable>ADDRESS</replaceable></option></term>

295

<term><option>-e

296

<replaceable>ADDRESS</replaceable></option></term>

297

298

<para>

299

Email address of key. Default is empty.

300

</para>

301

</listitem>

302

</varlistentry>

303

304

305

<term><option>--comment

306

307

<term><option>-c

308

309

310

<para>

311

Comment field for key. Default is empty.

312

</para>

313

</listitem>

314

</varlistentry>

315

316

317

<term><option>--expire

318

319

<term><option>-x

320

321

322

<para>

323

Key expire time. Default is no expiration. See

324

325

<manvolnum>1</manvolnum></citerefentry> for syntax.

326

</para>

327

</listitem>

328

</varlistentry>

329

330

331

<term><option>--tls-keytype

332

<replaceable>KEYTYPE</replaceable></option></term>

333

<term><option>-T

334

<replaceable>KEYTYPE</replaceable></option></term>

335

336

<para>

337

TLS key type. Default is <quote>ed25519</quote>

338

</para>

339

</listitem>

340

</varlistentry>

341

342

343

<term><option>--force</option></term>

344

345

346

<para>

347

Force overwriting old key.

348

</para>

349

</listitem>

350

</varlistentry>

351

352

<term><option>--password</option></term>

353

354

355

<para>

356

Prompt for a password and encrypt it with the key already

357

present in either <filename>/etc/mandos</filename> or the

358

directory specified with the <option>--dir</option>

359

option. Outputs, on standard output, a section suitable

360

for inclusion in <citerefentry><refentrytitle

361

>mandos-clients.conf</refentrytitle><manvolnum

362

>8</manvolnum></citerefentry>. The host name or the name

363

specified with the <option>--name</option> option is used

364

for the section header. All other options are ignored,

365

and no key is created.

366

</para>

367

</listitem>

368

</varlistentry>

369

370

<term><option>--passfile

371

372

<term><option>-F

373

374

375

<para>

376

The same as <option>--password</option>, but read from

377

<replaceable>FILE</replaceable>, not the terminal.

378

</para>

379

</listitem>

380

</varlistentry>

381

382

383

384

385

<para>

386

When <option>--password</option> or

387

<option>--passfile</option> is given, this option will

388

prevent <command>&COMMANDNAME;</command> from calling

389

<command>ssh-keyscan</command> to get an SSH fingerprint

390

for this host and, if successful, output suitable config

391

options to use this fingerprint as a

392

<option>checker</option> option in the output. This is

393

otherwise the default behavior.

394

</para>

395

</listitem>

396

</varlistentry>

397

</variablelist>

398

</refsect1>

399

400

401

<title>OVERVIEW</title>

402

<xi:include href="overview.xml"/>

403

<para>

404

This program is a small utility to generate new TLS and OpenPGP

405

keys for new Mandos clients, and to generate sections for

406

inclusion in <filename>clients.conf</filename> on the server.

407

</para>

408

</refsect1>

409

410

411

<title>EXIT STATUS</title>

412

<para>

413

The exit status will be 0 if a new key (or password, if the

414

<option>--password</option> option was used) was successfully

415

created, otherwise not.

416

</para>

417

</refsect1>

418

419

420

<title>ENVIRONMENT</title>

421

422

423

<term><envar>TMPDIR</envar></term>

424

425

<para>

426

If set, temporary files will be created here. See

427

<citerefentry><refentrytitle>mktemp</refentrytitle>

428

<manvolnum>1</manvolnum></citerefentry>.

429

</para>

430

</listitem>

431

</varlistentry>

432

</variablelist>

433

</refsect1>

434

435

436

<title>FILES</title>

437

<para>

438

Use the <option>--dir</option> option to change where

439

<command>&COMMANDNAME;</command> will write the key files. The

440

default file names are shown here.

441

</para>

442

443

444

<term><filename>/etc/mandos/seckey.txt</filename></term>

445

446

<para>

447

OpenPGP secret key file which will be created or

448

overwritten.

449

</para>

450

</listitem>

451

</varlistentry>

452

453

<term><filename>/etc/mandos/pubkey.txt</filename></term>

454

455

<para>

456

OpenPGP public key file which will be created or

457

overwritten.

458

</para>

459

</listitem>

460

</varlistentry>

461

462

<term><filename>/etc/keys/mandos/tls-privkey.pem</filename></term>

463

464

<para>

465

Private key file which will be created or overwritten.

466

</para>

467

</listitem>

468

</varlistentry>

469

470

<term><filename>/etc/keys/mandos/tls-pubkey.pem</filename></term>

471

472

<para>

473

Public key file which will be created or overwritten.

474

</para>

475

</listitem>

476

</varlistentry>

477

478

479

480

<para>

481

Temporary files will be written here if

482

<varname>TMPDIR</varname> is not set.

483

</para>

484

</listitem>

485

</varlistentry>

486

</variablelist>

487

</refsect1>

488

489

490

491

<xi:include href="bugs.xml"/>

492

</refsect1>

493

494

495

<title>EXAMPLE</title>

496

497

<para>

498

Normal invocation needs no options:

499

</para>

500

<para>

501

<userinput>&COMMANDNAME;</userinput>

502

</para>

503

</informalexample>

504

505

<para>

506

Create key in another directory and of another type. Force

507

overwriting old key files:

508

</para>

509

<para>

510

511

512

<userinput>&COMMANDNAME; --dir ~/keydir --type RSA --force</userinput>

513

514

</para>

515

</informalexample>

516

517

<para>

518

Prompt for a password, encrypt it with the key in <filename

519

class="directory">/etc/mandos</filename> and output a section

520

suitable for <filename>clients.conf</filename>.

521

</para>

522

<para>

523

<userinput>&COMMANDNAME; --password</userinput>

524

</para>

525

</informalexample>

526

527

<para>

528

Prompt for a password, encrypt it with the key in the

529

<filename>client-key</filename> directory and output a section

530

suitable for <filename>clients.conf</filename>.

531

</para>

532

<para>

533

534

535

<userinput>&COMMANDNAME; --password --dir client-key</userinput>

536

537

</para>

538

</informalexample>

539

</refsect1>

540

541

542

<title>SECURITY</title>

543

<para>

544

The <option>--type</option>, <option>--length</option>,

545

<option>--subtype</option>, and <option>--sublength</option>

546

options can be used to create keys of low security. If in

547

doubt, leave them to the default values.

548

</para>

549

<para>

550

The key expire time is <emphasis>not</emphasis> guaranteed to be

551

honored by <citerefentry><refentrytitle>mandos</refentrytitle>

552

<manvolnum>8</manvolnum></citerefentry>.

553

</para>

554

</refsect1>

555

556

557

558

<para>

559

<citerefentry><refentrytitle>intro</refentrytitle>

560

<manvolnum>8mandos</manvolnum></citerefentry>,

561

562

<manvolnum>1</manvolnum></citerefentry>,

563

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

564

<manvolnum>5</manvolnum></citerefentry>,

565

<citerefentry><refentrytitle>mandos</refentrytitle>

566

<manvolnum>8</manvolnum></citerefentry>,

567

<citerefentry><refentrytitle>mandos-client</refentrytitle>

568

<manvolnum>8mandos</manvolnum></citerefentry>,

569

<citerefentry><refentrytitle>ssh-keyscan</refentrytitle>

570

571

</para>

572

</refsect1>

573

574

</refentry>

575

576

577

578

579

Older »