060ca767 |
1 | .\" -*-nroff-*- |
2 | .\". |
3 | .de hP |
4 | .IP |
5 | \h'-\w'\fB\\$1\ \fP'u'\fB\\$1\ \fP\c |
6 | .. |
7 | .de VS |
8 | .sp 1 |
9 | .RS |
10 | .nf |
11 | .ft B |
12 | .. |
13 | .de VE |
14 | .ft R |
15 | .fi |
16 | .RE |
17 | .sp 1 |
18 | .. |
19 | .ie t \{\ |
20 | . ds o \(bu |
21 | . ds ss \s8\u |
22 | . ds se \d\s0 |
23 | . if \n(.g \{\ |
24 | . fam P |
25 | . \} |
26 | .\} |
27 | .el \{\ |
28 | . ds o o |
29 | . ds ss ^ |
30 | . ds se |
31 | .\} |
32 | .TH tripe-keys 8 "14 September 2005" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption" |
33 | .SH "NAME" |
34 | tripe-keys \- simple centralized key management for tripe |
35 | .SH "SYNOPSIS" |
36 | .B tripe-keys |
37 | .I operation |
38 | .IP "Operations supported:" |
c77687d5 |
39 | .BI "help \fR[" command \fR] |
40 | .br |
41 | .B "setup" |
42 | .br |
43 | .B "upload" |
060ca767 |
44 | .br |
45 | .BI "generate " tag |
46 | .br |
47 | .B "update" |
48 | .br |
c77687d5 |
49 | .B "newmaster" |
060ca767 |
50 | .br |
c77687d5 |
51 | .B "rebuild" |
060ca767 |
52 | .br |
c77687d5 |
53 | .B "clean" |
060ca767 |
54 | .SH "DESCRIPTION" |
55 | The |
56 | .B tripe-keys |
57 | script implements a very simple, centralized key management system for |
58 | .BR tripe (8). |
59 | It assumes that there is a central authority who knows all the public |
60 | keys for a private network. |
61 | .SS "Overview" |
62 | The |
63 | .B tripe-keys |
64 | program maintains a |
65 | .I repository |
66 | of public keys. It provides a way for a master authority to publish the |
67 | repository and for clients to obtain authentic copies of it. |
68 | .PP |
69 | The repository is very simple: it consists of a directory |
70 | .B repos |
71 | full of public-key files, each named |
72 | .BI peer- tag .pub \fR. |
73 | .PP |
74 | The repository setup process creates a master signing key, stored in the |
75 | .B master |
76 | keyring, and a key describing the parameters to be used for generating |
77 | key-exchange keys, stored in |
78 | .BR repos/param . |
79 | .PP |
80 | The master authority has a configuration file |
81 | .BR tripe-keys.master , |
82 | usually created by copying the template provided and editing it. |
83 | .PP |
84 | The published repository consists of a tarball of the |
85 | .B repos |
86 | directory, containing the key-generation parameters and all the peers' |
87 | public keys, and a client configuration file |
88 | .BR tripe-keys.conf . |
89 | The tarball is signed by the master authority's signing key. |
90 | .PP |
91 | The client configuration file is essentially a copy of |
92 | .B tripe-keys.master |
93 | with some extra bits filled in: in particular, it contains the |
94 | fingerprint of the master signing key, so that the client can be sure |
95 | it's checking the right key. |
96 | .PP |
97 | A peer starts by downloading a copy of |
98 | .B tripe-keys.conf |
99 | and then making sure it's authentic. (This is one of the tricky bits. |
100 | The other is getting public keys back to the master authority.) This is |
101 | enough for the peer to fetch a copy of the repository, verify the |
102 | signature, and assemble a public keyring for the other peers in the |
103 | network. |
104 | .PP |
105 | In fact, it's not |
106 | .I quite |
107 | that simple. The system allows new signing keys to replace old ones, so |
108 | in fact the publication process signs the repository archive using a |
109 | collection of keys. Each signing key is given a sequence number. The |
110 | client configuration file contains the sequence number of the master |
111 | signing key whose fingerprint it knows. During an update, the right |
112 | signature is fetched and checked; if there's a new master key, then the |
113 | .B tripe-keys.conf |
114 | in the new repository archive will have its sequence number and |
115 | fingerprint: the update process will replace its configuration file with |
116 | the new version, and the peer will use the new key from then on. |
117 | .SS "Options" |
118 | The |
119 | .B tripe-keys |
120 | program accepts some standard command-line options: |
121 | .TP |
122 | .B "\-h, \-\-help" |
123 | Print general help about |
124 | .B tripe-keys |
125 | to standard output and exit successfully. |
126 | .TP |
127 | .B "\-v, \-\-version" |
128 | Print the version number of |
129 | .B tripe-keys |
130 | to standard output and exit successfully. |
131 | .TP |
132 | .B "\-u, \-\-usage" |
133 | Print brief usage about |
134 | .B tripe-keys |
135 | to standard output and exit successfully. |
136 | .SS "Subcommands" |
137 | .TP |
c77687d5 |
138 | .BI "help \fR[" command \fR] |
060ca767 |
139 | With no arguments, shows help, as for the |
140 | .B \-\-help |
141 | option. With an argument, shows help about that |
142 | .IR command . |
143 | .TP |
144 | .B "setup" |
145 | Constructs a new repository and makes a signing key (as for |
146 | .BR newmaster ) |
147 | and key-exchange parameters. Fails if |
148 | .B repos |
149 | already exists. |
150 | .TP |
151 | .B "upload" |
152 | Build a repository archive, sign it with the active signing keys, and |
153 | make a |
154 | .B tripe-keys.conf |
155 | file. Copy the results to the places named by |
156 | .IR repos-file , |
157 | .IR sig-file , |
158 | and |
159 | .I conf-file |
160 | respectively. (This command is currently misnamed. It only copies |
161 | stuff about the local filesystem. Some day it'll really upload stuff.) |
162 | .TP |
163 | .BI "generate " tag |
164 | Generate a peer key for the peer named |
165 | .IR tag . |
166 | The private key ends up in |
167 | .BR keyring ; |
168 | the public key is written to |
169 | .BI peer- tag .pub |
170 | in the |
171 | .I current |
172 | directory. |
173 | .TP |
174 | .B update |
175 | Fetches a new copy of the repository archive and its signature. It |
176 | unpacks the archive in a temporary directory, and checks the enclosed |
177 | master public key against the fingerprint in the configuration file. It |
178 | then verifies the signature on the archive using this public key. If |
179 | all is well, it replaces the current |
180 | .B repos |
181 | directory with the version in the new archive, and if necessary it |
182 | replaces the current configuration file with the new one in the |
183 | archive. It then does a |
184 | .B rebuild |
185 | to construct a new |
186 | .B keyring.pub |
187 | file. |
188 | .TP |
189 | .B newmaster |
190 | Generates a new master signing key. The old master key is not deleted. |
191 | .TP |
192 | .B rebuild |
193 | Rebuilds the public keyring |
194 | .B keyring.pub |
195 | from the public keys in the |
196 | .B repos |
197 | directory. |
198 | .TP |
199 | .B clean |
200 | Deletes everything which |
201 | .B tripe-keys |
202 | might have written to a directory. In particular, it deletes |
203 | .BR repos , |
204 | .BR tmp , |
205 | .BR master , |
206 | .BR keyring , |
207 | .BR keying.pub , |
208 | and their associated |
209 | .B .old |
210 | files. |
211 | .SH "SEE ALSO" |
212 | .BR key (1), |
213 | .BR tripe\-keys.conf (5), |
214 | .BR tripe (8). |
215 | .SH "AUTHOR" |
216 | Mark Wooding, <mdw@distorted.org.uk> |