\input texinfo @c -*-texinfo-*-
@c
-@c $Id: become.texi,v 1.7 2003/11/29 23:39:16 mdw Exp $
+@c $Id: become.texi,v 1.9 2004/04/17 10:54:21 mdw Exp $
@c
@c Documentation for `become'
@c
@c (c) 1998 EBI
@c
-@c ----- Revision history ---------------------------------------------------
-@c
-@c $Log: become.texi,v $
-@c Revision 1.7 2003/11/29 23:39:16 mdw
-@c Debianization.
-@c
-@c Revision 1.6 2003/10/26 11:57:46 mdw
-@c Fix key reloading core dumps. Change advice on keys.
-@c
-@c Revision 1.5 2003/10/12 00:14:49 mdw
-@c Major overhaul. Now uses DSA signatures rather than the bogus symmetric
-@c encrypt-and-hope thing. Integrated with mLib and Catacomb.
-@c
-@c Revision 1.4 1998/04/23 13:16:14 mdw
-@c Include `texinice' to produce decent printed output. Add documentation
-@c for new `bcquery' program. Various fixes, including spelling mistakes,
-@c and some factual inaccuracies.
-@c
-@c Revision 1.3 1998/01/20 14:37:43 mdw
-@c Fix typo. Short form of `--preserve' should be `-e', not `-p'.
-@c
-@c Revision 1.2 1998/01/12 16:41:31 mdw
-@c Tidying for new release versions. Fix copyright date.
-@c
-@c Revision 1.1 1997/09/18 11:16:34 mdw
-@c Brand new Texinfo manual, with wider scope than the original LaTeX one.
-@c
-
@c ----- Standard boilerplate -----------------------------------------------
@c %**start of header
commands
@example
-key -k /etc/become/become.key add -adsa -e"now + 1 year" become-dsa
+key -k /etc/become/become.key add -adsa -e"now + 1 year" become
key -k /etc/become/become.key extract -f -secret /etc/become/become.pubkey
@end example
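Review bot: The `add` line now tags the key `become` instead of `become-dsa`, but nothing here tells an administrator who followed the earlier instructions what happens to a keyring that already holds a key tagged `become-dsa`. Suggest a sentence beside the example stating whether the old tag is still accepted, or whether the key has to be regenerated and `/etc/become/become.pubkey` extracted and distributed again.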
root. The private key should be only on the server, and readable or writable
only by root.
+You can also use elliptic-curve DSA. The key-generation runes are more
+complicated in this case. For example,
+
+@example
+key -k /etc/become/become.key add -aec -Cnist-p256 -e"now + 1 year" \
+ become sig=ecdsa hash=sha256
+@end example
+The @code{hash=sha256} is not required, but it's good to have a hash function
+as strong as your curve. See the manpage for @code{key} for more details
+about generating elliptic curve keys, and for the kinds of curves supported.
+
If you have multiple servers, they can all have different private keys.
You'll need to put all of the public keys in the
@file{/etc/become/become.pubkey} file.
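Review bot: The new paragraph says `hash=sha256` "is not required" but does not say which hash is used when it is left out, so a reader cannot judge the "as strong as your curve" advice for `-Cnist-p256`. Suggest naming the default here, or saying explicitly that the `key` manpage gives it. The elliptic-curve example also shows only the `add` step. A short line saying whether the `extract -f -secret` command from the DSA example is run unchanged afterwards would complete the procedure. As a style point, a blank line between `@end example` and "The @code{hash=sha256}" would match the blank line left before `@example`.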