67
68
<refname><command>&COMMANDNAME;</command></refname>
69
Passprompt for luks during boot sequence
69
<refpurpose>Prompt for a password and output it.</refpurpose>
75
74
<command>&COMMANDNAME;</command>
76
<arg choice='opt'>--prefix<arg choice='plain'>PREFIX</arg></arg>
77
<arg choice='opt'>--debug</arg>
80
<command>&COMMANDNAME;</command>
81
<arg choice='plain'>--help</arg>
84
<command>&COMMANDNAME;</command>
85
<arg choice='plain'>--usage</arg>
88
<command>&COMMANDNAME;</command>
89
<arg choice='plain'>--version</arg>
76
<arg choice="plain"><option>--prefix <replaceable
77
>PREFIX</replaceable></option></arg>
78
<arg choice="plain"><option>-p </option><replaceable
79
>PREFIX</replaceable></arg>
82
<arg choice="opt"><option>--debug</option></arg>
85
<command>&COMMANDNAME;</command>
87
<arg choice="plain"><option>--help</option></arg>
88
<arg choice="plain"><option>-?</option></arg>
92
<command>&COMMANDNAME;</command>
93
<arg choice="plain"><option>--usage</option></arg>
96
<command>&COMMANDNAME;</command>
98
<arg choice="plain"><option>--version</option></arg>
99
<arg choice="plain"><option>-V</option></arg>
93
104
<refsect1 id="description">
94
105
<title>DESCRIPTION</title>
96
<command>&COMMANDNAME;</command> is a terminal program that ask for
97
passwords during boot sequence. It is a plugin to
98
<firstterm>mandos</firstterm>, and is used as a fallback and
99
alternative to retriving passwords from a mandos server. During
100
boot sequence the user is prompted for the disk password, and
101
when a password is given it then gets forwarded to
102
<acronym>LUKS</acronym>.
107
All <command>&COMMANDNAME;</command> does is prompt for a
108
password and output any given password to standard output. This
109
is not very useful on its own. This program is really meant to
110
run as a plugin in the <application>Mandos</application>
111
client-side system, where it is used as a fallback and
112
alternative to retriving passwords from a <application
113
>Mandos</application> server.
116
This program is little more than a <citerefentry><refentrytitle
117
>getpass</refentrytitle><manvolnum>3</manvolnum></citerefentry>
118
wrapper, although actual use of that function is not guaranteed
106
123
<refsect1 id="options">
107
124
<title>OPTIONS</title>
109
Commonly not invoked as command lines but from configuration
110
file of plugin runner.
126
This program is commonly not invoked from the command line; it
127
is normally started by the <application>Mandos</application>
128
plugin runner, see <citerefentry><refentrytitle
129
>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>
130
</citerefentry>. Any command line options this program accepts
131
are therefore normally provided by the plugin runner, and not
115
<term><literal>-p</literal>, <literal>--prefix=<replaceable>PREFIX
116
</replaceable></literal></term>
119
Prefix used before the passprompt
125
<term><literal>--debug</literal></term>
134
<term><literal>-?</literal>, <literal>--help</literal></term>
143
<term><literal>--usage</literal></term>
146
Gives a short usage message
152
<term><literal>-V</literal>, <literal>--version</literal></term>
155
Prints the program version
137
<term><option>--prefix=<replaceable
138
>PREFIX</replaceable></option></term>
140
<replaceable>PREFIX</replaceable></option></term>
143
Prefix string shown before the password prompt.
149
<term><option>--debug</option></term>
152
Enable debug mode. This will enable a lot of output to
153
standard error about what the program is doing. The
154
program will still perform all other functions normally.
160
<term><option>--help</option></term>
161
<term><option>-?</option></term>
164
Gives a help message about options and their meanings.
170
<term><option>--usage</option></term>
173
Gives a short usage message.
179
<term><option>--version</option></term>
180
<term><option>-V</option></term>
183
Prints the program version.
162
190
<refsect1 id="exit_status">
163
191
<title>EXIT STATUS</title>
193
If exit status is 0, the output from the program is the password
194
as it was read. Otherwise, if exit status is other than 0, the
195
program has encountered an error, and any output so far could be
196
corrupt and/or truncated, and should therefore be ignored.
168
<refsect1 id="notes">
200
<refsect1 id="environment">
201
<title>ENVIRONMENT</title>
204
<term><envar>cryptsource</envar></term>
205
<term><envar>crypttarget</envar></term>
208
If set, these environment variables will be assumed to
209
contain the source device name and the target device
210
mapper name, respectively, and will be shown as part of
214
These variables will normally be inherited from
215
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
216
<manvolnum>8mandos</manvolnum></citerefentry>, which will
217
normally have inherited them from
218
<filename>/scripts/local-top/cryptroot</filename> in the
219
initial RAM disk environment, which will have set them from
220
parsing kernel arguments and
221
<filename>/conf/conf.d/cryptroot</filename> (also in the
222
initial RAM disk environment), which in turn will have been
223
created when the initial RAM disk image was created by
225
>/usr/share/initramfs-tools/hooks/cryptroot</filename>, by
226
extracting the information of the root file system from
227
<filename >/etc/crypttab</filename>.
230
This behavior is meant to exactly mirror the behavior of
231
<command>askpass</command>, the default password prompter.
174
238
<refsect1 id="bugs">
175
239
<title>BUGS</title>
241
None are known at this time.
180
<refsect1 id="examples">
181
<title>EXAMPLES</title>
245
<refsect1 id="example">
246
<title>EXAMPLE</title>
248
Note that normally, command line options will not be given
249
directly, but via options for the Mandos <citerefentry
250
><refentrytitle>plugin-runner</refentrytitle>
251
<manvolnum>8mandos</manvolnum></citerefentry>.
255
Normal invocation needs no options:
258
<userinput>&COMMANDNAME;</userinput>
263
Show a prefix before the prompt; in this case, a host name.
264
It might be useful to be reminded of which host needs a
265
password, in case of KVM switches, etc.
269
<!-- do not wrap this line -->
270
<userinput>&COMMANDNAME; --prefix=host.example.org:</userinput>
279
<!-- do not wrap this line -->
280
<userinput>&COMMANDNAME; --debug</userinput>
186
285
<refsect1 id="security">
187
286
<title>SECURITY</title>
288
On its own, this program is very simple, and does not exactly
289
present any security risks. The one thing that could be
290
considered worthy of note is this: This program is meant to be
291
run by <citerefentry><refentrytitle
292
>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>
293
</citerefentry>, and will, when run standalone, outside, in a
294
normal environment, immediately output on its standard output
295
any presumably secret password it just recieved. Therefore,
296
when running this program standalone (which should never
297
normally be done), take care not to type in any real secret
298
password by force of habit, since it would then immediately be
302
To further alleviate any risk of being locked out of a system,
303
the <citerefentry><refentrytitle>plugin-runner</refentrytitle>
304
<manvolnum>8mandos</manvolnum></citerefentry> has a fallback
305
mode which does the same thing as this program, only with less
192
310
<refsect1 id="see_also">
193
311
<title>SEE ALSO</title>
195
<citerefentry><refentrytitle>mandos</refentrytitle>
196
<manvolnum>8</manvolnum></citerefentry>, <citerefentry>
197
<refentrytitle>plugin-runner</refentrytitle>
198
<manvolnum>8mandos</manvolnum></citerefentry> and <citerefentry>
199
<refentrytitle>password-request</refentrytitle>
313
<citerefentry><refentrytitle>crypttab</refentrytitle>
314
<manvolnum>5</manvolnum></citerefentry>
315
<citerefentry><refentrytitle>password-request</refentrytitle>
200
316
<manvolnum>8mandos</manvolnum></citerefentry>
317
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
318
<manvolnum>8mandos</manvolnum></citerefentry>,
322
<!-- Local Variables: -->
323
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
324
<!-- time-stamp-end: "[\"']>" -->
325
<!-- time-stamp-format: "%:y-%02m-%02d" -->