67
49
<refname><command>&COMMANDNAME;</command></refname>
69
Passprompt for luks during boot sequence
50
<refpurpose>Prompt for a password and output it.</refpurpose>
75
55
<command>&COMMANDNAME;</command>
76
<arg choice='opt' rep='repeat'>OPTION</arg>
57
<arg choice="plain"><option>--prefix <replaceable
58
>PREFIX</replaceable></option></arg>
59
<arg choice="plain"><option>-p </option><replaceable
60
>PREFIX</replaceable></arg>
63
<arg choice="opt"><option>--debug</option></arg>
66
<command>&COMMANDNAME;</command>
68
<arg choice="plain"><option>--help</option></arg>
69
<arg choice="plain"><option>-?</option></arg>
73
<command>&COMMANDNAME;</command>
74
<arg choice="plain"><option>--usage</option></arg>
77
<command>&COMMANDNAME;</command>
79
<arg choice="plain"><option>--version</option></arg>
80
<arg choice="plain"><option>-V</option></arg>
80
85
<refsect1 id="description">
81
86
<title>DESCRIPTION</title>
83
<command>&COMMANDNAME;</command> is a terminal program that ask for
84
passwords during boot sequence. It is a plugin to
85
<firstterm>mandos</firstterm>, and is used as a fallback and
86
alternative to retriving passwords from a mandos server. During
87
boot sequence the user is prompted for the disk password, and
88
when a password is given it then gets forwarded to
89
<acronym>LUKS</acronym>.
94
<term><literal>-p</literal>, <literal>--prefix=<replaceable>PREFIX
95
</replaceable></literal></term>
98
Prefix used before the passprompt
104
<term><literal>--debug</literal></term>
113
<term><literal>-?</literal>, <literal>--help</literal></term>
122
<term><literal>--usage</literal></term>
125
Gives a short usage message
131
<term><literal>-V</literal>, <literal>--version</literal></term>
134
Prints the program version
88
All <command>&COMMANDNAME;</command> does is prompt for a
89
password and output any given password to standard output.
92
This program is not very useful on its own. This program is
93
really meant to run as a plugin in the <application
94
>Mandos</application> client-side system, where it is used as a
95
fallback and alternative to retrieving passwords from a
96
<application >Mandos</application> server.
99
This program is little more than a <citerefentry><refentrytitle
100
>getpass</refentrytitle><manvolnum>3</manvolnum></citerefentry>
101
wrapper, although actual use of that function is not guaranteed
106
<refsect1 id="options">
107
<title>OPTIONS</title>
109
This program is commonly not invoked from the command line; it
110
is normally started by the <application>Mandos</application>
111
plugin runner, see <citerefentry><refentrytitle
112
>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>
113
</citerefentry>. Any command line options this program accepts
114
are therefore normally provided by the plugin runner, and not
120
<term><option>--prefix=<replaceable
121
>PREFIX</replaceable></option></term>
123
<replaceable>PREFIX</replaceable></option></term>
126
Prefix string shown before the password prompt.
132
<term><option>--debug</option></term>
135
Enable debug mode. This will enable a lot of output to
136
standard error about what the program is doing. The
137
program will still perform all other functions normally.
143
<term><option>--help</option></term>
144
<term><option>-?</option></term>
147
Gives a help message about options and their meanings.
153
<term><option>--usage</option></term>
156
Gives a short usage message.
162
<term><option>--version</option></term>
163
<term><option>-V</option></term>
166
Prints the program version.
173
<refsect1 id="exit_status">
174
<title>EXIT STATUS</title>
176
If exit status is 0, the output from the program is the password
177
as it was read. Otherwise, if exit status is other than 0, the
178
program has encountered an error, and any output so far could be
179
corrupt and/or truncated, and should therefore be ignored.
183
<refsect1 id="environment">
184
<title>ENVIRONMENT</title>
187
<term><envar>CRYPTTAB_SOURCE</envar></term>
188
<term><envar>CRYPTTAB_NAME</envar></term>
191
If set, these environment variables will be assumed to
192
contain the source device name and the target device
193
mapper name, respectively, and will be shown as part of
197
These variables will normally be inherited from
198
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
199
<manvolnum>8mandos</manvolnum></citerefentry>, which will
200
normally have inherited them from
201
<filename>/scripts/local-top/cryptroot</filename> in the
202
initial <acronym>RAM</acronym> disk environment, which will
203
have set them from parsing kernel arguments and
204
<filename>/conf/conf.d/cryptroot</filename> (also in the
205
initial RAM disk environment), which in turn will have been
206
created when the initial RAM disk image was created by
208
>/usr/share/initramfs-tools/hooks/cryptroot</filename>, by
209
extracting the information of the root file system from
210
<filename >/etc/crypttab</filename>.
213
This behavior is meant to exactly mirror the behavior of
214
<command>askpass</command>, the default password prompter.
224
None are known at this time.
228
<refsect1 id="example">
229
<title>EXAMPLE</title>
231
Note that normally, command line options will not be given
232
directly, but via options for the Mandos <citerefentry
233
><refentrytitle>plugin-runner</refentrytitle>
234
<manvolnum>8mandos</manvolnum></citerefentry>.
238
Normal invocation needs no options:
241
<userinput>&COMMANDNAME;</userinput>
246
Show a prefix before the prompt; in this case, a host name.
247
It might be useful to be reminded of which host needs a
248
password, in case of <acronym>KVM</acronym> switches, etc.
252
<!-- do not wrap this line -->
253
<userinput>&COMMANDNAME; --prefix=host.example.org:</userinput>
262
<!-- do not wrap this line -->
263
<userinput>&COMMANDNAME; --debug</userinput>
268
<refsect1 id="security">
269
<title>SECURITY</title>
271
On its own, this program is very simple, and does not exactly
272
present any security risks. The one thing that could be
273
considered worthy of note is this: This program is meant to be
274
run by <citerefentry><refentrytitle
275
>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>
276
</citerefentry>, and will, when run standalone, outside, in a
277
normal environment, immediately output on its standard output
278
any presumably secret password it just received. Therefore,
279
when running this program standalone (which should never
280
normally be done), take care not to type in any real secret
281
password by force of habit, since it would then immediately be
285
To further alleviate any risk of being locked out of a system,
286
the <citerefentry><refentrytitle>plugin-runner</refentrytitle>
287
<manvolnum>8mandos</manvolnum></citerefentry> has a fallback
288
mode which does the same thing as this program, only with less
293
<refsect1 id="see_also">
294
<title>SEE ALSO</title>
296
<citerefentry><refentrytitle>intro</refentrytitle>
297
<manvolnum>8mandos</manvolnum></citerefentry>
298
<citerefentry><refentrytitle>crypttab</refentrytitle>
299
<manvolnum>5</manvolnum></citerefentry>
300
<citerefentry><refentrytitle>mandos-client</refentrytitle>
301
<manvolnum>8mandos</manvolnum></citerefentry>
302
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
303
<manvolnum>8mandos</manvolnum></citerefentry>,
307
<!-- Local Variables: -->
308
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
309
<!-- time-stamp-end: "[\"']>" -->
310
<!-- time-stamp-format: "%:y-%02m-%02d" -->