/mandos/release : revision 24.1.73

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugins.d/password-prompt.xml

Committer: Björn Påhlsson
Date: 2008-08-29 09:32:06 UTC
mfrom: (114 mandos)
mto: (237.7.1 mandos) (24.1.154 mandos)
mto: This revision was merged to the branch mainline in revision 132.
Revision ID: belorn@braxen-20080829093206-12p8xfyduzkpf618

merge

files modified:
TODO

mandos-clients.conf.xml

mandos-keygen.xml

mandos.conf.xml

mandos.xml

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/password-request.xml

Show diffs side-by-side

added added

removed removed

plugins.d/password-prompt.xml

<?xml version='1.0' encoding='UTF-8'?>

<?xml-stylesheet type="text/xsl"

href="http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl"?>

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "password-prompt">

<!ENTITY TIMESTAMP "2008-08-29">

<title>&COMMANDNAME;</title>

<productname>&COMMANDNAME;</productname>

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

</authorgroup>

<holder>Teddy Hogeborn & Björn Påhlsson</holder>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

</para>

</legalnotice>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

<refname><command>&COMMANDNAME;</command></refname>

Passprompt for luks during boot sequence

</refpurpose>

<refpurpose>Prompt for a password and output it.</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<arg choice='opt'>--prefix<arg choice='plain'>PREFIX</arg></arg>

<arg choice='opt'>--debug</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg choice='plain'>--usage</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg choice='plain'>--version</arg>

<arg choice="plain"><option>-p <replaceable

>PREFIX</replaceable></option></arg>

<arg choice="plain"><option>--prefix </option><replaceable

>PREFIX</replaceable></arg>

</group>

<arg choice="opt"><option>--debug</option></arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

</group>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--usage</option></arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--version</option></arg>

</group>

100

</cmdsynopsis>

101

</refsynopsisdiv>

102

103

104

<title>DESCRIPTION</title>

105

<para>

<command>&COMMANDNAME;</command> is a terminal program that ask for

passwords during boot sequence. It is a plugin to

<firstterm>mandos</firstterm>, and is used as a fallback and

alternative to retriving passwords from a mandos server. During

100

boot sequence the user is prompted for the disk password, and

101

when a password is given it then gets forwarded to

102

<acronym>LUKS</acronym>.

106

All <command>&COMMANDNAME;</command> does is prompt for a

107

password and output any given password to standard output. This

108

is not very useful on its own. This program is really meant to

109

run as a plugin in the <application>Mandos</application>

110

client-side system, where it is used as a fallback and

111

alternative to retriving passwords from a <application

112

>Mandos</application> server.

113

</para>

114

<para>

115

This program is little more than a <citerefentry><refentrytitle

116

>getpass</refentrytitle><manvolnum>3</manvolnum></citerefentry>

117

wrapper, although actual use of that function is not guaranteed

118

or implied.

103

119

</para>

104

120

</refsect1>

105

121

106

122

107

123

<title>OPTIONS</title>

108

124

<para>

109

Commonly not invoked as command lines but from configuration

110

file of plugin runner.

125

This program is commonly not invoked from the command line; it

126

is normally started by the <application>Mandos</application>

127

plugin runner, see <citerefentry><refentrytitle

128

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

129

</citerefentry>. Any command line options this program accepts

130

are therefore normally provided by the plugin runner, and not

131

directly.

111

132

</para>

112

133

113

134

114

135

115

<term><literal>-p</literal>, <literal>--prefix=<replaceable>PREFIX

116

</replaceable></literal></term>

117

118

<para>

119

Prefix used before the passprompt

120

</para>

121

</listitem>

122

</varlistentry>

123

124

125

<term><literal>--debug</literal></term>

126

127

<para>

128

Debug mode

129

</para>

130

</listitem>

131

</varlistentry>

132

133

134

135

136

<para>

137

Gives a help message

138

</para>

139

</listitem>

140

</varlistentry>

141

142

143

<term><literal>--usage</literal></term>

144

145

<para>

146

Gives a short usage message

147

</para>

148

</listitem>

149

</varlistentry>

150

151

152

<term><literal>-V</literal>, <literal>--version</literal></term>

153

154

<para>

155

Prints the program version

136

<term><option>-p</option> <replaceable>PREFIX</replaceable

137

></term>

138

<term><option>--prefix=</option><replaceable

139

>PREFIX</replaceable></term>

140

141

<para>

142

Prefix string shown before the password prompt.

143

</para>

144

</listitem>

145

</varlistentry>

146

147

148

<term><option>--debug</option></term>

149

150

<para>

151

Enable debug mode. This will enable a lot of output to

152

standard error about what the program is doing. The

153

program will still perform all other functions normally.

154

</para>

155

</listitem>

156

</varlistentry>

157

158

159

160

161

162

<para>

163

Gives a help message about options and their meanings.

164

</para>

165

</listitem>

166

</varlistentry>

167

168

169

<term><option>--usage</option></term>

170

171

<para>

172

Gives a short usage message.

173

</para>

174

</listitem>

175

</varlistentry>

176

177

178

179

<term><option>--version</option></term>

180

181

<para>

182

Prints the program version.

156

183

</para>

157

184

</listitem>

158

185

</varlistentry>

159

186

</variablelist>

160

187

</refsect1>

161

188

162

189

163

190

<title>EXIT STATUS</title>

164

191

<para>

192

If exit status is 0, the output from the program is the password

193

as it was read. Otherwise, if exit status is other than 0, the

194

program has encountered an error, and any output so far could be

195

corrupt and/or truncated, and should therefore be ignored.

165

196

</para>

166

197

</refsect1>

167

198

168

199

169

200

<title>ENVIRONMENT</title>

170

<para>

171

</para>

172

</refsect1>

173

174

175

<title>FILES</title>

176

<para>

177

</para>

201

202

203

<term><envar>cryptsource</envar></term>

204

<term><envar>crypttarget</envar></term>

205

206

<para>

207

If set, these environment variables will be assumed to

208

contain the source device name and the target device

209

mapper name, respectively, and will be shown as part of

210

the prompt.

211

</para>

212

<para>

213

These variables will normally be inherited from

214

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

215

<manvolnum>8mandos</manvolnum></citerefentry>, which will

216

normally have inherited them from

217

<filename>/scripts/local-top/cryptroot</filename> in the

218

initial RAM disk environment, which will have set them from

219

parsing kernel arguments and

220

<filename>/conf/conf.d/cryptroot</filename> (also in the

221

initial RAM disk environment), which in turn will have been

222

created when the initial RAM disk image was created by

223

<filename

224

>/usr/share/initramfs-tools/hooks/cryptroot</filename>, by

225

extracting the information of the root file system from

226

<filename >/etc/crypttab</filename>.

227

</para>

228

<para>

229

This behavior is meant to exactly mirror the behavior of

230

<command>askpass</command>, the default password prompter.

231

</para>

232

</listitem>

233

</varlistentry>

234

</variablelist>

178

235

</refsect1>

179

236

180

237

181

238

182

239

<para>

240

None are known at this time.

183

241

</para>

184

242

</refsect1>

185

243

186

244

187

245

<title>EXAMPLE</title>

188

246

<para>

247

Note that normally, command line options will not be given

248

directly, but via options for the Mandos <citerefentry

249

><refentrytitle>plugin-runner</refentrytitle>

250

<manvolnum>8mandos</manvolnum></citerefentry>.

189

251

</para>

252

253

<para>

254

Normal invocation needs no options:

255

</para>

256

<para>

257

<userinput>&COMMANDNAME;</userinput>

258

</para>

259

</informalexample>

260

261

<para>

262

Show a prefix before the prompt; in this case, a host name.

263

It might be useful to be reminded of which host needs a

264

password, in case of KVM switches, etc.

265

</para>

266

<para>

267

268

269

<userinput>&COMMANDNAME; --prefix=host.example.org:</userinput>

270

271

</para>

272

</informalexample>

273

274

<para>

275

Run in debug mode.

276

</para>

277

<para>

278

279

<userinput>&COMMANDNAME; --debug</userinput>

280

</para>

281

</informalexample>

190

282

</refsect1>

191

283

192

284

193

285

<title>SECURITY</title>

194

286

<para>

287

On its own, this program is very simple, and does not exactly

288

present any security risks. The one thing that could be

289

considered worthy of note is this: This program is meant to be

290

run by <citerefentry><refentrytitle

291

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

292

</citerefentry>, and will, when run standalone, outside, in a

293

normal environment, immediately output on its standard output

294

any presumably secret password it just recieved. Therefore,

295

when running this program standalone (which should never

296

normally be done), take care not to type in any real secret

297

password by force of habit, since it would then immediately be

298

shown as output.

299

</para>

300

<para>

301

To further alleviate any risk of being locked out of a system,

302

the <citerefentry><refentrytitle>plugin-runner</refentrytitle>

303

<manvolnum>8mandos</manvolnum></citerefentry> has a fallback

304

mode which does the same thing as this program, only with less

305

features.

195

306

</para>

196

307

</refsect1>

197

308

198

309

199

310

200

311

<para>

201

<citerefentry><refentrytitle>mandos</refentrytitle>

202

203

<refentrytitle>plugin-runner</refentrytitle>

204

<manvolnum>8mandos</manvolnum></citerefentry> and <citerefentry>

205

<refentrytitle>password-request</refentrytitle>

312

<citerefentry><refentrytitle>crypttab</refentrytitle>

313

314

<citerefentry><refentrytitle>password-request</refentrytitle>

206

315

<manvolnum>8mandos</manvolnum></citerefentry>

316

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

317

<manvolnum>8mandos</manvolnum></citerefentry>,

207

318

</para>

208

</refsect1>

209

319

</refsect1>

210

320

</refentry>

321

322

323

324

325

Older »