/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY VERSION "1.0">
<!ENTITY COMMANDNAME "password-prompt">
<!ENTITY TIMESTAMP "2008-08-30">
]>

<refentry>
  <refentryinfo>
    <title>Mandos Manual</title>
    <!-- NWalsh’s docbook scripts use this to generate the footer: -->
    <productname>Mandos</productname>
    <productnumber>&VERSION;</productnumber>
    <date>&TIMESTAMP;</date>
    <authorgroup>
      <author>
	<firstname>Björn</firstname>
	<surname>Påhlsson</surname>
	<address>
	  <email>belorn@fukt.bsnet.se</email>
	</address>
      </author>
      <author>
	<firstname>Teddy</firstname>
	<surname>Hogeborn</surname>
	<address>
	  <email>teddy@fukt.bsnet.se</email>
	</address>
      </author>
    </authorgroup>
    <copyright>
      <year>2008</year>
      <holder>Teddy Hogeborn</holder>
      <holder>Björn Påhlsson</holder>
    </copyright>
    <legalnotice>
      <para>
	This manual page is free software: you can redistribute it
	and/or modify it under the terms of the GNU General Public
	License as published by the Free Software Foundation,
	either version 3 of the License, or (at your option) any
	later version.
      </para>
      
      <para>
	This manual page is distributed in the hope that it will
	be useful, but WITHOUT ANY WARRANTY; without even the
	implied warranty of MERCHANTABILITY or FITNESS FOR A
	PARTICULAR PURPOSE.  See the GNU General Public License
	for more details.
      </para>
      
      <para>
	You should have received a copy of the GNU General Public
	License along with this program; If not, see
	<ulink url="http://www.gnu.org/licenses/"/>.
      </para>
    </legalnotice>
  </refentryinfo>
  
  <refmeta>
    <refentrytitle>&COMMANDNAME;</refentrytitle>
    <manvolnum>8mandos</manvolnum>
  </refmeta>
  
  <refnamediv>
    <refname><command>&COMMANDNAME;</command></refname>
    <refpurpose>Prompt for a password and output it.</refpurpose>
  </refnamediv>
  
  <refsynopsisdiv>
    <cmdsynopsis>
      <command>&COMMANDNAME;</command>
      <group choice="opt">
	<arg choice="plain"><option>-p <replaceable
	>PREFIX</replaceable></option></arg>
	<arg choice="plain"><option>--prefix </option><replaceable
	>PREFIX</replaceable></arg>
      </group>
      <arg choice="opt"><option>--debug</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>&COMMANDNAME;</command>
      <group choice="req">
	<arg choice="plain"><option>-?</option></arg>
	<arg choice="plain"><option>--help</option></arg>
      </group>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>&COMMANDNAME;</command>
      <arg choice="plain"><option>--usage</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>&COMMANDNAME;</command>
      <group choice="req">
	<arg choice="plain"><option>-V</option></arg>
	<arg choice="plain"><option>--version</option></arg>
      </group>
    </cmdsynopsis>
  </refsynopsisdiv>
  
  <refsect1 id="description">
    <title>DESCRIPTION</title>
    <para>
      All <command>&COMMANDNAME;</command> does is prompt for a
      password and output any given password to standard output.  This
      is not very useful on its own.  This program is really meant to
      run as a plugin in the <application>Mandos</application>
      client-side system, where it is used as a fallback and
      alternative to retriving passwords from a <application
      >Mandos</application> server.
    </para>
    <para>
      This program is little more than a <citerefentry><refentrytitle
      >getpass</refentrytitle><manvolnum>3</manvolnum></citerefentry>
      wrapper, although actual use of that function is not guaranteed
      or implied.
    </para>
  </refsect1>
  
  <refsect1 id="options">
    <title>OPTIONS</title>
    <para>
      This program is commonly not invoked from the command line; it
      is normally started by the <application>Mandos</application>
      plugin runner, see <citerefentry><refentrytitle
      >plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>
      </citerefentry>.  Any command line options this program accepts
      are therefore normally provided by the plugin runner, and not
      directly.
    </para>
    
    <variablelist>
      <varlistentry>
	<term><option>-p</option> <replaceable>PREFIX</replaceable
	></term>
	<term><option>--prefix=</option><replaceable
	>PREFIX</replaceable></term>
	<listitem>
	  <para>
	    Prefix string shown before the password prompt.
	  </para>
	</listitem>
      </varlistentry>
      
      <varlistentry>
	<term><option>--debug</option></term>
	<listitem>
	  <para>
	    Enable debug mode.  This will enable a lot of output to
	    standard error about what the program is doing.  The
	    program will still perform all other functions normally.
	  </para>
	</listitem>
      </varlistentry>
      
      <varlistentry>
	<term><option>-?</option></term>
	<term><option>--help</option></term>
	<listitem>
	  <para>
	    Gives a help message about options and their meanings.
	  </para>
	</listitem>
      </varlistentry>
      
      <varlistentry>
	<term><option>--usage</option></term>
	<listitem>
	  <para>
	    Gives a short usage message.
	  </para>
	</listitem>
      </varlistentry>
      
      <varlistentry>
	<term><option>-V</option></term>
	<term><option>--version</option></term>
	<listitem>
	  <para>
	    Prints the program version.
	  </para>
	</listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  
  <refsect1 id="exit_status">
    <title>EXIT STATUS</title>
    <para>
      If exit status is 0, the output from the program is the password
      as it was read.  Otherwise, if exit status is other than 0, the
      program has encountered an error, and any output so far could be
      corrupt and/or truncated, and should therefore be ignored.
    </para>
  </refsect1>
  
  <refsect1 id="environment">
    <title>ENVIRONMENT</title>
    <variablelist>
      <varlistentry>
	<term><envar>cryptsource</envar></term>
	<term><envar>crypttarget</envar></term>
	<listitem>
	  <para>
	    If set, these environment variables will be assumed to
	    contain the source device name and the target device
	    mapper name, respectively, and will be shown as part of
	    the prompt.
	</para>
	<para>
	  These variables will normally be inherited from
	  <citerefentry><refentrytitle>plugin-runner</refentrytitle>
	  <manvolnum>8mandos</manvolnum></citerefentry>, which will
	  normally have inherited them from
	  <filename>/scripts/local-top/cryptroot</filename> in the
	  initial RAM disk environment, which will have set them from
	  parsing kernel arguments and
	  <filename>/conf/conf.d/cryptroot</filename> (also in the
	  initial RAM disk environment), which in turn will have been
	  created when the initial RAM disk image was created by
	  <filename
	  >/usr/share/initramfs-tools/hooks/cryptroot</filename>, by
	  extracting the information of the root file system from
	  <filename >/etc/crypttab</filename>.
	</para>
	<para>
	  This behavior is meant to exactly mirror the behavior of
	  <command>askpass</command>, the default password prompter.
	</para>
	</listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  
  <refsect1 id="bugs">
    <title>BUGS</title>
    <para>
      None are known at this time.
    </para>
  </refsect1>
  
  <refsect1 id="example">
    <title>EXAMPLE</title>
    <para>
      Note that normally, command line options will not be given
      directly, but via options for the Mandos <citerefentry
      ><refentrytitle>plugin-runner</refentrytitle>
      <manvolnum>8mandos</manvolnum></citerefentry>.
    </para>
    <informalexample>
      <para>
	Normal invocation needs no options:
      </para>
      <para>
	<userinput>&COMMANDNAME;</userinput>
      </para>
    </informalexample>
    <informalexample>
      <para>
	Show a prefix before the prompt; in this case, a host name.
	It might be useful to be reminded of which host needs a
	password, in case of KVM switches, etc.
      </para>
      <para>

<!-- do not wrap this line -->
<userinput>&COMMANDNAME; --prefix=host.example.org:</userinput>

      </para>
    </informalexample>
    <informalexample>
      <para>
	Run in debug mode.
      </para>
      <para>
	<!-- do not wrap this line -->
	<userinput>&COMMANDNAME; --debug</userinput>
      </para>
    </informalexample>
  </refsect1>
  
  <refsect1 id="security">
    <title>SECURITY</title>
    <para>
      On its own, this program is very simple, and does not exactly
      present any security risks.  The one thing that could be
      considered worthy of note is this: This program is meant to be
      run by <citerefentry><refentrytitle
      >plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>
      </citerefentry>, and will, when run standalone, outside, in a
      normal environment, immediately output on its standard output
      any presumably secret password it just recieved.  Therefore,
      when running this program standalone (which should never
      normally be done), take care not to type in any real secret
      password by force of habit, since it would then immediately be
      shown as output.
    </para>
    <para>
      To further alleviate any risk of being locked out of a system,
      the <citerefentry><refentrytitle>plugin-runner</refentrytitle>
      <manvolnum>8mandos</manvolnum></citerefentry> has a fallback
      mode which does the same thing as this program, only with less
      features.
    </para>
  </refsect1>
  
  <refsect1 id="see_also">
    <title>SEE ALSO</title>
    <para>
      <citerefentry><refentrytitle>crypttab</refentrytitle>
      <manvolnum>5</manvolnum></citerefentry>
      <citerefentry><refentrytitle>password-request</refentrytitle>
      <manvolnum>8mandos</manvolnum></citerefentry>
      <citerefentry><refentrytitle>plugin-runner</refentrytitle>
      <manvolnum>8mandos</manvolnum></citerefentry>,
    </para>
  </refsect1>
</refentry>
<!-- Local Variables: -->
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
<!-- time-stamp-end: "[\"']>" -->
<!-- time-stamp-format: "%:y-%02m-%02d" -->
<!-- End: -->