/mandos/trunk : revision 101

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/password-prompt.xml

Committer: Teddy Hogeborn
Date: 2008-08-24 23:18:18 UTC
Revision ID: teddy@fukt.bsnet.se-20080824231818-4cgr5zekodg4s0dl

* initramfs-tools-hook: Added "--enable-dsa2" and "--trust-model
always" options to gpg.

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.config

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.config

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/sv.po

debian/rules

default-mandos

init.d-mandos

legalnotice.xml

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugins.d/password-prompt.xml

<?xml version="1.0" encoding="UTF-8"?>

<?xml version='1.0' encoding='UTF-8'?>

<?xml-stylesheet type="text/xsl"

href="http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "password-prompt">

<!ENTITY TIMESTAMP "2008-10-04">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<title>&COMMANDNAME;</title>

<productname>&COMMANDNAME;</productname>

<productnumber>&VERSION;</productnumber>

<firstname>Björn</firstname>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

<holder>Teddy Hogeborn & Björn Påhlsson</holder>

</copyright>

<xi:include href="../legalnotice.xml"/>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

<refname><command>&COMMANDNAME;</command></refname>

<refpurpose>Prompt for a password and output it.</refpurpose>

Passprompt for luks during boot sequence

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--prefix <replaceable

>PREFIX</replaceable></option></arg>

<arg choice="plain"><option>-p </option><replaceable

>PREFIX</replaceable></arg>

</group>

<sbr/>

<arg choice="opt"><option>--debug</option></arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

</group>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--usage</option></arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--version</option></arg>

</group>

</cmdsynopsis>

<arg choice='opt'>--prefix<arg choice='plain'>PREFIX</arg></arg>

<arg choice='opt'>--debug</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg choice='plain'>--usage</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg choice='plain'>--version</arg>

</cmdsynopsis>

</refsynopsisdiv>

<title>DESCRIPTION</title>

<para>

All <command>&COMMANDNAME;</command> does is prompt for a

password and output any given password to standard output.

</para>

<para>

This program is not very useful on its own. This program is

really meant to run as a plugin in the <application

>Mandos</application> client-side system, where it is used as a

fallback and alternative to retrieving passwords from a

<application >Mandos</application> server.

</para>

<para>

This program is little more than a <citerefentry><refentrytitle

>getpass</refentrytitle><manvolnum>3</manvolnum></citerefentry>

wrapper, although actual use of that function is not guaranteed

100

or implied.

<command>&COMMANDNAME;</command> is a terminal program that ask for

passwords during boot sequence. It is a plugin to

<firstterm>mandos</firstterm>, and is used as a fallback and

alternative to retriving passwords from a mandos server. During

100

boot sequence the user is prompted for the disk password, and

101

when a password is given it then gets forwarded to

102

<acronym>LUKS</acronym>.

101

103

</para>

102

104

</refsect1>

103

105

104

106

105

107

<title>OPTIONS</title>

106

108

<para>

107

This program is commonly not invoked from the command line; it

108

is normally started by the <application>Mandos</application>

109

plugin runner, see <citerefentry><refentrytitle

110

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

111

</citerefentry>. Any command line options this program accepts

112

are therefore normally provided by the plugin runner, and not

113

directly.

109

Commonly not invoked as command lines but from configuration

110

file of plugin runner.

114

111

</para>

115

112

116

113

117

114

118

<term><option>--prefix=<replaceable

119

>PREFIX</replaceable></option></term>

120

<term><option>-p

121

<replaceable>PREFIX</replaceable></option></term>

122

123

<para>

124

Prefix string shown before the password prompt.

125

</para>

126

</listitem>

127

</varlistentry>

128

129

130

<term><option>--debug</option></term>

131

132

<para>

133

Enable debug mode. This will enable a lot of output to

134

standard error about what the program is doing. The

135

program will still perform all other functions normally.

136

</para>

137

</listitem>

138

</varlistentry>

139

140

141

142

143

144

<para>

145

Gives a help message about options and their meanings.

146

</para>

147

</listitem>

148

</varlistentry>

149

150

151

<term><option>--usage</option></term>

152

153

<para>

154

Gives a short usage message.

155

</para>

156

</listitem>

157

</varlistentry>

158

159

160

<term><option>--version</option></term>

161

162

163

<para>

164

Prints the program version.

165

</para>

166

</listitem>

167

</varlistentry>

115

<term><literal>-p</literal>, <literal>--prefix=<replaceable>PREFIX

116

</replaceable></literal></term>

117

118

<para>

119

Prefix used before the passprompt

120

</para>

121

</listitem>

122

</varlistentry>

123

124

125

<term><literal>--debug</literal></term>

126

127

<para>

128

Debug mode

129

</para>

130

</listitem>

131

</varlistentry>

132

133

134

135

136

<para>

137

Gives a help message

138

</para>

139

</listitem>

140

</varlistentry>

141

142

143

<term><literal>--usage</literal></term>

144

145

<para>

146

Gives a short usage message

147

</para>

148

</listitem>

149

</varlistentry>

150

151

152

<term><literal>-V</literal>, <literal>--version</literal></term>

153

154

<para>

155

Prints the program version

156

</para>

157

</listitem>

158

</varlistentry>

168

159

</variablelist>

169

160

</refsect1>

170

161

171

162

172

163

<title>EXIT STATUS</title>

173

164

<para>

174

If exit status is 0, the output from the program is the password

175

as it was read. Otherwise, if exit status is other than 0, the

176

program has encountered an error, and any output so far could be

177

corrupt and/or truncated, and should therefore be ignored.

178

165

</para>

179

166

</refsect1>

180

167

181

168

182

169

<title>ENVIRONMENT</title>

183

184

185

<term><envar>cryptsource</envar></term>

186

<term><envar>crypttarget</envar></term>

187

188

<para>

189

If set, these environment variables will be assumed to

190

contain the source device name and the target device

191

mapper name, respectively, and will be shown as part of

192

the prompt.

193

</para>

194

<para>

195

These variables will normally be inherited from

196

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

197

<manvolnum>8mandos</manvolnum></citerefentry>, which will

198

normally have inherited them from

199

<filename>/scripts/local-top/cryptroot</filename> in the

200

initial <acronym>RAM</acronym> disk environment, which will

201

have set them from parsing kernel arguments and

202

<filename>/conf/conf.d/cryptroot</filename> (also in the

203

initial RAM disk environment), which in turn will have been

204

created when the initial RAM disk image was created by

205

<filename

206

>/usr/share/initramfs-tools/hooks/cryptroot</filename>, by

207

extracting the information of the root file system from

208

<filename >/etc/crypttab</filename>.

209

</para>

210

<para>

211

This behavior is meant to exactly mirror the behavior of

212

<command>askpass</command>, the default password prompter.

213

</para>

214

</listitem>

215

</varlistentry>

216

</variablelist>

170

<para>

171

</para>

172

</refsect1>

173

174

175

<title>FILES</title>

176

<para>

177

</para>

217

178

</refsect1>

218

179

219

180

220

181

221

182

<para>

222

None are known at this time.

223

183

</para>

224

</refsect1>

225

184

</refsect1>

185

226

186

227

187

<title>EXAMPLE</title>

228

188

<para>

229

Note that normally, command line options will not be given

230

directly, but via options for the Mandos <citerefentry

231

><refentrytitle>plugin-runner</refentrytitle>

232

<manvolnum>8mandos</manvolnum></citerefentry>.

233

189

</para>

234

235

<para>

236

Normal invocation needs no options:

237

</para>

238

<para>

239

<userinput>&COMMANDNAME;</userinput>

240

</para>

241

</informalexample>

242

243

<para>

244

Show a prefix before the prompt; in this case, a host name.

245

It might be useful to be reminded of which host needs a

246

password, in case of <acronym>KVM</acronym> switches, etc.

247

</para>

248

<para>

249

250

251

<userinput>&COMMANDNAME; --prefix=host.example.org:</userinput>

252

253

</para>

254

</informalexample>

255

256

<para>

257

Run in debug mode.

258

</para>

259

<para>

260

261

<userinput>&COMMANDNAME; --debug</userinput>

262

</para>

263

</informalexample>

264

190

</refsect1>

265

191

266

192

267

193

<title>SECURITY</title>

268

194

<para>

269

On its own, this program is very simple, and does not exactly

270

present any security risks. The one thing that could be

271

considered worthy of note is this: This program is meant to be

272

run by <citerefentry><refentrytitle

273

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

274

</citerefentry>, and will, when run standalone, outside, in a

275

normal environment, immediately output on its standard output

276

any presumably secret password it just received. Therefore,

277

when running this program standalone (which should never

278

normally be done), take care not to type in any real secret

279

password by force of habit, since it would then immediately be

280

shown as output.

281

</para>

282

<para>

283

To further alleviate any risk of being locked out of a system,

284

the <citerefentry><refentrytitle>plugin-runner</refentrytitle>

285

<manvolnum>8mandos</manvolnum></citerefentry> has a fallback

286

mode which does the same thing as this program, only with less

287

features.

288

195

</para>

289

196

</refsect1>

290

197

291

198

292

199

293

200

<para>

294

<citerefentry><refentrytitle>crypttab</refentrytitle>

295

296

<citerefentry><refentrytitle>mandos-client</refentrytitle>

201

<citerefentry><refentrytitle>mandos</refentrytitle>

202

203

<refentrytitle>plugin-runner</refentrytitle>

204

<manvolnum>8mandos</manvolnum></citerefentry> and <citerefentry>

205

<refentrytitle>password-request</refentrytitle>

297

206

<manvolnum>8mandos</manvolnum></citerefentry>

298

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

299

<manvolnum>8mandos</manvolnum></citerefentry>,

300

207

</para>

301

</refsect1>

208

</refsect1>

209

302

210

</refentry>

303

304

305

306

307

Older »