1
<?xml version='1.0' encoding='UTF-8'?>
2
<?xml-stylesheet type="text/xsl"
3
href="http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl"?>
1
<?xml version="1.0" encoding="UTF-8"?>
4
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
5
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
6
<!ENTITY VERSION "1.0">
7
4
<!ENTITY COMMANDNAME "password-prompt">
5
<!ENTITY TIMESTAMP "2019-02-10">
6
<!ENTITY % common SYSTEM "../common.ent">
10
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
12
<title>&COMMANDNAME;</title>
13
<!-- NWalsh's docbook scripts use this to generate the footer: -->
14
<productname>&COMMANDNAME;</productname>
15
<productnumber>&VERSION;</productnumber>
12
<title>Mandos Manual</title>
13
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
14
<productname>Mandos</productname>
15
<productnumber>&version;</productnumber>
16
<date>&TIMESTAMP;</date>
18
19
<firstname>Björn</firstname>
19
20
<surname>Påhlsson</surname>
21
<email>belorn@fukt.bsnet.se</email>
22
<email>belorn@recompile.se</email>
25
26
<firstname>Teddy</firstname>
26
27
<surname>Hogeborn</surname>
28
<email>teddy@fukt.bsnet.se</email>
29
<email>teddy@recompile.se</email>
34
<holder>Teddy Hogeborn & Björn Påhlsson</holder>
46
<holder>Teddy Hogeborn</holder>
47
<holder>Björn Påhlsson</holder>
38
This manual page is free software: you can redistribute it
39
and/or modify it under the terms of the GNU General Public
40
License as published by the Free Software Foundation,
41
either version 3 of the License, or (at your option) any
46
This manual page is distributed in the hope that it will
47
be useful, but WITHOUT ANY WARRANTY; without even the
48
implied warranty of MERCHANTABILITY or FITNESS FOR A
49
PARTICULAR PURPOSE. See the GNU General Public License
54
You should have received a copy of the GNU General Public
55
License along with this program; If not, see
56
<ulink url="http://www.gnu.org/licenses/"/>.
49
<xi:include href="../legalnotice.xml"/>
62
53
<refentrytitle>&COMMANDNAME;</refentrytitle>
63
54
<manvolnum>8mandos</manvolnum>
67
58
<refname><command>&COMMANDNAME;</command></refname>
69
Passprompt for luks during boot sequence
59
<refpurpose>Prompt for a password and output it.</refpurpose>
75
64
<command>&COMMANDNAME;</command>
76
<arg choice='opt'>--prefix<arg choice='plain'>PREFIX</arg></arg>
77
<arg choice='opt'>--debug</arg>
80
<command>&COMMANDNAME;</command>
81
<arg choice='plain'>--help</arg>
84
<command>&COMMANDNAME;</command>
85
<arg choice='plain'>--usage</arg>
88
<command>&COMMANDNAME;</command>
89
<arg choice='plain'>--version</arg>
66
<arg choice="plain"><option>--prefix <replaceable
67
>PREFIX</replaceable></option></arg>
68
<arg choice="plain"><option>-p </option><replaceable
69
>PREFIX</replaceable></arg>
72
<arg choice="opt"><option>--debug</option></arg>
75
<command>&COMMANDNAME;</command>
77
<arg choice="plain"><option>--help</option></arg>
78
<arg choice="plain"><option>-?</option></arg>
82
<command>&COMMANDNAME;</command>
83
<arg choice="plain"><option>--usage</option></arg>
86
<command>&COMMANDNAME;</command>
88
<arg choice="plain"><option>--version</option></arg>
89
<arg choice="plain"><option>-V</option></arg>
93
94
<refsect1 id="description">
94
95
<title>DESCRIPTION</title>
96
<command>&COMMANDNAME;</command> is a terminal program that ask for
97
passwords during boot sequence. It is a plugin to
98
<firstterm>mandos</firstterm>, and is used as a fallback and
99
alternative to retriving passwords from a mandos server. During
100
boot sequence the user is prompted for the disk password, and
101
when a password is given it then gets forwarded to
102
<acronym>LUKS</acronym>.
107
<term><literal>-p</literal>, <literal>--prefix=<replaceable>PREFIX
108
</replaceable></literal></term>
111
Prefix used before the passprompt
117
<term><literal>--debug</literal></term>
126
<term><literal>-?</literal>, <literal>--help</literal></term>
135
<term><literal>--usage</literal></term>
138
Gives a short usage message
144
<term><literal>-V</literal>, <literal>--version</literal></term>
147
Prints the program version
97
All <command>&COMMANDNAME;</command> does is prompt for a
98
password and output any given password to standard output.
101
This program is not very useful on its own. This program is
102
really meant to run as a plugin in the <application
103
>Mandos</application> client-side system, where it is used as a
104
fallback and alternative to retrieving passwords from a
105
<application >Mandos</application> server.
108
This program is little more than a <citerefentry><refentrytitle
109
>getpass</refentrytitle><manvolnum>3</manvolnum></citerefentry>
110
wrapper, although actual use of that function is not guaranteed
115
<refsect1 id="options">
116
<title>OPTIONS</title>
118
This program is commonly not invoked from the command line; it
119
is normally started by the <application>Mandos</application>
120
plugin runner, see <citerefentry><refentrytitle
121
>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>
122
</citerefentry>. Any command line options this program accepts
123
are therefore normally provided by the plugin runner, and not
129
<term><option>--prefix=<replaceable
130
>PREFIX</replaceable></option></term>
132
<replaceable>PREFIX</replaceable></option></term>
135
Prefix string shown before the password prompt.
141
<term><option>--debug</option></term>
144
Enable debug mode. This will enable a lot of output to
145
standard error about what the program is doing. The
146
program will still perform all other functions normally.
152
<term><option>--help</option></term>
153
<term><option>-?</option></term>
156
Gives a help message about options and their meanings.
162
<term><option>--usage</option></term>
165
Gives a short usage message.
171
<term><option>--version</option></term>
172
<term><option>-V</option></term>
175
Prints the program version.
182
<refsect1 id="exit_status">
183
<title>EXIT STATUS</title>
185
If exit status is 0, the output from the program is the password
186
as it was read. Otherwise, if exit status is other than 0, the
187
program has encountered an error, and any output so far could be
188
corrupt and/or truncated, and should therefore be ignored.
192
<refsect1 id="environment">
193
<title>ENVIRONMENT</title>
196
<term><envar>CRYPTTAB_SOURCE</envar></term>
197
<term><envar>CRYPTTAB_NAME</envar></term>
200
If set, these environment variables will be assumed to
201
contain the source device name and the target device
202
mapper name, respectively, and will be shown as part of
206
These variables will normally be inherited from
207
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
208
<manvolnum>8mandos</manvolnum></citerefentry>, which will
209
normally have inherited them from
210
<filename>/scripts/local-top/cryptroot</filename> in the
211
initial <acronym>RAM</acronym> disk environment, which will
212
have set them from parsing kernel arguments and
213
<filename>/conf/conf.d/cryptroot</filename> (also in the
214
initial RAM disk environment), which in turn will have been
215
created when the initial RAM disk image was created by
217
>/usr/share/initramfs-tools/hooks/cryptroot</filename>, by
218
extracting the information of the root file system from
219
<filename >/etc/crypttab</filename>.
222
This behavior is meant to exactly mirror the behavior of
223
<command>askpass</command>, the default password prompter.
232
<xi:include href="../bugs.xml"/>
235
<refsect1 id="example">
236
<title>EXAMPLE</title>
238
Note that normally, command line options will not be given
239
directly, but via options for the Mandos <citerefentry
240
><refentrytitle>plugin-runner</refentrytitle>
241
<manvolnum>8mandos</manvolnum></citerefentry>.
245
Normal invocation needs no options:
248
<userinput>&COMMANDNAME;</userinput>
253
Show a prefix before the prompt; in this case, a host name.
254
It might be useful to be reminded of which host needs a
255
password, in case of <acronym>KVM</acronym> switches, etc.
259
<!-- do not wrap this line -->
260
<userinput>&COMMANDNAME; --prefix=host.example.org:</userinput>
269
<!-- do not wrap this line -->
270
<userinput>&COMMANDNAME; --debug</userinput>
275
<refsect1 id="security">
276
<title>SECURITY</title>
278
On its own, this program is very simple, and does not exactly
279
present any security risks. The one thing that could be
280
considered worthy of note is this: This program is meant to be
281
run by <citerefentry><refentrytitle
282
>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>
283
</citerefentry>, and will, when run standalone, outside, in a
284
normal environment, immediately output on its standard output
285
any presumably secret password it just received. Therefore,
286
when running this program standalone (which should never
287
normally be done), take care not to type in any real secret
288
password by force of habit, since it would then immediately be
292
To further alleviate any risk of being locked out of a system,
293
the <citerefentry><refentrytitle>plugin-runner</refentrytitle>
294
<manvolnum>8mandos</manvolnum></citerefentry> has a fallback
295
mode which does the same thing as this program, only with less
300
<refsect1 id="see_also">
301
<title>SEE ALSO</title>
303
<citerefentry><refentrytitle>intro</refentrytitle>
304
<manvolnum>8mandos</manvolnum></citerefentry>
305
<citerefentry><refentrytitle>crypttab</refentrytitle>
306
<manvolnum>5</manvolnum></citerefentry>
307
<citerefentry><refentrytitle>mandos-client</refentrytitle>
308
<manvolnum>8mandos</manvolnum></citerefentry>
309
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
310
<manvolnum>8mandos</manvolnum></citerefentry>,
314
<!-- Local Variables: -->
315
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
316
<!-- time-stamp-end: "[\"']>" -->
317
<!-- time-stamp-format: "%:y-%02m-%02d" -->
added
removed
plugins.d/password-prompt.xml
