67
68
<refname><command>&COMMANDNAME;</command></refname>
69
Passprompt for luks during boot sequence
69
<refpurpose>Prompt for a password and output it.</refpurpose>
75
74
<command>&COMMANDNAME;</command>
76
<arg choice='opt'>--prefix<arg choice='plain'>PREFIX</arg></arg>
77
<arg choice='opt'>--debug</arg>
80
<command>&COMMANDNAME;</command>
81
<arg choice='plain'>--help</arg>
84
<command>&COMMANDNAME;</command>
85
<arg choice='plain'>--usage</arg>
88
<command>&COMMANDNAME;</command>
89
<arg choice='plain'>--version</arg>
76
<arg choice="plain"><option>-p <replaceable
77
>PREFIX</replaceable></option></arg>
78
<arg choice="plain"><option>--prefix </option><replaceable
79
>PREFIX</replaceable></arg>
81
<arg choice="opt"><option>--debug</option></arg>
84
<command>&COMMANDNAME;</command>
86
<arg choice="plain"><option>-?</option></arg>
87
<arg choice="plain"><option>--help</option></arg>
91
<command>&COMMANDNAME;</command>
92
<arg choice="plain"><option>--usage</option></arg>
95
<command>&COMMANDNAME;</command>
97
<arg choice="plain"><option>-V</option></arg>
98
<arg choice="plain"><option>--version</option></arg>
93
103
<refsect1 id="description">
94
104
<title>DESCRIPTION</title>
96
<command>&COMMANDNAME;</command> is a terminal program that ask for
97
passwords during boot sequence. It is a plugin to
98
<firstterm>mandos</firstterm>, and is used as a fallback and
99
alternative to retriving passwords from a mandos server. During
100
boot sequence the user is prompted for the disk password, and
101
when a password is given it then gets forwarded to
102
<acronym>LUKS</acronym>.
106
All <command>&COMMANDNAME;</command> does is prompt for a
107
password and output any given password to standard output. This
108
is not very useful on its own. This program is really meant to
109
run as a plugin in the <application>Mandos</application>
110
client-side system, where it is used as a fallback and
111
alternative to retriving passwords from a <application
112
>Mandos</application> server.
115
This program is little more than a <citerefentry><refentrytitle
116
>getpass</refentrytitle><manvolnum>3</manvolnum></citerefentry>
117
wrapper, although actual use of that function is not guaranteed
122
<refsect1 id="options">
123
<title>OPTIONS</title>
125
This program is commonly not invoked from the command line; it
126
is normally started by the <application>Mandos</application>
127
plugin runner, see <citerefentry><refentrytitle
128
>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>
129
</citerefentry>. Any command line options this program accepts
130
are therefore normally provided by the plugin runner, and not
107
<term><literal>-p</literal>, <literal>--prefix=<replaceable>PREFIX
108
</replaceable></literal></term>
111
Prefix used before the passprompt
117
<term><literal>--debug</literal></term>
126
<term><literal>-?</literal>, <literal>--help</literal></term>
135
<term><literal>--usage</literal></term>
138
Gives a short usage message
144
<term><literal>-V</literal>, <literal>--version</literal></term>
147
Prints the program version
136
<term><option>-p</option> <replaceable>PREFIX</replaceable
138
<term><option>--prefix=</option><replaceable
139
>PREFIX</replaceable></term>
142
Prefix string shown before the password prompt.
148
<term><option>--debug</option></term>
151
Enable debug mode. This will enable a lot of output to
152
standard error about what the program is doing. The
153
program will still perform all other functions normally.
159
<term><option>-?</option></term>
160
<term><option>--help</option></term>
163
Gives a help message about options and their meanings.
169
<term><option>--usage</option></term>
172
Gives a short usage message.
178
<term><option>-V</option></term>
179
<term><option>--version</option></term>
182
Prints the program version.
189
<refsect1 id="exit_status">
190
<title>EXIT STATUS</title>
192
If exit status is 0, the output from the program is the password
193
as it was read. Otherwise, if exit status is other than 0, the
194
program has encountered an error, and any output so far could be
195
corrupt and/or truncated, and should therefore be ignored.
199
<refsect1 id="environment">
200
<title>ENVIRONMENT</title>
203
<term><envar>cryptsource</envar></term>
204
<term><envar>crypttarget</envar></term>
207
If set, these environment variables will be assumed to
208
contain the source device name and the target device
209
mapper name, respectively, and will be shown as part of
213
These variables will normally be inherited from
214
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
215
<manvolnum>8mandos</manvolnum></citerefentry>, which will
216
normally have inherited them from
217
<filename>/scripts/local-top/cryptroot</filename> in the
218
initial RAM disk environment, which will have set them from
219
parsing kernel arguments and
220
<filename>/conf/conf.d/cryptroot</filename> (also in the
221
initial RAM disk environment), which in turn will have been
222
created when the initial RAM disk image was created by
224
>/usr/share/initramfs-tools/hooks/cryptroot</filename>, by
225
extracting the information of the root file system from
226
<filename >/etc/crypttab</filename>.
229
This behavior is meant to exactly mirror the behavior of
230
<command>askpass</command>, the default password prompter.
240
None are known at this time.
244
<refsect1 id="example">
245
<title>EXAMPLE</title>
247
Note that normally, command line options will not be given
248
directly, but via options for the Mandos <citerefentry
249
><refentrytitle>plugin-runner</refentrytitle>
250
<manvolnum>8mandos</manvolnum></citerefentry>.
254
Normal invocation needs no options:
257
<userinput>&COMMANDNAME;</userinput>
262
Show a prefix before the prompt; in this case, a host name.
263
It might be useful to be reminded of which host needs a
264
password, in case of KVM switches, etc.
268
<!-- do not wrap this line -->
269
<userinput>&COMMANDNAME; --prefix=host.example.org:</userinput>
278
<!-- do not wrap this line -->
279
<userinput>&COMMANDNAME; --debug</userinput>
284
<refsect1 id="security">
285
<title>SECURITY</title>
287
On its own, this program is very simple, and does not exactly
288
present any security risks. The one thing that could be
289
considered worthy of note is this: This program is meant to be
290
run by <citerefentry><refentrytitle
291
>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>
292
</citerefentry>, and will, when run standalone, outside, in a
293
normal environment, immediately output on its standard output
294
any presumably secret password it just recieved. Therefore,
295
when running this program standalone (which should never
296
normally be done), take care not to type in any real secret
297
password by force of habit, since it would then immediately be
301
To further alleviate any risk of being locked out of a system,
302
the <citerefentry><refentrytitle>plugin-runner</refentrytitle>
303
<manvolnum>8mandos</manvolnum></citerefentry> has a fallback
304
mode which does the same thing as this program, only with less
309
<refsect1 id="see_also">
310
<title>SEE ALSO</title>
312
<citerefentry><refentrytitle>crypttab</refentrytitle>
313
<manvolnum>5</manvolnum></citerefentry>
314
<citerefentry><refentrytitle>password-request</refentrytitle>
315
<manvolnum>8mandos</manvolnum></citerefentry>
316
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
317
<manvolnum>8mandos</manvolnum></citerefentry>,
321
<!-- Local Variables: -->
322
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
323
<!-- time-stamp-end: "[\"']>" -->
324
<!-- time-stamp-format: "%:y-%02m-%02d" -->