1
<?xml version="1.0" encoding="UTF-8"?>
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
<!ENTITY COMMANDNAME "password-prompt">
5
<!ENTITY TIMESTAMP "2017-02-23">
6
<!ENTITY % common SYSTEM "../common.ent">
10
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
12
<title>Mandos Manual</title>
13
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
14
<productname>Mandos</productname>
15
<productnumber>&version;</productnumber>
16
<date>&TIMESTAMP;</date>
19
<firstname>Björn</firstname>
20
<surname>Påhlsson</surname>
22
<email>belorn@recompile.se</email>
26
<firstname>Teddy</firstname>
27
<surname>Hogeborn</surname>
29
<email>teddy@recompile.se</email>
44
<holder>Teddy Hogeborn</holder>
45
<holder>Björn Påhlsson</holder>
47
<xi:include href="../legalnotice.xml"/>
51
<refentrytitle>&COMMANDNAME;</refentrytitle>
52
<manvolnum>8mandos</manvolnum>
56
<refname><command>&COMMANDNAME;</command></refname>
57
<refpurpose>Prompt for a password and output it.</refpurpose>
62
<command>&COMMANDNAME;</command>
64
<arg choice="plain"><option>--prefix <replaceable
65
>PREFIX</replaceable></option></arg>
66
<arg choice="plain"><option>-p </option><replaceable
67
>PREFIX</replaceable></arg>
70
<arg choice="opt"><option>--debug</option></arg>
73
<command>&COMMANDNAME;</command>
75
<arg choice="plain"><option>--help</option></arg>
76
<arg choice="plain"><option>-?</option></arg>
80
<command>&COMMANDNAME;</command>
81
<arg choice="plain"><option>--usage</option></arg>
84
<command>&COMMANDNAME;</command>
86
<arg choice="plain"><option>--version</option></arg>
87
<arg choice="plain"><option>-V</option></arg>
92
<refsect1 id="description">
93
<title>DESCRIPTION</title>
95
All <command>&COMMANDNAME;</command> does is prompt for a
96
password and output any given password to standard output.
99
This program is not very useful on its own. This program is
100
really meant to run as a plugin in the <application
101
>Mandos</application> client-side system, where it is used as a
102
fallback and alternative to retrieving passwords from a
103
<application >Mandos</application> server.
106
This program is little more than a <citerefentry><refentrytitle
107
>getpass</refentrytitle><manvolnum>3</manvolnum></citerefentry>
108
wrapper, although actual use of that function is not guaranteed
113
<refsect1 id="options">
114
<title>OPTIONS</title>
116
This program is commonly not invoked from the command line; it
117
is normally started by the <application>Mandos</application>
118
plugin runner, see <citerefentry><refentrytitle
119
>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>
120
</citerefentry>. Any command line options this program accepts
121
are therefore normally provided by the plugin runner, and not
127
<term><option>--prefix=<replaceable
128
>PREFIX</replaceable></option></term>
130
<replaceable>PREFIX</replaceable></option></term>
133
Prefix string shown before the password prompt.
139
<term><option>--debug</option></term>
142
Enable debug mode. This will enable a lot of output to
143
standard error about what the program is doing. The
144
program will still perform all other functions normally.
150
<term><option>--help</option></term>
151
<term><option>-?</option></term>
154
Gives a help message about options and their meanings.
160
<term><option>--usage</option></term>
163
Gives a short usage message.
169
<term><option>--version</option></term>
170
<term><option>-V</option></term>
173
Prints the program version.
180
<refsect1 id="exit_status">
181
<title>EXIT STATUS</title>
183
If exit status is 0, the output from the program is the password
184
as it was read. Otherwise, if exit status is other than 0, the
185
program has encountered an error, and any output so far could be
186
corrupt and/or truncated, and should therefore be ignored.
190
<refsect1 id="environment">
191
<title>ENVIRONMENT</title>
194
<term><envar>CRYPTTAB_SOURCE</envar></term>
195
<term><envar>CRYPTTAB_NAME</envar></term>
198
If set, these environment variables will be assumed to
199
contain the source device name and the target device
200
mapper name, respectively, and will be shown as part of
204
These variables will normally be inherited from
205
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
206
<manvolnum>8mandos</manvolnum></citerefentry>, which will
207
normally have inherited them from
208
<filename>/scripts/local-top/cryptroot</filename> in the
209
initial <acronym>RAM</acronym> disk environment, which will
210
have set them from parsing kernel arguments and
211
<filename>/conf/conf.d/cryptroot</filename> (also in the
212
initial RAM disk environment), which in turn will have been
213
created when the initial RAM disk image was created by
215
>/usr/share/initramfs-tools/hooks/cryptroot</filename>, by
216
extracting the information of the root file system from
217
<filename >/etc/crypttab</filename>.
220
This behavior is meant to exactly mirror the behavior of
221
<command>askpass</command>, the default password prompter.
230
<xi:include href="../bugs.xml"/>
233
<refsect1 id="example">
234
<title>EXAMPLE</title>
236
Note that normally, command line options will not be given
237
directly, but via options for the Mandos <citerefentry
238
><refentrytitle>plugin-runner</refentrytitle>
239
<manvolnum>8mandos</manvolnum></citerefentry>.
243
Normal invocation needs no options:
246
<userinput>&COMMANDNAME;</userinput>
251
Show a prefix before the prompt; in this case, a host name.
252
It might be useful to be reminded of which host needs a
253
password, in case of <acronym>KVM</acronym> switches, etc.
257
<!-- do not wrap this line -->
258
<userinput>&COMMANDNAME; --prefix=host.example.org:</userinput>
267
<!-- do not wrap this line -->
268
<userinput>&COMMANDNAME; --debug</userinput>
273
<refsect1 id="security">
274
<title>SECURITY</title>
276
On its own, this program is very simple, and does not exactly
277
present any security risks. The one thing that could be
278
considered worthy of note is this: This program is meant to be
279
run by <citerefentry><refentrytitle
280
>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>
281
</citerefentry>, and will, when run standalone, outside, in a
282
normal environment, immediately output on its standard output
283
any presumably secret password it just received. Therefore,
284
when running this program standalone (which should never
285
normally be done), take care not to type in any real secret
286
password by force of habit, since it would then immediately be
290
To further alleviate any risk of being locked out of a system,
291
the <citerefentry><refentrytitle>plugin-runner</refentrytitle>
292
<manvolnum>8mandos</manvolnum></citerefentry> has a fallback
293
mode which does the same thing as this program, only with less
298
<refsect1 id="see_also">
299
<title>SEE ALSO</title>
301
<citerefentry><refentrytitle>intro</refentrytitle>
302
<manvolnum>8mandos</manvolnum></citerefentry>
303
<citerefentry><refentrytitle>crypttab</refentrytitle>
304
<manvolnum>5</manvolnum></citerefentry>
305
<citerefentry><refentrytitle>mandos-client</refentrytitle>
306
<manvolnum>8mandos</manvolnum></citerefentry>
307
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
308
<manvolnum>8mandos</manvolnum></citerefentry>,
312
<!-- Local Variables: -->
313
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
314
<!-- time-stamp-end: "[\"']>" -->
315
<!-- time-stamp-format: "%:y-%02m-%02d" -->