67
47
<refname><command>&COMMANDNAME;</command></refname>
69
Passprompt for luks during boot sequence
48
<refpurpose>Prompt for a password and output it.</refpurpose>
75
53
<command>&COMMANDNAME;</command>
76
<arg choice='opt'>--prefix<arg choice='plain'>PREFIX</arg></arg>
77
<arg choice='opt'>--debug</arg>
80
<command>&COMMANDNAME;</command>
81
<arg choice='plain'>--help</arg>
84
<command>&COMMANDNAME;</command>
85
<arg choice='plain'>--usage</arg>
88
<command>&COMMANDNAME;</command>
89
<arg choice='plain'>--version</arg>
55
<arg choice="plain"><option>--prefix <replaceable
56
>PREFIX</replaceable></option></arg>
57
<arg choice="plain"><option>-p </option><replaceable
58
>PREFIX</replaceable></arg>
61
<arg choice="opt"><option>--debug</option></arg>
64
<command>&COMMANDNAME;</command>
66
<arg choice="plain"><option>--help</option></arg>
67
<arg choice="plain"><option>-?</option></arg>
71
<command>&COMMANDNAME;</command>
72
<arg choice="plain"><option>--usage</option></arg>
75
<command>&COMMANDNAME;</command>
77
<arg choice="plain"><option>--version</option></arg>
78
<arg choice="plain"><option>-V</option></arg>
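Review bot: The short form in the new synopsis is marked up differently from the long form. It reads `<option>-p </option><replaceable>PREFIX</replaceable>`, with a trailing space inside the option element and the replaceable outside it, while `--prefix` keeps `<replaceable>` nested inside `<option>`. Suggest using the same nesting for both forms and moving the space out of the `<option>` element so the two render consistently.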
93
83
<refsect1 id="description">
94
84
<title>DESCRIPTION</title>
96
<command>&COMMANDNAME;</command> is a terminal program that ask for
97
passwords during boot sequence. It is a plugin to
98
<firstterm>mandos</firstterm>, and is used as a fallback and
99
alternative to retriving passwords from a mandos server. During
100
boot sequence the user is prompted for the disk password, and
101
when a password is given it then gets forwarded to
102
<acronym>LUKS</acronym>.
86
All <command>&COMMANDNAME;</command> does is prompt for a
87
password and output any given password to standard output. This
88
is not very useful on its own. This program is really meant to
89
run as a plugin in the <application>Mandos</application>
90
client-side system, where it is used as a fallback and
91
alternative to retrieving passwords from a <application
92
>Mandos</application> server.
95
This program is little more than a <citerefentry><refentrytitle
96
>getpass</refentrytitle><manvolnum>3</manvolnum></citerefentry>
97
wrapper, although actual use of that function is not guaranteed
106
102
<refsect1 id="options">
107
103
<title>OPTIONS</title>
109
Commonly not invoked as command lines but from configuration
110
file of plugin runner.
105
This program is commonly not invoked from the command line; it
106
is normally started by the <application>Mandos</application>
107
plugin runner, see <citerefentry><refentrytitle
108
>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>
109
</citerefentry>. Any command line options this program accepts
110
are therefore normally provided by the plugin runner, and not
115
<term><literal>-p</literal>, <literal>--prefix=<replaceable>PREFIX
116
</replaceable></literal></term>
119
Prefix used before the passprompt
125
<term><literal>--debug</literal></term>
134
<term><literal>-?</literal>, <literal>--help</literal></term>
143
<term><literal>--usage</literal></term>
146
Gives a short usage message
152
<term><literal>-V</literal>, <literal>--version</literal></term>
155
Prints the program version
116
<term><option>--prefix=<replaceable
117
>PREFIX</replaceable></option></term>
119
<replaceable>PREFIX</replaceable></option></term>
122
Prefix string shown before the password prompt.
128
<term><option>--debug</option></term>
131
Enable debug mode. This will enable a lot of output to
132
standard error about what the program is doing. The
133
program will still perform all other functions normally.
139
<term><option>--help</option></term>
140
<term><option>-?</option></term>
143
Gives a help message about options and their meanings.
149
<term><option>--usage</option></term>
152
Gives a short usage message.
158
<term><option>--version</option></term>
159
<term><option>-V</option></term>
162
Prints the program version.
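Review bot: The new `--debug` text does not say whether debug output can include the password that was read. It only states that the option "will enable a lot of output to standard error about what the program is doing". Since this program handles a disk password and its standard error may be captured during boot, suggest adding one sentence stating explicitly what the debug output does and does not contain.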
162
169
<refsect1 id="exit_status">
163
170
<title>EXIT STATUS</title>
172
If exit status is 0, the output from the program is the password
173
as it was read. Otherwise, if exit status is other than 0, the
174
program has encountered an error, and any output so far could be
175
corrupt and/or truncated, and should therefore be ignored.
168
179
<refsect1 id="environment">
169
180
<title>ENVIRONMENT</title>
174
<refsect1 id="files">
183
<term><envar>cryptsource</envar></term>
184
<term><envar>crypttarget</envar></term>
187
If set, these environment variables will be assumed to
188
contain the source device name and the target device
189
mapper name, respectively, and will be shown as part of
193
These variables will normally be inherited from
194
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
195
<manvolnum>8mandos</manvolnum></citerefentry>, which will
196
normally have inherited them from
197
<filename>/scripts/local-top/cryptroot</filename> in the
198
initial <acronym>RAM</acronym> disk environment, which will
199
have set them from parsing kernel arguments and
200
<filename>/conf/conf.d/cryptroot</filename> (also in the
201
initial RAM disk environment), which in turn will have been
202
created when the initial RAM disk image was created by
204
>/usr/share/initramfs-tools/hooks/cryptroot</filename>, by
205
extracting the information of the root file system from
206
<filename >/etc/crypttab</filename>.
209
This behavior is meant to exactly mirror the behavior of
210
<command>askpass</command>, the default password prompter.
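Review bot: The `cryptsource`/`crypttarget` entry leaves open what the prompt shows when only one of the two variables is set. It says only "If set, these environment variables will be assumed to contain the source device name and the target device mapper name". Suggest documenting that case, since the values end up in the prompt the user sees. The sentence starting "These variables will normally be inherited from" chains several "which will" clauses from plugin-runner back to /etc/crypttab. Splitting it into two or three sentences would make the provenance easier to follow.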
180
217
<refsect1 id="bugs">
181
218
<title>BUGS</title>
220
None are known at this time.
186
224
<refsect1 id="example">
187
225
<title>EXAMPLE</title>
227
Note that normally, command line options will not be given
228
directly, but via options for the Mandos <citerefentry
229
><refentrytitle>plugin-runner</refentrytitle>
230
<manvolnum>8mandos</manvolnum></citerefentry>.
234
Normal invocation needs no options:
237
<userinput>&COMMANDNAME;</userinput>
242
Show a prefix before the prompt; in this case, a host name.
243
It might be useful to be reminded of which host needs a
244
password, in case of <acronym>KVM</acronym> switches, etc.
248
<!-- do not wrap this line -->
249
<userinput>&COMMANDNAME; --prefix=host.example.org:</userinput>
258
<!-- do not wrap this line -->
259
<userinput>&COMMANDNAME; --debug</userinput>
192
264
<refsect1 id="security">
193
265
<title>SECURITY</title>
267
On its own, this program is very simple, and does not exactly
268
present any security risks. The one thing that could be
269
considered worthy of note is this: This program is meant to be
270
run by <citerefentry><refentrytitle
271
>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>
272
</citerefentry>, and will, when run standalone, outside, in a
273
normal environment, immediately output on its standard output
274
any presumably secret password it just received. Therefore,
275
when running this program standalone (which should never
276
normally be done), take care not to type in any real secret
277
password by force of habit, since it would then immediately be
281
To further alleviate any risk of being locked out of a system,
282
the <citerefentry><refentrytitle>plugin-runner</refentrytitle>
283
<manvolnum>8mandos</manvolnum></citerefentry> has a fallback
284
mode which does the same thing as this program, only with less
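Review bot: The second SECURITY paragraph opens with "To further alleviate any risk of being locked out of a system", but the paragraph before it, as far as it is visible here, is about the password being written to standard output, not about lock-out. "Further" therefore has nothing to refer back to. Suggest introducing the lock-out risk first or dropping "further". In the first paragraph, "when run standalone, outside, in a normal environment" is hard to parse, and "when run standalone in a normal environment" would say the same thing.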
198
289
<refsect1 id="see_also">
199
290
<title>SEE ALSO</title>
201
<citerefentry><refentrytitle>mandos</refentrytitle>
202
<manvolnum>8</manvolnum></citerefentry>, <citerefentry>
203
<refentrytitle>plugin-runner</refentrytitle>
204
<manvolnum>8mandos</manvolnum></citerefentry> and <citerefentry>
205
<refentrytitle>password-request</refentrytitle>
292
<citerefentry><refentrytitle>crypttab</refentrytitle>
293
<manvolnum>5</manvolnum></citerefentry>
294
<citerefentry><refentrytitle>mandos-client</refentrytitle>
206
295
<manvolnum>8mandos</manvolnum></citerefentry>
296
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
297
<manvolnum>8mandos</manvolnum></citerefentry>,
301
<!-- Local Variables: -->
302
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
303
<!-- time-stamp-end: "[\"']>" -->
304
<!-- time-stamp-format: "%:y-%02m-%02d" -->
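Review bot: The separators in the new SEE ALSO list are inconsistent. The entries for crypttab(5) and mandos-client(8mandos) end at `</citerefentry>` with nothing after them, while the plugin-runner(8mandos) entry ends with a comma. The lines being replaced used commas and "and" between entries. Suggest putting a comma after every entry except the last, or otherwise using one separator style throughout.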