/mandos/trunk : revision 237.4.1

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/password-prompt.xml

Committer: Teddy Hogeborn
Date: 2010-09-28 18:39:30 UTC
mfrom: (449 mandos-local)
mto: (24.1.170 mandos) (237.4.29 release)
mto: This revision was merged to the branch mainline in revision 450.
Revision ID: teddy@fukt.bsnet.se-20100928183930-i0r0cb2e2v5w6dfe

Merge from trunk.  D-Bus usage is now standard, and there are two new
utilities (mandos-monitor and mandos-ctl) which uses it.  Also, a new
plugin for Plymouth.  Also fixes Debian bug #557076.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugins.d/password-prompt.xml

<?xml version='1.0' encoding='UTF-8'?>

<?xml-stylesheet type="text/xsl"

href="http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl"?>

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "password-prompt">

<!ENTITY TIMESTAMP "2009-10-30">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<title>&COMMANDNAME;</title>

<productname>&COMMANDNAME;</productname>

<productnumber>&VERSION;</productnumber>

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

</authorgroup>

<holder>Teddy Hogeborn & Björn Påhlsson</holder>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="../legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

<refname><command>&COMMANDNAME;</command></refname>

Passprompt for luks during boot sequence

</refpurpose>

<refpurpose>Prompt for a password and output it.</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<arg choice='opt'>--prefix<arg choice='plain'>PREFIX</arg></arg>

<arg choice='opt'>--debug</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg choice='plain'>--usage</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg choice='plain'>--version</arg>

</cmdsynopsis>

<arg choice="plain"><option>--prefix <replaceable

>PREFIX</replaceable></option></arg>

<arg choice="plain"><option>-p </option><replaceable

>PREFIX</replaceable></arg>

</group>

<sbr/>

<arg choice="opt"><option>--debug</option></arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

</group>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--usage</option></arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--version</option></arg>

</group>

</cmdsynopsis>

</refsynopsisdiv>

<title>DESCRIPTION</title>

<para>

<command>&COMMANDNAME;</command> is a terminal program that ask for

passwords during boot sequence. It is a plugin to

<firstterm>mandos</firstterm>, and is used as a fallback and

alternative to retriving passwords from a mandos server. During

100

boot sequence the user is prompted for the disk password, and

101

when a password is given it then gets forwarded to

102

<acronym>LUKS</acronym>.

All <command>&COMMANDNAME;</command> does is prompt for a

password and output any given password to standard output.

</para>

<para>

This program is not very useful on its own. This program is

really meant to run as a plugin in the <application

>Mandos</application> client-side system, where it is used as a

fallback and alternative to retrieving passwords from a

<application >Mandos</application> server.

</para>

<para>

This program is little more than a <citerefentry><refentrytitle

>getpass</refentrytitle><manvolnum>3</manvolnum></citerefentry>

100

wrapper, although actual use of that function is not guaranteed

101

or implied.

103

102

</para>

104

103

</refsect1>

105

104

106

105

107

106

<title>OPTIONS</title>

108

107

<para>

109

Commonly not invoked as command lines but from configuration

110

file of plugin runner.

108

This program is commonly not invoked from the command line; it

109

is normally started by the <application>Mandos</application>

110

plugin runner, see <citerefentry><refentrytitle

111

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

112

</citerefentry>. Any command line options this program accepts

113

are therefore normally provided by the plugin runner, and not

114

directly.

111

115

</para>

112

116

113

117

114

118

115

<term><literal>-p</literal>, <literal>--prefix=<replaceable>PREFIX

116

</replaceable></literal></term>

117

118

<para>

119

Prefix used before the passprompt

120

</para>

121

</listitem>

122

</varlistentry>

123

124

125

<term><literal>--debug</literal></term>

126

127

<para>

128

Debug mode

129

</para>

130

</listitem>

131

</varlistentry>

132

133

134

135

136

<para>

137

Gives a help message

138

</para>

139

</listitem>

140

</varlistentry>

141

142

143

<term><literal>--usage</literal></term>

144

145

<para>

146

Gives a short usage message

147

</para>

148

</listitem>

149

</varlistentry>

150

151

152

<term><literal>-V</literal>, <literal>--version</literal></term>

153

154

<para>

155

Prints the program version

156

</para>

157

</listitem>

158

</varlistentry>

119

<term><option>--prefix=<replaceable

120

>PREFIX</replaceable></option></term>

121

<term><option>-p

122

<replaceable>PREFIX</replaceable></option></term>

123

124

<para>

125

Prefix string shown before the password prompt.

126

</para>

127

</listitem>

128

</varlistentry>

129

130

131

<term><option>--debug</option></term>

132

133

<para>

134

Enable debug mode. This will enable a lot of output to

135

standard error about what the program is doing. The

136

program will still perform all other functions normally.

137

</para>

138

</listitem>

139

</varlistentry>

140

141

142

143

144

145

<para>

146

Gives a help message about options and their meanings.

147

</para>

148

</listitem>

149

</varlistentry>

150

151

152

<term><option>--usage</option></term>

153

154

<para>

155

Gives a short usage message.

156

</para>

157

</listitem>

158

</varlistentry>

159

160

161

<term><option>--version</option></term>

162

163

164

<para>

165

Prints the program version.

166

</para>

167

</listitem>

168

</varlistentry>

159

169

</variablelist>

160

170

</refsect1>

161

171

162

172

163

173

<title>EXIT STATUS</title>

164

174

<para>

175

If exit status is 0, the output from the program is the password

176

as it was read. Otherwise, if exit status is other than 0, the

177

program has encountered an error, and any output so far could be

178

corrupt and/or truncated, and should therefore be ignored.

165

179

</para>

166

180

</refsect1>

167

181

168

182

169

183

<title>ENVIRONMENT</title>

170

<para>

171

</para>

172

</refsect1>

173

174

175

<title>FILES</title>

176

<para>

177

</para>

184

185

186

<term><envar>CRYPTTAB_SOURCE</envar></term>

187

<term><envar>CRYPTTAB_NAME</envar></term>

188

189

<para>

190

If set, these environment variables will be assumed to

191

contain the source device name and the target device

192

mapper name, respectively, and will be shown as part of

193

the prompt.

194

</para>

195

<para>

196

These variables will normally be inherited from

197

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

198

<manvolnum>8mandos</manvolnum></citerefentry>, which will

199

normally have inherited them from

200

<filename>/scripts/local-top/cryptroot</filename> in the

201

initial <acronym>RAM</acronym> disk environment, which will

202

have set them from parsing kernel arguments and

203

<filename>/conf/conf.d/cryptroot</filename> (also in the

204

initial RAM disk environment), which in turn will have been

205

created when the initial RAM disk image was created by

206

<filename

207

>/usr/share/initramfs-tools/hooks/cryptroot</filename>, by

208

extracting the information of the root file system from

209

<filename >/etc/crypttab</filename>.

210

</para>

211

<para>

212

This behavior is meant to exactly mirror the behavior of

213

<command>askpass</command>, the default password prompter.

214

</para>

215

</listitem>

216

</varlistentry>

217

</variablelist>

178

218

</refsect1>

179

219

180

220

181

221

182

222

<para>

223

None are known at this time.

183

224

</para>

184

</refsect1>

185

225

</refsect1>

226

186

227

187

228

<title>EXAMPLE</title>

188

229

<para>

230

Note that normally, command line options will not be given

231

directly, but via options for the Mandos <citerefentry

232

><refentrytitle>plugin-runner</refentrytitle>

233

<manvolnum>8mandos</manvolnum></citerefentry>.

189

234

</para>

235

236

<para>

237

Normal invocation needs no options:

238

</para>

239

<para>

240

<userinput>&COMMANDNAME;</userinput>

241

</para>

242

</informalexample>

243

244

<para>

245

Show a prefix before the prompt; in this case, a host name.

246

It might be useful to be reminded of which host needs a

247

password, in case of <acronym>KVM</acronym> switches, etc.

248

</para>

249

<para>

250

251

252

<userinput>&COMMANDNAME; --prefix=host.example.org:</userinput>

253

254

</para>

255

</informalexample>

256

257

<para>

258

Run in debug mode.

259

</para>

260

<para>

261

262

<userinput>&COMMANDNAME; --debug</userinput>

263

</para>

264

</informalexample>

190

265

</refsect1>

191

266

192

267

193

268

<title>SECURITY</title>

194

269

<para>

270

On its own, this program is very simple, and does not exactly

271

present any security risks. The one thing that could be

272

considered worthy of note is this: This program is meant to be

273

run by <citerefentry><refentrytitle

274

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

275

</citerefentry>, and will, when run standalone, outside, in a

276

normal environment, immediately output on its standard output

277

any presumably secret password it just received. Therefore,

278

when running this program standalone (which should never

279

normally be done), take care not to type in any real secret

280

password by force of habit, since it would then immediately be

281

shown as output.

282

</para>

283

<para>

284

To further alleviate any risk of being locked out of a system,

285

the <citerefentry><refentrytitle>plugin-runner</refentrytitle>

286

<manvolnum>8mandos</manvolnum></citerefentry> has a fallback

287

mode which does the same thing as this program, only with less

288

features.

195

289

</para>

196

290

</refsect1>

197

291

198

292

199

293

200

294

<para>

201

<citerefentry><refentrytitle>mandos</refentrytitle>

202

203

<refentrytitle>plugin-runner</refentrytitle>

204

<manvolnum>8mandos</manvolnum></citerefentry> and <citerefentry>

205

<refentrytitle>password-request</refentrytitle>

295

<citerefentry><refentrytitle>crypttab</refentrytitle>

296

297

<citerefentry><refentrytitle>mandos-client</refentrytitle>

206

298

<manvolnum>8mandos</manvolnum></citerefentry>

299

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

300

<manvolnum>8mandos</manvolnum></citerefentry>,

207

301

</para>

208

</refsect1>

209

302

</refsect1>

210

303

</refentry>

304

305

306

307

308

Older »