/mandos/trunk : revision 24.1.69

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/password-prompt.xml

Committer: Björn Påhlsson
Date: 2008-08-25 07:53:43 UTC
mto: (24.1.154 mandos) (237.4.3 mandos-release)
mto: This revision was merged to the branch mainline in revision 107.
Revision ID: belorn@braxen-20080825075343-a7gsy6mkam9t1up9

added configfile as a optional argument to plugin-runner

Show diffs side-by-side

added added

removed removed

plugins.d/password-prompt.xml

<?xml version="1.0" encoding="UTF-8"?>

<?xml version='1.0' encoding='UTF-8'?>

<?xml-stylesheet type="text/xsl"

href="http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "password-prompt">

<!ENTITY TIMESTAMP "2008-09-04">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<title>&COMMANDNAME;</title>

<productname>&COMMANDNAME;</productname>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

<holder>Teddy Hogeborn & Björn Påhlsson</holder>

</copyright>

<xi:include href="../legalnotice.xml"/>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

<refname><command>&COMMANDNAME;</command></refname>

<refpurpose>Prompt for a password and output it.</refpurpose>

Passprompt for luks during boot sequence

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--prefix <replaceable

>PREFIX</replaceable></option></arg>

<arg choice="plain"><option>-p </option><replaceable

>PREFIX</replaceable></arg>

</group>

<sbr/>

<arg choice="opt"><option>--debug</option></arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

</group>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--usage</option></arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--version</option></arg>

</group>

</cmdsynopsis>

<arg choice='opt'>--prefix<arg choice='plain'>PREFIX</arg></arg>

<arg choice='opt'>--debug</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg choice='plain'>--usage</arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg choice='plain'>--version</arg>

</cmdsynopsis>

</refsynopsisdiv>

<title>DESCRIPTION</title>

<para>

All <command>&COMMANDNAME;</command> does is prompt for a

password and output any given password to standard output. This

is not very useful on its own. This program is really meant to

run as a plugin in the <application>Mandos</application>

client-side system, where it is used as a fallback and

alternative to retrieving passwords from a <application

>Mandos</application> server.

</para>

<para>

This program is little more than a <citerefentry><refentrytitle

>getpass</refentrytitle><manvolnum>3</manvolnum></citerefentry>

wrapper, although actual use of that function is not guaranteed

or implied.

<command>&COMMANDNAME;</command> is a terminal program that ask for

passwords during boot sequence. It is a plugin to

<firstterm>mandos</firstterm>, and is used as a fallback and

alternative to retriving passwords from a mandos server. During

100

boot sequence the user is prompted for the disk password, and

101

when a password is given it then gets forwarded to

102

<acronym>LUKS</acronym>.

103

</para>

104

</refsect1>

100

105

101

106

102

107

<title>OPTIONS</title>

103

108

<para>

104

This program is commonly not invoked from the command line; it

105

is normally started by the <application>Mandos</application>

106

plugin runner, see <citerefentry><refentrytitle

107

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

108

</citerefentry>. Any command line options this program accepts

109

are therefore normally provided by the plugin runner, and not

110

directly.

109

Commonly not invoked as command lines but from configuration

110

file of plugin runner.

111

</para>

112

113

114

115

<term><option>--prefix=<replaceable

116

>PREFIX</replaceable></option></term>

117

<term><option>-p

118

<replaceable>PREFIX</replaceable></option></term>

119

120

<para>

121

Prefix string shown before the password prompt.

122

</para>

123

</listitem>

124

</varlistentry>

125

126

127

<term><option>--debug</option></term>

128

129

<para>

130

Enable debug mode. This will enable a lot of output to

131

standard error about what the program is doing. The

132

program will still perform all other functions normally.

133

</para>

134

</listitem>

135

</varlistentry>

136

137

138

139

140

141

<para>

142

Gives a help message about options and their meanings.

143

</para>

144

</listitem>

145

</varlistentry>

146

147

148

<term><option>--usage</option></term>

149

150

<para>

151

Gives a short usage message.

152

</para>

153

</listitem>

154

</varlistentry>

155

156

157

<term><option>--version</option></term>

158

159

160

<para>

161

Prints the program version.

162

</para>

163

</listitem>

164

</varlistentry>

115

<term><literal>-p</literal>, <literal>--prefix=<replaceable>PREFIX

116

</replaceable></literal></term>

117

118

<para>

119

Prefix used before the passprompt

120

</para>

121

</listitem>

122

</varlistentry>

123

124

125

<term><literal>--debug</literal></term>

126

127

<para>

128

Debug mode

129

</para>

130

</listitem>

131

</varlistentry>

132

133

134

135

136

<para>

137

Gives a help message

138

</para>

139

</listitem>

140

</varlistentry>

141

142

143

<term><literal>--usage</literal></term>

144

145

<para>

146

Gives a short usage message

147

</para>

148

</listitem>

149

</varlistentry>

150

151

152

<term><literal>-V</literal>, <literal>--version</literal></term>

153

154

<para>

155

Prints the program version

156

</para>

157

</listitem>

158

</varlistentry>

165

159

</variablelist>

166

160

</refsect1>

167

161

168

162

169

163

<title>EXIT STATUS</title>

170

164

<para>

171

If exit status is 0, the output from the program is the password

172

as it was read. Otherwise, if exit status is other than 0, the

173

program has encountered an error, and any output so far could be

174

corrupt and/or truncated, and should therefore be ignored.

175

165

</para>

176

166

</refsect1>

177

167

178

168

179

169

<title>ENVIRONMENT</title>

180

181

182

<term><envar>cryptsource</envar></term>

183

<term><envar>crypttarget</envar></term>

184

185

<para>

186

If set, these environment variables will be assumed to

187

contain the source device name and the target device

188

mapper name, respectively, and will be shown as part of

189

the prompt.

190

</para>

191

<para>

192

These variables will normally be inherited from

193

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

194

<manvolnum>8mandos</manvolnum></citerefentry>, which will

195

normally have inherited them from

196

<filename>/scripts/local-top/cryptroot</filename> in the

197

initial <acronym>RAM</acronym> disk environment, which will

198

have set them from parsing kernel arguments and

199

<filename>/conf/conf.d/cryptroot</filename> (also in the

200

initial RAM disk environment), which in turn will have been

201

created when the initial RAM disk image was created by

202

<filename

203

>/usr/share/initramfs-tools/hooks/cryptroot</filename>, by

204

extracting the information of the root file system from

205

<filename >/etc/crypttab</filename>.

206

</para>

207

<para>

208

This behavior is meant to exactly mirror the behavior of

209

<command>askpass</command>, the default password prompter.

210

</para>

211

</listitem>

212

</varlistentry>

213

</variablelist>

170

<para>

171

</para>

172

</refsect1>

173

174

175

<title>FILES</title>

176

<para>

177

</para>

214

178

</refsect1>

215

179

216

180

217

181

218

182

<para>

219

None are known at this time.

220

183

</para>

221

</refsect1>

222

184

</refsect1>

185

223

186

224

187

<title>EXAMPLE</title>

225

188

<para>

226

Note that normally, command line options will not be given

227

directly, but via options for the Mandos <citerefentry

228

><refentrytitle>plugin-runner</refentrytitle>

229

<manvolnum>8mandos</manvolnum></citerefentry>.

230

189

</para>

231

232

<para>

233

Normal invocation needs no options:

234

</para>

235

<para>

236

<userinput>&COMMANDNAME;</userinput>

237

</para>

238

</informalexample>

239

240

<para>

241

Show a prefix before the prompt; in this case, a host name.

242

It might be useful to be reminded of which host needs a

243

password, in case of <acronym>KVM</acronym> switches, etc.

244

</para>

245

<para>

246

247

248

<userinput>&COMMANDNAME; --prefix=host.example.org:</userinput>

249

250

</para>

251

</informalexample>

252

253

<para>

254

Run in debug mode.

255

</para>

256

<para>

257

258

<userinput>&COMMANDNAME; --debug</userinput>

259

</para>

260

</informalexample>

261

190

</refsect1>

262

191

263

192

264

193

<title>SECURITY</title>

265

194

<para>

266

On its own, this program is very simple, and does not exactly

267

present any security risks. The one thing that could be

268

considered worthy of note is this: This program is meant to be

269

run by <citerefentry><refentrytitle

270

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

271

</citerefentry>, and will, when run standalone, outside, in a

272

normal environment, immediately output on its standard output

273

any presumably secret password it just received. Therefore,

274

when running this program standalone (which should never

275

normally be done), take care not to type in any real secret

276

password by force of habit, since it would then immediately be

277

shown as output.

278

</para>

279

<para>

280

To further alleviate any risk of being locked out of a system,

281

the <citerefentry><refentrytitle>plugin-runner</refentrytitle>

282

<manvolnum>8mandos</manvolnum></citerefentry> has a fallback

283

mode which does the same thing as this program, only with less

284

features.

285

195

</para>

286

196

</refsect1>

287

197

288

198

289

199

290

200

<para>

291

<citerefentry><refentrytitle>crypttab</refentrytitle>

292

293

<citerefentry><refentrytitle>password-request</refentrytitle>

201

<citerefentry><refentrytitle>mandos</refentrytitle>

202

203

<refentrytitle>plugin-runner</refentrytitle>

204

<manvolnum>8mandos</manvolnum></citerefentry> and <citerefentry>

205

<refentrytitle>password-request</refentrytitle>

294

206

<manvolnum>8mandos</manvolnum></citerefentry>

295

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

296

<manvolnum>8mandos</manvolnum></citerefentry>,

297

207

</para>

298

</refsect1>

208

</refsect1>

209

299

210

</refentry>

300

301

302

303

304

Older »