/mandos/trunk : revision 781

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/password-prompt.xml

Committer: Teddy Hogeborn
Date: 2015-08-02 16:45:29 UTC
Revision ID: teddy@recompile.se-20150802164529-pemtk1agiqluoiua

Deprecate some D-Bus methods in favor of D-Bus properties.

The following D-Bus methods on the interface
"se.recompile.Mandos.Client" are redundant, and are therefore
deprecated:  "Disable", "Enable", "StartChecker", and "StopChecker".
Instead, the D-Bus properties "Enabled" and "CheckerRunning" should be
set, as was always also possible.

* DBUS-API (se.recompile.Mandos.Client.Disable): Remove; deprecated.
  (se.recompile.Mandos.Client.Enable): - '' -
  (se.recompile.Mandos.Client.StartChecker): - '' -
  (se.recompile.Mandos.Client.StopChecker): - '' -
* mandos (ClientDBus.Enable): Annotate as deprecated.
  (ClientDBus.StartChecker): - '' -
  (ClientDBus.Disable): - '' -
  (ClientDBus.StopChecker): - '' -
* mandos-monitor (MandosClientWidget.keypress): Set properties instead
                                                of calling deprecated
                                                methods.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

overview.xml

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
network-protocol.txt

files renamed:
clients.conf.xml => mandos-clients.conf.xml

mandos-client.c => plugin-runner.c

mandos-client.xml => plugin-runner.xml

plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
Makefile

TODO

clients.conf

mandos

mandos.conf

mandos.conf.xml

mandos.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugins.d/password-prompt.xml

<?xml version='1.0' encoding='UTF-8'?>

<?xml-stylesheet type="text/xsl"

href="http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl"?>

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "password-prompt">

<!ENTITY TIMESTAMP "2015-07-20">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<title>&COMMANDNAME;</title>

<productname>&COMMANDNAME;</productname>

<productnumber>&VERSION;</productnumber>

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn & Björn Påhlsson</holder>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<para>

This manual page is free software: you can redistribute it

and/or modify it under the terms of the GNU General Public

License as published by the Free Software Foundation,

either version 3 of the License, or (at your option) any

later version.

</para>

<para>

This manual page is distributed in the hope that it will

be useful, but WITHOUT ANY WARRANTY; without even the

implied warranty of MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE. See the GNU General Public License

for more details.

</para>

<para>

You should have received a copy of the GNU General Public

License along with this program; If not, see

<ulink url="http://www.gnu.org/licenses/"/>.

</para>

</legalnotice>

<xi:include href="../legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

<refname><command>&COMMANDNAME;</command></refname>

Passprompt for luks during boot sequence

</refpurpose>

<refpurpose>Prompt for a password and output it.</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<arg choice='opt' rep='repeat'>OPTION</arg>

<arg choice="plain"><option>--prefix <replaceable

>PREFIX</replaceable></option></arg>

<arg choice="plain"><option>-p </option><replaceable

>PREFIX</replaceable></arg>

</group>

<sbr/>

<arg choice="opt"><option>--debug</option></arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

</group>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--usage</option></arg>

</cmdsynopsis>

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--version</option></arg>

</group>

</cmdsynopsis>

</refsynopsisdiv>

<title>DESCRIPTION</title>

<para>

<command>&COMMANDNAME;</command> is a terminal program that ask for

passwords during boot sequence. It is a plugin to

<firstterm>mandos</firstterm>, and is used as a fallback and

alternative to retriving passwords from a mandos server. During

boot sequence the user is prompted for the disk password, and

when a password is given it then gets forwarded to

<acronym>LUKS</acronym>.

</para>

<term><literal>-p</literal>, <literal>--prefix=<replaceable>PREFIX

</replaceable></literal></term>

<para>

Prefix used before the passprompt

</para>

100

</listitem>

101

</varlistentry>

102

103

104

<term><literal>--debug</literal></term>

105

106

<para>

107

Debug mode

108

</para>

109

</listitem>

110

</varlistentry>

111

112

113

114

115

<para>

116

Gives a help message

117

</para>

118

</listitem>

119

</varlistentry>

120

121

122

<term><literal>--usage</literal></term>

123

124

<para>

125

Gives a short usage message

126

</para>

127

</listitem>

128

</varlistentry>

129

130

131

<term><literal>-V</literal>, <literal>--version</literal></term>

132

133

<para>

134

Prints the program version

135

</para>

136

</listitem>

137

</varlistentry>

138

</variablelist>

All <command>&COMMANDNAME;</command> does is prompt for a

password and output any given password to standard output.

</para>

<para>

This program is not very useful on its own. This program is

really meant to run as a plugin in the <application

>Mandos</application> client-side system, where it is used as a

100

fallback and alternative to retrieving passwords from a

101

<application >Mandos</application> server.

102

</para>

103

<para>

104

This program is little more than a <citerefentry><refentrytitle

105

>getpass</refentrytitle><manvolnum>3</manvolnum></citerefentry>

106

wrapper, although actual use of that function is not guaranteed

107

or implied.

108

</para>

109

</refsect1>

110

111

112

<title>OPTIONS</title>

113

<para>

114

This program is commonly not invoked from the command line; it

115

is normally started by the <application>Mandos</application>

116

plugin runner, see <citerefentry><refentrytitle

117

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

118

</citerefentry>. Any command line options this program accepts

119

are therefore normally provided by the plugin runner, and not

120

directly.

121

</para>

122

123

124

125

<term><option>--prefix=<replaceable

126

>PREFIX</replaceable></option></term>

127

<term><option>-p

128

<replaceable>PREFIX</replaceable></option></term>

129

130

<para>

131

Prefix string shown before the password prompt.

132

</para>

133

</listitem>

134

</varlistentry>

135

136

137

<term><option>--debug</option></term>

138

139

<para>

140

Enable debug mode. This will enable a lot of output to

141

standard error about what the program is doing. The

142

program will still perform all other functions normally.

143

</para>

144

</listitem>

145

</varlistentry>

146

147

148

149

150

151

<para>

152

Gives a help message about options and their meanings.

153

</para>

154

</listitem>

155

</varlistentry>

156

157

158

<term><option>--usage</option></term>

159

160

<para>

161

Gives a short usage message.

162

</para>

163

</listitem>

164

</varlistentry>

165

166

167

<term><option>--version</option></term>

168

169

170

<para>

171

Prints the program version.

172

</para>

173

</listitem>

174

</varlistentry>

175

</variablelist>

176

</refsect1>

177

178

179

<title>EXIT STATUS</title>

180

<para>

181

If exit status is 0, the output from the program is the password

182

as it was read. Otherwise, if exit status is other than 0, the

183

program has encountered an error, and any output so far could be

184

corrupt and/or truncated, and should therefore be ignored.

185

</para>

186

</refsect1>

187

188

189

<title>ENVIRONMENT</title>

190

191

192

<term><envar>CRYPTTAB_SOURCE</envar></term>

193

<term><envar>CRYPTTAB_NAME</envar></term>

194

195

<para>

196

If set, these environment variables will be assumed to

197

contain the source device name and the target device

198

mapper name, respectively, and will be shown as part of

199

the prompt.

200

</para>

201

<para>

202

These variables will normally be inherited from

203

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

204

<manvolnum>8mandos</manvolnum></citerefentry>, which will

205

normally have inherited them from

206

<filename>/scripts/local-top/cryptroot</filename> in the

207

initial <acronym>RAM</acronym> disk environment, which will

208

have set them from parsing kernel arguments and

209

<filename>/conf/conf.d/cryptroot</filename> (also in the

210

initial RAM disk environment), which in turn will have been

211

created when the initial RAM disk image was created by

212

<filename

213

>/usr/share/initramfs-tools/hooks/cryptroot</filename>, by

214

extracting the information of the root file system from

215

<filename >/etc/crypttab</filename>.

216

</para>

217

<para>

218

This behavior is meant to exactly mirror the behavior of

219

<command>askpass</command>, the default password prompter.

220

</para>

221

</listitem>

222

</varlistentry>

223

</variablelist>

224

</refsect1>

225

226

227

228

<para>

229

None are known at this time.

230

</para>

231

</refsect1>

232

233

234

<title>EXAMPLE</title>

235

<para>

236

Note that normally, command line options will not be given

237

directly, but via options for the Mandos <citerefentry

238

><refentrytitle>plugin-runner</refentrytitle>

239

<manvolnum>8mandos</manvolnum></citerefentry>.

240

</para>

241

242

<para>

243

Normal invocation needs no options:

244

</para>

245

<para>

246

<userinput>&COMMANDNAME;</userinput>

247

</para>

248

</informalexample>

249

250

<para>

251

Show a prefix before the prompt; in this case, a host name.

252

It might be useful to be reminded of which host needs a

253

password, in case of <acronym>KVM</acronym> switches, etc.

254

</para>

255

<para>

256

257

258

<userinput>&COMMANDNAME; --prefix=host.example.org:</userinput>

259

260

</para>

261

</informalexample>

262

263

<para>

264

Run in debug mode.

265

</para>

266

<para>

267

268

<userinput>&COMMANDNAME; --debug</userinput>

269

</para>

270

</informalexample>

271

</refsect1>

272

273

274

<title>SECURITY</title>

275

<para>

276

On its own, this program is very simple, and does not exactly

277

present any security risks. The one thing that could be

278

considered worthy of note is this: This program is meant to be

279

run by <citerefentry><refentrytitle

280

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

281

</citerefentry>, and will, when run standalone, outside, in a

282

normal environment, immediately output on its standard output

283

any presumably secret password it just received. Therefore,

284

when running this program standalone (which should never

285

normally be done), take care not to type in any real secret

286

password by force of habit, since it would then immediately be

287

shown as output.

288

</para>

289

<para>

290

To further alleviate any risk of being locked out of a system,

291

the <citerefentry><refentrytitle>plugin-runner</refentrytitle>

292

<manvolnum>8mandos</manvolnum></citerefentry> has a fallback

293

mode which does the same thing as this program, only with less

294

features.

295

</para>

296

</refsect1>

297

298

299

300

<para>

301

<citerefentry><refentrytitle>intro</refentrytitle>

302

<manvolnum>8mandos</manvolnum></citerefentry>

303

<citerefentry><refentrytitle>crypttab</refentrytitle>

304

305

<citerefentry><refentrytitle>mandos-client</refentrytitle>

306

<manvolnum>8mandos</manvolnum></citerefentry>

307

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

308

<manvolnum>8mandos</manvolnum></citerefentry>,

309

</para>

139

310

</refsect1>

140

311

</refentry>

312

313

314

315

316

Older »