1
<?xml version="1.0" encoding="UTF-8"?>
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
<!ENTITY COMMANDNAME "password-prompt">
5
<!ENTITY TIMESTAMP "2015-07-20">
6
<!ENTITY % common SYSTEM "../common.ent">
10
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
12
<title>Mandos Manual</title>
13
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
14
<productname>Mandos</productname>
15
<productnumber>&version;</productnumber>
16
<date>&TIMESTAMP;</date>
19
<firstname>Björn</firstname>
20
<surname>Påhlsson</surname>
22
<email>belorn@recompile.se</email>
26
<firstname>Teddy</firstname>
27
<surname>Hogeborn</surname>
29
<email>teddy@recompile.se</email>
42
<holder>Teddy Hogeborn</holder>
43
<holder>Björn Påhlsson</holder>
45
<xi:include href="../legalnotice.xml"/>
49
<refentrytitle>&COMMANDNAME;</refentrytitle>
50
<manvolnum>8mandos</manvolnum>
54
<refname><command>&COMMANDNAME;</command></refname>
55
<refpurpose>Prompt for a password and output it.</refpurpose>
60
<command>&COMMANDNAME;</command>
62
<arg choice="plain"><option>--prefix <replaceable
63
>PREFIX</replaceable></option></arg>
64
<arg choice="plain"><option>-p </option><replaceable
65
>PREFIX</replaceable></arg>
68
<arg choice="opt"><option>--debug</option></arg>
71
<command>&COMMANDNAME;</command>
73
<arg choice="plain"><option>--help</option></arg>
74
<arg choice="plain"><option>-?</option></arg>
78
<command>&COMMANDNAME;</command>
79
<arg choice="plain"><option>--usage</option></arg>
82
<command>&COMMANDNAME;</command>
84
<arg choice="plain"><option>--version</option></arg>
85
<arg choice="plain"><option>-V</option></arg>
90
<refsect1 id="description">
91
<title>DESCRIPTION</title>
93
All <command>&COMMANDNAME;</command> does is prompt for a
94
password and output any given password to standard output.
97
This program is not very useful on its own. This program is
98
really meant to run as a plugin in the <application
99
>Mandos</application> client-side system, where it is used as a
100
fallback and alternative to retrieving passwords from a
101
<application >Mandos</application> server.
104
This program is little more than a <citerefentry><refentrytitle
105
>getpass</refentrytitle><manvolnum>3</manvolnum></citerefentry>
106
wrapper, although actual use of that function is not guaranteed
111
<refsect1 id="options">
112
<title>OPTIONS</title>
114
This program is commonly not invoked from the command line; it
115
is normally started by the <application>Mandos</application>
116
plugin runner, see <citerefentry><refentrytitle
117
>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>
118
</citerefentry>. Any command line options this program accepts
119
are therefore normally provided by the plugin runner, and not
125
<term><option>--prefix=<replaceable
126
>PREFIX</replaceable></option></term>
128
<replaceable>PREFIX</replaceable></option></term>
131
Prefix string shown before the password prompt.
137
<term><option>--debug</option></term>
140
Enable debug mode. This will enable a lot of output to
141
standard error about what the program is doing. The
142
program will still perform all other functions normally.
148
<term><option>--help</option></term>
149
<term><option>-?</option></term>
152
Gives a help message about options and their meanings.
158
<term><option>--usage</option></term>
161
Gives a short usage message.
167
<term><option>--version</option></term>
168
<term><option>-V</option></term>
171
Prints the program version.
178
<refsect1 id="exit_status">
179
<title>EXIT STATUS</title>
181
If exit status is 0, the output from the program is the password
182
as it was read. Otherwise, if exit status is other than 0, the
183
program has encountered an error, and any output so far could be
184
corrupt and/or truncated, and should therefore be ignored.
188
<refsect1 id="environment">
189
<title>ENVIRONMENT</title>
192
<term><envar>CRYPTTAB_SOURCE</envar></term>
193
<term><envar>CRYPTTAB_NAME</envar></term>
196
If set, these environment variables will be assumed to
197
contain the source device name and the target device
198
mapper name, respectively, and will be shown as part of
202
These variables will normally be inherited from
203
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
204
<manvolnum>8mandos</manvolnum></citerefentry>, which will
205
normally have inherited them from
206
<filename>/scripts/local-top/cryptroot</filename> in the
207
initial <acronym>RAM</acronym> disk environment, which will
208
have set them from parsing kernel arguments and
209
<filename>/conf/conf.d/cryptroot</filename> (also in the
210
initial RAM disk environment), which in turn will have been
211
created when the initial RAM disk image was created by
213
>/usr/share/initramfs-tools/hooks/cryptroot</filename>, by
214
extracting the information of the root file system from
215
<filename >/etc/crypttab</filename>.
218
This behavior is meant to exactly mirror the behavior of
219
<command>askpass</command>, the default password prompter.
229
None are known at this time.
233
<refsect1 id="example">
234
<title>EXAMPLE</title>
236
Note that normally, command line options will not be given
237
directly, but via options for the Mandos <citerefentry
238
><refentrytitle>plugin-runner</refentrytitle>
239
<manvolnum>8mandos</manvolnum></citerefentry>.
243
Normal invocation needs no options:
246
<userinput>&COMMANDNAME;</userinput>
251
Show a prefix before the prompt; in this case, a host name.
252
It might be useful to be reminded of which host needs a
253
password, in case of <acronym>KVM</acronym> switches, etc.
257
<!-- do not wrap this line -->
258
<userinput>&COMMANDNAME; --prefix=host.example.org:</userinput>
267
<!-- do not wrap this line -->
268
<userinput>&COMMANDNAME; --debug</userinput>
273
<refsect1 id="security">
274
<title>SECURITY</title>
276
On its own, this program is very simple, and does not exactly
277
present any security risks. The one thing that could be
278
considered worthy of note is this: This program is meant to be
279
run by <citerefentry><refentrytitle
280
>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>
281
</citerefentry>, and will, when run standalone, outside, in a
282
normal environment, immediately output on its standard output
283
any presumably secret password it just received. Therefore,
284
when running this program standalone (which should never
285
normally be done), take care not to type in any real secret
286
password by force of habit, since it would then immediately be
290
To further alleviate any risk of being locked out of a system,
291
the <citerefentry><refentrytitle>plugin-runner</refentrytitle>
292
<manvolnum>8mandos</manvolnum></citerefentry> has a fallback
293
mode which does the same thing as this program, only with less
298
<refsect1 id="see_also">
299
<title>SEE ALSO</title>
301
<citerefentry><refentrytitle>intro</refentrytitle>
302
<manvolnum>8mandos</manvolnum></citerefentry>
303
<citerefentry><refentrytitle>crypttab</refentrytitle>
304
<manvolnum>5</manvolnum></citerefentry>
305
<citerefentry><refentrytitle>mandos-client</refentrytitle>
306
<manvolnum>8mandos</manvolnum></citerefentry>
307
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
308
<manvolnum>8mandos</manvolnum></citerefentry>,
312
<!-- Local Variables: -->
313
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
314
<!-- time-stamp-end: "[\"']>" -->
315
<!-- time-stamp-format: "%:y-%02m-%02d" -->