1
<?xml version='1.0' encoding='UTF-8'?>
2
<?xml-stylesheet type="text/xsl"
3
href="http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl"?>
1
<?xml version="1.0" encoding="UTF-8"?>
4
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
5
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
6
<!ENTITY VERSION "1.0">
7
4
<!ENTITY COMMANDNAME "password-prompt">
5
<!ENTITY TIMESTAMP "2016-02-28">
6
<!ENTITY % common SYSTEM "../common.ent">
10
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
12
<title>&COMMANDNAME;</title>
13
<!-- NWalsh's docbook scripts use this to generate the footer: -->
14
<productname>&COMMANDNAME;</productname>
15
<productnumber>&VERSION;</productnumber>
12
<title>Mandos Manual</title>
13
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
14
<productname>Mandos</productname>
15
<productnumber>&version;</productnumber>
16
<date>&TIMESTAMP;</date>
18
19
<firstname>Björn</firstname>
19
20
<surname>Påhlsson</surname>
21
<email>belorn@fukt.bsnet.se</email>
22
<email>belorn@recompile.se</email>
25
26
<firstname>Teddy</firstname>
26
27
<surname>Hogeborn</surname>
28
<email>teddy@fukt.bsnet.se</email>
29
<email>teddy@recompile.se</email>
34
<holder>Teddy Hogeborn & Björn Påhlsson</holder>
43
<holder>Teddy Hogeborn</holder>
44
<holder>Björn Påhlsson</holder>
38
This manual page is free software: you can redistribute it
39
and/or modify it under the terms of the GNU General Public
40
License as published by the Free Software Foundation,
41
either version 3 of the License, or (at your option) any
46
This manual page is distributed in the hope that it will
47
be useful, but WITHOUT ANY WARRANTY; without even the
48
implied warranty of MERCHANTABILITY or FITNESS FOR A
49
PARTICULAR PURPOSE. See the GNU General Public License
54
You should have received a copy of the GNU General Public
55
License along with this program; If not, see
56
<ulink url="http://www.gnu.org/licenses/"/>.
46
<xi:include href="../legalnotice.xml"/>
62
50
<refentrytitle>&COMMANDNAME;</refentrytitle>
63
51
<manvolnum>8mandos</manvolnum>
67
55
<refname><command>&COMMANDNAME;</command></refname>
69
Passprompt for luks during boot sequence
56
<refpurpose>Prompt for a password and output it.</refpurpose>
75
61
<command>&COMMANDNAME;</command>
76
<arg choice='opt' rep='repeat'>OPTION</arg>
63
<arg choice="plain"><option>--prefix <replaceable
64
>PREFIX</replaceable></option></arg>
65
<arg choice="plain"><option>-p </option><replaceable
66
>PREFIX</replaceable></arg>
69
<arg choice="opt"><option>--debug</option></arg>
72
<command>&COMMANDNAME;</command>
74
<arg choice="plain"><option>--help</option></arg>
75
<arg choice="plain"><option>-?</option></arg>
79
<command>&COMMANDNAME;</command>
80
<arg choice="plain"><option>--usage</option></arg>
83
<command>&COMMANDNAME;</command>
85
<arg choice="plain"><option>--version</option></arg>
86
<arg choice="plain"><option>-V</option></arg>
80
91
<refsect1 id="description">
81
92
<title>DESCRIPTION</title>
83
<command>&COMMANDNAME;</command> is a terminal program that ask for
84
passwords during boot sequence. It is a plugin to
85
<firstterm>mandos</firstterm>, and is used as a fallback and
86
alternative to retriving passwords from a mandos server. During
87
boot sequence the user is prompted for the disk password, and
88
when a password is given it then gets forwarded to
89
<acronym>LUKS</acronym>.
94
<term><literal>-p</literal>, <literal>--prefix=<replaceable>PREFIX
95
</replaceable></literal></term>
98
Prefix used before the passprompt
104
<term><literal>--debug</literal></term>
113
<term><literal>-?</literal>, <literal>--help</literal></term>
122
<term><literal>--usage</literal></term>
125
Gives a short usage message
131
<term><literal>-V</literal>, <literal>--version</literal></term>
134
Prints the program version
94
All <command>&COMMANDNAME;</command> does is prompt for a
95
password and output any given password to standard output.
98
This program is not very useful on its own. This program is
99
really meant to run as a plugin in the <application
100
>Mandos</application> client-side system, where it is used as a
101
fallback and alternative to retrieving passwords from a
102
<application >Mandos</application> server.
105
This program is little more than a <citerefentry><refentrytitle
106
>getpass</refentrytitle><manvolnum>3</manvolnum></citerefentry>
107
wrapper, although actual use of that function is not guaranteed
112
<refsect1 id="options">
113
<title>OPTIONS</title>
115
This program is commonly not invoked from the command line; it
116
is normally started by the <application>Mandos</application>
117
plugin runner, see <citerefentry><refentrytitle
118
>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>
119
</citerefentry>. Any command line options this program accepts
120
are therefore normally provided by the plugin runner, and not
126
<term><option>--prefix=<replaceable
127
>PREFIX</replaceable></option></term>
129
<replaceable>PREFIX</replaceable></option></term>
132
Prefix string shown before the password prompt.
138
<term><option>--debug</option></term>
141
Enable debug mode. This will enable a lot of output to
142
standard error about what the program is doing. The
143
program will still perform all other functions normally.
149
<term><option>--help</option></term>
150
<term><option>-?</option></term>
153
Gives a help message about options and their meanings.
159
<term><option>--usage</option></term>
162
Gives a short usage message.
168
<term><option>--version</option></term>
169
<term><option>-V</option></term>
172
Prints the program version.
179
<refsect1 id="exit_status">
180
<title>EXIT STATUS</title>
182
If exit status is 0, the output from the program is the password
183
as it was read. Otherwise, if exit status is other than 0, the
184
program has encountered an error, and any output so far could be
185
corrupt and/or truncated, and should therefore be ignored.
189
<refsect1 id="environment">
190
<title>ENVIRONMENT</title>
193
<term><envar>CRYPTTAB_SOURCE</envar></term>
194
<term><envar>CRYPTTAB_NAME</envar></term>
197
If set, these environment variables will be assumed to
198
contain the source device name and the target device
199
mapper name, respectively, and will be shown as part of
203
These variables will normally be inherited from
204
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
205
<manvolnum>8mandos</manvolnum></citerefentry>, which will
206
normally have inherited them from
207
<filename>/scripts/local-top/cryptroot</filename> in the
208
initial <acronym>RAM</acronym> disk environment, which will
209
have set them from parsing kernel arguments and
210
<filename>/conf/conf.d/cryptroot</filename> (also in the
211
initial RAM disk environment), which in turn will have been
212
created when the initial RAM disk image was created by
214
>/usr/share/initramfs-tools/hooks/cryptroot</filename>, by
215
extracting the information of the root file system from
216
<filename >/etc/crypttab</filename>.
219
This behavior is meant to exactly mirror the behavior of
220
<command>askpass</command>, the default password prompter.
230
None are known at this time.
234
<refsect1 id="example">
235
<title>EXAMPLE</title>
237
Note that normally, command line options will not be given
238
directly, but via options for the Mandos <citerefentry
239
><refentrytitle>plugin-runner</refentrytitle>
240
<manvolnum>8mandos</manvolnum></citerefentry>.
244
Normal invocation needs no options:
247
<userinput>&COMMANDNAME;</userinput>
252
Show a prefix before the prompt; in this case, a host name.
253
It might be useful to be reminded of which host needs a
254
password, in case of <acronym>KVM</acronym> switches, etc.
258
<!-- do not wrap this line -->
259
<userinput>&COMMANDNAME; --prefix=host.example.org:</userinput>
268
<!-- do not wrap this line -->
269
<userinput>&COMMANDNAME; --debug</userinput>
274
<refsect1 id="security">
275
<title>SECURITY</title>
277
On its own, this program is very simple, and does not exactly
278
present any security risks. The one thing that could be
279
considered worthy of note is this: This program is meant to be
280
run by <citerefentry><refentrytitle
281
>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>
282
</citerefentry>, and will, when run standalone, outside, in a
283
normal environment, immediately output on its standard output
284
any presumably secret password it just received. Therefore,
285
when running this program standalone (which should never
286
normally be done), take care not to type in any real secret
287
password by force of habit, since it would then immediately be
291
To further alleviate any risk of being locked out of a system,
292
the <citerefentry><refentrytitle>plugin-runner</refentrytitle>
293
<manvolnum>8mandos</manvolnum></citerefentry> has a fallback
294
mode which does the same thing as this program, only with less
299
<refsect1 id="see_also">
300
<title>SEE ALSO</title>
302
<citerefentry><refentrytitle>intro</refentrytitle>
303
<manvolnum>8mandos</manvolnum></citerefentry>
304
<citerefentry><refentrytitle>crypttab</refentrytitle>
305
<manvolnum>5</manvolnum></citerefentry>
306
<citerefentry><refentrytitle>mandos-client</refentrytitle>
307
<manvolnum>8mandos</manvolnum></citerefentry>
308
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
309
<manvolnum>8mandos</manvolnum></citerefentry>,
313
<!-- Local Variables: -->
314
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
315
<!-- time-stamp-end: "[\"']>" -->
316
<!-- time-stamp-format: "%:y-%02m-%02d" -->