1
<?xml version='1.0' encoding='UTF-8'?>
2
<?xml-stylesheet type="text/xsl"
3
href="http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl"?>
1
<?xml version="1.0" encoding="UTF-8"?>
4
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
5
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
6
<!ENTITY VERSION "1.0">
7
4
<!ENTITY COMMANDNAME "password-prompt">
5
<!ENTITY TIMESTAMP "2018-02-08">
6
<!ENTITY % common SYSTEM "../common.ent">
10
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
12
<title>&COMMANDNAME;</title>
13
<!-- NWalsh's docbook scripts use this to generate the footer: -->
14
<productname>&COMMANDNAME;</productname>
15
<productnumber>&VERSION;</productnumber>
12
<title>Mandos Manual</title>
13
<!-- NWalsh’s docbook scripts use this to generate the footer: -->
14
<productname>Mandos</productname>
15
<productnumber>&version;</productnumber>
16
<date>&TIMESTAMP;</date>
18
19
<firstname>Björn</firstname>
19
20
<surname>Påhlsson</surname>
21
<email>belorn@fukt.bsnet.se</email>
22
<email>belorn@recompile.se</email>
25
26
<firstname>Teddy</firstname>
26
27
<surname>Hogeborn</surname>
28
<email>teddy@fukt.bsnet.se</email>
29
<email>teddy@recompile.se</email>
34
<holder>Teddy Hogeborn & Björn Påhlsson</holder>
45
<holder>Teddy Hogeborn</holder>
46
<holder>Björn Påhlsson</holder>
38
This manual page is free software: you can redistribute it
39
and/or modify it under the terms of the GNU General Public
40
License as published by the Free Software Foundation,
41
either version 3 of the License, or (at your option) any
46
This manual page is distributed in the hope that it will
47
be useful, but WITHOUT ANY WARRANTY; without even the
48
implied warranty of MERCHANTABILITY or FITNESS FOR A
49
PARTICULAR PURPOSE. See the GNU General Public License
54
You should have received a copy of the GNU General Public
55
License along with this program; If not, see
56
<ulink url="http://www.gnu.org/licenses/"/>.
48
<xi:include href="../legalnotice.xml"/>
62
52
<refentrytitle>&COMMANDNAME;</refentrytitle>
63
53
<manvolnum>8mandos</manvolnum>
67
57
<refname><command>&COMMANDNAME;</command></refname>
69
Passprompt for luks during boot sequence
58
<refpurpose>Prompt for a password and output it.</refpurpose>
75
63
<command>&COMMANDNAME;</command>
76
<arg choice='opt' rep='repeat'>OPTION</arg>
65
<arg choice="plain"><option>--prefix <replaceable
66
>PREFIX</replaceable></option></arg>
67
<arg choice="plain"><option>-p </option><replaceable
68
>PREFIX</replaceable></arg>
71
<arg choice="opt"><option>--debug</option></arg>
74
<command>&COMMANDNAME;</command>
76
<arg choice="plain"><option>--help</option></arg>
77
<arg choice="plain"><option>-?</option></arg>
81
<command>&COMMANDNAME;</command>
82
<arg choice="plain"><option>--usage</option></arg>
85
<command>&COMMANDNAME;</command>
87
<arg choice="plain"><option>--version</option></arg>
88
<arg choice="plain"><option>-V</option></arg>
80
93
<refsect1 id="description">
81
94
<title>DESCRIPTION</title>
83
<command>&COMMANDNAME;</command> is a terminal program that ask for
84
passwords during boot sequence. It is a plugin to
85
<firstterm>mandos</firstterm>, and is used as a fallback and
86
alternative to retriving passwords from a mandos server. During
87
boot sequence the user is prompted for the disk password, and
88
when a password is given it then gets forwarded to
89
<acronym>LUKS</acronym>.
94
<term><literal>-p</literal>, <literal>--prefix=<replaceable>PREFIX
95
</replaceable></literal></term>
98
Prefix used before the passprompt
104
<term><literal>--debug</literal></term>
113
<term><literal>-?</literal>, <literal>--help</literal></term>
122
<term><literal>--usage</literal></term>
125
Gives a short usage message
131
<term><literal>-V</literal>, <literal>--version</literal></term>
134
Prints the program version
96
All <command>&COMMANDNAME;</command> does is prompt for a
97
password and output any given password to standard output.
100
This program is not very useful on its own. This program is
101
really meant to run as a plugin in the <application
102
>Mandos</application> client-side system, where it is used as a
103
fallback and alternative to retrieving passwords from a
104
<application >Mandos</application> server.
107
This program is little more than a <citerefentry><refentrytitle
108
>getpass</refentrytitle><manvolnum>3</manvolnum></citerefentry>
109
wrapper, although actual use of that function is not guaranteed
114
<refsect1 id="options">
115
<title>OPTIONS</title>
117
This program is commonly not invoked from the command line; it
118
is normally started by the <application>Mandos</application>
119
plugin runner, see <citerefentry><refentrytitle
120
>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>
121
</citerefentry>. Any command line options this program accepts
122
are therefore normally provided by the plugin runner, and not
128
<term><option>--prefix=<replaceable
129
>PREFIX</replaceable></option></term>
131
<replaceable>PREFIX</replaceable></option></term>
134
Prefix string shown before the password prompt.
140
<term><option>--debug</option></term>
143
Enable debug mode. This will enable a lot of output to
144
standard error about what the program is doing. The
145
program will still perform all other functions normally.
151
<term><option>--help</option></term>
152
<term><option>-?</option></term>
155
Gives a help message about options and their meanings.
161
<term><option>--usage</option></term>
164
Gives a short usage message.
170
<term><option>--version</option></term>
171
<term><option>-V</option></term>
174
Prints the program version.
181
<refsect1 id="exit_status">
182
<title>EXIT STATUS</title>
184
If exit status is 0, the output from the program is the password
185
as it was read. Otherwise, if exit status is other than 0, the
186
program has encountered an error, and any output so far could be
187
corrupt and/or truncated, and should therefore be ignored.
191
<refsect1 id="environment">
192
<title>ENVIRONMENT</title>
195
<term><envar>CRYPTTAB_SOURCE</envar></term>
196
<term><envar>CRYPTTAB_NAME</envar></term>
199
If set, these environment variables will be assumed to
200
contain the source device name and the target device
201
mapper name, respectively, and will be shown as part of
205
These variables will normally be inherited from
206
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
207
<manvolnum>8mandos</manvolnum></citerefentry>, which will
208
normally have inherited them from
209
<filename>/scripts/local-top/cryptroot</filename> in the
210
initial <acronym>RAM</acronym> disk environment, which will
211
have set them from parsing kernel arguments and
212
<filename>/conf/conf.d/cryptroot</filename> (also in the
213
initial RAM disk environment), which in turn will have been
214
created when the initial RAM disk image was created by
216
>/usr/share/initramfs-tools/hooks/cryptroot</filename>, by
217
extracting the information of the root file system from
218
<filename >/etc/crypttab</filename>.
221
This behavior is meant to exactly mirror the behavior of
222
<command>askpass</command>, the default password prompter.
231
<xi:include href="../bugs.xml"/>
234
<refsect1 id="example">
235
<title>EXAMPLE</title>
237
Note that normally, command line options will not be given
238
directly, but via options for the Mandos <citerefentry
239
><refentrytitle>plugin-runner</refentrytitle>
240
<manvolnum>8mandos</manvolnum></citerefentry>.
244
Normal invocation needs no options:
247
<userinput>&COMMANDNAME;</userinput>
252
Show a prefix before the prompt; in this case, a host name.
253
It might be useful to be reminded of which host needs a
254
password, in case of <acronym>KVM</acronym> switches, etc.
258
<!-- do not wrap this line -->
259
<userinput>&COMMANDNAME; --prefix=host.example.org:</userinput>
268
<!-- do not wrap this line -->
269
<userinput>&COMMANDNAME; --debug</userinput>
274
<refsect1 id="security">
275
<title>SECURITY</title>
277
On its own, this program is very simple, and does not exactly
278
present any security risks. The one thing that could be
279
considered worthy of note is this: This program is meant to be
280
run by <citerefentry><refentrytitle
281
>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>
282
</citerefentry>, and will, when run standalone, outside, in a
283
normal environment, immediately output on its standard output
284
any presumably secret password it just received. Therefore,
285
when running this program standalone (which should never
286
normally be done), take care not to type in any real secret
287
password by force of habit, since it would then immediately be
291
To further alleviate any risk of being locked out of a system,
292
the <citerefentry><refentrytitle>plugin-runner</refentrytitle>
293
<manvolnum>8mandos</manvolnum></citerefentry> has a fallback
294
mode which does the same thing as this program, only with less
299
<refsect1 id="see_also">
300
<title>SEE ALSO</title>
302
<citerefentry><refentrytitle>intro</refentrytitle>
303
<manvolnum>8mandos</manvolnum></citerefentry>
304
<citerefentry><refentrytitle>crypttab</refentrytitle>
305
<manvolnum>5</manvolnum></citerefentry>
306
<citerefentry><refentrytitle>mandos-client</refentrytitle>
307
<manvolnum>8mandos</manvolnum></citerefentry>
308
<citerefentry><refentrytitle>plugin-runner</refentrytitle>
309
<manvolnum>8mandos</manvolnum></citerefentry>,
313
<!-- Local Variables: -->
314
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
315
<!-- time-stamp-end: "[\"']>" -->
316
<!-- time-stamp-format: "%:y-%02m-%02d" -->
added
removed
plugins.d/password-prompt.xml
