[thirdparty/systemd.git] / man / systemd-ask-password.xml

<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">

<!--
  SPDX-License-Identifier: LGPL-2.1+

  Copyright 2011 Lennart Poettering
-->

<refentry id="systemd-ask-password"
    xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>systemd-ask-password</title>
    <productname>systemd</productname>

    <authorgroup>
      <author>
        <contrib>Developer</contrib>
        <firstname>Lennart</firstname>
        <surname>Poettering</surname>
        <email>lennart@poettering.net</email>
      </author>
    </authorgroup>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd-ask-password</refentrytitle>
    <manvolnum>1</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd-ask-password</refname>
    <refpurpose>Query the user for a system password</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>systemd-ask-password <arg choice="opt" rep="repeat">OPTIONS</arg> <arg choice="opt">MESSAGE</arg></command>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>systemd-ask-password</command> may be used to query
    a system password or passphrase from the user, using a question
    message specified on the command line. When run from a TTY it will
    query a password on the TTY and print it to standard output. When
    run with no TTY or with <option>--no-tty</option> it will use the
    system-wide query mechanism, which allows active users to respond via
    several agents, listed below.</para>

    <para>The purpose of this tool is to query system-wide passwords
    — that is passwords not attached to a specific user account.
    Examples include: unlocking encrypted hard disks when they are
    plugged in or at boot, entering an SSL certificate passphrase for
    web and VPN servers.</para>

    <para>Existing agents are:
    <itemizedlist>

      <listitem><para>A boot-time password agent asking the user for
      passwords using
      <citerefentry project='die-net'><refentrytitle>plymouth</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      </para></listitem>

      <listitem><para>A boot-time password agent querying the user
      directly on the console —
      <citerefentry><refentrytitle>systemd-ask-password-console.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      </para></listitem>

      <listitem><para>An agent requesting password input via a
      <citerefentry project='man-pages'><refentrytitle>wall</refentrytitle><manvolnum>1</manvolnum></citerefentry>
      message —
      <citerefentry><refentrytitle>systemd-ask-password-wall.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      </para></listitem>

      <listitem><para>A TTY agent that is temporarily spawned during
      <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
      invocations,</para></listitem>

      <listitem><para>A command line agent which can be started
      temporarily to process queued password
      requests — <command>systemd-tty-ask-password-agent --query</command>.
      </para></listitem>
    </itemizedlist></para>

    <para>Answering system-wide password queries is a privileged operation, hence
    all the agents listed above (except for the last one), run as privileged
    system services. The last one also needs elevated privileges, so
    should be run through
    <citerefentry project='die-net'><refentrytitle>sudo</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    or similar.</para>

    <para>Additional password agents may be implemented according to
    the <ulink
    url="https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents">systemd
    Password Agent Specification</ulink>.</para>

    <para>If a password is queried on a TTY, the user may press TAB to
    hide the asterisks normally shown for each character typed.
    Pressing Backspace as first key achieves the same effect.</para>

  </refsect1>

  <refsect1>
    <title>Options</title>

    <para>The following options are understood:</para>

    <variablelist>
      <varlistentry>
        <term><option>--icon=</option></term>

        <listitem><para>Specify an icon name alongside the password
        query, which may be used in all agents supporting graphical
        display. The icon name should follow the <ulink
        url="http://standards.freedesktop.org/icon-naming-spec/icon-naming-spec-latest.html">XDG
        Icon Naming Specification</ulink>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--id=</option></term>
        <listitem><para>Specify an identifier for this password
        query. This identifier is freely choosable and allows
        recognition of queries by involved agents. It should include
        the subsystem doing the query and the specific object the
        query is done for. Example:
        <literal>--id=cryptsetup:/dev/sda5</literal>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--keyname=</option></term>
        <listitem><para>Configure a kernel keyring key name to use as
        cache for the password. If set, then the tool will try to push
        any collected passwords into the kernel keyring of the root
        user, as a key of the specified name. If combined with
        <option>--accept-cached</option>, it will also try to retrieve
        such cached passwords from the key in the kernel keyring
        instead of querying the user right away. By using this option,
        the kernel keyring may be used as effective cache to avoid
        repeatedly asking users for passwords, if there are multiple
        objects that may be unlocked with the same password. The
        cached key will have a timeout of 2.5min set, after which it
        will be purged from the kernel keyring. Note that it is
        possible to cache multiple passwords under the same keyname,
        in which case they will be stored as NUL-separated list of
        passwords. Use
        <citerefentry project='die-net'><refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        to access the cached key via the kernel keyring
        directly. Example: <literal>--keyname=cryptsetup</literal></para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--timeout=</option></term>

        <listitem><para>Specify the query timeout in seconds. Defaults
        to 90s. A timeout of 0 waits indefinitely. </para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--echo</option></term>

        <listitem><para>Echo the user input instead of masking it.
        This is useful when using
        <filename>systemd-ask-password</filename> to query for
        usernames. </para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--no-tty</option></term>

        <listitem><para>Never ask for password on current TTY even if
        one is available. Always use agent system.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--accept-cached</option></term>

        <listitem><para>If passed, accept cached passwords, i.e.
        passwords previously entered.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--multiple</option></term>

        <listitem><para>When used in conjunction with
        <option>--accept-cached</option> accept multiple passwords.
        This will output one password per line.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--no-output</option></term>

        <listitem><para>Do not print passwords to standard output.
        This is useful if you want to store a password in kernel
        keyring with <option>--keyname</option> but do not want it
        to show up on screen or in logs.</para></listitem>
      </varlistentry>

      <xi:include href="standard-options.xml" xpointer="help" />
    </variablelist>

  </refsect1>

  <refsect1>
    <title>Exit status</title>

    <para>On success, 0 is returned, a non-zero failure code
    otherwise.</para>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-ask-password-console.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-tty-ask-password-agent</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry project='die-net'><refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry project='die-net'><refentrytitle>plymouth</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>wall</refentrytitle><manvolnum>1</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>
Commit	Line	Data
e287086b	1	<?xml version='1.0'?> <!--- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil --->
f3bc7fdc	2	<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
12b42c76	3	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
f3bc7fdc LP	4
f3bc7fdc LP	5	<!--
572eb058 ZJS	6	SPDX-License-Identifier: LGPL-2.1+
572eb058 ZJS	7
f3bc7fdc	8	Copyright 2011 Lennart Poettering
f3bc7fdc LP	9	-->
f3bc7fdc LP	10
dfdebb1b	11	<refentry id="systemd-ask-password"
798d3a52 ZJS	12	xmlns:xi="http://www.w3.org/2001/XInclude">
	13
	14	<refentryinfo>
	15	<title>systemd-ask-password</title>
	16	<productname>systemd</productname>
	17
	18	<authorgroup>
	19	<author>
	20	<contrib>Developer</contrib>
	21	<firstname>Lennart</firstname>
	22	<surname>Poettering</surname>
	23	<email>lennart@poettering.net</email>
	24	</author>
	25	</authorgroup>
	26	</refentryinfo>
	27
	28	<refmeta>
	29	<refentrytitle>systemd-ask-password</refentrytitle>
	30	<manvolnum>1</manvolnum>
	31	</refmeta>
	32
	33	<refnamediv>
	34	<refname>systemd-ask-password</refname>
	35	<refpurpose>Query the user for a system password</refpurpose>
	36	</refnamediv>
	37
	38	<refsynopsisdiv>
	39	<cmdsynopsis>
	40	<command>systemd-ask-password <arg choice="opt" rep="repeat">OPTIONS</arg> <arg choice="opt">MESSAGE</arg></command>
	41	</cmdsynopsis>
	42	</refsynopsisdiv>
	43
	44	<refsect1>
	45	<title>Description</title>
	46
	47	<para><command>systemd-ask-password</command> may be used to query
	48	a system password or passphrase from the user, using a question
	49	message specified on the command line. When run from a TTY it will
	50	query a password on the TTY and print it to standard output. When
c65aafbb ZJS	51	run with no TTY or with <option>--no-tty</option> it will use the
	52	system-wide query mechanism, which allows active users to respond via
	53	several agents, listed below.</para>
798d3a52 ZJS	54
798d3a52 ZJS	55	<para>The purpose of this tool is to query system-wide passwords
ccddd104	56	— that is passwords not attached to a specific user account.
798d3a52 ZJS	57	Examples include: unlocking encrypted hard disks when they are
	58	plugged in or at boot, entering an SSL certificate passphrase for
	59	web and VPN servers.</para>
	60
e287086b LP	61	<para>Existing agents are:
	62	<itemizedlist>
	63
	64	<listitem><para>A boot-time password agent asking the user for
c65aafbb ZJS	65	passwords using
	66	<citerefentry project='die-net'><refentrytitle>plymouth</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
	67	</para></listitem>
e287086b LP	68
e287086b LP	69	<listitem><para>A boot-time password agent querying the user
c65aafbb ZJS	70	directly on the console —
	71	<citerefentry><refentrytitle>systemd-ask-password-console.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
	72	</para></listitem>
e287086b LP	73
e287086b LP	74	<listitem><para>An agent requesting password input via a
c65aafbb ZJS	75	<citerefentry project='man-pages'><refentrytitle>wall</refentrytitle><manvolnum>1</manvolnum></citerefentry>
	76	message —
	77	<citerefentry><refentrytitle>systemd-ask-password-wall.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
	78	</para></listitem>
e287086b LP	79
	80	<listitem><para>A TTY agent that is temporarily spawned during
	81	<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
c65aafbb ZJS	82	invocations,</para></listitem>
	83
	84	<listitem><para>A command line agent which can be started
	85	temporarily to process queued password
	86	requests — <command>systemd-tty-ask-password-agent --query</command>.
	87	</para></listitem>
e287086b	88	</itemizedlist></para>
798d3a52	89
c65aafbb ZJS	90	<para>Answering system-wide password queries is a privileged operation, hence
	91	all the agents listed above (except for the last one), run as privileged
	92	system services. The last one also needs elevated privileges, so
	93	should be run through
	94	<citerefentry project='die-net'><refentrytitle>sudo</refentrytitle><manvolnum>8</manvolnum></citerefentry>
	95	or similar.</para>
	96
798d3a52 ZJS	97	<para>Additional password agents may be implemented according to
798d3a52 ZJS	98	the <ulink
28a0ad81	99	url="https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents">systemd
798d3a52 ZJS	100	Password Agent Specification</ulink>.</para>
	101
	102	<para>If a password is queried on a TTY, the user may press TAB to
	103	hide the asterisks normally shown for each character typed.
	104	Pressing Backspace as first key achieves the same effect.</para>
	105
	106	</refsect1>
	107
	108	<refsect1>
	109	<title>Options</title>
	110
	111	<para>The following options are understood:</para>
	112
	113	<variablelist>
	114	<varlistentry>
	115	<term><option>--icon=</option></term>
	116
	117	<listitem><para>Specify an icon name alongside the password
	118	query, which may be used in all agents supporting graphical
	119	display. The icon name should follow the <ulink
	120	url="http://standards.freedesktop.org/icon-naming-spec/icon-naming-spec-latest.html">XDG
	121	Icon Naming Specification</ulink>.</para></listitem>
	122	</varlistentry>
	123
e287086b LP	124	<varlistentry>
	125	<term><option>--id=</option></term>
	126	<listitem><para>Specify an identifier for this password
	127	query. This identifier is freely choosable and allows
	128	recognition of queries by involved agents. It should include
	129	the subsystem doing the query and the specific object the
	130	query is done for. Example:
	131	<literal>--id=cryptsetup:/dev/sda5</literal>.</para></listitem>
	132	</varlistentry>
	133
	134	<varlistentry>
	135	<term><option>--keyname=</option></term>
	136	<listitem><para>Configure a kernel keyring key name to use as
	137	cache for the password. If set, then the tool will try to push
	138	any collected passwords into the kernel keyring of the root
	139	user, as a key of the specified name. If combined with
b938cb90	140	<option>--accept-cached</option>, it will also try to retrieve
a8eaaee7	141	such cached passwords from the key in the kernel keyring
b938cb90	142	instead of querying the user right away. By using this option,
e287086b LP	143	the kernel keyring may be used as effective cache to avoid
	144	repeatedly asking users for passwords, if there are multiple
	145	objects that may be unlocked with the same password. The
	146	cached key will have a timeout of 2.5min set, after which it
	147	will be purged from the kernel keyring. Note that it is
	148	possible to cache multiple passwords under the same keyname,
	149	in which case they will be stored as NUL-separated list of
	150	passwords. Use
524f3e5c	151	<citerefentry project='die-net'><refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
e287086b LP	152	to access the cached key via the kernel keyring
	153	directly. Example: <literal>--keyname=cryptsetup</literal></para></listitem>
	154	</varlistentry>
	155
798d3a52 ZJS	156	<varlistentry>
	157	<term><option>--timeout=</option></term>
	158
	159	<listitem><para>Specify the query timeout in seconds. Defaults
	160	to 90s. A timeout of 0 waits indefinitely. </para></listitem>
	161	</varlistentry>
	162
	163	<varlistentry>
	164	<term><option>--echo</option></term>
	165
	166	<listitem><para>Echo the user input instead of masking it.
	167	This is useful when using
	168	<filename>systemd-ask-password</filename> to query for
	169	usernames. </para></listitem>
	170	</varlistentry>
	171
	172	<varlistentry>
	173	<term><option>--no-tty</option></term>
	174
	175	<listitem><para>Never ask for password on current TTY even if
	176	one is available. Always use agent system.</para></listitem>
	177	</varlistentry>
	178
	179	<varlistentry>
	180	<term><option>--accept-cached</option></term>
	181
	182	<listitem><para>If passed, accept cached passwords, i.e.
a8eaaee7	183	passwords previously entered.</para></listitem>
798d3a52 ZJS	184	</varlistentry>
	185
	186	<varlistentry>
	187	<term><option>--multiple</option></term>
	188
	189	<listitem><para>When used in conjunction with
	190	<option>--accept-cached</option> accept multiple passwords.
	191	This will output one password per line.</para></listitem>
	192	</varlistentry>
	193
a5a4e365 CH	194	<varlistentry>
	195	<term><option>--no-output</option></term>
	196
a5201ed6 LP	197	<listitem><para>Do not print passwords to standard output.
	198	This is useful if you want to store a password in kernel
	199	keyring with <option>--keyname</option> but do not want it
	200	to show up on screen or in logs.</para></listitem>
a5a4e365 CH	201	</varlistentry>
a5a4e365 CH	202
798d3a52 ZJS	203	<xi:include href="standard-options.xml" xpointer="help" />
	204	</variablelist>
	205
	206	</refsect1>
	207
	208	<refsect1>
	209	<title>Exit status</title>
	210
	211	<para>On success, 0 is returned, a non-zero failure code
	212	otherwise.</para>
	213	</refsect1>
	214
	215	<refsect1>
	216	<title>See Also</title>
	217	<para>
	218	<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
c65aafbb	219	<citerefentry><refentrytitle>systemd-ask-password-console.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
3f1dc090	220	<citerefentry><refentrytitle>systemd-tty-ask-password-agent</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
524f3e5c	221	<citerefentry project='die-net'><refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
798d3a52 ZJS	222	<citerefentry project='die-net'><refentrytitle>plymouth</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
	223	<citerefentry project='man-pages'><refentrytitle>wall</refentrytitle><manvolnum>1</manvolnum></citerefentry>
	224	</para>
	225	</refsect1>
f3bc7fdc LP	226
f3bc7fdc LP	227	</refentry>