git.ipfire.org Git - thirdparty/systemd.git/blame - man/systemd-ask-password.xml
verify: use manager_load_startable_unit_or_warn() to load units for verification
<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">

<!--
  SPDX-License-Identifier: LGPL-2.1+

  This file is part of systemd.

  Copyright 2011 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->

<refentry id="systemd-ask-password"
    xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>systemd-ask-password</title>
    <productname>systemd</productname>

    <authorgroup>
      <author>
        <contrib>Developer</contrib>
        <firstname>Lennart</firstname>
        <surname>Poettering</surname>
        <email>lennart@poettering.net</email>
      </author>
    </authorgroup>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd-ask-password</refentrytitle>
    <manvolnum>1</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd-ask-password</refname>
    <refpurpose>Query the user for a system password</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>systemd-ask-password <arg choice="opt" rep="repeat">OPTIONS</arg> <arg choice="opt">MESSAGE</arg></command>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>systemd-ask-password</command> may be used to query
    a system password or passphrase from the user, using a question
    message specified on the command line. When run from a TTY it will
    query a password on the TTY and print it to standard output. When
    run with no TTY or with <option>--no-tty</option> it will use the
    system-wide query mechanism, which allows active users to respond via
    several agents, listed below.</para>

    <para>The purpose of this tool is to query system-wide passwords
    — that is, passwords not attached to a specific user account.
    Examples include: unlocking encrypted hard disks when they are
    plugged in or at boot, entering an SSL certificate passphrase for
    web and VPN servers.</para>

    <para>Existing agents are:
    <itemizedlist>

      <listitem><para>A boot-time password agent asking the user for
      passwords using
      <citerefentry project='die-net'><refentrytitle>plymouth</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      </para></listitem>

      <listitem><para>A boot-time password agent querying the user
      directly on the console —
      <citerefentry><refentrytitle>systemd-ask-password-console.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      </para></listitem>

      <listitem><para>An agent requesting password input via a
      <citerefentry project='man-pages'><refentrytitle>wall</refentrytitle><manvolnum>1</manvolnum></citerefentry>
      message —
      <citerefentry><refentrytitle>systemd-ask-password-wall.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      </para></listitem>

      <listitem><para>A TTY agent that is temporarily spawned during
      <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
      invocations,</para></listitem>

      <listitem><para>A command line agent which can be started
      temporarily to process queued password
      requests — <command>systemd-tty-ask-password-agent --query</command>.
      </para></listitem>
    </itemizedlist></para>

    <para>Answering system-wide password queries is a privileged operation, hence
    all the agents listed above (except for the last one) run as privileged
    system services. The last one also needs elevated privileges, so it
    should be run through
    <citerefentry project='die-net'><refentrytitle>sudo</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    or similar.</para>

    <para>Additional password agents may be implemented according to
    the <ulink
    url="https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents">systemd
    Password Agent Specification</ulink>.</para>

    <para>If a password is queried on a TTY, the user may press TAB to
    hide the asterisks normally shown for each character typed.
    Pressing Backspace as the first key achieves the same effect.</para>

  </refsect1>

  <refsect1>
    <title>Options</title>

    <para>The following options are understood:</para>

    <variablelist>
      <varlistentry>
        <term><option>--icon=</option></term>

        <listitem><para>Specify an icon name alongside the password
        query, which may be used in all agents supporting graphical
        display. The icon name should follow the <ulink
        url="http://standards.freedesktop.org/icon-naming-spec/icon-naming-spec-latest.html">XDG
        Icon Naming Specification</ulink>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--id=</option></term>
        <listitem><para>Specify an identifier for this password
        query. This identifier is freely choosable and allows
        recognition of queries by involved agents. It should include
        the subsystem doing the query and the specific object the
        query is done for. Example:
        <literal>--id=cryptsetup:/dev/sda5</literal>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--keyname=</option></term>
        <listitem><para>Configure a kernel keyring key name to use as
        a cache for the password. If set, the tool will try to push
        any collected passwords into the kernel keyring of the root
        user, as a key of the specified name. If combined with
        <option>--accept-cached</option>, it will also try to retrieve
        such cached passwords from the key in the kernel keyring
        instead of querying the user right away. By using this option,
        the kernel keyring may be used as an effective cache to avoid
        repeatedly asking users for passwords, if there are multiple
        objects that may be unlocked with the same password. The
        cached key will have a timeout of 2.5min set, after which it
        will be purged from the kernel keyring. Note that it is
        possible to cache multiple passwords under the same keyname,
        in which case they will be stored as a NUL-separated list of
        passwords. Use
        <citerefentry project='die-net'><refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        to access the cached key via the kernel keyring
        directly. Example: <literal>--keyname=cryptsetup</literal></para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--timeout=</option></term>

        <listitem><para>Specify the query timeout in seconds. Defaults
        to 90s. A timeout of 0 waits indefinitely.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--echo</option></term>

        <listitem><para>Echo the user input instead of masking it.
        This is useful when using
        <filename>systemd-ask-password</filename> to query for
        usernames.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--no-tty</option></term>

        <listitem><para>Never ask for the password on the current TTY,
        even if one is available. Always use the agent system.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--accept-cached</option></term>

        <listitem><para>If passed, accept cached passwords, i.e.
        passwords previously entered.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--multiple</option></term>

        <listitem><para>When used in conjunction with
        <option>--accept-cached</option>, accept multiple passwords.
        This will output one password per line.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--no-output</option></term>

        <listitem><para>Do not print passwords to standard output.
        This is useful if you want to store a password in the kernel
        keyring with <option>--keyname</option> but do not want it
        to show up on screen or in logs.</para></listitem>
      </varlistentry>

      <xi:include href="standard-options.xml" xpointer="help" />
    </variablelist>

  </refsect1>

  <refsect1>
    <title>Exit status</title>

    <para>On success, 0 is returned, a non-zero failure code
    otherwise.</para>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-ask-password-console.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-tty-ask-password-agent</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry project='die-net'><refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry project='die-net'><refentrytitle>plymouth</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>wall</refentrytitle><manvolnum>1</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>
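
Added example, not part of the systemd sources: a POSIX shell wrapper for the keyring caching that the --keyname, --accept-cached, --multiple and --no-output entries above describe, including reading the NUL-separated cache entry with keyctl and evicting it before the 2.5min timeout. The function names, the ASK_BIN and KEYCTL_BIN overrides, and running as root (so that @u is root's user keyring) are assumptions of this example.

```sh
#!/bin/sh
# Added example, not systemd code. Assumed: function names, the ASK_BIN and
# KEYCTL_BIN overrides, and that it runs as root so @u is root's user keyring.
ASK_BIN=${ASK_BIN:-systemd-ask-password}
KEYCTL_BIN=${KEYCTL_BIN:-keyctl}

# Query once and keep the answer in the kernel keyring only. --no-output
# keeps the password off stdout, so it cannot land on screen or in a log.
prime_cache() {    # usage: prime_cache ID KEYNAME MESSAGE
    "$ASK_BIN" --id="$1" --keyname="$2" --no-output --timeout=90 "$3"
}

# Print the candidate passwords one per line: cached entries are returned
# if present (--accept-cached --multiple), otherwise the user is queried.
candidates() {     # usage: candidates ID KEYNAME MESSAGE
    "$ASK_BIN" --id="$1" --keyname="$2" --accept-cached --multiple "$3"
}

# Count the passwords cached under KEYNAME without displaying them. The key
# payload is a NUL-separated list: map NUL to newline, count non-empty rows.
cached_count() {   # usage: cached_count KEYNAME
    key=$("$KEYCTL_BIN" search @u user "$1" 2>/dev/null) || { echo 0; return 0; }
    "$KEYCTL_BIN" pipe "$key" | tr '\000' '\n' | grep -c . || true
}

# Unlink the cache entry as soon as the last consumer is done, rather than
# leaving it readable until the 2.5 min timeout purges it.
evict_cache() {    # usage: evict_cache KEYNAME
    key=$("$KEYCTL_BIN" search @u user "$1" 2>/dev/null) || return 0
    "$KEYCTL_BIN" unlink "$key" @u >/dev/null
}

# Typical sequence (commented out so that sourcing the file has no effect):
#   prime_cache cryptsetup:/dev/sda5 cryptsetup "Disk passphrase:"
#   candidates  cryptsetup:/dev/sda5 cryptsetup "Disk passphrase:" | ...
#   evict_cache cryptsetup
```

Because --multiple prints one password per line, consumers of candidates should read it line by line and never pass its output through a logging pipeline.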