[thirdparty/systemd.git] / man / systemd-ask-password.xml

<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">

<!--
  This file is part of systemd.

  Copyright 2011 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->

<refentry id="systemd-ask-password"
    xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>systemd-ask-password</title>
    <productname>systemd</productname>

    <authorgroup>
      <author>
        <contrib>Developer</contrib>
        <firstname>Lennart</firstname>
        <surname>Poettering</surname>
        <email>lennart@poettering.net</email>
      </author>
    </authorgroup>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd-ask-password</refentrytitle>
    <manvolnum>1</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd-ask-password</refname>
    <refpurpose>Query the user for a system password</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>systemd-ask-password <arg choice="opt" rep="repeat">OPTIONS</arg> <arg choice="opt">MESSAGE</arg></command>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>systemd-ask-password</command> may be used to query
    a system password or passphrase from the user, using a question
    message specified on the command line. When run from a TTY it will
    query a password on the TTY and print it to standard output. When
    run with no TTY or with <option>--no-tty</option> it will query
    the password system-wide and allow active users to respond via
    several agents. The latter is only available to privileged
    processes.</para>

    <para>The purpose of this tool is to query system-wide passwords
    -- that is passwords not attached to a specific user account.
    Examples include: unlocking encrypted hard disks when they are
    plugged in or at boot, entering an SSL certificate passphrase for
    web and VPN servers.</para>

    <para>Existing agents are:
    <itemizedlist>

      <listitem><para>A boot-time password agent asking the user for
      passwords using Plymouth</para></listitem>

      <listitem><para>A boot-time password agent querying the user
      directly on the console</para></listitem>

      <listitem><para>An agent requesting password input via a
      <citerefentry
      project='man-pages'><refentrytitle>wall</refentrytitle><manvolnum>1</manvolnum></citerefentry>
      message</para></listitem>

      <listitem><para>A command line agent which can be started
      temporarily to process queued password
      requests</para></listitem>

      <listitem><para>A TTY agent that is temporarily spawned during
      <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
      invocations</para></listitem>
    </itemizedlist></para>

    <para>Additional password agents may be implemented according to
    the <ulink
    url="http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents">systemd
    Password Agent Specification</ulink>.</para>

    <para>If a password is queried on a TTY, the user may press TAB to
    hide the asterisks normally shown for each character typed.
    Pressing Backspace as first key achieves the same effect.</para>

  </refsect1>

  <refsect1>
    <title>Options</title>

    <para>The following options are understood:</para>

    <variablelist>
      <varlistentry>
        <term><option>--icon=</option></term>

        <listitem><para>Specify an icon name alongside the password
        query, which may be used in all agents supporting graphical
        display. The icon name should follow the <ulink
        url="http://standards.freedesktop.org/icon-naming-spec/icon-naming-spec-latest.html">XDG
        Icon Naming Specification</ulink>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--id=</option></term>
        <listitem><para>Specify an identifier for this password
        query. This identifier is freely choosable and allows
        recognition of queries by involved agents. It should include
        the subsystem doing the query and the specific object the
        query is done for. Example:
        <literal>--id=cryptsetup:/dev/sda5</literal>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--keyname=</option></term>
        <listitem><para>Configure a kernel keyring key name to use as
        cache for the password. If set, then the tool will try to push
        any collected passwords into the kernel keyring of the root
        user, as a key of the specified name. If combined with
        <option>--accept-cached</option>, it will also try to retrieve
        such cached passwords from the key in the kernel keyring
        instead of querying the user right away. By using this option,
        the kernel keyring may be used as effective cache to avoid
        repeatedly asking users for passwords, if there are multiple
        objects that may be unlocked with the same password. The
        cached key will have a timeout of 2.5min set, after which it
        will be purged from the kernel keyring. Note that it is
        possible to cache multiple passwords under the same keyname,
        in which case they will be stored as NUL-separated list of
        passwords. Use
        <citerefentry><refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        to access the cached key via the kernel keyring
        directly. Example: <literal>--keyname=cryptsetup</literal></para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--timeout=</option></term>

        <listitem><para>Specify the query timeout in seconds. Defaults
        to 90s. A timeout of 0 waits indefinitely. </para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--echo</option></term>

        <listitem><para>Echo the user input instead of masking it.
        This is useful when using
        <filename>systemd-ask-password</filename> to query for
        usernames. </para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--no-tty</option></term>

        <listitem><para>Never ask for password on current TTY even if
        one is available. Always use agent system.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--accept-cached</option></term>

        <listitem><para>If passed, accept cached passwords, i.e.
        passwords previously entered.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--multiple</option></term>

        <listitem><para>When used in conjunction with
        <option>--accept-cached</option> accept multiple passwords.
        This will output one password per line.</para></listitem>
      </varlistentry>

      <xi:include href="standard-options.xml" xpointer="help" />
    </variablelist>

  </refsect1>

  <refsect1>
    <title>Exit status</title>

    <para>On success, 0 is returned, a non-zero failure code
    otherwise.</para>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry project='die-net'><refentrytitle>plymouth</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>wall</refentrytitle><manvolnum>1</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>
Commit	Line	Data
e287086b	1	<?xml version='1.0'?> <!--- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil --->
f3bc7fdc	2	<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
12b42c76	3	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
f3bc7fdc LP	4
	5	<!--
	6	This file is part of systemd.
	7
	8	Copyright 2011 Lennart Poettering
	9
	10	systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	11	under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	12	the Free Software Foundation; either version 2.1 of the License, or
f3bc7fdc LP	13	(at your option) any later version.
	14
	15	systemd is distributed in the hope that it will be useful, but
	16	WITHOUT ANY WARRANTY; without even the implied warranty of
	17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2	18	Lesser General Public License for more details.
f3bc7fdc	19
5430f7f2	20	You should have received a copy of the GNU Lesser General Public License
f3bc7fdc LP	21	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	22	-->
	23
dfdebb1b	24	<refentry id="systemd-ask-password"
798d3a52 ZJS	25	xmlns:xi="http://www.w3.org/2001/XInclude">
	26
	27	<refentryinfo>
	28	<title>systemd-ask-password</title>
	29	<productname>systemd</productname>
	30
	31	<authorgroup>
	32	<author>
	33	<contrib>Developer</contrib>
	34	<firstname>Lennart</firstname>
	35	<surname>Poettering</surname>
	36	<email>lennart@poettering.net</email>
	37	</author>
	38	</authorgroup>
	39	</refentryinfo>
	40
	41	<refmeta>
	42	<refentrytitle>systemd-ask-password</refentrytitle>
	43	<manvolnum>1</manvolnum>
	44	</refmeta>
	45
	46	<refnamediv>
	47	<refname>systemd-ask-password</refname>
	48	<refpurpose>Query the user for a system password</refpurpose>
	49	</refnamediv>
	50
	51	<refsynopsisdiv>
	52	<cmdsynopsis>
	53	<command>systemd-ask-password <arg choice="opt" rep="repeat">OPTIONS</arg> <arg choice="opt">MESSAGE</arg></command>
	54	</cmdsynopsis>
	55	</refsynopsisdiv>
	56
	57	<refsect1>
	58	<title>Description</title>
	59
	60	<para><command>systemd-ask-password</command> may be used to query
	61	a system password or passphrase from the user, using a question
	62	message specified on the command line. When run from a TTY it will
	63	query a password on the TTY and print it to standard output. When
	64	run with no TTY or with <option>--no-tty</option> it will query
	65	the password system-wide and allow active users to respond via
	66	several agents. The latter is only available to privileged
	67	processes.</para>
	68
	69	<para>The purpose of this tool is to query system-wide passwords
	70	-- that is passwords not attached to a specific user account.
	71	Examples include: unlocking encrypted hard disks when they are
	72	plugged in or at boot, entering an SSL certificate passphrase for
	73	web and VPN servers.</para>
	74
e287086b LP	75	<para>Existing agents are:
	76	<itemizedlist>
	77
	78	<listitem><para>A boot-time password agent asking the user for
	79	passwords using Plymouth</para></listitem>
	80
	81	<listitem><para>A boot-time password agent querying the user
	82	directly on the console</para></listitem>
	83
	84	<listitem><para>An agent requesting password input via a
	85	<citerefentry
	86	project='man-pages'><refentrytitle>wall</refentrytitle><manvolnum>1</manvolnum></citerefentry>
	87	message</para></listitem>
	88
	89	<listitem><para>A command line agent which can be started
	90	temporarily to process queued password
	91	requests</para></listitem>
	92
	93	<listitem><para>A TTY agent that is temporarily spawned during
	94	<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
	95	invocations</para></listitem>
	96	</itemizedlist></para>
798d3a52 ZJS	97
	98	<para>Additional password agents may be implemented according to
	99	the <ulink
	100	url="http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents">systemd
	101	Password Agent Specification</ulink>.</para>
	102
	103	<para>If a password is queried on a TTY, the user may press TAB to
	104	hide the asterisks normally shown for each character typed.
	105	Pressing Backspace as first key achieves the same effect.</para>
	106
	107	</refsect1>
	108
	109	<refsect1>
	110	<title>Options</title>
	111
	112	<para>The following options are understood:</para>
	113
	114	<variablelist>
	115	<varlistentry>
	116	<term><option>--icon=</option></term>
	117
	118	<listitem><para>Specify an icon name alongside the password
	119	query, which may be used in all agents supporting graphical
	120	display. The icon name should follow the <ulink
	121	url="http://standards.freedesktop.org/icon-naming-spec/icon-naming-spec-latest.html">XDG
	122	Icon Naming Specification</ulink>.</para></listitem>
	123	</varlistentry>
	124
e287086b LP	125	<varlistentry>
	126	<term><option>--id=</option></term>
	127	<listitem><para>Specify an identifier for this password
	128	query. This identifier is freely choosable and allows
	129	recognition of queries by involved agents. It should include
	130	the subsystem doing the query and the specific object the
	131	query is done for. Example:
	132	<literal>--id=cryptsetup:/dev/sda5</literal>.</para></listitem>
	133	</varlistentry>
	134
	135	<varlistentry>
	136	<term><option>--keyname=</option></term>
	137	<listitem><para>Configure a kernel keyring key name to use as
	138	cache for the password. If set, then the tool will try to push
	139	any collected passwords into the kernel keyring of the root
	140	user, as a key of the specified name. If combined with
b938cb90	141	<option>--accept-cached</option>, it will also try to retrieve
a8eaaee7	142	such cached passwords from the key in the kernel keyring
b938cb90	143	instead of querying the user right away. By using this option,
e287086b LP	144	the kernel keyring may be used as effective cache to avoid
	145	repeatedly asking users for passwords, if there are multiple
	146	objects that may be unlocked with the same password. The
	147	cached key will have a timeout of 2.5min set, after which it
	148	will be purged from the kernel keyring. Note that it is
	149	possible to cache multiple passwords under the same keyname,
	150	in which case they will be stored as NUL-separated list of
	151	passwords. Use
	152	<citerefentry><refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
	153	to access the cached key via the kernel keyring
	154	directly. Example: <literal>--keyname=cryptsetup</literal></para></listitem>
	155	</varlistentry>
	156
798d3a52 ZJS	157	<varlistentry>
	158	<term><option>--timeout=</option></term>
	159
	160	<listitem><para>Specify the query timeout in seconds. Defaults
	161	to 90s. A timeout of 0 waits indefinitely. </para></listitem>
	162	</varlistentry>
	163
	164	<varlistentry>
	165	<term><option>--echo</option></term>
	166
	167	<listitem><para>Echo the user input instead of masking it.
	168	This is useful when using
	169	<filename>systemd-ask-password</filename> to query for
	170	usernames. </para></listitem>
	171	</varlistentry>
	172
	173	<varlistentry>
	174	<term><option>--no-tty</option></term>
	175
	176	<listitem><para>Never ask for password on current TTY even if
	177	one is available. Always use agent system.</para></listitem>
	178	</varlistentry>
	179
	180	<varlistentry>
	181	<term><option>--accept-cached</option></term>
	182
	183	<listitem><para>If passed, accept cached passwords, i.e.
a8eaaee7	184	passwords previously entered.</para></listitem>
798d3a52 ZJS	185	</varlistentry>
	186
	187	<varlistentry>
	188	<term><option>--multiple</option></term>
	189
	190	<listitem><para>When used in conjunction with
	191	<option>--accept-cached</option> accept multiple passwords.
	192	This will output one password per line.</para></listitem>
	193	</varlistentry>
	194
	195	<xi:include href="standard-options.xml" xpointer="help" />
	196	</variablelist>
	197
	198	</refsect1>
	199
	200	<refsect1>
	201	<title>Exit status</title>
	202
	203	<para>On success, 0 is returned, a non-zero failure code
	204	otherwise.</para>
	205	</refsect1>
	206
	207	<refsect1>
	208	<title>See Also</title>
	209	<para>
	210	<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
	211	<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
e287086b	212	<citerefentry><refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
798d3a52 ZJS	213	<citerefentry project='die-net'><refentrytitle>plymouth</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
	214	<citerefentry project='man-pages'><refentrytitle>wall</refentrytitle><manvolnum>1</manvolnum></citerefentry>
	215	</para>
	216	</refsect1>
f3bc7fdc LP	217
f3bc7fdc LP	218	</refentry>