<refsect1>
<title>Description</title>
- <para><command>systemd-ask-password</command> may be used to query
- a system password or passphrase from the user, using a question
- message specified on the command line. When run from a TTY it will
- query a password on the TTY and print it to standard output. When
- run with no TTY or with <option>--no-tty</option> it will use the
- system-wide query mechanism, which allows active users to respond via
- several agents, listed below.</para>
-
- <para>The purpose of this tool is to query system-wide passwords
- — that is passwords not attached to a specific user account.
- Examples include: unlocking encrypted hard disks when they are
- plugged in or at boot, entering an SSL certificate passphrase for
- web and VPN servers.</para>
-
- <para>Existing agents are:
+ <para><command>systemd-ask-password</command> may be used to query a password or passphrase interactively
+ from the user, using a question prompt specified on the command line. When run from a TTY it will query a
+ password on the TTY and print it to standard output. When run with no TTY or with
+ <option>--no-tty</option> it will use a system-wide or per-user agent-based query mechanism, which allows
+ active users to respond via several agents, listed below.</para>
+
+ <para>The purpose of this tool is to query system-wide or per-user passwords — the former includes
+ passwords possibly not associated to a specific user account. Examples include: unlocking encrypted hard
+ disks when they are plugged in or at boot, entering an SSL certificate passphrase for web and VPN
+ servers.</para>
+
+ <para>Existing system-level agents are:
<itemizedlist>
- <listitem><para>A boot-time password agent asking the user for
- passwords using
- <citerefentry project='die-net'><refentrytitle>plymouth</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <listitem><para>A boot-time password agent asking the user for passwords using <citerefentry
+ project='die-net'><refentrytitle>plymouth</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
</para></listitem>
<listitem><para>A boot-time password agent querying the user
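Review bot: The rewritten description paragraphs now talk about a "system-wide or per-user agent-based query mechanism" and the list heading becomes "Existing system-level agents are:", but nothing in this hunk says what the per-user agents are or how a query in a user session gets answered; either add a sentence (or a second short list) for the per-user case or keep the heading neutral, otherwise the heading points at an undocumented counterpart. Minor: "passwords possibly not associated to a specific user account" should be "not associated with".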
all the agents listed above (except for the last one), run as privileged
system services. The last one also needs elevated privileges, so
should be run through
- <citerefentry project='die-net'><refentrytitle>sudo</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>run0</refentrytitle><manvolnum>1</manvolnum></citerefentry>
or similar.</para>
- <para>Additional password agents may be implemented according to
- the <ulink url="https://systemd.io/PASSWORD_AGENTS/">systemd Password Agent
- Specification</ulink>.</para>
+ <para>Additional password agents may be implemented according to the <ulink
+ url="https://systemd.io/PASSWORD_AGENTS/">systemd Password Agent Specification</ulink>.</para>
<para>If a password is queried on a TTY, the user may press TAB to
hide the asterisks normally shown for each character typed.
Pressing Backspace as first key achieves the same effect.</para>
-
</refsect1>
<refsect1>
<xi:include href="version-info.xml" xpointer="v249"/></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--user</option></term>
+ <term><option>--system</option></term>
+
+ <listitem><para>Controls whether to query the system-wide or the per-user password agents. By default
+ if invoked privileged the system-wide agents are queried, otherwise the per-user ones. These options
+ allow to override this automatic behaviour.</para>
+
+ <xi:include href="version-info.xml" xpointer="v257"/></listitem>
+ </varlistentry>
+
<xi:include href="standard-options.xml" xpointer="help" />
</variablelist>
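Review bot: "These options allow to override this automatic behaviour" is ungrammatical; "These options override the automatic choice" reads better. "By default if invoked privileged" is also vague about what "privileged" means; since the two options are mutually exclusive and both merely flip one flag, it is worth stating here that the last one given on the command line takes effect, and the description of what `--system` reaches should use the same wording as the `--help` text for that option so the two do not drift.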
return log_oom();
printf("%1$s [OPTIONS...] MESSAGE\n\n"
- "%3$sQuery the user for a system passphrase, via the TTY or a UI agent.%4$s\n\n"
+ "%3$sQuery the user for a passphrase, via the TTY or a UI agent.%4$s\n\n"
" -h --help Show this help\n"
" --icon=NAME Icon name\n"
" --id=ID Query identifier (e.g. \"cryptsetup:/dev/sda5\")\n"
" --no-output Do not print password to standard output\n"
" -n Do not suffix password written to standard output with\n"
" newline\n"
+ " --user Ask only our own user's agents\n"
+ " --system Ask agents of the system and of all users\n"
"\nSee the %2$s for details.\n",
program_invocation_short_name,
link,
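Review bot: The new `--system` help line says "Ask agents of the system and of all users", while the man page entry added in the same change says the option queries "the system-wide ... password agents"; these describe different things, so pick one statement of what `--system` reaches and use it in both places. The `--user` line ("Ask only our own user's agents") is consistent with the man page and fine.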
ARG_NO_OUTPUT,
ARG_VERSION,
ARG_CREDENTIAL,
+ ARG_USER,
+ ARG_SYSTEM,
};
static const struct option options[] = {
{ "keyname", required_argument, NULL, ARG_KEYNAME },
{ "no-output", no_argument, NULL, ARG_NO_OUTPUT },
{ "credential", required_argument, NULL, ARG_CREDENTIAL },
+ { "user", no_argument, NULL, ARG_USER },
+ { "system", no_argument, NULL, ARG_SYSTEM },
{}
};
arg_credential_name = optarg;
break;
+ case ARG_USER:
+ arg_flags |= ASK_PASSWORD_USER;
+ break;
+
+ case ARG_SYSTEM:
+ arg_flags &= ~ASK_PASSWORD_USER;
+ break;
+
case 'n':
arg_newline = false;
break;
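Review bot: `ARG_USER` sets and `ARG_SYSTEM` clears the same `ASK_PASSWORD_USER` bit, so passing both silently gives last-one-wins semantics with no diagnostic; that is acceptable for a pair of toggles, but either say so in the man page entry or reject conflicting use with an error, rather than leaving the behaviour implicit.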
log_setup();
+ /* Unprivileged? Then imply ASK_PASSWORD_USER by default */
+ SET_FLAG(arg_flags, ASK_PASSWORD_USER, geteuid() != 0);
+
r = parse_argv(argc, argv);
if (r <= 0)
return r;
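Review bot: Computing the default with `SET_FLAG(arg_flags, ASK_PASSWORD_USER, geteuid() != 0)` before `parse_argv()` is the right order, since explicit `--user`/`--system` then override it; but the test is strictly "effective UID is 0", not "privileged" in general, so the man page text ("if invoked privileged") and the comment here should both say "when running as root (effective UID 0)" so that a caller with capabilities but a non-zero euid is not surprised to land on the per-user agents.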