'\" t
.\"     Title: password-agent
.\"    Author: Bj\(:orn P\(oahlsson
.\" Generator: DocBook XSL Stylesheets vsnapshot
.\"      Date: 2020-09-16
.\"    Manual: Mandos Manual
.\"    Source: Mandos 1.8.16
.\"  Language: English
.\"
.TH "PASSWORD\-AGENT" "8mandos" "2020\-09\-16" "Mandos 1.8.16" "Mandos Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
password-agent \- Run Mandos client as a systemd password agent\&.
.SH "SYNOPSIS"
.HP \w'\fBpassword\-agent\fR\ 'u
\fBpassword\-agent\fR [\fB\-\-agent\-directory=\fR\fB\fIDIRECTORY\fR\fR]
.br
[\fB\-\-helper\-directory=\fR\fB\fIDIRECTORY\fR\fR]
.br
[\fB\-\-user=\fR\fB\fIUSERID\fR\fR]
.br
[\fB\-\-group=\fR\fB\fIGROUPID\fR\fR]
.br
[\-\-] [\fIMANDOS_CLIENT\fR\ [\fIOPTIONS\fR...]]
.HP \w'\fBpassword\-agent\fR\ 'u
\fBpassword\-agent\fR \fB\-\-test\fR
.HP \w'\fBpassword\-agent\fR\ 'u
\fBpassword\-agent\fR {\fB\-\-help\fR | \fB\-?\fR}
.HP \w'\fBpassword\-agent\fR\ 'u
\fBpassword\-agent\fR \fB\-\-usage\fR
.HP \w'\fBpassword\-agent\fR\ 'u
\fBpassword\-agent\fR {\fB\-\-version\fR | \fB\-V\fR}
.SH "DESCRIPTION"
.PP
\fBpassword\-agent\fR is a program which is meant to be a
\fBsystemd\fR(1)
\(lqPassword Agent\(rq (see
\m[blue]\fBPassword Agents\fR\m[]\&\s-2\u[1]\d\s+2)\&. The aim of this program is therefore to acquire a password and then send it to some other program, which will use the password to unlock the encrypted root disk\&.
.PP
This program is not meant to be invoked directly, but can be in order to test it\&.
.SH "PURPOSE"
.PP
The purpose of this is to enable
\fIremote and unattended rebooting\fR
of client host computers with an
\fIencrypted root file system\fR\&. See the section called \(lqOVERVIEW\(rq for details\&.
.SH "OPTIONS"
.PP
\fB\-\-agent\-directory \fR\fB\fIDIRECTORY\fR\fR
.RS 4
Specify a different agent directory\&. The default is \(lq/run/systemd/ask\-password\(rq as per the
\m[blue]\fBPassword Agents\fR\m[]\&\s-2\u[1]\d\s+2
specification\&.
.RE
.PP
\fB\-\-helper\-directory \fR\fB\fIDIRECTORY\fR\fR
.RS 4
Specify a different helper directory\&. The default is \(lq/lib/mandos/plugin\-helpers\(rq, which will exist in the initial RAM disk environment\&. (This will simply be passed to the
\fIMANDOS_CLIENT\fR
program via the
\fBMANDOSPLUGINHELPERDIR\fR
environment variable\&. See
\fBmandos-client\fR(8mandos)\&.)
.RE
.PP
\fB\-\-user \fR\fB\fIUSERID\fR\fR
.RS 4
Change real user ID to
\fIUSERID\fR
when running
\fIMANDOS_CLIENT\fR\&.
The default is 65534\&.
\fINote:\fR
This must be a number, not a name\&.
.RE
.PP
\fB\-\-group \fR\fB\fIGROUPID\fR\fR
.RS 4
Change real group ID to
\fIGROUPID\fR
when running
\fIMANDOS_CLIENT\fR\&. The default is 65534\&.
\fINote:\fR
This must be a number, not a name\&.
.RE
.PP
\fIMANDOS_CLIENT\fR
.RS 4
This specifies the file name for
\fBmandos-client\fR(8mandos)\&. If the \(lq\fB\-\-\fR\(rq option is given, any following options are passed to the
\fIMANDOS_CLIENT\fR
program\&. The default is \(lq/lib/mandos/plugins\&.d/mandos\-client\(rq (which is the correct location for the initial RAM disk environment) without any options\&.
.RE
.PP
\fB\-\-help\fR, \fB\-?\fR
.RS 4
Gives a help message about options and their meanings\&.
.RE
.PP
\fB\-\-test\fR
.RS 4
Ignore normal operation; instead only run self\-tests\&. Adding the
\fB\-\-help\fR
option may show more options possible in combination with
\fB\-\-test\fR\&.
.RE
.PP
\fB\-\-usage\fR
.RS 4
Gives a short usage message\&.
.RE
.PP
\fB\-\-version\fR, \fB\-V\fR
.RS 4
Prints the program version\&.
.RE
.SH "OVERVIEW"
.PP
This is part of the Mandos system for allowing computers to have encrypted root file systems and at the same time be capable of remote and/or unattended reboots\&. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network\&. All network communication is encrypted using TLS\&. The clients are identified by the server using a TLS key; each client has one unique to it\&. The server sends the clients an encrypted password\&. The encrypted password is decrypted by the clients using a separate OpenPGP key, and the password is then used to unlock the root file system, whereupon the computers can continue booting normally\&.
.PP
This program, password\-agent, will run on the client side in the initial RAM disk environment, and is responsible for getting a password from the Mandos client program itself, and for sending that password to whatever is currently asking for a password using the systemd
\m[blue]\fBPassword Agents\fR\m[]\&\s-2\u[1]\d\s+2
mechanism\&.
.PP
To accomplish this, password\-agent runs the
\fBmandos\-client\fR
program (which is the actual client program communicating with the Mandos server) or, alternatively, any executable file specified as
\fIMANDOS_CLIENT\fR, and, as soon as a password is acquired from the
\fIMANDOS_CLIENT\fR
program, sends that password (as per the
\m[blue]\fBPassword Agents\fR\m[]\&\s-2\u[1]\d\s+2
specification) to all currently unanswered password questions\&.
.PP
This program should be started (normally as a systemd service, which in turn is normally started by a
\fBsystemd.path\fR(5)
file) as a reaction to files named \(lqask\&.\fIxxxx\fR\(rq appearing in the agent directory \(lq/run/systemd/ask\-password\(rq (or the directory specified by
\fB\-\-agent\-directory\fR)\&.
.SH "EXIT STATUS"
.PP
Exit status of this program is zero if no errors were encountered, and non\-zero otherwise\&.
.SH "ENVIRONMENT"
.PP
This program does not use any environment variables itself; it only passes on its environment to
\fIMANDOS_CLIENT\fR\&. Also, the
\fB\-\-helper\-directory\fR
option will affect the environment variable
\fBMANDOSPLUGINHELPERDIR\fR
for
\fIMANDOS_CLIENT\fR\&.
.SH "FILES"
.PP
/run/systemd/ask\-password
.RS 4
The default directory to watch for password questions as per the
\m[blue]\fBPassword Agents\fR\m[]\&\s-2\u[1]\d\s+2
specification; can be changed by the
\fB\-\-agent\-directory\fR
option\&.
.RE
.PP
/lib/mandos/plugin\-helpers
.RS 4
The helper directory as supplied to
\fIMANDOS_CLIENT\fR
via the
\fBMANDOSPLUGINHELPERDIR\fR
environment variable; can be changed by the
\fB\-\-helper\-directory\fR
option\&.
.RE
.SH "BUGS"
.PP
Please report bugs to the Mandos development mailing list: (subscription required)\&. Note that this list is public\&. The developers can be reached privately at (OpenPGP key fingerprint 153A 37F1 0BBA 0435 987F 2C4A 7223 2973 CA34 C2C4 for encrypted mail)\&.
.SH "EXAMPLE"
.PP
Normal invocation needs no options:
.PP
\fBpassword\-agent\fR
.PP
Run an alternative
\fIMANDOS_CLIENT\fR
program:
.PP
\fBpassword\-agent /usr/local/sbin/alternate\fR
.PP
Use alternative locations for the helper directory and the Mandos client, and add extra options suitable for running in the normal file system:
.PP
\fBpassword\-agent \-\-helper\-directory=/usr/lib/x86_64\-linux\-gnu/mandos/plugin\-helpers \-\- /usr/lib/x86_64\-linux\-gnu/mandos/plugins\&.d/mandos\-client \-\-pubkey=/etc/keys/mandos/pubkey\&.txt \-\-seckey=/etc/keys/mandos/seckey\&.txt \-\-tls\-pubkey=/etc/keys/mandos/tls\-pubkey\&.pem \-\-tls\-privkey=/etc/keys/mandos/tls\-privkey\&.pem\fR
.PP
Use the default location for
\fBmandos-client\fR(8mandos), but add many options to it:
.PP
\fBpassword\-agent \-\- /lib/mandos/plugins\&.d/mandos\-client \-\-pubkey=/etc/mandos/keys/pubkey\&.txt \-\-seckey=/etc/mandos/keys/seckey\&.txt \-\-tls\-pubkey=/etc/mandos/keys/tls\-pubkey\&.pem \-\-tls\-privkey=/etc/mandos/keys/tls\-privkey\&.pem\fR
.PP
Only run the self\-tests:
.PP
\fBpassword\-agent \-\-test\fR
.SH "SECURITY"
.PP
This program will need to run as the root user in order to read the agent directory and the \(lqask\&.\fIxxxx\fR\(rq files there, and will, when starting the Mandos client program, require the ability to set the \(lqreal\(rq user and group IDs to another user, by default user and group 65534, which are assumed to be non\-privileged\&. This is done in order to match the expectations of
\fBmandos-client\fR(8mandos), which assumes that its executable file is owned by the root user and also has the set\-user\-ID bit set (see
\fBexecve\fR(2))\&.
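.PP
The ask\-file handling described under \(lqOVERVIEW\(rq, as an added Python illustration (this is not the Mandos source, which is written in C): parse an \(lqask\&.\fIxxxx\fR\(rq file, honour its NotAfter= deadline, and deliver the password as a \(lq+\(rq\-prefixed datagram to the socket it names, following the Password Agents specification\&. The sample file content is constructed for the example, and the helper names are the example\(cqs own\&.

```python
import configparser
import os
import socket
import time

# Constructed sample shaped like the ask.xxxx files systemd writes under
# /run/systemd/ask-password/ (every value here is made up).
SAMPLE_ASK = """[Ask]
PID=1234
Socket=/run/systemd/ask-password/sck.0123456789abcdef
NotAfter=0
Message=Please enter passphrase for disk sda3_crypt:
"""

def parse_ask(text):
    # [Ask] section as a dict (configparser lower-cases the keys), or None
    # when there is no [Ask] section or no Socket= to send the answer to.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("Ask") or not cp.has_option("Ask", "Socket"):
        return None
    return dict(cp["Ask"])

def is_expired(ask, now_us=None):
    # NotAfter= is CLOCK_MONOTONIC in microseconds; 0 means no deadline.
    not_after = int(ask.get("notafter", "0"))
    if not_after == 0:
        return False
    if now_us is None:
        now_us = time.clock_gettime_ns(time.CLOCK_MONOTONIC) // 1000
    return now_us >= not_after

def answer_question(ask, password):
    # Wire format is '+' followed by the password bytes (a bare '-' would
    # cancel), sent as one AF_UNIX datagram; returns 0 if already expired.
    if is_expired(ask):
        return 0
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        return s.sendto(b"+" + password, ask["socket"])

def answer_all_pending(password, agent_dir="/run/systemd/ask-password"):
    # Answer every ask.* file still present, as password-agent does once
    # the Mandos client has produced the password; returns the count.
    answered = 0
    for name in sorted(os.listdir(agent_dir)):
        if name.startswith("ask."):
            with open(os.path.join(agent_dir, name)) as f:
                ask = parse_ask(f.read())
            if ask is not None and answer_question(ask, password) > 0:
                answered += 1
    return answered
```

Reading the agent directory and the socket paths inside it requires root, which is why the man page has password\-agent itself run as root and drop to an unprivileged user only for the Mandos client process\&.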
.SH "SEE ALSO"
.PP
\fBintro\fR(8mandos),
\fBmandos-client\fR(8mandos),
\fBsystemd\fR(1),
.PP
\m[blue]\fBPassword Agents\fR\m[]\&\s-2\u[1]\d\s+2
.RS 4
The specification for systemd \(lqPassword Agent\(rq programs, which
\fBpassword\-agent\fR
follows\&.
.RE
.SH "COPYRIGHT"
.br
Copyright \(co 2019-2020 Teddy Hogeborn, Bj\(:orn P\(oahlsson
.br
.PP
This manual page is part of Mandos\&.
.PP
Mandos is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version\&.
.PP
Mandos is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License for more details\&.
.PP
You should have received a copy of the GNU General Public License along with Mandos\&. If not, see
\m[blue]\fBhttp://www\&.gnu\&.org/licenses/\fR\m[]\&.
.sp
.SH "NOTES"
.IP " 1." 4
Password Agents
.RS 4
\%https://systemd.io/PASSWORD_AGENTS/
.RE