1 <?xml version='
1.0'
?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
2 <!DOCTYPE refentry PUBLIC
"-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
6 This file is part of systemd.
8 Copyright 2011 Lennart Poettering
10 systemd is free software; you can redistribute it and/or modify it
11 under the terms of the GNU Lesser General Public License as published by
12 the Free Software Foundation; either version 2.1 of the License, or
13 (at your option) any later version.
15 systemd is distributed in the hope that it will be useful, but
16 WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Lesser General Public License for more details.
20 You should have received a copy of the GNU Lesser General Public License
21 along with systemd; If not, see <http://www.gnu.org/licenses/>.
24 <refentry id=
"systemd-ask-password"
25 xmlns:
xi=
"http://www.w3.org/2001/XInclude">
28 <title>systemd-ask-password
</title>
29 <productname>systemd
</productname>
33 <contrib>Developer
</contrib>
34 <firstname>Lennart
</firstname>
35 <surname>Poettering
</surname>
36 <email>lennart@poettering.net
</email>
42 <refentrytitle>systemd-ask-password
</refentrytitle>
43 <manvolnum>1</manvolnum>
47 <refname>systemd-ask-password
</refname>
48 <refpurpose>Query the user for a system password
</refpurpose>
53 <command>systemd-ask-password
<arg choice=
"opt" rep=
"repeat">OPTIONS
</arg> <arg choice=
"opt">MESSAGE
</arg></command>
58 <title>Description
</title>
60 <para><command>systemd-ask-password
</command> may be used to query
61 a system password or passphrase from the user, using a question
62 message specified on the command line. When run from a TTY it will
63 query a password on the TTY and print it to standard output. When
64 run with no TTY or with
<option>--no-tty
</option> it will query
65 the password system-wide and allow active users to respond via
66 several agents. The latter is only available to privileged
69 <para>The purpose of this tool is to query system-wide passwords
70 -- that is passwords not attached to a specific user account.
71 Examples include: unlocking encrypted hard disks when they are
72 plugged in or at boot, entering an SSL certificate passphrase for
73 web and VPN servers.
</para>
75 <para>Existing agents are:
78 <listitem><para>A boot-time password agent asking the user for
79 passwords using Plymouth
</para></listitem>
81 <listitem><para>A boot-time password agent querying the user
82 directly on the console
</para></listitem>
84 <listitem><para>An agent requesting password input via a
86 project='man-pages'
><refentrytitle>wall
</refentrytitle><manvolnum>1</manvolnum></citerefentry>
87 message
</para></listitem>
89 <listitem><para>A command line agent which can be started
90 temporarily to process queued password
91 requests
</para></listitem>
93 <listitem><para>A TTY agent that is temporarily spawned during
94 <citerefentry><refentrytitle>systemctl
</refentrytitle><manvolnum>1</manvolnum></citerefentry>
95 invocations
</para></listitem>
96 </itemizedlist></para>
98 <para>Additional password agents may be implemented according to
100 url=
"http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents">systemd
101 Password Agent Specification
</ulink>.
</para>
103 <para>If a password is queried on a TTY, the user may press TAB to
104 hide the asterisks normally shown for each character typed.
105 Pressing Backspace as first key achieves the same effect.
</para>
110 <title>Options
</title>
112 <para>The following options are understood:
</para>
116 <term><option>--icon=
</option></term>
118 <listitem><para>Specify an icon name alongside the password
119 query, which may be used in all agents supporting graphical
120 display. The icon name should follow the
<ulink
121 url=
"http://standards.freedesktop.org/icon-naming-spec/icon-naming-spec-latest.html">XDG
122 Icon Naming Specification
</ulink>.
</para></listitem>
126 <term><option>--id=
</option></term>
127 <listitem><para>Specify an identifier for this password
128 query. This identifier is freely choosable and allows
129 recognition of queries by involved agents. It should include
130 the subsystem doing the query and the specific object the
131 query is done for. Example:
132 <literal>--id=cryptsetup:/dev/sda5
</literal>.
</para></listitem>
136 <term><option>--keyname=
</option></term>
137 <listitem><para>Configure a kernel keyring key name to use as
138 cache for the password. If set, then the tool will try to push
139 any collected passwords into the kernel keyring of the root
140 user, as a key of the specified name. If combined with
141 <option>--accept-cached
</option>, it will also try to retrieve
142 such cached passwords from the key in the kernel keyring
143 instead of querying the user right away. By using this option,
144 the kernel keyring may be used as effective cache to avoid
145 repeatedly asking users for passwords, if there are multiple
146 objects that may be unlocked with the same password. The
147 cached key will have a timeout of
2.5min set, after which it
148 will be purged from the kernel keyring. Note that it is
149 possible to cache multiple passwords under the same keyname,
150 in which case they will be stored as NUL-separated list of
152 <citerefentry project='die-net'
><refentrytitle>keyctl
</refentrytitle><manvolnum>1</manvolnum></citerefentry>
153 to access the cached key via the kernel keyring
154 directly. Example:
<literal>--keyname=cryptsetup
</literal></para></listitem>
158 <term><option>--timeout=
</option></term>
160 <listitem><para>Specify the query timeout in seconds. Defaults
161 to
90s. A timeout of
0 waits indefinitely.
</para></listitem>
165 <term><option>--echo
</option></term>
167 <listitem><para>Echo the user input instead of masking it.
168 This is useful when using
169 <filename>systemd-ask-password
</filename> to query for
170 usernames.
</para></listitem>
174 <term><option>--no-tty
</option></term>
176 <listitem><para>Never ask for password on current TTY even if
177 one is available. Always use agent system.
</para></listitem>
181 <term><option>--accept-cached
</option></term>
183 <listitem><para>If passed, accept cached passwords, i.e.
184 passwords previously entered.
</para></listitem>
188 <term><option>--multiple
</option></term>
190 <listitem><para>When used in conjunction with
191 <option>--accept-cached
</option> accept multiple passwords.
192 This will output one password per line.
</para></listitem>
195 <xi:include href=
"standard-options.xml" xpointer=
"help" />
201 <title>Exit status
</title>
203 <para>On success,
0 is returned, a non-zero failure code
208 <title>See Also
</title>
210 <citerefentry><refentrytitle>systemd
</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
211 <citerefentry><refentrytitle>systemctl
</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
212 <citerefentry project='die-net'
><refentrytitle>keyctl
</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
213 <citerefentry project='die-net'
><refentrytitle>plymouth
</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
214 <citerefentry project='man-pages'
><refentrytitle>wall
</refentrytitle><manvolnum>1</manvolnum></citerefentry>