.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation; either version 2 of the License, or
.\" (at your option) any later version.
.\" This program is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.\" GNU General Public License for more details.
.\" You should have received a copy of the GNU General Public License
.\" along with this program; if not, write to the Free Software
.\" Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02110-1301 USA
\\$2 \(laURL: \\$1 \(ra\\$3
.if \n[.g] .mso www.tmac
.TH PWMD 1 "11 Nov 2010" "Password Manager Client" "Password Manager Client"
pwmc \- send a command to a pwmd server
A server command is read from standard input and the command result, if any,
is sent to either a file descriptor or standard output.
A string to parse that can be used for remote pwmd server details rather than
the other command line options.
Connect to the specified local domain socket. The default is
Don't lock the data file upon opening it.
.I "\--host, -h <hostname>"
Establish an SSH connection to the specified hostname. See
below for how to set up the SSH host to use
.I "\--port, -p <port>"
The port of the hostname to connect to. The default is 22.
.I "\--known-hosts, -k <filename>"
An OpenSSH formatted known_hosts file that
will verify the host key against while connecting to a remote host. The default
.BR ~/.ssh/known_hosts .
Retrieve the private key for the connected host from an ssh-agent. Read
.I "\--identity, -i <filename>"
identity file to use for public key authentication. This is the only supported
method of SSH authentication. Both the public and private key must be
.I "\--user, -u <username>"
The username to log in as on the remote SSH server. The default is the invoking
.I "\--get-hostkey, -g"
Retrieve the OpenSSH formatted host key of the remote SSH hostname specified
The result should be appended to the known hosts file.
Connect to an IPv4 host only. The default is to try an IPv6 host first, then
Connect to an IPv6 host only. The default is to try an IPv6 host first, then
.I "\--name, -n <string>"
Set the client name to the specified string. This string is what shows up in
log files. The default is "pwmc".
Don't show server status messages. By default, status messages are written to
Use an interactive pwmc shell. This will let you send more than one command
.I "\--inquire <COMMAND>"
Use this option to send commands that use a server inquire to retrieve data.
Only the command name and any command options should be specified. The
command data will be read from the inquire file descriptor or stdin by
.I "\--inquire-fd <FD>"
This option sets the file descriptor to read data from. The default is stdin
.I "\--output-fd <FD>"
Redirect output to the specified file descriptor. The default is stdout.
.I "\--cipher <string>"
When saving, encrypt with the specified cipher.
.I "\--iterations, -I <integer>"
Specifies the number of encryption iterations to use when
is used. The default is specified in the
server configuration.
After the command has been processed and no error occurred, send the SAVE
command to the server.
.I "\--passphrase, -P <string>"
The passphrase to use when required. If not set then a
will be used if available.
.I "\--key-file <filename>"
Read the passphrase from the specified filename.
Specifies that the passphrase is Base64 encoded.
will decode the passphrase before encryption and decryption.
.I "\--pinentry, <path>"
The full path to the pinentry binary. The default is the
server configured setting.
.I "\--ttyname, <path>"
The full path of the TTY for
to prompt on. The default is the current terminal.
.I "\--ttytype, <string>"
The terminal type of the specified TTY that
should use. This is required if
.I "\--display, <string>"
should use. Note that a remote SSH
is currently not supported. The default is the current DISPLAY if set.
.I "\--lc-ctype, <string>"
.I "\--lc-messages, <string>"
The number of times before failing when an invalid passphrase is entered in
dialog. The default is 3.
.I "\--timeout, <seconds>"
The number of seconds before
will timeout while waiting for a passphrase. The default is 30.
.I "\--local-pinentry"
Force using the local pinentry for passphrase retrieval. This has the same
but expire any cache entry on the server before saving. When used with
the initial passphrase is also cleared.
In order to get this to work you need to put the following in your
.B ~/.ssh/authorized_keys
file on the remote SSH host. It should be prepended to the hash of the public
key that was generated using
and specified using the
command="socat gopen:$HOME/.pwmd/socket -"
command can be replaced with any utility that can read from stdin and write
to a local domain socket, and vice-versa.
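As an added example (not part of the pwmc man page or the pwmd project), the following POSIX shell script builds the forced-command authorized_keys entry described above and prepends OpenSSH's restriction options, so that the key can only reach the relay and cannot open a PTY, forward ports, X11 or an agent. It assumes socat as the relay utility and the page's default socket path $HOME/.pwmd/socket; the public key it uses is a constructed sample, not a real key.

```shell
#!/bin/sh
# Added example, not pwmd's own code: generate a least-privilege
# authorized_keys entry for the pwmd SSH relay and audit existing lines.
# Assumed: socat is the relay and the socket is $HOME/.pwmd/socket.

# Forced command, with $HOME kept literal so sshd expands it at login.
PWMD_FORCED_CMD='command="socat gopen:$HOME/.pwmd/socket -"'
# Deny everything the relay does not need (OpenSSH authorized_keys options).
PWMD_RESTRICT='no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty'

# Constructed sample public key (not a real key).
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataNotReal00000000 user@example'

# pwmd_authorized_key_line FILE -> print the restricted entry for the
# public key in FILE; any options already present on the line are dropped.
pwmd_authorized_key_line() {
    key=$(awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print substr($0, index($0, $i)); exit }
    }' "$1")
    [ -n "$key" ] || return 1
    printf '%s,%s %s\n' "$PWMD_FORCED_CMD" "$PWMD_RESTRICT" "$key"
}

# pwmd_line_is_restricted LINE -> 0 if LINE carries the forced command and
# the no-pty restriction, 1 otherwise (useful when auditing the file).
pwmd_line_is_restricted() {
    case $1 in
        "$PWMD_FORCED_CMD",*no-pty*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo: write the sample key to a temp file and show the resulting entry.
pwmd_demo() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_PUBKEY" > "$f"
    pwmd_authorized_key_line "$f"
    rm -f "$f"
}
pwmd_demo
```

The restriction options are ordinary OpenSSH authorized_keys options; they matter because the forced command alone still lets the key holder request port forwarding or a PTY unless those are explicitly denied.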
is a program that prompts the user for input of a passphrase. This is
currently not supported when connected to a remote pwmd server since X11 port
forwarding is not done yet. If a pinentry is required then a local pinentry
The terminal, terminal type or DISPLAY that pinentry will prompt on is either
set with the command line options or uses options set in
.B ~/.pwmd/pinentry.conf
when available. Otherwise the current terminal and terminal type or X11
.B ~/.pwmd/pinentry.conf
file contains one NAME=VALUE pair per line. Comments begin with a '#'.
The full path to the location of the pinentry binary.
The X11 display to use.
The full path to the tty that pinentry should prompt on.
The terminal type of the tty (e.g., vt100) which is required if DISPLAY is not
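As an added example (not pwmd's own code), here is a small POSIX shell reader for the NAME=VALUE format of ~/.pwmd/pinentry.conf described above, with '#' comments and one pair per line, plus a lint pass that flags lines which are neither comments nor pairs. The names DISPLAY, TTYNAME and TTYTYPE in the constructed sample are assumed for illustration only; the man page does not spell out the real key names.

```shell
#!/bin/sh
# Added example, not pwmd's own code: read and lint a pinentry.conf-style
# file (one NAME=VALUE per line, '#' comments). Key names in the sample
# below are assumed, not taken from pwmd.

# pinentry_conf_get FILE NAME -> print NAME's value; return 1 if absent.
pinentry_conf_get() {
    awk -v want="$2" -F= '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
        {
            name = $1
            sub(/^[[:space:]]+/, "", name); sub(/[[:space:]]+$/, "", name)
            if (name != want) next
            # everything after the first "=", so values may themselves contain "="
            value = substr($0, index($0, "=") + 1)
            sub(/^[[:space:]]+/, "", value); sub(/[[:space:]]+$/, "", value)
            print value
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }' "$1"
}

# pinentry_conf_lint FILE -> report lines that are neither comments, blank,
# nor NAME=VALUE; return 1 if any were found.
pinentry_conf_lint() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        !/^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=/ {
            printf "%s:%d: malformed line: %s\n", FILENAME, NR, $0
            bad = 1
        }
        END { exit bad ? 1 : 0 }' "$1"
}

# Constructed sample config written to a temp file; prints its path.
sample_pinentry_conf() {
    f=$(mktemp) || return 1
    printf '%s\n' \
        '# constructed sample, not a real pinentry.conf' \
        'DISPLAY = :0' \
        'TTYNAME=/dev/pts/3   ' \
        'TTYTYPE=vt100' > "$f"
    printf '%s\n' "$f"
}

# Demo: look up each assumed name and lint the file.
f=$(sample_pinentry_conf)
for n in DISPLAY TTYNAME TTYTYPE; do
    printf '%s -> %s\n' "$n" "$(pinentry_conf_get "$f" "$n")"
done
pinentry_conf_lint "$f" && echo "no malformed lines"
rm -f "$f"
```

Whitespace around the name and value is trimmed, and only the first "=" splits the line, so a value such as a DISPLAY string containing "=" survives intact.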
a shell-like interface can be used. This allows sending more than one command
during a connection. It's a little tricky to get server inquires to work right,
so two special commands were added to the shell:
is the inquire command to send with any needed command options. The data is
read from stdin or from the specified
All other commands are sent directly to
without modification.
Since interactive mode uses the
library, the TAB character is normally interpreted as the line completion
character. This conflicts with the
element separation character. In order to insert a TAB you'd first need to
press CTRL-V then press TAB. See
for more information about line history and completion.
To list the available accounts and use
to get the passphrase (if required):
echo list | pwmc filename
To store an element path and save the file afterwards:
echo -ne 'isp\\tsmtp\\thostname\\tsomehost.com' | pwmc --inquire STORE -S filename
And then to get the content:
echo -ne 'get isp\\tsmtp\\thostname' | pwmc filename
echo -ne 'some\\telement\\tpath\\t' | cat - data_file | pwmc -S filename --inquire STORE
Clear the file cache for a single file:
echo 'clearcache filename' | pwmc
To list root elements of a data file which is stored on a remote pwmd server
over an SSH connection:
echo list | pwmc --url ssh://user@hostname,~/identity,~/known_hosts filename
Default socket to connect to.
.B ~/.pwmd/pinentry.conf
Default settings that
will use for the terminal, terminal type or X11 display.
Default location of the
Ben Kibbey <bjk@luxsci.net>
.URL "http://bjk.sourceforge.net/pwmd/" "PWMD Homepage" .
.BR authorized_keys (5),