1 .\" Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013
2 .\" Ben Kibbey <bjk@luxsci.net>
4 .\" This file is part of libpwmd.
6 .\" Libwmd is free software: you can redistribute it and/or modify
7 .\" it under the terms of the GNU General Public License as published by
8 .\" the Free Software Foundation, either version 2 of the License, or
9 .\" (at your option) any later version.
11 .\" Libwmd is distributed in the hope that it will be useful,
12 .\" but WITHOUT ANY WARRANTY; without even the implied warranty of
13 .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 .\" GNU General Public License for more details.
16 .\" You should have received a copy of the GNU General Public License
17 .\" along with Libpwmd. If not, see <http://www.gnu.org/licenses/>.
19 \\$2 \(laURL: \\$1 \(ra\\$3
21 .if \n[.g] .mso www.tmac
22 .TH PWMC 1 "25 Feb 2013" "@VERSION@" "Password Manager Client"
25 pwmc \- send a command to a pwmd server
36 Pwmc reads pwmd protocol commands from either standard input or
37 interactively by using libreadline to prompt for input. The
38 interactive mode allows for more than one command to be sent to the
44 A pwmd URL to connect to. The available URL types depend on options
45 enabled at compile-time. The default when not specified is
52 .I "\--connect-timeout <seconds>"
53 The number of seconds before timing out when connecting to a remote
54 server. The default is 120 seconds.
57 .I "\--socket-timeout <seconds>"
58 The number of seconds before a remote command will timeout. The
59 default is 300 seconds.
62 .I "\--ca-cert, <filename>"
63 The X509 certificate authority file to use when validating the pwmd
64 TLS server certificate. Required when connecting via TLS.
67 .I "\--client-cert, <filename>"
68 The X509 client certificate to use when authenticating a TLS
69 connection. Required when connecting via TLS.
72 .I "\--client-key, <filename>"
73 The X509 key file to use to unlock the client certificate. Required
74 when connecting via TLS.
77 .I "\--tls-priority, <string>"
78 A string representing compression, cipher and hashing algorithm priorities for
79 a TLS connection. See the GnuTLS documentation for details. The default is
84 Verify the TLS server hostname stored in the server certificate to the
85 connected hostname. The default is disabled.
88 .I "\--tls-fingerprint <string>"
89 Verify the SHA-1 hash of the servers certificate against the specified
94 Normally, when the SSH_AUTH_SOCK environment variable is set, pwmc will get
95 authentication details from the ssh agent. When this option is specified or
96 when the environment variable is unset, a private key must be specified on the
101 for how to add a private key to the ssh agent. Note that the
103 command line option has priority over the ssh agent.
106 .I "\-\-identity, -i <filename>"
107 The SSH identity file use when connecting via SSH.
110 .I "\-\-knownhosts, -k <filename"
111 The SSH knownhosts file to use when connection via SSH. The default is
116 Do not lock the data file upon opening it. Locking the data file
117 prevents other clients from opening the same file.
120 .I "\--lock-timeout <N>"
121 The time in tenths of a second to wait for another client to release the lock
122 held on a data file before returning an error. When not specified or 0, pwmc
123 will wait indefinately. When -1, an error will be returned
124 immediately. The default is 50.
127 .I "\--name, -n <string>"
128 Set the client name to the specified string. This string is what is shown in
131 log files. The default is "pwmc".
134 .I "\--pinentry, <path>"
135 The full path to the pinentry binary. The default is specified at
139 .I "\--local-pinentry"
140 Force use of the local pinentry for passphrase retrieval. This will
141 disable pwmd's pinentry and use a pinentry fork'ed from libpwmd.
145 Disable the use of pinentry entirely. Both pwmd and libpwmd's local
146 pinentry will be disabled. Pwmc will prompt for the passphrase via
150 .I "\--ttyname, -y <path>"
151 The full path of the TTY for
153 to prompt on. The default is the current terminal.
156 .I "\--ttytype, -t <string>"
157 The terminal type of the specified TTY that
159 should use. This is required if
164 .I "\--display, -d <string>"
167 should use. Note that remote connections to pwmd do not use pwmd's
168 pinentry but use a pinentry fork'ed from libpwmd instead. The default
171 environment variable.
174 .I "\--lc-ctype, <string>"
180 .I "\--lc-messages, <string>"
187 The number of times before failing when an invalid passphrase is entered in
190 dialog. The default is 3.
193 .I "\-\-timeout, <seconds>"
194 The number of seconds before
196 will timeout while waiting for a passphrase. The default is 30.
199 .I "\--inquire <command>"
200 Some pwmd protocol commands use what is called an INQUIRE to retrieve
201 data from the client. This options argument should be the command name
202 that uses an inquire. The command data will be read from the file
203 descriptor specified by the
205 option or stdin by default.
208 .I "\--inquire-line, -L <string>"
209 The initial line to send during an inquire and before any other data read from
210 the inquire file descriptor. This option is useful to specify an
211 element path without needing to modify the remaining inquire data. See
216 .I "\--inquire-fd <fd>"
217 Read inquire data from the specified file descriptor. For use with the
219 option. By default, inquire data is read from stdin. Use
220 .I "\-\-inquire-line"
221 to send an initial line before the actual data.
224 .I "\-\-inquire-file <filename>"
225 Read inquire data from the specified filename. For use with the
227 option. By default, inquire data is read from stdin. Use
228 .I "\-\-inquire-line"
229 to send an initial line before the actual data.
232 .I "\--output-fd <fd>"
233 Redirect the output of the pwmd command to the specified file
234 descriptor. The default is stdout.
238 After the command has been processed without error, send the SAVE
239 command to the server to write any changes to disk.
245 but expire any cached passphrase on the server before saving. This
246 will require a passphrase, if needed, when saving.
249 .I "\-\-no\-passphrase"
250 When saving to a new file, do not prompt for a passphrase. This will
251 allow the data file to be opened without a passphrase.
254 .I "\-\-no-gpg-agent"
259 support and gpg-agent usage is enabled, pwmd will default to using
260 the gpg-agent key-pair encryption mechanism rather than symmetric
261 encryption of the data file. Use this option to force symmetric
262 encryption of the data file without using gpg-agent. Note that this
263 option only has an affect when saving to a new file.
266 .I "\--key-file <filename>"
267 Read the passphrase used to open a file from the specified filename.
270 .I "\--new-key-file <filename>"
271 Read a passphrase from the specified filename that is to be used for a
272 new data file or when changing the passphrase for an existing data
276 .I "\--cipher <string>"
277 When saving, encrypt with the specified cipher algorithm. See the
278 pwmd documentation for available ciphers. The default is "aes256".
281 .I "\--cipher-iterations <N>"
282 The number of cipher encryption iterations of the XML data. This is
286 .I "\-\-key\-params <string>"
287 When saving, use the specified key parameters rather than the pwmd
288 default. This should be a valid S-expression. See the libgcrypt
289 documentation for details.
292 .I "\-\-keygrip <hex-string>"
293 Encrypt the XML data using the specified key grip. The key can be any
299 .I "\-\-sign-keygrip <hex-string>"
300 Sign the encrypted XML data using the specified key grip. The key can
306 .I "\--s2k-count <n>"
307 The number of passphrase hashing iterations for a new file.
311 Do not show server status messages. By default, status messages are
316 Do not show informational messages from pwmc. Implies --no-status.
320 Use an interactive pwmc shell. This will let you send more than one command
321 per connection and is the default when input is from a terminal. See
323 for more information.
334 Pwmc can connect to a remote pwmd server over an SSH connection by
335 using a proxy program that can read from stdin and write to a UNIX
336 domain socket and vice-versa.
338 Most SSH servers allow special options in the
340 file that do various things. One such option is the
342 option that will launch a program when an SSH client connects. We can
343 use this to start a proxy program that connects to the UNIX domain
344 socket that pwmd listens on by putting the following in
346 .B ~/.ssh/authorized_keys
347 file on the remote SSH host:
349 command="socat gopen:$HOME/.pwmd/socket -" [...public.key...]
353 is prepended to the public key that was
356 and specified using the
362 command can be replaced with any utility that can read from stdin and write
363 to a local domain socket.
368 is a program that prompts a user for input. This is currently not
369 supported when connected to a remote pwmd server since X11 port
370 forwarding has yet to be implemented. If a pinentry is required over a
371 remote connection then a local pinentry fork'ed from libpwmd will be
373 .I "\\-\-no\-pinentry"
374 command line option was specified.
376 The terminal, terminal type or
378 that pinentry will prompt on is either
379 set with the command line options or uses options set in
380 .B ~/.pwmd/pinentry.conf
381 when available (see below). Otherwise the current terminal and
387 .B ~/.pwmd/pinentry.conf
390 pair per line. Comments begin with a '#'.
393 The full path to the location of the pinentry binary.
396 The X11 display to use.
399 The full path to the tty that pinentry should prompt on.
402 The terminal type of the tty (i.e., vt100) which is required if DISPLAY is not
406 For pinentry localization.
409 For pinentry localization.
413 Since interactive mode uses the
415 library, the TAB character is normally interpreted as the line completion
416 character. This conflicts with the
418 element separation character. In order to insert a TAB you will first need to
419 press CTRL-V then press TAB. See
421 for more information about line history and completion.
423 Interactive mode also has a few dot commands. Dot commands (an idea
426 command line program), begin with a
428 followed by the command name and any arguments. Here are the available
429 pwmc interactive commands:
435 while losing any changes to the current filename. Although the
437 protocol command can be used to open a file, this dot command is
438 recommended because it takes care of pinentry settings among other
442 .I .read [--prefix <string>] <filename> <command> [args ...]
445 that uses a server INQUIRE. The
447 option behaves like the
448 .I "\-\-inquire-line"
449 command line option. It is the initial line to send before any data
454 .I .redir <filename> <command>
455 Redirect the output of
461 .I .set help | <name> [<value>] [...]
468 is specified, the option
473 .I keyfile <datafile> [<filename>]
476 containing the passphrase to open
478 for the next command requiring a passphrase. This is equivalent to the
480 command line option. This value will be unset after the next protocol
481 command to prevent misuse.
483 .I new-keyfile <datafile> [<filename>]
486 containing the passphrase to use to save
488 for the next command requiring a new passphrase. This is equivalent to the
489 .I "\-\-new-key-file"
490 command line option. This value will be unset after the next protocol
491 command to prevent misuse.
493 .I pinentry-timeout <seconds>
494 Set the amount of seconds before the pinentry program will close and return an
495 error while waiting for user input.
500 Save changes of the document to disk. Using this dot command rather than
503 protocol command is recommended since it determines whether to use
508 Show available interactive commands.
511 To list all XML root elements of the data file and use
513 to retrieve the passphrase (if required):
515 .I echo list | pwmc filename
518 To store an element path and save the file afterwards:
520 .I echo -ne 'isp\\\\tsmtp\\\\thostname\\\\tsomehost.com' | pwmc --inquire STORE -S filename
522 And then to get the content:
524 .I echo -ne 'get isp\\\\tsmtp\\\\thostname' | pwmc filename
529 .I echo -ne 'some\\\\telement\\\\tpath\\\\t' | cat - data_file | pwmc --inquire STORE -S filename
533 .I pwmc --inquire STORE --inquire-line 'some\\\\telement\\\\tpath\\\\t' -S filename < data_file
536 Clear the file cache for a single file:
538 .I echo 'clearcache filename' | pwmc
541 To list root elements of a data file which is stored on a remote pwmd server
542 over an SSH connection:
544 .I echo list | pwmc --url ssh://user@hostname -i ~/.ssh/identity filename
547 Connect to a remote pwmd server over TLS, interactively:
549 .I pwmc --url tls://hostname --ca-cert cafile.pem --client-cert client.pem --client-key clientkey.pem filename
552 Connect to a remote pwmd server over TLS and generate a new keypair
553 for a data file that may not already exist using a keyfile as
554 passphrase and inquire data from a file descriptor:
556 .I pwmc --url tls://hostname --ca-cert cafile.pem --client-cert client.pem --client-key clientkey.pem --inquire STORE --inquire-line 'some\\\\telement\\\\t' --inquire-fd 3 --key-file old_key --new-key-file new_key --cipher serpent128 --cipher-iterations 4000 --key-params '(genkey (rsa (nbits 4:1024)))' -S datafile 3<inquire_data
560 Be careful of newline characters when storing data. The data is transfered and
561 stored exactly as the input is read, newlines and all. If you wonder why your
562 new passphrase for a service doesn't work then a trailing newline character
568 Default pwmd socket to connect to.
570 .B ~/.pwmd/pinentry.conf
571 Default settings that
573 will use for the terminal, terminal type or X11 display.
576 Default location of the
581 Ben Kibbey <bjk@luxsci.net>
583 .URL "http://libpwmd.sourceforge.net/" "libpwmd Homepage" .
589 .BR authorized_keys (5),
593 And the pwmd texinfo manual for protocol commands and their syntax.