Renamed socket:// to local://.

[libpwmd.git] / doc / pwmc.1.in

.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation; either version 2 of the License, or
.\" (at your option) any later version.
.\" 
.\" This program is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
.\" GNU General Public License for more details.
.\" 
.\" You should have received a copy of the GNU General Public License
.\" along with this program; if not, write to the Free Software
.\" Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02110-1301  USA
.de URL
\\$2 \(laURL: \\$1 \(ra\\$3
..
.if \n[.g] .mso www.tmac
.TH PWMD 1 "16 Apr 2009" "Password Manager Client" "Password Manager Client"
.SH NAME

pwmc \- send a command to a pwmd server
.SH SYNOPSIS
.B pwmc
[options] [file]

.SH DESCRIPTION
.B pwmc
is a
.BR libpwmd (3)
client for
.BR pwmd (1) .
A server command is read from standard input and the command result, if any,
is sent to either a file descriptor or standard output.

.SH OPTIONS
.TP
.I "\--url <string>"
A string to parse that can be used for remote pwmd server details rather than
the other command line options.
See
.B EXAMPLES .

.TP
.I "\--socket <path>"
Connect to the specified local domain socket.  The default is
\fB~/.pwmd/socket\fR.

.TP
.I "\--host, -h <hostname>"
Establish an SSH connection to the specified hostname. See
.B SSH
below for how to setup the SSH host to use
.BR pwmd (1)
via a proxy.

.TP
.I "\--port, -p <port>"
The port of the hostname to connect to. The default is 22.

.TP
.I "\--known-hosts, -k <filename>"
A file containing a list of SHA1 fingerprints of remote SSH servers that
.BR libpwmd (3)
will check against while authenticating the remote host. Note that this file
format differs from the usual
.BR ssh (1)
known_hosts file format.

.TP
.I "\--identity, -i <filename>"
The
.BR ssh (1)
identity file to use for public key authentication. This is the only supported
method of SSH authentication. Both the public and private key must be
available.

.TP
.I "\--user, -u <username>"
The username to login as on the remote SSH server. The default is the invoking
user.

.TP
.I "\--get-hostkey, -g"
Retrieve the SHA1 fingerprint of the remote SSH hostname specified with
.B -h .
The result should be appended to the known hosts file.

.TP
.I "\--ipv4, -4"
Connect to an IPv4 host only. The default is to try an IPv6 host first, then
an IPv4 host.

.TP
.I "\--ipv4, -6"
Connect to an IPv6 host only. The default is to try an IPv6 host first, then
an IPv4 host.

.TP
.I "\--name, -n <string>"
Set the client name to the specified string. This string is what shows up in
the
.BR pwmd (1)
log files. The default is "pwmc".

.TP
.I "\--no-status"
Don't show server status messages. By default, status messages are written to
stderr.

.TP
.I "\--inquire-fd <FD>"
For commands that use an INQUIRE from the server (STORE and IMPORT), this sets
the file descriptor that the data will be read from. By default, stdin is
used.

.TP
.I "\--output-fd <FD>"
Redirect output to the specified file descriptor. The default is stdout.

.TP
.I "\--save, -S"
After the command has been processed and no error occurred, send the SAVE
command to the server.

.TP
.I "\--iterations, -I <integer>"
Specifies the number of encryption iterations to use when
.B -S
is used. The default is specified in the
.BR pwmd (1)
server configuration.

.TP
.I "\--passphrase, -P <string>"
The passphrase to use when required. If not set then a
.BR pinentry (1)
will be used if available.

.TP
.I "\--pinentry, <path>"
The full path to the pinentry binary. The default is the
.BR pwmd (1)
server configured setting.

.TP
.I "\--ttyname, <path>"
The full path of the TTY for
.BR pinentry (1)
to prompt on. The default is the current terminal.

.TP
.I "\--ttytype, <string>"
The terminal type of the specified TTY that
.BR pinentry (1)
should use. This is required if
.B --ttyname
is specified.

.TP
.I "\--display, <string>"
The X11 display that
.BR pinentry (1)
should use. Note that a remote SSH
.BR pinentry (1)
is currently not supported. The default is the current DISPLAY if set.

.TP
.I "\--lc-ctype, <string>"
For
.BR pinentry (1)
localization.

.TP
.I "\--lc-messages, <string>"
For
.BR pinentry (1)
localization.

.TP
.I "\--tries, <N>"
The number of times before failing when an invalid passphrase is entered in
the
.BR pinentry (1)
dialog. The default is 3.

.TP
.I "\--timeout, <seconds>"
The number of seconds before
.BR pinentry (1)
will timeout while waiting for a passphrase. The default is 30.

.TP
.I "\--local-pinentry"
Force using the local pinentry for passphrase retrieval. This has the same
effect as specifying
.B --passphrase
after the
.BR pinentry (1)
dialog is closed.

.TP
.I "\--force-save"
Like
.B --save
but expire any cache entry on the server before saving. When used with
.B --local-pinentry,
the initial passphrase is also cleared.

.TP
.I "\--version"
Version information.
.TP
.I "\--help"
Help text.


.SH SSH
In order to get this to work you need to put the following in your
.B ~/.ssh/authorized_keys
file on the remote SSH host. It should be prepended to the hash of the public
key that was generated using
.BR ssh-keygen (1)
and specified using the
.B --identity
command line option:

    command="socat gopen:$HOME/.pwmd/socket -"

The
.BR socat (1)
command can be replaced with any utility that can read from stdin and write
to a local domain socket, and vice-versa.


.SH PINENTRY
.BR pinentry (1)
is a program that prompts the user for input of a passphrase. This is
currently not supported when connected to a remote pwmd server since X11 port
forwarding is not done yet.

The terminal, terminal type or DISPLAY that pinentry will prompt on is either
set with the command line options or uses options set in
.B ~/.pwmd/pinentry.conf
when available. Otherwise the current terminal and terminal type or X11
DISPLAY is used.

The
.B ~/.pwmd/pinentry.conf
file contains one NAME=VALUE pair per line. Comments begin with a '#'.

.B PATH
The full path to the location of the pinentry binary.

.B DISPLAY
The X11 display to use.

.B TTYNAME
The full path to the tty that pinentry should prompt on.

.B TTYTYPE
The terminal type of the tty (i.e., vt100) which is required if DISPLAY is not
set.


.SH EXAMPLES
To list the available accounts and use
.BR pinentry (1)
to get the passphrase (if required):
.RS
echo list | pwmc filename
.RE
.P
To store an element path and save the file afterwards:
.RS
echo -ne 'store isp\\tsmtp\\thostname\\tsomehost.com' | pwmc -S filename
.RE
.P
Store a large file:
.RS
echo -en 'store blah\\tstuff\\t' | pwmc -S -I 3 filename 3<data_file
.P
And then to get the content:
.P
echo -e 'get blah\\tstuff' | pwmc filename
.RE
.P
Clear the file cache for a single file:
.RS
echo 'clearcache filename' | pwmc
.RE
.P
To list the contents of a data file which is stored on a  remote pwmd server
over an SSH connection:
.RS
echo list | pwmc --url ssh://user@hostname,~/identity,~/known_hosts filename
.RE

.SH FILES
.TP
.B ~/.pwmd/socket
Default socket to connect to.
.TP
.B ~/.pwmd/pinentry.conf
Default settings that
.BR pinentry (1)
will use for the terminal, terminal type or X11 display.
.TP
.B @pinentry@
Default location of the
.BR pinentry (1)
binary.

.SH AUTHOR
Ben Kibbey <bjk@luxsci.net>
.br
.URL "http://bjk.sourceforge.net/pwmd/" "PWMD Homepage" .

.SH "SEE ALSO"
.BR pwmd (1),
.BR pinentry (1),
.BR ssh-keygen (1),
.BR authorized_keys (5),
.BR socat (1),
.BR libpwmd (3)