Reimplement GnuTLS support.

[libpwmd.git] / doc / pwmc.1.in

.\" Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012
.\" Ben Kibbey <bjk@luxsci.net>
.\" 
.\" This file is part of libpwmd.
.\" 
.\" Libwmd is free software: you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 2 of the License, or
.\" (at your option) any later version.
.\" 
.\" Libwmd is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
.\" GNU General Public License for more details.
.\" 
.\" You should have received a copy of the GNU General Public License
.\" along with Libpwmd.  If not, see <http://www.gnu.org/licenses/>.
.de URL
\\$2 \(laURL: \\$1 \(ra\\$3
..
.if \n[.g] .mso www.tmac
.TH PWMD 1 "20 May 2012" "Password Manager Client" "Password Manager Client"
.SH NAME

pwmc \- send a command to a pwmd server
.SH SYNOPSIS
.B pwmc
[options] [file]
.P
.B pwmsh
[options] [file]

.SH DESCRIPTION
.B pwmc
is a
.BR libpwmd (3)
client for
.BR pwmd (1) .
A server command is read from standard input and the command result, if any,
is sent to either a file descriptor or standard output.

.SH OPTIONS
.TP
.I "\--url <string>"
A string to parse that can be used for remote pwmd server details rather than
the other command line options.
See
.B EXAMPLES .

.TP
.I "\--no-lock"
Don't lock the data file upon opening it.

.TP
.I "\--no-ssh-agent"
Normally, when the SSH_AUTH_SOCK environment variable is set, pwmc will get
authentication details from the ssh agent. When this option is specified or
when the environment variable is unset, a private key must be specified on the
command line with the
.B -i
or
.B --url
options. See
.B ssh-add(1)
for how to add a private key to the ssh agent. Note that the
.B -i
command line option has priority over the ssh agent. It is not possible for
the
.B --url
option to have priority.

.TP
.I "\--ssh-timeout <seconds>"
The number of seconds before a remote command will timeout.

.TP
.I "\--ssh-keepalive <seconds>"
The interval in seconds to send a keepalive message to the remote SSH server.
When the keepalive fails the connection will be closed.

.TP
.I "\--name, -n <string>"
Set the client name to the specified string. This string is what shows up in
the
.BR pwmd (1)
log files. The default is "pwmc".

.TP
.I "\--no-status"
Don't show server status messages. By default, status messages are written to
stderr.

.TP
.I "\--interactive"
Use an interactive pwmc shell. This will let you send more than one command
per connection. See
.B INTERACTIVE
below for commands.

.TP
.I "\--inquire <COMMAND>"
Use this option to send commands that use a server inquire to retrieve data.
Only the command name and any command options should be specified.  The
command data will be read from the inquire file descriptor or stdin by
default.

.TP
.I "\--inquire-line, -L <STRING>"
The initial line to send during an inquire and before any other data read from
the inquire file descriptor. Use this to specify an element path without
having to modify the inquire data. See
.B EXAMPLES
below.

.TP
.I "\--inquire-fd <FD>"
For use with
.I "\--inquire"
This option sets the file descriptor to read data from. The default is stdin
or 0. Also see
.B --inquire-line.

.TP
.I "\-\-inquire-file <filename>"
Read the data to send from the specified filename. Also see
.B --inquire-line.

.TP
.I "\--output-fd <FD>"
Redirect output to the specified file descriptor. The default is stdout.

.TP
.I "\--cipher <string>"
When saving, encrypt with the specified cipher.

.TP
.I "\-\-key\-params <string>"
When saving, use the specified key parameters rather than pwmds' default. This
should be a valid S-expression.

.TP
.I "\--save, -S"
After the command has been processed and no error occurred, send the SAVE
command to the server.

.TP
.I "\--key-file <filename>"
Read the passphrase from the specified filename.

.TP
.I "\--s2k-count <N>"
The number of hashing iterations for a new file.

.TP
.I "\--no-pinentry"
Disable the use pinentry entirely, both with pwmd and libpwmd.

.TP
.I "\--pinentry, <path>"
The full path to the pinentry binary. The default is the
.BR pwmd (1)
server configured setting.

.TP
.I "\--ttyname, <path>"
The full path of the TTY for
.BR pinentry (1)
to prompt on. The default is the current terminal.

.TP
.I "\--ttytype, <string>"
The terminal type of the specified TTY that
.BR pinentry (1)
should use. This is required if
.B --ttyname
is specified.

.TP
.I "\--display, <string>"
The X11 display that
.BR pinentry (1)
should use. Note that a remote SSH
.BR pinentry (1)
is currently not supported. The default is the current DISPLAY if set.

.TP
.I "\--lc-ctype, <string>"
For
.BR pinentry (1)
localization.

.TP
.I "\--lc-messages, <string>"
For
.BR pinentry (1)
localization.

.TP
.I "\--tries, <N>"
The number of times before failing when an invalid passphrase is entered in
the
.BR pinentry (1)
dialog. The default is 3.

.TP
.I "\--timeout, <seconds>"
The number of seconds before
.BR pinentry (1)
will timeout while waiting for a passphrase. The default is 30.

.TP
.I "\--local-pinentry"
Force using the local pinentry for passphrase retrieval.

.TP
.I "\--force-save"
Like
.B --save
but expire any cache entry on the server before saving. When used with
.B --local-pinentry,
the initial passphrase is also cleared.

.TP
.I \"--ca-cert, <filename>"
An X509 certificate authority file to use to validate a TLS server
certificate. Required for a TLS connection.

.TP
.I \"--client-cert, <filename>"
An X509 certificate to use for authenticating a TLS connection. Required for a
TLS connection.

.TP
.I \"--client-key, <filename>"
An X509 private key to use for decrypting the client certificate when
authenticating a TLS connection. Required for a TLS connection.

.TP
.I \"--tls-priority, <string>"
A string representing compression, cipher and hashing algorithm priorities for
a TLS connection. See the GnuTLS documentation for details. The default is
"SECURE256".

.TP
.I \"--tls-verify"
Verify the TLS server hostname stored in the server certificate against the
connected hostname. The default is disabled.

.TP
.I "\--version"
Version information.
.TP
.I "\--help"
Help text.


.SH SSH
In order to get this to work you need to put the following in your
.B ~/.ssh/authorized_keys
file on the remote SSH host. It should be prepended to the public key that was
generated using
.BR ssh-keygen (1)
and specified using the
.B --identity
command line option:

    command="socat gopen:$HOME/.pwmd/socket -"

The
.BR socat (1)
command can be replaced with any utility that can read from stdin and write
to a local domain socket, and vice-versa.


.SH PINENTRY
.BR pinentry (1)
is a program that prompts the user for input of a passphrase. This is
currently not supported when connected to a remote pwmd server since X11 port
forwarding is not done yet. If a pinentry is required then a local pinentry
will be tried.

The terminal, terminal type or DISPLAY that pinentry will prompt on is either
set with the command line options or uses options set in
.B ~/.pwmd/pinentry.conf
when available. Otherwise the current terminal and terminal type or X11
DISPLAY is used.

The
.B ~/.pwmd/pinentry.conf
file contains one NAME=VALUE pair per line. Comments begin with a '#'.

.B PATH
The full path to the location of the pinentry binary.

.B DISPLAY
The X11 display to use.

.B TTYNAME
The full path to the tty that pinentry should prompt on.

.B TTYTYPE
The terminal type of the tty (i.e., vt100) which is required if DISPLAY is not
set.


.SH INTERACTIVE
When passed the 
.B --interactive
option or started as
.B pwmsh
a shell like interface can be used. This allows sending more than one command
during a connection. It's a little tricky to get server inquires to work right
so two special commands were added to the shell:
.P
.B INQUIRE
.I <COMMAND>
.P
.B INQUIRE_FILE
.I <FILENAME>
.I <COMMAND>
.P
The
.I COMMAND
is the inquire command to send with any needed command options. The data is
read from stdin or from the specified
.I FILENAME.
All other commands are sent directly to
.B pwmd(1)
via
.B libpwmd(3)
.I pwmd_command()
without modification.
.P
Since interactive mode uses the
.B readline(3)
library, the TAB character is normally interpreted as the line completion
character. This conflicts with the
.B pwmd(1)
element separation character. In order to insert a TAB you'd first need to
press CTRL-V then press TAB. See
.B readline(3)
for more information about line history and completion.


.SH EXAMPLES
To list the available accounts and use
.BR pinentry (1)
to get the passphrase (if required):
.RS
echo list | pwmc filename
.RE
.P
To store an element path and save the file afterwards:
.RS
echo -ne 'isp\\tsmtp\\thostname\\tsomehost.com' | pwmc --inquire STORE -S filename
.P
And then to get the content:
.P
echo -ne 'get isp\\tsmtp\\thostname' | pwmc filename
.RE
.P
Store a larger file:
.RS
echo -ne 'some\\telement\\tpath\\t' | cat - data_file | pwmc -S filename --inquire STORE
.RE
or
.RS
pwmc -S filename --inquire STORE --inquire-line 'some\\telement\\tpath\\t' <
data_file
.RE
.P
Clear the file cache for a single file:
.RS
echo 'clearcache filename' | pwmc
.RE
.P
To list root elements of a data file which is stored on a remote pwmd server
over an SSH connection:
.RS
echo list | pwmc --url ssh://user@hostname,~/identity,~/known_hosts filename
.RE
.P
Start an interactive session over an SSH channel and use the SSH agent to
retrieve the private key and save when finished:
.RS
pwmc --url ssh://user@hostname --use-agent -S filename
.RE
.P
Connect to a pwmd server over TLS:
.RS
pwmc --url tls://hostname --ca-cert cafile.pem --client-cert client.pem --client-key clientkey.pem datafile
.RE

.SH NOTES
Be careful of newline characters when storing data. The data is transfered and
stored exactly as the input is read, newlines and all. If you wonder why your
new passphrase for a service doesn't work then a trailing newline character
may be the reason.

.SH FILES
.TP
.B ~/.pwmd/socket
Default socket to connect to.
.TP
.B ~/.pwmd/pinentry.conf
Default settings that
.BR pinentry (1)
will use for the terminal, terminal type or X11 display.
.TP
.B @pinentry@
Default location of the
.BR pinentry (1)
binary.

.SH AUTHOR
Ben Kibbey <bjk@luxsci.net>
.br
.URL "http://libpwmd.sourceforge.net/" "libpwmd Homepage" .

.SH "SEE ALSO"
.BR pwmd (1),
.BR pinentry (1),
.BR ssh-keygen (1),
.BR authorized_keys (5),
.BR socat (1),
.BR libpwmd (3)