1 .\" Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012
2 .\" Ben Kibbey <bjk@luxsci.net>
4 .\" This file is part of libpwmd.
6 .\" Libwmd is free software: you can redistribute it and/or modify
7 .\" it under the terms of the GNU General Public License as published by
8 .\" the Free Software Foundation, either version 2 of the License, or
9 .\" (at your option) any later version.
11 .\" Libwmd is distributed in the hope that it will be useful,
12 .\" but WITHOUT ANY WARRANTY; without even the implied warranty of
13 .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 .\" GNU General Public License for more details.
16 .\" You should have received a copy of the GNU General Public License
17 .\" along with Libpwmd. If not, see <http://www.gnu.org/licenses/>.
19 \\$2 \(laURL: \\$1 \(ra\\$3
21 .if \n[.g] .mso www.tmac
22 .TH PWMD 1 "20 May 2012" "Password Manager Client" "Password Manager Client"
25 pwmc \- send a command to a pwmd server
39 A server command is read from standard input and the command result, if any,
40 is sent to either a file descriptor or standard output.
45 A string to parse that can be used for remote pwmd server details rather than
46 the other command line options.
52 Don't lock the data file upon opening it.
56 Normally, when the SSH_AUTH_SOCK environment variable is set, pwmc will get
57 authentication details from the ssh agent. When this option is specified or
58 when the environment variable is unset, a private key must be specified on the
65 for how to add a private key to the ssh agent. Note that the
67 command line option has priority over the ssh agent. It is not possible for
70 option to have priority.
73 .I "\--ssh-timeout <seconds>"
74 The number of seconds before a remote command will timeout.
77 .I "\--ssh-keepalive <seconds>"
78 The interval in seconds to send a keepalive message to the remote SSH server.
79 When the keepalive fails the connection will be closed.
82 .I "\--name, -n <string>"
83 Set the client name to the specified string. This string is what shows up in
86 log files. The default is "pwmc".
90 Don't show server status messages. By default, status messages are written to
95 Use an interactive pwmc shell. This will let you send more than one command
101 .I "\--inquire <COMMAND>"
102 Use this option to send commands that use a server inquire to retrieve data.
103 Only the command name and any command options should be specified. The
104 command data will be read from the inquire file descriptor or stdin by
108 .I "\--inquire-line, -L <STRING>"
109 The initial line to send during an inquire and before any other data read from
110 the inquire file descriptor. Use this to specify an element path without
111 having to modify the inquire data. See
116 .I "\--inquire-fd <FD>"
119 This option sets the file descriptor to read data from. The default is stdin
124 .I "\-\-inquire-file <filename>"
125 Read the data to send from the specified filename. Also see
129 .I "\--output-fd <FD>"
130 Redirect output to the specified file descriptor. The default is stdout.
133 .I "\--cipher <string>"
134 When saving, encrypt with the specified cipher.
137 .I "\-\-key\-params <string>"
138 When saving, use the specified key parameters rather than pwmds' default. This
139 should be a valid S-expression.
143 After the command has been processed and no error occurred, send the SAVE
144 command to the server.
147 .I "\--key-file <filename>"
148 Read the passphrase from the specified filename.
151 .I "\--s2k-count <N>"
152 The number of hashing iterations for a new file.
156 Disable the use pinentry entirely, both with pwmd and libpwmd.
159 .I "\--pinentry, <path>"
160 The full path to the pinentry binary. The default is the
162 server configured setting.
165 .I "\--ttyname, <path>"
166 The full path of the TTY for
168 to prompt on. The default is the current terminal.
171 .I "\--ttytype, <string>"
172 The terminal type of the specified TTY that
174 should use. This is required if
179 .I "\--display, <string>"
182 should use. Note that a remote SSH
184 is currently not supported. The default is the current DISPLAY if set.
187 .I "\--lc-ctype, <string>"
193 .I "\--lc-messages, <string>"
200 The number of times before failing when an invalid passphrase is entered in
203 dialog. The default is 3.
206 .I "\--timeout, <seconds>"
207 The number of seconds before
209 will timeout while waiting for a passphrase. The default is 30.
212 .I "\--local-pinentry"
213 Force using the local pinentry for passphrase retrieval.
219 but expire any cache entry on the server before saving. When used with
221 the initial passphrase is also cleared.
224 .I \"--ca-cert, <filename>"
225 An X509 certificate authority file to use to validate a TLS server
226 certificate. Required for a TLS connection.
229 .I \"--client-cert, <filename>"
230 An X509 certificate to use for authenticating a TLS connection. Required for a
234 .I \"--client-key, <filename>"
235 An X509 private key to use for decrypting the client certificate when
236 authenticating a TLS connection. Required for a TLS connection.
239 .I \"--tls-priority, <string>"
240 A string representing compression, cipher and hashing algorithm priorities for
241 a TLS connection. See the GnuTLS documentation for details. The default is
246 Verify the TLS server hostname stored in the server certificate against the
247 connected hostname. The default is disabled.
258 In order to get this to work you need to put the following in your
259 .B ~/.ssh/authorized_keys
260 file on the remote SSH host. It should be prepended to the public key that was
263 and specified using the
267 command="socat gopen:$HOME/.pwmd/socket -"
271 command can be replaced with any utility that can read from stdin and write
272 to a local domain socket, and vice-versa.
277 is a program that prompts the user for input of a passphrase. This is
278 currently not supported when connected to a remote pwmd server since X11 port
279 forwarding is not done yet. If a pinentry is required then a local pinentry
282 The terminal, terminal type or DISPLAY that pinentry will prompt on is either
283 set with the command line options or uses options set in
284 .B ~/.pwmd/pinentry.conf
285 when available. Otherwise the current terminal and terminal type or X11
289 .B ~/.pwmd/pinentry.conf
290 file contains one NAME=VALUE pair per line. Comments begin with a '#'.
293 The full path to the location of the pinentry binary.
296 The X11 display to use.
299 The full path to the tty that pinentry should prompt on.
302 The terminal type of the tty (i.e., vt100) which is required if DISPLAY is not
311 a shell like interface can be used. This allows sending more than one command
312 during a connection. It's a little tricky to get server inquires to work right
313 so two special commands were added to the shell:
324 is the inquire command to send with any needed command options. The data is
325 read from stdin or from the specified
327 All other commands are sent directly to
332 without modification.
334 Since interactive mode uses the
336 library, the TAB character is normally interpreted as the line completion
337 character. This conflicts with the
339 element separation character. In order to insert a TAB you'd first need to
340 press CTRL-V then press TAB. See
342 for more information about line history and completion.
346 To list the available accounts and use
348 to get the passphrase (if required):
350 echo list | pwmc filename
353 To store an element path and save the file afterwards:
355 echo -ne 'isp\\tsmtp\\thostname\\tsomehost.com' | pwmc --inquire STORE -S filename
357 And then to get the content:
359 echo -ne 'get isp\\tsmtp\\thostname' | pwmc filename
364 echo -ne 'some\\telement\\tpath\\t' | cat - data_file | pwmc -S filename --inquire STORE
368 pwmc -S filename --inquire STORE --inquire-line 'some\\telement\\tpath\\t' <
372 Clear the file cache for a single file:
374 echo 'clearcache filename' | pwmc
377 To list root elements of a data file which is stored on a remote pwmd server
378 over an SSH connection:
380 echo list | pwmc --url ssh://user@hostname,~/identity,~/known_hosts filename
383 Start an interactive session over an SSH channel and use the SSH agent to
384 retrieve the private key and save when finished:
386 pwmc --url ssh://user@hostname --use-agent -S filename
389 Connect to a pwmd server over TLS:
391 pwmc --url tls://hostname --ca-cert cafile.pem --client-cert client.pem --client-key clientkey.pem datafile
395 Be careful of newline characters when storing data. The data is transfered and
396 stored exactly as the input is read, newlines and all. If you wonder why your
397 new passphrase for a service doesn't work then a trailing newline character
403 Default socket to connect to.
405 .B ~/.pwmd/pinentry.conf
406 Default settings that
408 will use for the terminal, terminal type or X11 display.
411 Default location of the
416 Ben Kibbey <bjk@luxsci.net>
418 .URL "http://libpwmd.sourceforge.net/" "libpwmd Homepage" .
424 .BR authorized_keys (5),