1 .\" Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015
3 .\" Ben Kibbey <bjk@luxsci.net>
5 .\" This file is part of libpwmd.
7 .\" Libwmd is free software: you can redistribute it and/or modify
8 .\" it under the terms of the GNU General Public License as published by
9 .\" the Free Software Foundation, either version 2 of the License, or
10 .\" (at your option) any later version.
12 .\" Libwmd is distributed in the hope that it will be useful,
13 .\" but WITHOUT ANY WARRANTY; without even the implied warranty of
14 .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 .\" GNU General Public License for more details.
17 .\" You should have received a copy of the GNU General Public License
18 .\" along with Libpwmd. If not, see <http://www.gnu.org/licenses/>.
20 \\$2 \(laURL: \\$1 \(ra\\$3
22 .if \n[.g] .mso www.tmac
23 .TH PWMC 1 "18 Sep 2016" "@VERSION@" "Password Manager Client"
26 pwmc \- send a command to a pwmd server
37 Pwmc reads pwmd protocol commands from either standard input or
38 interactively by using libreadline to prompt for input. The
39 interactive mode allows for more than one command to be sent to the
44 .I "\-\-socket <string>"
45 A pwmd socket to connect to. The available URL types depend on options
46 enabled at compile-time. The default when not specified is
53 .I "\-\-connect\-timeout <seconds>"
54 The number of seconds before timing out when connecting to a remote
55 server. The default is 120 seconds.
58 .I "\-\-socket\-timeout <seconds>"
59 The number of seconds before a remote command will timeout. The
60 default is 300 seconds.
63 .I "\-\-ca\-cert, <filename>"
64 The X509 certificate authority file to use when validating the pwmd
65 TLS server certificate. Required when connecting via TLS.
68 .I "\-\-client\-cert, <filename>"
69 The X509 client certificate to use when authenticating a TLS
70 connection. Required when connecting via TLS.
73 .I "\-\-client\-key, <filename>"
74 The X509 key file to use to unlock the client certificate. Required
75 when connecting via TLS.
78 .I "\-\-tls\-priority, <string>"
79 A string representing compression, cipher and hashing algorithm priorities for
80 a TLS connection. See the GnuTLS documentation for details. The default is
81 .B SECURE256:SECURE192:SECURE128:\-VERS\-SSL3.0.
84 .I "\-\-no\-tls\-verify"
85 Disable verification of the TLS server hostname stored in the server
86 certificate. The default is enabled.
89 .I "\-\-tls\-fingerprint <string>"
92 TLS server certificate against the specified SHA\-256 hash.
95 .I "\-\-no\-ssh\-agent"
96 Normally when the SSH_AUTH_SOCK environment variable is set pwmc will get
97 authentication details from the ssh agent. When this option is specified or
98 when the environment variable is not set a private key must be specified on
99 the command line with the
103 for how to add a private key to the ssh agent. Note that the
105 command line option has priority over the ssh agent.
108 .I "\-\-identity, \-i <filename>"
109 The SSH identity file use when connecting via SSH.
112 .I "\-\-knownhosts, \-k <filename"
113 The SSH knownhosts file to use when connection via SSH. The default is
117 .I "\-\-ssh\-passphrase\-file <filename>"
118 Obtain the passphrase to decrypt the SSH private key from the specified
119 filename. Note that libssh2 needs to be built with OpenSSL to support
120 decryption of a private SSH key.
124 Do not lock the data file upon opening it. Locking the data file
125 prevents other clients from opening the same file.
128 .I "\-\-lock\-timeout <N>"
129 The time in tenths of a second to wait for another client to release the lock
130 held on a data file before returning an error. When not specified or 0, pwmc
131 will wait indefinitely. When \-1, an error will be returned immediately. The
135 .I "\-\-name, \-n <string>"
136 Set the client name to the specified string. This string is what is shown in
139 log files. The default is "pwmc".
142 .I "\-\-local\-pinentry"
143 Force use of the local pinentry for passphrase retrieval. This will
144 disable pwmd's pinentry and use a pinentry fork(2)'ed from libpwmd.
147 .I "\-\-no\-pinentry"
148 Disable the use of pinentry entirely. Both pwmd and libpwmd's local
149 pinentry will be disabled. Pwmc will prompt for the passphrase via
153 .I "\-\-ttyname, \-y <path>"
154 The full path of the TTY for
156 to prompt on. The default is the current terminal.
159 .I "\-\-ttytype, \-t <string>"
160 The terminal type of the specified TTY that
162 should use. This is required if
167 .I "\-\-display, \-d <string>"
170 should use. Note that remote connections to pwmd do not use pwmd's
171 pinentry but use a pinentry fork(2)'ed from libpwmd instead. The default
174 environment variable.
177 .I "\-\-lc\-ctype, <string>"
183 .I "\-\-lc\-messages, <string>"
190 The number of times before failing when an invalid passphrase is entered in
193 dialog. The default is 3.
196 .I "\-\-timeout, <seconds>"
197 The number of seconds before
199 will timeout while waiting for a passphrase. The default is 30.
202 .I "\-\-inquire <command>"
203 Some pwmd protocol commands use what is called an INQUIRE to retrieve
204 data from the client. This options argument should be the command name
205 that uses an inquire. The command data will be read from the file
206 descriptor specified by the
208 option or stdin by default.
211 .I "\-\-inquire\-line, \-L <string>"
212 The initial line to send during an inquire and before any other data read from
213 the inquire file descriptor. This option is useful to specify an
214 element path without needing to modify the remaining inquire data. See
219 .I "\-\-inquire\-fd <fd>"
220 Read inquire data from the specified file descriptor. For use with the
222 option. By default, inquire data is read from stdin. Use
223 .I "\-\-inquire\-line"
224 to send an initial line before the actual data.
227 .I "\-\-inquire\-file <filename>"
228 Read inquire data from the specified filename. For use with the
230 option. By default, inquire data is read from stdin. Use
231 .I "\-\-inquire\-line"
232 to send an initial line before the actual data.
235 .I "\-\-output\-fd <fd>"
236 Redirect the output of the pwmd command to the specified file
237 descriptor. The default is stdout.
241 After the command has been processed without error, send the SAVE
242 command to the server to write any changes to disk.
245 .I "\-\-passphrase\-file <filename>"
246 Read the passphrase used to open a data file from the specified filename.
249 .I "\-\-new\-passphrase\-file <filename>"
250 Read a passphrase from the specified filename that is to be used for a
251 new data file or when changing the passphrase for an existing data
255 .I "\-\-sign\-passphrase\-file <filename>"
256 Read a passphrase from the specified filename that is to be used for signing
257 of a symmetrically encrypted data file.
260 .I "\-\-key\-params <filename>"
261 When saving, use the key parameters obtained from
265 defaults. The parameters are in GnuPG XML format.
268 .I "\-\-keyid <fingerprint>[,...]"
269 Encrypt the XML data to the specified recipients. When not specified, the same
270 recipients for an existing data file will be used. Otherwise, a new key pair
274 .I "\-\-sign\-keyid <fingerprint>[,...]"
275 Sign the encrypted XML data using the specified signing key(s).
279 Conventionally encrypt a new data file rather than creating a new key pair.
280 Note that a signer can also be specified.
284 Do not show server status messages. By default, status messages are
288 .I "\-\-status\-fd <FD>
289 Redirect status messages to the specified file descriptor. The default is
293 .I "\-\-status\-ignore <string[,...]>
294 A list of status messages that are ignored or not displayed. This may be
295 useful in interactive mode to prevent messing up or confusing the input line.
297 .B KEEPALIVE,STATE,GPGME,PASSPHRASE_INFO,PASSPHRASE_HINT.
300 .I "\-\-status\-state
301 Enable receiving of client STATE status messages.
305 Do not show informational messages from pwmc. Implies \--no\-status.
308 .I "\-\-no\-interactive"
309 Disable interactive mode. By default, interactive mode is enabled when input
310 is from a terminal. Interactive mode allows for sending more than one command
313 for more information.
320 Show available command line options and syntax.
324 Pwmc can connect to a remote pwmd server over an SSH connection by
325 using a proxy program that can read from stdin and write to a UNIX
326 domain socket and vice-versa.
328 Most SSH servers allow special options in the
330 file that do various things. One such option is the
332 option that will launch a program when an SSH client connects. We can
333 use this to start a proxy program that connects to the UNIX domain
334 socket that pwmd listens on by putting the following in
336 .B ~/.ssh/authorized_keys
337 file on the remote SSH host:
339 command="socat gopen:$HOME/.pwmd/socket \-" [...public.key...]
343 is prepended to the public key that was
346 and specified using the
352 command can be replaced with any utility that can read from stdin and write
353 to a UNIX domain socket.
358 is a program that prompts a user for input. This is currently not
359 supported when connected to a remote pwmd server since X11 port
360 forwarding has yet to be implemented. If a pinentry is required over a
361 remote connection then a local pinentry fork'ed from libpwmd will be
363 .I "\-\-no\-pinentry"
364 command line option was specified.
366 The terminal, terminal type or
368 that pinentry will prompt on is either
369 set with the command line options or uses options set in
370 .B ~/.config/libpwmd.conf
371 when available (see below). Otherwise the current terminal and
377 .SH CONFIGURATION FILE
379 .B ~/.config/libpwmd.conf
382 pair per line. Comments begin with a '#'. Options specified on the command
383 line override the settings in this file.
386 .I pinentry\-path = /path
387 Same as \-\-pinentry.
390 .I pinentry\-display = string
394 .I pinentry\-ttyname = /path
398 .I pinentry\-ttytype = string
402 .I pinentry\-lc\-messages = string
403 Same as \-\-lc\-messages.
406 .I pinentry\-lc\-ctype = string
407 Same as \-\-lc\-ctype.
410 .I pinentry\-tries = N
414 .I pinentry\-timeout = N
418 .I no\-pinentry = 0|1
419 Same as \-\-no\-pinentry.
422 .I local\-pinentry = 0|1
423 Same as \-\-local\-pinentry.
426 .I no\-ssh\-agent = 0|1
427 Same as \-\-no\-ssh\-agent.
430 .I no\-tls\-verify = 0|1
431 Same as \-\-no\-tls\-verify.
434 .I tls\-priority = <string>
435 Same as \-\-tls\-priority.
438 .I socket\-timeout = N
439 Same as \-\-socket\-timeout.
443 Same as \-\-no\-lock.
446 .I include = filename
447 Path to a filename containing additional
449 configuration settings. May be useful for a file containing pinentry settings
450 which is updated as needed.
453 Interactive mode has a few dot commands. Dot commands (an idea borrowed from
456 command line program), begin with a
458 followed by the command name and any arguments. Here are the available
459 pwmc interactive commands:
465 while losing any changes to the current filename. Although the
467 protocol command can be used to open a file, this dot command is
468 recommended because it takes care of pinentry settings among other
472 .I .read [\-\-prefix <string>] <filename> <command> [args ...]
475 that uses a server INQUIRE. The
477 option behaves like the
478 .I "\-\-inquire\-line"
479 command line option. It is the initial line to send before any data
484 .I .redir <filename> <command>
485 Redirect the output of
491 .I .set help | <name> [<value>] [...]
498 is specified, the option
504 .I passphrase\-file [<filename>]
505 Obtain the passphrase from
507 for the next command requiring a passphrase. This is equivalent to the
508 .I "\-\-passphrase\-file"
509 command line option. This value will be unset after the next protocol
510 command to prevent misuse.
513 .I new\-passphrase\-file [<filename>]
514 Obtain the passphrase from
516 for the next command requiring a new passphrase. This is equivalent to the
517 .I "\-\-new\-passphrase\-file"
518 command line option. This value will be unset after the next protocol
519 command to prevent misuse.
522 .I sign\-passphrase\-file [<filename>]
523 Obtain the passphrase from
525 for the next command requiring a passphrase used for signing. This is
527 .I "\-\-sign\-passphrase\-file"
528 command line option and is optionally used for signing a symmetrically
529 encrypted data file. This value will be unset after the next protocol command
533 .I pinentry\-timeout <seconds>
534 Set the amount of seconds before the pinentry program will close and return an
535 error while waiting for user input.
540 Save changes of the document to disk. Using this dot command rather than
543 protocol command is recommended since it determines whether to use
548 Change the passphrase for the secret key of the opened data file. Using this
549 dot command rather than the pwmd
551 protocol command is recommended since it determines whether to use
552 pinentry or not. For symmetrically encrypted data files, use the
557 .I .listkeys [\-\-options] [pattern[,...]]
558 Display human readable output of the LISTKEYS protocol command.
562 Show available interactive commands.
565 To list all XML root elements of the data file and use
567 to retrieve the passphrase (if required):
569 .I echo list | pwmc filename
572 To store an element path and save the file afterwards:
574 .I echo \-ne 'isp\\\\tsmtp\\\\thostname\\\\tsomehost.com' | pwmc \-\-inquire STORE \-S filename
576 And then to get the content:
578 .I echo \-ne 'get isp\\\\tsmtp\\\\thostname' | pwmc filename
583 .I echo \-ne 'some\\\\telement\\\\tpath\\\\t' | cat \- data_file | pwmc \-\-inquire STORE \-S filename
587 .I pwmc \-\-inquire STORE \-\-inquire\-line 'some\\\\telement\\\\tpath\\\\t' \-S filename < data_file
590 Clear the file cache for a single file:
592 .I echo 'clearcache filename' | pwmc
595 To list root elements of a data file which is stored on a remote pwmd server
596 over an SSH connection:
598 .I echo list | pwmc \-\-socket ssh://user@hostname \-i ~/.ssh/identity filename
601 Connect to a remote pwmd server over TLS, interactively:
603 .I pwmc \-\-socket tls://hostname \-\-ca\-cert cafile.pem \-\-client\-cert client.pem \-\-client\-key clientkey.pem filename
607 Be careful of newline characters when storing data. The data is transferred
608 and stored exactly as the input is read, newlines and all. If you wonder why
609 your new passphrase for a service doesn't work then a trailing newline
610 character may be the reason.
615 Default pwmd socket to connect to.
617 .B ~/.config/libpwmd.conf
618 Default settings that
620 will use for the terminal, terminal type or X11 display.
623 Default location of the
628 Ben Kibbey <bjk@luxsci.net>
630 .URL "https://gitlab.com/bjk/libpwmd/wikis" "libpwmd Homepage" .
636 .BR authorized_keys (5),
640 And the pwmd texinfo manual for protocol commands and their syntax.