.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation; either version 2 of the License, or
.\" (at your option) any later version.
.\" This program is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.\" GNU General Public License for more details.
.\" You should have received a copy of the GNU General Public License
.\" along with this program; if not, write to the Free Software
.\" Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02110-1301 USA
\\$2 \(laURL: \\$1 \(ra\\$3
.if \n[.g] .mso www.tmac
.TH PWMD 1 "11 Nov 2010" "Password Manager Client" "Password Manager Client"
pwmc \- send a command to a pwmd server
A server command is read from standard input and the command result, if any,
is sent to either a file descriptor or standard output.
A string to parse that can be used for remote pwmd server details rather than
the other command line options.
Connect to the specified local domain socket. The default is
Don't lock the data file upon opening it.
.I "\--host, -h <hostname>"
Establish an SSH connection to the specified hostname. See
below for how to set up the SSH host to use
.I "\--port, -p <port>"
The port of the hostname to connect to. The default is 22.
.I "\--known-hosts, -k <filename>"
An OpenSSH formatted known_hosts file that
will verify the hostkey against while connecting to a remote host. The default
.B ~/.ssh/known_hosts.
Normally, when the SSH_AGENT_PID environment variable is set, pwmc will get
authentication details from the ssh agent. When this option is specified or
when the environment variable is unset, a private key must be specified on the
for how to add a private key to the ssh agent. Note that the
command line option has priority over the ssh agent. It is not possible for
option to have priority.
.I "\--identity, -i <filename>"
identity file to use for public key authentication. This is the only supported
method of SSH authentication. Both the public and private key must be
.I "\--user, -u <username>"
The username to login as on the remote SSH server. The default is the invoking
.I "\--get-hostkey, -g"
Retrieve the OpenSSH formatted host key of the remote SSH hostname specified
The result should be appended to the known hosts file.
Connect to an IPv4 host only. The default is to try an IPv6 host first, then
Connect to an IPv6 host only. The default is to try an IPv6 host first, then
.I "\--name, -n <string>"
Set the client name to the specified string. This string is what shows up in
log files. The default is "pwmc".
Don't show server status messages. By default, status messages are written to
Use an interactive pwmc shell. This will let you send more than one command
.I "\--inquire <COMMAND>"
Use this option to send commands that use a server inquire to retrieve data.
Only the command name and any command options should be specified. The
command data will be read from the inquire file descriptor or stdin by
.I "\--inquire-line, -L <STRING>"
The initial line to send during an inquire and before any other data read from
the inquire file descriptor. Use this to specify an element path without
having to modify the inquire data. See
.I "\--inquire-fd <FD>"
This option sets the file descriptor to read data from. The default is stdin
.I "\--output-fd <FD>"
Redirect output to the specified file descriptor. The default is stdout.
.I "\--cipher <string>"
When saving, encrypt with the specified cipher.
.I "\--iterations, -I <integer>"
Specifies the number of encryption iterations to use when
is used. The default is specified in the
server configuration.
After the command has been processed and no error occurred, send the SAVE
command to the server.
.I "\--passphrase, -P <string>"
The passphrase to use when required. If not set then a
will be used if available.
.I "\--key-file <filename>"
Read the passphrase from the specified filename.
Specifies that the passphrase is Base64 encoded.
will decode the passphrase before encryption and decryption.
Disable the use of pinentry entirely, both with pwmd and libpwmd.
.I "\--pinentry, <path>"
The full path to the pinentry binary. The default is the
server configured setting.
.I "\--ttyname, <path>"
The full path of the TTY for
to prompt on. The default is the current terminal.
.I "\--ttytype, <string>"
The terminal type of the specified TTY that
should use. This is required if
.I "\--display, <string>"
should use. Note that a remote SSH
is currently not supported. The default is the current DISPLAY if set.
.I "\--lc-ctype, <string>"
.I "\--lc-messages, <string>"
The number of times before failing when an invalid passphrase is entered in
dialog. The default is 3.
.I "\--timeout, <seconds>"
The number of seconds before
will timeout while waiting for a passphrase. The default is 30.
.I "\--local-pinentry"
Force using the local pinentry for passphrase retrieval. This has the same
but expire any cache entry on the server before saving. When used with
the initial passphrase is also cleared.
In order to get this to work you need to put the following in your
.B ~/.ssh/authorized_keys
file on the remote SSH host. It should be prepended to the public key that was
and specified using the
command="socat gopen:$HOME/.pwmd/socket -"
command can be replaced with any utility that can read from stdin and write
to a local domain socket, and vice-versa.
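The following is an added example and not part of pwmc, libpwmd or this manual page: a POSIX shell helper that builds the authorized_keys entry described above for a given public key, prepending OpenSSH's no-pty, no-port-forwarding, no-X11-forwarding and no-agent-forwarding options so the key can run only the socat relay, plus a check that an existing entry carries those restrictions. The function names and the sample public key are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of pwmc/libpwmd: build and review the
# ~/.ssh/authorized_keys entry that pwmc's SSH transport needs on the
# remote host.  Uses only the OpenSSH authorized_keys option syntax.
set -eu

# Forced command from pwmc(1).  $HOME stays literal: the remote user's
# shell expands it when sshd runs the command, so the entry is not tied
# to one account's home directory.
PWMD_COMMAND='socat gopen:$HOME/.pwmd/socket -'

# The relay only needs stdin/stdout, so deny everything else the key could
# otherwise request: a pty (interactive shell), port, X11 and agent forwarding.
KEY_OPTIONS='no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding'

# pwmd_authorized_key PUBKEY_LINE
# Print the full authorized_keys line: options and forced command prepended
# to the client's public key, as the manual describes.
pwmd_authorized_key() {
    printf '%s,command="%s" %s\n' "$KEY_OPTIONS" "$PWMD_COMMAND" "$1"
}

# pwmd_key_is_restricted LINE
# Succeed only when LINE carries the forced command and every confining
# option, so a key that would still grant a shell stands out in review.
pwmd_key_is_restricted() {
    case "$1" in
        *'command="'"$PWMD_COMMAND"'"'*) ;;
        *) return 1 ;;
    esac
    for opt in no-pty no-port-forwarding no-X11-forwarding no-agent-forwarding; do
        case "$1" in
            *"$opt"*) ;;
            *) return 1 ;;
        esac
    done
}

# Constructed sample public key (not a real key), as found in id_ed25519.pub.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREAL user@laptop'

# Stand-alone run: print the entry to append on the remote host.
pwmd_authorized_key "$SAMPLE_PUBKEY"
```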
is a program that prompts the user for input of a passphrase. This is
currently not supported when connected to a remote pwmd server since X11 port
forwarding is not done yet. If a pinentry is required then a local pinentry
The terminal, terminal type or DISPLAY that pinentry will prompt on is either
set with the command line options or uses options set in
.B ~/.pwmd/pinentry.conf
when available. Otherwise the current terminal and terminal type or X11
.B ~/.pwmd/pinentry.conf
file contains one NAME=VALUE pair per line. Comments begin with a '#'.
The full path to the location of the pinentry binary.
The X11 display to use.
The full path to the tty that pinentry should prompt on.
The terminal type of the tty (e.g., vt100) which is required if DISPLAY is not
a shell-like interface can be used. This allows sending more than one command
during a connection. It's a little tricky to get server inquires to work right
so two special commands were added to the shell:
is the inquire command to send with any needed command options. The data is
read from stdin or from the specified
All other commands are sent directly to
without modification.
Since interactive mode uses the
library, the TAB character is normally interpreted as the line completion
character. This conflicts with the
element separation character. In order to insert a TAB you'd first need to
press CTRL-V then press TAB. See
for more information about line history and completion.
To list the available accounts and use
to get the passphrase (if required):
echo list | pwmc filename
To store an element path and save the file afterwards:
echo -ne 'isp\\tsmtp\\thostname\\tsomehost.com' | pwmc --inquire STORE -S filename
And then to get the content:
echo -ne 'get isp\\tsmtp\\thostname' | pwmc filename
echo -ne 'some\\telement\\tpath\\t' | cat - data_file | pwmc -S filename --inquire STORE
pwmc -S filename --inquire STORE --inquire-line 'some\\telement\\tpath\\t' <
Clear the file cache for a single file:
echo 'clearcache filename' | pwmc
To list root elements of a data file which is stored on a remote pwmd server
over an SSH connection:
echo list | pwmc --url ssh://user@hostname,~/identity,~/known_hosts filename
Start an interactive session over an SSH channel and use the SSH agent to
retrieve the private key and save when finished:
pwmc --url ssh://user@hostname --interactive --use-agent -S filename
Be careful of newline characters when storing data. The data is transferred and
stored exactly as the input is read, newlines and all. If you wonder why your
new passphrase for a service doesn't work then a trailing newline character
Default socket to connect to.
.B ~/.pwmd/pinentry.conf
Default settings that
will use for the terminal, terminal type or X11 display.
Default location of the
Ben Kibbey <bjk@luxsci.net>
.URL "http://libpwmd.sourceforge.net/" "libpwmd Homepage" .
.BR authorized_keys (5),