pwmc: let the -i option have priority over the ssh agent. The --url

[libpwmd.git] / doc / pwmc.1.in

.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation; either version 2 of the License, or
.\" (at your option) any later version.
.\" 
.\" This program is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
.\" GNU General Public License for more details.
.\" 
.\" You should have received a copy of the GNU General Public License
.\" along with this program; if not, write to the Free Software
.\" Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02110-1301  USA
.de URL
\\$2 \(laURL: \\$1 \(ra\\$3
..
.if \n[.g] .mso www.tmac
.TH PWMD 1 "11 Nov 2010" "Password Manager Client" "Password Manager Client"
.SH NAME

pwmc \- send a command to a pwmd server
.SH SYNOPSIS
.B pwmc
[options] [file]
.P
.B pwmsh
[options] [file]

.SH DESCRIPTION
.B pwmc
is a
.BR libpwmd (3)
client for
.BR pwmd (1) .
A server command is read from standard input and the command result, if any,
is sent to either a file descriptor or standard output.

.SH OPTIONS
.TP
.I "\--url <string>"
A string to parse that can be used for remote pwmd server details rather than
the other command line options.
See
.B EXAMPLES .

.TP
.I "\--socket <path>"
Connect to the specified local domain socket.  The default is
\fB~/.pwmd/socket\fR.

.TP
.I "\--no-lock"
Don't lock the data file upon opening it.

.TP
.I "\--host, -h <hostname>"
Establish an SSH connection to the specified hostname. See
.B SSH
below for how to setup the SSH host to use
.BR pwmd (1)
via a proxy.

.TP
.I "\--port, -p <port>"
The port of the hostname to connect to. The default is 22.

.TP
.I "\--known-hosts, -k <filename>"
An OpenSSH formatted known_hosts file that
.BR libpwmd (3)
will verify the hostkey against while connecting to a remote host. The default
is
.B ~/.ssh/known_hosts.

.TP
.I "\--no-ssh-agent"
Normally, when the SSH_AGENT_PID environment variable is set, pwmc will get
authentication details from the ssh agent. When this option is specified or
when the environment variable is unset, a private key must be specified on the
command line with the
.B -i
or
.B --url
options. See
.B ssh-add(1)
for how to add a private key to the ssh agent. Note that the
.B -i
command line option has priority over the ssh agent. It is not possible for
the
.B --url
option to have priority.

.TP
.I "\--identity, -i <filename>"
The
.BR ssh (1)
identity file to use for public key authentication. This is the only supported
method of SSH authentication. Both the public and private key must be
available.

.TP
.I "\--user, -u <username>"
The username to login as on the remote SSH server. The default is the invoking
user.

.TP
.I "\--get-hostkey, -g"
Retrieve the OpenSSH formatted host key of the remote SSH hostname specified
with
.B -h .
The result should be appended to the known hosts file.

.TP
.I "\--ipv4, -4"
Connect to an IPv4 host only. The default is to try an IPv6 host first, then
an IPv4 host.

.TP
.I "\--ipv4, -6"
Connect to an IPv6 host only. The default is to try an IPv6 host first, then
an IPv4 host.

.TP
.I "\--name, -n <string>"
Set the client name to the specified string. This string is what shows up in
the
.BR pwmd (1)
log files. The default is "pwmc".

.TP
.I "\--no-status"
Don't show server status messages. By default, status messages are written to
stderr.

.TP
.I "\--interactive"
Use an interactive pwmc shell. This will let you send more than one command
per connection. See
.B INTERACTIVE
below for commands.

.TP
.I "\--inquire <COMMAND>"
Use this option to send commands that use a server inquire to retrieve data.
Only the command name and any command options should be specified.  The
command data will be read from the inquire file descriptor or stdin by
default.

.TP
.I "\--inquire-line, -L <STRING>"
The initial line to send during an inquire and before any other data read from
the inquire file descriptor. Use this to specify an element path without
having to modify the inquire data. See
.B EXAMPLES
below.

.TP
.I "\--inquire-fd <FD>"
For use with
.I "\--inquire"
This option sets the file descriptor to read data from. The default is stdin
or 0.

.TP
.I "\--output-fd <FD>"
Redirect output to the specified file descriptor. The default is stdout.

.TP
.I "\--cipher <string>"
When saving, encrypt with the specified cipher.

.TP
.I "\--iterations, -I <integer>"
Specifies the number of encryption iterations to use when
.B -S
is used. The default is specified in the
.BR pwmd (1)
server configuration.

.TP
.I "\--save, -S"
After the command has been processed and no error occurred, send the SAVE
command to the server.

.TP
.I "\--passphrase, -P <string>"
The passphrase to use when required. If not set then a
.BR pinentry (1)
will be used if available.

.TP
.I "\--key-file <filename>"
Read the passphrase from the specified filename.

.TP
.I "\--base64"
Specifies that the passphrase is Base64 encoded.
.BR pwmd (1)
will decode the passphrase before encryption and decryption.

.TP
.I "\--no-pinentry"
Disable the use pinentry entirely, both with pwmd and libpwmd.

.TP
.I "\--pinentry, <path>"
The full path to the pinentry binary. The default is the
.BR pwmd (1)
server configured setting.

.TP
.I "\--ttyname, <path>"
The full path of the TTY for
.BR pinentry (1)
to prompt on. The default is the current terminal.

.TP
.I "\--ttytype, <string>"
The terminal type of the specified TTY that
.BR pinentry (1)
should use. This is required if
.B --ttyname
is specified.

.TP
.I "\--display, <string>"
The X11 display that
.BR pinentry (1)
should use. Note that a remote SSH
.BR pinentry (1)
is currently not supported. The default is the current DISPLAY if set.

.TP
.I "\--lc-ctype, <string>"
For
.BR pinentry (1)
localization.

.TP
.I "\--lc-messages, <string>"
For
.BR pinentry (1)
localization.

.TP
.I "\--tries, <N>"
The number of times before failing when an invalid passphrase is entered in
the
.BR pinentry (1)
dialog. The default is 3.

.TP
.I "\--timeout, <seconds>"
The number of seconds before
.BR pinentry (1)
will timeout while waiting for a passphrase. The default is 30.

.TP
.I "\--local-pinentry"
Force using the local pinentry for passphrase retrieval. This has the same
effect as specifying
.B --passphrase
after the
.BR pinentry (1)
dialog is closed.

.TP
.I "\--force-save"
Like
.B --save
but expire any cache entry on the server before saving. When used with
.B --local-pinentry,
the initial passphrase is also cleared.

.TP
.I "\--version"
Version information.
.TP
.I "\--help"
Help text.


.SH SSH
In order to get this to work you need to put the following in your
.B ~/.ssh/authorized_keys
file on the remote SSH host. It should be prepended to the public key that was
generated using
.BR ssh-keygen (1)
and specified using the
.B --identity
command line option:

    command="socat gopen:$HOME/.pwmd/socket -"

The
.BR socat (1)
command can be replaced with any utility that can read from stdin and write
to a local domain socket, and vice-versa.


.SH PINENTRY
.BR pinentry (1)
is a program that prompts the user for input of a passphrase. This is
currently not supported when connected to a remote pwmd server since X11 port
forwarding is not done yet. If a pinentry is required then a local pinentry
will be tried.

The terminal, terminal type or DISPLAY that pinentry will prompt on is either
set with the command line options or uses options set in
.B ~/.pwmd/pinentry.conf
when available. Otherwise the current terminal and terminal type or X11
DISPLAY is used.

The
.B ~/.pwmd/pinentry.conf
file contains one NAME=VALUE pair per line. Comments begin with a '#'.

.B PATH
The full path to the location of the pinentry binary.

.B DISPLAY
The X11 display to use.

.B TTYNAME
The full path to the tty that pinentry should prompt on.

.B TTYTYPE
The terminal type of the tty (i.e., vt100) which is required if DISPLAY is not
set.


.SH INTERACTIVE
When passed the 
.B --interactive
option or started as
.B pwmsh
a shell like interface can be used. This allows sending more than one command
during a connection. It's a little tricky to get server inquires to work right
so two special commands were added to the shell:
.P
.B INQUIRE
.I <COMMAND>
.P
.B INQUIRE_FILE
.I <FILENAME>
.I <COMMAND>
.P
The
.I COMMAND
is the inquire command to send with any needed command options. The data is
read from stdin or from the specified
.I FILENAME.
All other commands are sent directly to
.B pwmd(1)
via
.B libpwmd(3)
.I pwmd_command()
without modification.
.P
Since interactive mode uses the
.B readline(3)
library, the TAB character is normally interpreted as the line completion
character. This conflicts with the
.B pwmd(1)
element separation character. In order to insert a TAB you'd first need to
press CTRL-V then press TAB. See
.B readline(3)
for more information about line history and completion.


.SH EXAMPLES
To list the available accounts and use
.BR pinentry (1)
to get the passphrase (if required):
.RS
echo list | pwmc filename
.RE
.P
To store an element path and save the file afterwards:
.RS
echo -ne 'isp\\tsmtp\\thostname\\tsomehost.com' | pwmc --inquire STORE -S filename
.P
And then to get the content:
.P
echo -ne 'get isp\\tsmtp\\thostname' | pwmc filename
.RE
.P
Store a larger file:
.RS
echo -ne 'some\\telement\\tpath\\t' | cat - data_file | pwmc -S filename --inquire STORE
.RE
or
.RS
pwmc -S filename --inquire STORE --inquire-line 'some\\telement\\tpath\\t' <
data_file
.RE
.P
Clear the file cache for a single file:
.RS
echo 'clearcache filename' | pwmc
.RE
.P
To list root elements of a data file which is stored on a remote pwmd server
over an SSH connection:
.RS
echo list | pwmc --url ssh://user@hostname,~/identity,~/known_hosts filename
.RE
.P
Start an interactive session over an SSH channel and use the SSH agent to
retrieve the private key and save when finished:
.RS
pwmc --url ssh://user@hostname --interactive --use-agent -S filename
.RE

.SH NOTES
Be careful of newline characters when storing data. The data is transfered and
stored exactly as the input is read, newlines and all. If you wonder why your
new passphrase for a service doesn't work then a trailing newline character
may be the reason.

.SH FILES
.TP
.B ~/.pwmd/socket
Default socket to connect to.
.TP
.B ~/.pwmd/pinentry.conf
Default settings that
.BR pinentry (1)
will use for the terminal, terminal type or X11 display.
.TP
.B @pinentry@
Default location of the
.BR pinentry (1)
binary.

.SH AUTHOR
Ben Kibbey <bjk@luxsci.net>
.br
.URL "http://libpwmd.sourceforge.net/" "libpwmd Homepage" .

.SH "SEE ALSO"
.BR pwmd (1),
.BR pinentry (1),
.BR ssh-keygen (1),
.BR authorized_keys (5),
.BR socat (1),
.BR libpwmd (3)