.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation; either version 2 of the License, or
.\" (at your option) any later version.
.\" This program is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.\" GNU General Public License for more details.
.\" You should have received a copy of the GNU General Public License
.\" along with this program; if not, write to the Free Software
.\" Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
\\$2 \(laURL: \\$1 \(ra\\$3
.if \n[.g] .mso www.tmac
.TH PWMD 1 "23 Dec 2007" "Password Manager Daemon" "Password Manager Daemon"
pwmd \- local socket data server
[\-hv] [\-f <rcfile>] [\-I <filename>] [\-D] [\-b] [file] [...]
is a daemon that listens for connections on a local socket. Clients connect to
the server and can retrieve or modify "account" data. The word "account" is
just a placeholder for the element describing an item; what the data
actually is can be anything. The data is stored in an AES encrypted XML file.
The following are the available command line options. Remaining arguments are
files to add to the cache on startup.
Specify an alternate configuration file. The default is \fI~/.pwmd/config\fR.
Import an XML file, prompting for a key to use for encryption. The encrypted
data will be written to stdout.
Disable the LIST and DUMP protocol commands.
Run as a background process (daemonize).
.SH CONFIGURATION FILE
Blank lines and lines beginning with '#' are ignored. Some options can be
grouped together to have file specific settings. A file section is declared by
surrounding the filename with square brackets (i.e., \fI[filename]\fP). Default options
may be specified in a \fI[default]\fP section. If the first character of a
string value is a tilde, it will be expanded to your home directory. First the
.I "socket_path=<string>"
Listen on the specified socket. The default is \fI~/.pwmd/socket\fR.
.I "socket_perms=<integer>"
Permissions to set after creating the socket. This will override any
.I "data_directory=<string>"
should store and retrieve data files. The default is \fI~/.pwmd/data\fR.
.I "disable_mlockall=<boolean>"
When set to \fBfalse\fP,
will be called after the client connects. This will use a lot more physical
memory but may also be more secure. Most will probably find it overkill since
the contents of all memory are cleared before being freed. Note that this
doesn't affect the file cache which is always stored in RAM (if possible).
.I "cache_size=<integer>"
Specifies the size of the file cache. Must be in multiples of your system's
\fBPAGE_SIZE\fR. The default is one page.
.I "log_path=<string>"
Logs informational messages to the specified file. The default is
.I "enable_logging=<boolean>"
Enable or disable logging to \fIlog_path\fR. The default is \fIfalse\fR.
with facility LOG_DAEMON and priority LOG_INFO. The default is \fIfalse\fR.
.I "cache_push=<list>"
A list of filenames separated by commas that will be pushed into the file
will ask for the key for each file specified unless the key was specified with
the \fBkey\fR or \fBkey_file\fR parameters in a matching file section. The
Below are options that can be in the \fI[default]\fP or \fI[filename]\fP
section. If in both, then \fI[filename]\fP will have precedence.
.I "cache_timeout=<integer>"
The number of seconds for the life of the cached file. If \fI-1\fP, the file
is cached forever. If \fI0\fP, each time the file is opened or saved a key
.I "enable_pinentry=<boolean>"
If \fIfalse\fP, disable the use of
The default is \fItrue\fP. Also see \fBPINENTRY\fP below.
.I "iterations=<integer>"
The number of times to encrypt the data. A value of 10000 or more will make
dictionary attacks very slow depending on the CPU. The default is \fI0\fP,
which is really 1 iteration (data file compatibility bug). Setting to \fI-1\fP
will disable encryption.
.I "iteration_progress=<integer>"
After the specified number of iterations while encrypting or decrypting, a
status message with the keyword \fBPROGRESS\fP will be sent to the client.
Setting to \fI0\fP, the default, disables sending progress messages.
The initial key to use for this file. If specified in the \fI[default]\fP
section then "\fIdefault\fP" is treated as a filename and not a default for
other files. Note that if you change the key when connected this value is not
modified and will need to be updated by hand.
.I "key_file=<string>"
Same as above but obtain the key from the specified filename with the key
being on the first line of the file. Note that if you change the key when
connected this value is not modified and will need to be updated by hand.
.I "compression_level=<integer>"
The default compression level for data files from \fI1\fP to \fI9\fP, \fI1\fP
being the fastest but least compression and \fI9\fP being the slowest but best
compression. To disable compression entirely, set to \fI0\fP. The default is
.I "zlib_bufsize=<integer>"
The input and output buffer size when compressing and decompressing. This
affects how often the COMPRESS and DECOMPRESS status messages are sent and
also affects compression quality. The default is \fB65536\fP. Set to a higher
value for larger files.
.I "recursion_depth=<integer>"
The maximum number of times to resolve a target attribute for a single element
in an element path. An error is returned when this value is exceeded. The
default is \fI20\fP but can be disabled by setting to \fI0\fP.
.I "keepalive=<integer>"
Sends keep alive status messages to the client every N seconds. Set to \fI0\fP
to disable. The default is \fI5\fP.
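As an added example (not part of pwmd or its documentation), the following script writes a configuration in the format described above, with the security-relevant options set conservatively, and then audits a configuration for the weak settings this page points out: \fBiterations\fP left at 0 (a single iteration) or -1 (encryption disabled), a \fBkey\fP stored in the configuration itself, and \fBsocket_perms\fP wider than owner-only. The audit rules are this example's own; the file section name "accounts" and the paths are placeholders.

```shell
#!/bin/sh
# Added example, not part of pwmd: write a pwmd-style config with conservative
# settings, then audit a config for the weak settings the manual describes.
# The file name "accounts" and all paths are placeholders.

write_pwmd_config() {  # $1 = destination path
    cat > "$1" <<'EOF'
# global options
socket_path=~/.pwmd/socket
socket_perms=0600
data_directory=~/.pwmd/data
enable_logging=false
[default]
# the default of 0 is a single iteration; raise it to slow dictionary attacks
iterations=10000
iteration_progress=1000
cache_timeout=300
compression_level=6
keepalive=5
[accounts]
# no key= here: pinentry prompts for it instead
cache_timeout=60
EOF
}

# Prints one "weak:" line per finding; returns 1 if anything was found.
audit_pwmd_config() {  # $1 = config path
    awk '
      /^[ \t]*#/ || /^[ \t]*$/ { next }
      /^\[/ { section = $0; next }
      /^iterations=/ {
          split($0, kv, "=")
          if (kv[2] + 0 <= 0) {
              print "weak: " section " " $0 " (0 = one iteration, -1 = no encryption)"
              bad = 1
          }
      }
      /^key=/ { print "weak: " section " key stored in plaintext in the config"; bad = 1 }
      /^socket_perms=/ {
          split($0, kv, "=")
          if (kv[2] !~ /^0?[67]00$/) {
              print "weak: socket_perms " kv[2] " grants access beyond the owner"
              bad = 1
          }
      }
      END { exit bad }
    ' "$1"
}
```

Run `write_pwmd_config ~/.pwmd/config` to produce the file, then `audit_pwmd_config ~/.pwmd/config` to review it or any existing configuration.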
When \fIenable_pinentry\fP is \fBtrue\fP, commands that require a key that
isn't cached or specified with the command will use
to retrieve the passphrase. Since \fBpwmd\fP is a daemon process, it isn't
attached to any terminal, so \fBpinentry\fP needs to know where to put its
dialog box by using command line options when executed. These can be set by
either using protocol commands (see COMMANDS included in the archive) or by
creating a file \fI~/.pwmd/pinentry.conf\fP. When using the file, each line should
contain NAME=VALUE pairs where NAME is one of:
The full path of the tty device.
The terminal type (e.g., vt100).
If using an X11 pinentry.
The full path to the pinentry binary. The default is \fI@pinentry@\fP.
The file is read only once when a client first connects.
Clears the entire file cache. If there are any clients connected, a key will
be required for the next \fBOPEN\fP or \fBSAVE\fP command.
Reloads the configuration file.
Default configuration file.
Default data directory.
Default listening socket.
Default log file when logging is enabled.
Default location of the pinentry binary.
.B ~/.pwmd/pinentry.conf
Default pinentry settings for new clients.
Ben Kibbey <bjk@luxsci.net>
.URL "http://bjk.sourceforge.net/pwmd/" "PWMD Homepage" .
Also see \fBCOMMANDS\fP included in the archive for protocol commands and