Fix 'allowed_file' to work in a file section.
[pwmd.git] / doc / pwmd.html
blob133afc894c6149e11c300a8dee760fdf9ce5f039
1 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
2 <html>
3 <!-- Created by GNU Texinfo 5.2, http://www.gnu.org/software/texinfo/ -->
4 <head>
5 <title>PWMD Manual</title>
7 <meta name="description" content="PWMD Manual">
8 <meta name="keywords" content="PWMD Manual">
9 <meta name="resource-type" content="document">
10 <meta name="distribution" content="global">
11 <meta name="Generator" content="makeinfo">
12 <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
13 <link href="#Top" rel="start" title="Top">
14 <link href="#SEC_Contents" rel="contents" title="Table of Contents">
15 <link href="dir.html#Top" rel="up" title="(dir)">
16 <style type="text/css">
17 <!--
18 a.summary-letter {text-decoration: none}
19 blockquote.smallquotation {font-size: smaller}
20 div.display {margin-left: 3.2em}
21 div.example {margin-left: 3.2em}
22 div.indentedblock {margin-left: 3.2em}
23 div.lisp {margin-left: 3.2em}
24 div.smalldisplay {margin-left: 3.2em}
25 div.smallexample {margin-left: 3.2em}
26 div.smallindentedblock {margin-left: 3.2em; font-size: smaller}
27 div.smalllisp {margin-left: 3.2em}
28 kbd {font-style:oblique}
29 pre.display {font-family: inherit}
30 pre.format {font-family: inherit}
31 pre.menu-comment {font-family: serif}
32 pre.menu-preformatted {font-family: serif}
33 pre.smalldisplay {font-family: inherit; font-size: smaller}
34 pre.smallexample {font-size: smaller}
35 pre.smallformat {font-family: inherit; font-size: smaller}
36 pre.smalllisp {font-size: smaller}
37 span.nocodebreak {white-space:nowrap}
38 span.nolinebreak {white-space:nowrap}
39 span.roman {font-family:serif; font-weight:normal}
40 span.sansserif {font-family:sans-serif; font-weight:normal}
41 ul.no-bullet {list-style: none}
42 -->
43 </style>
46 </head>
48 <body lang="en" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#800080" alink="#FF0000">
49 <h1 class="settitle" align="center">PWMD Manual</h1>
54 <a name="Top"></a>
55 <div class="header">
56 <p>
57 Up: <a href="dir.html#Top" accesskey="u" rel="up">(dir)</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
58 </div>
59 <h1 class="node-heading">Top</h1>
62 <table class="menu" border="0" cellspacing="0">
63 <tr><td align="left" valign="top">&bull; <a href="#Introduction" accesskey="1">Introduction</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Overview of pwmd.
64 </td></tr>
65 <tr><td align="left" valign="top">&bull; <a href="#Access-Control" accesskey="2">Access Control</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">ACL of a single XML element.
66 </td></tr>
67 <tr><td align="left" valign="top">&bull; <a href="#Invoking" accesskey="3">Invoking</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Command line options.
68 </td></tr>
69 <tr><td align="left" valign="top">&bull; <a href="#Configuration" accesskey="4">Configuration</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Configuration file options.
70 </td></tr>
71 <tr><td align="left" valign="top">&bull; <a href="#Commands" accesskey="5">Commands</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Protocol commands.
72 </td></tr>
73 <tr><td align="left" valign="top">&bull; <a href="#Status-Messages" accesskey="6">Status Messages</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Status lines and their meaning.
74 </td></tr>
75 <tr><td align="left" valign="top">&bull; <a href="#Target-Attribute" accesskey="7">Target Attribute</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">A kind of symbolic link.
76 </td></tr>
77 <tr><td align="left" valign="top">&bull; <a href="#Signals" accesskey="8">Signals</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Signals known to pwmd.
78 </td></tr>
79 <tr><td align="left" valign="top">&bull; <a href="#Concept-Index" accesskey="9">Concept Index</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Index of concepts.
80 </td></tr>
81 </table>
83 <hr>
84 <a name="Introduction"></a>
85 <div class="header">
86 <p>
87 Next: <a href="#Access-Control" accesskey="n" rel="next">Access Control</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
88 </div>
89 <a name="Overview-of-pwmd"></a>
90 <h2 class="chapter">1 Overview of <code>pwmd</code></h2>
97 <p><code>pwmd</code> or <em>Password Manager Daemon</em> is a server that
98 applications connect to and send commands to store and retrieve data
99 that is saved in an encrypted <abbr>XML</abbr> document.
100 </p>
101 <p>The server uses the Assuan protocol (See <a href="http://www.gnupg.org/documentation/manuals/assuan/Implementation.html#Implementation">(assuan)Implementation</a>) which
102 is the same used by <code>gpg-agent</code>, <code>pinentry</code> and
103 <code>scdaemon</code>. It also uses <cite>libgpg-error</cite> for error reporting with
104 the error source set as <var>GPG_ERR_SOURCE_USER_1</var>.
105 </p>
107 <p>The <abbr>XML</abbr> document uses the following <abbr>DTD</abbr>:
108 </p>
109 <div class="example">
110 <pre class="example"> &lt;?xml version=&quot;1.0&quot;?&gt;
111 &lt;!DOCTYPE pwmd [
112 &lt;!ELEMENT pwmd (element*)&gt;
113 &lt;!ATTLIST element _name CDATA #REQUIRED&gt;
114 ]&gt;
115 </pre></div>
117 <p>The <code>pwmd</code> element is the document root node while all other elements
118 of the document have the name <code>element</code> with an attribute <code>_name</code>
119 whose value uniquely identifies the element at the current element tree depth.
120 It is done this way to avoid <abbr>XML</abbr> parsing errors for commonly used
121 characters. A <abbr>URL</abbr> for example would be an invalid <abbr>XML</abbr> element
122 since the <abbr>URI</abbr> contains a &lsquo;<samp>:</samp>&rsquo; which is also the <abbr>XML</abbr>
123 namespace separator.
124 </p>
125 <p>As mentioned, an element name must be unique for the current element tree
126 depth. You cannot have two elements containing the same <code>_name</code> attribute
127 value. <code>pwmd</code> will stop searching for an element of an <em>element
128 path</em> at the first match then continue searching for the next element of the
129 element path beginning at the child node of the matched element.
130 </p>
131 <p>An <em>element path</em> is a <tt class="key">TAB</tt> delimited character string where each
132 <tt class="key">TAB</tt> separates each element in the path. For example, the element path
133 <code>a<span class="key">TAB</span>b<span class="key">TAB</span>c</code> has the following <abbr>XML</abbr> document structure:
134 </p>
135 <div class="example">
136 <pre class="example"> &lt;pwmd&gt;
137 &lt;element _name=&quot;a&quot;&gt;
138 &lt;element _name=&quot;b&quot;&gt;
139 &lt;element _name=&quot;c&quot;&gt;
140 [... element value or content ...]
141 &lt;/element&gt;
142 &lt;/element&gt;
143 &lt;/element&gt;
144 &lt;/pwmd&gt;
145 </pre></div>
147 <p>The only restriction of an element name is that it contain no whitespace
148 characters. It also cannot begin with a &lsquo;<samp>!</samp>&rsquo; since this character is
149 reserved for the <code>target</code> attribute. See <a href="#Target-Attribute">Target Attribute</a>.
150 </p>
151 <hr>
152 <a name="Access-Control"></a>
153 <div class="header">
155 Next: <a href="#Invoking" accesskey="n" rel="next">Invoking</a>, Previous: <a href="#Introduction" accesskey="p" rel="prev">Introduction</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
156 </div>
157 <a name="Access-Control-1"></a>
158 <h2 class="chapter">2 Access Control</h2>
160 <p>Like a filesystem has an <abbr>ACL</abbr> to grant or limit access to directories or
161 files for a specific user or group, <code>pwmd</code> can limit a local user,
162 group or a TLS connection to a specific element path. This is done by storing
163 an ACL in the element attribute <var>_acl</var>. Its syntax is similar to the
164 <var>allowed</var> configuration parameter (see <a href="#Configuration">Configuration</a>) with the
165 exception that a TLS fingerprint hash is prefixed with a <tt class="key">#</tt>.
166 </p>
167 <p>Access is denied for all users that are not in the <abbr>ACL</abbr> of an element
168 with the exception of the invoking user (see the <var>invoking_user</var> and
169 <var>invoking_tls</var> configuration parameters (see <a href="#Configuration">Configuration</a>)). The
170 connected client must be in the <abbr>ACL</abbr> for each element in an element path
171 otherwise an error is returned. As an example:
172 </p>
173 <div class="example">
174 <pre class="example">&lt;element _name=&quot;test&quot; _acl=&quot;username,-@wheel,root,#ABCDEF&quot;&gt;
175 &lt;element _name=&quot;child&quot;/&gt;
176 &lt;/element&gt;
177 </pre></div>
179 <p>The user <code>username</code> would be allowed access to the <code>test</code> element
180 but not if it is a member of the <code>wheel</code> group although the <code>root</code>
181 user, who may be a member of the <code>wheel</code> group, is allowed. The SHA-256
182 TLS fingerprint hash <code>#ABCDEF</code> is also allowed. No users other than the
183 <var>invoking_user</var> are allowed access to the <code>child</code> element.
184 </p>
185 <p>The first user listed in the <abbr>ACL</abbr> is considered the owner of the
186 element. This determines which clients may modify an <var>_acl</var> attribute and
187 store content for an element. The <var>invoking_user</var> may always modify an
188 <abbr>ACL</abbr>.
189 </p>
190 <hr>
191 <a name="Invoking"></a>
192 <div class="header">
194 Next: <a href="#Configuration" accesskey="n" rel="next">Configuration</a>, Previous: <a href="#Access-Control" accesskey="p" rel="prev">Access Control</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
195 </div>
196 <a name="Invoking-pwmd"></a>
197 <h2 class="chapter">3 Invoking <code>pwmd</code></h2>
201 <p>When <code>pwmd</code> is started with the <samp>--use-agent</samp> command
202 line option then <code>pwmd</code> will use <code>gpg-agent</code> for key
203 generation, decryption, signing and caching of passphrases as the
204 default rather than symmetrically encrypted data files.
205 <code>gpg-agent</code> must be running prior to <code>pwmd</code> startup when
206 this option is enabled. The <code>GPG_AGENT_INFO</code> environment variable is
207 set by <code>gpg-agent</code> and <code>pwmd</code> uses this variable to
208 determine where the <code>gpg-agent</code> socket is listening for
209 connections.
210 </p>
211 <p>It is recommended to pass the <samp>--allow-preset-passphrase</samp>
212 command line option to <code>gpg-agent</code>. Doing so allows <code>pwmd</code>
213 cache pushing on startup. It is also recommended to pass the
214 <samp>--allow-loopback-pinentry</samp> to <code>gpg-agent</code>. This option allows
215 a passphrase to be inquired from <code>pwmd</code> when a <code>pinentry</code> is
216 unavailable to the client.
217 </p>
218 <a name="index-Running-pwmd"></a>
219 <p><code>pwmd</code> is executed as follows:
220 </p>
221 <div class="example">
222 <pre class="example">pwmd <var>options</var> [ file1 ] [ &hellip; ]
223 </pre></div>
225 <p>Non-option arguments are data files to cache on startup. When the data file
226 requires a passphrase for decryption a <code>pinentry</code> will prompt either
227 on the current <abbr>TTY</abbr> or from an X11 window when the <code>DISPLAY</code>
228 environment variable is set.
229 </p>
230 <a name="index-Options"></a>
231 <a name="index-Arguments"></a>
232 <p>The following command line options are supported:
233 </p>
234 <a name="index-Getting-help"></a>
235 <dl compact="compact">
236 <dt>&lsquo;<samp>--homedir directory</samp>&rsquo;</dt>
237 <dd><p>The root directory where pwmd will store its data and temporary files. The
238 default is <samp>~/.pwmd</samp>.
239 </p>
240 </dd>
241 <dt>&lsquo;<samp>--rcfile, -f rcfile</samp>&rsquo;</dt>
242 <dd><p>Specify an alternate configuration file. The default is
243 <samp>~/.pwmd/config</samp>.
244 </p>
245 </dd>
246 <dt>&lsquo;<samp>--use-agent</samp>&rsquo;</dt>
247 <dd><p>Enable the use of <code>gpg-agent</code> and add support for data files
248 encrypted with a keypair. Files previously handled by
249 <code>gpg-agent</code> when this option is not specified will no longer be
250 able to be opened and new data files are symmetrically or conventionally
251 encrypted and without a public and private key. If
252 specified, both data file types are supported.
253 </p>
254 </dd>
255 <dt>&lsquo;<samp>--import, -I filename</samp>&rsquo;</dt>
256 <dd><p>Imports an <abbr>XML</abbr> file. The <abbr>XML</abbr> file should be in conformance to
257 the <code>pwmd</code> <abbr>DTD</abbr> (see <a href="#Introduction">Introduction</a>). You
258 will be prompted for a passphrase to encrypt with. The output is written to
259 the filename specified with <samp>--outfile</samp>. To make use of the imported
260 data, place the output file in <samp>~/.pwmd/data</samp>.
261 </p>
262 </dd>
263 <dt>&lsquo;<samp>--keyparam S-expression</samp>&rsquo;</dt>
264 <dd><p>The key parameters to use when generating a new key pair while importing an
265 <abbr>XML</abbr> file or when converting a <em>version 2</em> data file. The argument
266 must be a valid S-expression (See <a href="http://www.gnupg.org/documentation/manuals/gcrypt/S_002dexpressions.html#S_002dexpressions">(gcrypt)S-expressions</a>).
267 </p>
268 </dd>
269 <dt>&lsquo;<samp>--keygrip hexstring</samp>&rsquo;</dt>
270 <dd><p>Specifies the hexadecimal encoded public key-grip to use for encryption when
271 importing or converting. When not specified a new key-pair will be created.
272 </p>
273 </dd>
274 <dt>&lsquo;<samp>--sign-keygrip hexstring</samp>&rsquo;</dt>
275 <dd><p>Specifies the hexadecimal encoded public key-grip to use for signing of the
276 data file when importing or converting. When not specified the generated
277 public key or the key specified with the <samp>--keygrip</samp> option will be
278 used.
279 </p>
280 </dd>
281 <dt>&lsquo;<samp>--passphrase-file, -k filename&quot;</samp>&rsquo;</dt>
282 <dd><p>Obtain the passphrase from the specified filename.
283 </p>
284 </dd>
285 <dt>&lsquo;<samp>--s2k-count iterations</samp>&rsquo;</dt>
286 <dd><p>The number of times to hash the passphrase when importing or converting. The
287 default is the gpg-agent calibrated value of the machine. When less than
288 &lsquo;<samp>65536</samp>&rsquo; the default will be used.
289 </p>
290 </dd>
291 <dt>&lsquo;<samp>--cipher-iterations iterations</samp>&rsquo;</dt>
292 <dd><p>The number of symmetric encryption iterations. The value is actually N+1. The
293 default is 0+1.
294 </p>
295 </dd>
296 <dt>&lsquo;<samp>--cipher algo</samp>&rsquo;</dt>
297 <dd><p>When importing, the cipher to use for data encryption. See the <var>cipher</var>
298 configuration parameter (see <a href="#Configuration">Configuration</a>) for available ciphers. The
299 default is &lsquo;<samp>aes256</samp>&rsquo;.
300 </p>
301 </dd>
302 <dt>&lsquo;<samp>--convert, -C filename</samp>&rsquo;</dt>
303 <dd><p>Converts a <code>pwmd</code> <em>version 2</em> data file to a <em>version 3</em>
304 data file. If encrypted, you will be prompted for a passphrase to use for
305 decryption unless <samp>--passphrase-file</samp> was specified. The converted data
306 file will be saved to the filename specified with <samp>--outfile</samp>. All
307 <samp>--import</samp> related options may also be used when converting.
308 </p>
309 </dd>
310 <dt>&lsquo;<samp>--disable-dump, -D</samp>&rsquo;</dt>
311 <dd><p>Disable the <code>XPATH</code>, <code>XPATHATTR</code>, <code>LIST</code> and <code>DUMP</code>
312 protocol commands (see <a href="#Commands">Commands</a>). This overrides any
313 <var>disable_list_and_dump</var> configuration parameter (see <a href="#Configuration">Configuration</a>).
314 </p>
315 </dd>
316 <dt>&lsquo;<samp>--no-fork, -n</samp>&rsquo;</dt>
317 <dd><p>Run as a foreground process and do not fork into the background.
318 </p>
319 </dd>
320 <dt>&lsquo;<samp>--ignore, --force</samp>&rsquo;</dt>
321 <dd><p>Ignore cache pushing failures on startup. By default, <code>pwmd</code> will exit
322 if an error occurred do to an invalid passphrase or other error.
323 </p>
324 </dd>
325 <dt>&lsquo;<samp>--debug-level keyword,keyword,...</samp>&rsquo;</dt>
326 <dd><p>Output libassuan See <a href="http://www.gnupg.org/documentation/manuals/assuan/index.html#Top">(assuan)Top</a> protocol IO with the comma
327 separated list of output keywords. Valid keywords are: <code>init</code>,
328 <code>ctx</code>, <code>engine</code>, <code>data</code>, <code>sysio</code> and <code>control</code>.
329 </p>
330 </dd>
331 <dt>&lsquo;<samp>--version</samp>&rsquo;</dt>
332 <dd><p>Show the version, copyright and compile time features and exit.
333 </p>
334 </dd>
335 <dt>&lsquo;<samp>--help</samp>&rsquo;</dt>
336 <dd><p>Print a summary of options.
337 </p></dd>
338 </dl>
341 <hr>
342 <a name="Configuration"></a>
343 <div class="header">
345 Next: <a href="#TLS" accesskey="n" rel="next">TLS</a>, Previous: <a href="#Invoking" accesskey="p" rel="prev">Invoking</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
346 </div>
347 <a name="pwmd-configuration-file-options"></a>
348 <h2 class="chapter">4 <code>pwmd</code> configuration file options</h2>
351 <p>If no configuration file is specified with the <code>pwmd</code> <samp>-f</samp>
352 command line option, <code>pwmd</code> will read <samp>~/.pwmd/config</samp> if it
353 exists, and if not, will use defaults. Blank lines and lines beginning with
354 &lsquo;<samp>#</samp>&rsquo; are ignored. Some parameters may have data file specific settings by
355 placing them in a file section. A file section is declared by surrounding the
356 filename with braces (i.e., &lsquo;<samp>[filename]</samp>&rsquo;). Global options may be
357 specified in a &lsquo;<samp>[global]</samp>&rsquo; section and are the default options for new or
358 unspecified files.
359 </p>
360 <p>A tilde <tt class="key">~</tt> will be expanded to the home directory of the invoking user
361 when contained in a parameter whose value is a filename.
362 </p>
363 <a name="index-Reloading-the-configuration-file"></a>
364 <p>The configuration file can be reloaded by sending the <em>SIGHUP</em> signal to
365 a <code>pwmd</code> process.
366 </p>
367 <a name="index-Global-configuration-options"></a>
368 <p>The following options are only for use in the &lsquo;<samp>global</samp>&rsquo; section:
369 </p>
370 <dl compact="compact">
371 <dt>&lsquo;<samp>socket_path = /path/to/socket</samp>&rsquo;</dt>
372 <dd><p>Listen on the specified socket. The default is <samp>~/.pwmd/socket</samp>.
373 </p>
374 </dd>
375 <dt>&lsquo;<samp>socket_perms = octal_mode</samp>&rsquo;</dt>
376 <dd><p>Permissions to set after creating the socket. This will override any
377 <cite>umask(2)</cite> setting.
378 </p>
379 </dd>
380 <dt>&lsquo;<samp>invoking_user = username</samp>&rsquo;</dt>
381 <dd><p>This parameter is not to be confused with setuid or setguid upon startup. It
382 is the local username that may use the <code>XPATH</code>, <code>XPATHATTR</code>
383 and <code>DUMP</code> commands (except when disabled with the
384 <code>disable_list_and_dump</code> option) and who may modify elements that have no
385 <code>_acl</code> attribute or is not listed in an <code>_acl</code>. It is similar to
386 the system administrator root account but for a data file
387 (see <a href="#Access-Control">Access Control</a>). The default is the user the executes <code>pwmd</code>.
388 </p>
389 </dd>
390 <dt>&lsquo;<samp>invoking_tls = SHA-256</samp>&rsquo;</dt>
391 <dd><p>Like <code>invoking_user</code> but is a hash of an <abbr>TLS</abbr> certificate
392 fingerprint for a remote client. The hash should be prefixed with a <tt class="key">#</tt>
393 character.
394 </p>
395 </dd>
396 <dt>&lsquo;<samp>allowed = [-!]user,[-!]@group,[+,][-!]#SHA-256,...</samp>&rsquo;</dt>
397 <dd><p>A comma separated list of local user names, group names or <abbr>TLS</abbr>
398 fingerprint <abbr>SHA</abbr>-256 hashes (in the case of a remote client) who are
399 allowed to connect. Groups should be prefixed with a &lsquo;<samp>@</samp>&rsquo;. When not
400 specified only the invoking user may connect. A username, group name or hash
401 may also be prefixed with a <tt class="key">-</tt> or <tt class="key">!</tt> to prevent access to a specific
402 user or group in the list. The order of the list is important since a user may
403 be of multiple groups.
404 </p>
405 <p>This parameter may also be specified in a filename section to allow or deny a
406 client to <code>OPEN</code> (see <a href="#OPEN">OPEN</a>) a data file. It also affects the cache
407 commands <code>CLEARCACHE</code> (see <a href="#CLEARCACHE">CLEARCACHE</a>) and <code>CACHETIMEOUT</code>
408 (see <a href="#CACHETIMEOUT">CACHETIMEOUT</a>). When not specified in a file section any user that can
409 connect may also open the filename.
410 </p>
411 <p>The following example would deny all users in group <code>primary</code> but
412 allow <code>username</code> who may be a member of <code>primary</code>. It will also
413 allow any TLS client except for the client with <abbr>TLS</abbr> fingerprint hash
414 <code>#ABCDEF</code>:
415 </p>
416 <div class="example">
417 <pre class="example">allowed=-@primary,username,+,!#ABCDEF
418 </pre></div>
420 </dd>
421 <dt>&lsquo;<samp>allowed_file = filename</samp>&rsquo;</dt>
422 <dd><p>A file containing one entry per line. An entry has the same syntax as the
423 <code>allowed</code> parameter. When both this parameter and the <code>allowed</code>
424 parameter are specified then the <code>allowed_file</code> entries will be appended
425 to the <code>allowed</code> parameter value.
426 </p>
427 </dd>
428 <dt>&lsquo;<samp>disable_mlockall = boolean</samp>&rsquo;</dt>
429 <dd><p>When set to <code>false</code>, <cite>mlockall(2)</cite> will be called on startup. This
430 will use more physical memory but may also be more secure since no swapping to
431 disk will occur. The default is <var>true</var>.
432 </p>
433 </dd>
434 <dt>&lsquo;<samp>log_path = /path/to/logfile</samp>&rsquo;</dt>
435 <dd><p>Logs informational messages to the specified file. The default is
436 <samp>~/.pwmd/log</samp>.
437 </p>
438 </dd>
439 <dt>&lsquo;<samp>enable_logging = boolean</samp>&rsquo;</dt>
440 <dd><p>Enable or disable logging to <var>log_path</var>. The default is <code>false</code>.
441 </p>
442 </dd>
443 <dt>&lsquo;<samp>log_keepopen = boolean</samp>&rsquo;</dt>
444 <dd><p>When set to <code>false</code>, the log file specified with <var>log_path</var> will be
445 closed after writing each line. The default is <code>true</code>.
446 </p>
447 </dd>
448 <dt>&lsquo;<samp>syslog = boolean</samp>&rsquo;</dt>
449 <dd><p>Enable logging to <cite>syslog(8)</cite> with facility <em>LOG_DAEMON</em> and priority
450 <em>LOG_INFO</em>. The default is <code>false</code>.
451 </p>
452 </dd>
453 <dt>&lsquo;<samp>log_level = level</samp>&rsquo;</dt>
454 <dd><p>When <code>0</code>, only connections and errors are logged. When <code>1</code>, client
455 commands are also logged. When <code>2</code>, the command arguments are also logged.
456 The default is <code>0</code>.
457 </p>
458 </dd>
459 <dt>&lsquo;<samp>use_agent = boolean</samp>&rsquo;</dt>
460 <dd><p>When true, enable <code>gpg-agent</code> support (see <a href="#Invoking">Invoking</a>).
461 </p>
462 </dd>
463 <dt>&lsquo;<samp>agent_env_file = filename</samp>&rsquo;</dt>
464 <dd><p>A file containing the <code>GPG_AGENT_INFO</code> environment variable and value as
465 output by the <code>gpg-agent</code> <samp>--write-env-file</samp> command line
466 option.
467 </p>
468 </dd>
469 <dt>&lsquo;<samp>kill_scd = boolean</samp>&rsquo;</dt>
470 <dd><p>Kill <code>scdaemon</code> after each <code>OPEN</code> (see <a href="#OPEN">OPEN</a>) or <code>SAVE</code>
471 (see <a href="#SAVE">SAVE</a>) command.
472 </p>
473 </dd>
474 <dt>&lsquo;<samp>require_save_key = boolean</samp>&rsquo;</dt>
475 <dd><p>Require the passphrase needed to open a data file before writing changes
476 of the documment to disk reguardless of the key cache status.
477 </p>
478 </dd>
479 <dt>&lsquo;<samp>disable_list_and_dump = boolean</samp>&rsquo;</dt>
480 <dd><p>When <code>true</code>, the <code>XPATH</code>, <code>XPATHATTR</code>, <code>LIST</code> and
481 <code>DUMP</code> protocol commands (see <a href="#Commands">Commands</a>) will be disabled.
482 </p>
483 </dd>
484 <dt>&lsquo;<samp>cache_push = file1,file2</samp>&rsquo;</dt>
485 <dd><p>A comma separated list of filenames that will be pushed into the file cache
486 upon startup. <code>pwmd</code> will prompt for the passphrase for each file unless
487 specified with the <var>passphrase</var> or <var>passphrase_file</var> parameters in a
488 matching file section.
489 </p>
490 </dd>
491 <dt>&lsquo;<samp>priority = integer</samp>&rsquo;</dt>
492 <dd><p>The priority, or niceness, of the server. The default is inherited from the
493 parent process.
494 </p>
495 </dd>
496 <dt>&lsquo;<samp>cipher = algorithm</samp>&rsquo;</dt>
497 <dd><p>The default cipher to use for data encryption when saving (see <a href="#SAVE">SAVE</a>) a new
498 file. The algorithm must be one of: <code>aes128</code>, <code>aes192</code>,
499 <code>aes256</code>, <code>serpent128</code>, <code>serpent192</code>, <code>serpent256</code>,
500 <code>camellia128</code>, <code>camellia192</code>, <code>camellia256</code>, <code>3des</code>,
501 <code>cast5</code>, <code>blowfish</code>, <code>twofish128</code> or <code>twofish256</code>. The
502 default is <code>aes256</code>.
503 </p>
504 </dd>
505 <dt>&lsquo;<samp>cipher_iterations = integer</samp>&rsquo;</dt>
506 <dd><p>The number of times to encrypt the XML data. This differs from the
507 <var>s2k_count</var> parameter which specifies the number of times to hash the
508 passphrase used to encrypt the data. The default is 0 although at least 1
509 iteration is always done.
510 </p>
511 </dd>
512 <dt>&lsquo;<samp>cipher_progress = integer</samp>&rsquo;</dt>
513 <dd><p>Send a progress message to the client after the specified amount of encryption
514 or decryption iterations have been done. The default is 2000.
515 </p>
516 </dd>
517 <dt>&lsquo;<samp>keyparam = s-expression</samp>&rsquo;</dt>
518 <dd><p>The default key parameters to use when generating a new key-pair. The default
519 is <code>RSA</code> with <code>2048</code> bits. Note that only the <abbr>RSA</abbr> and
520 <abbr>ELG</abbr> algorithms as the encryption algorithm are supported at the moment.
521 Both <abbr>RSA</abbr> and <abbr>DSA</abbr> keys may be used for signing.
522 </p>
523 </dd>
524 <dt>&lsquo;<samp>pinentry_path = /path/to/pinentry</samp>&rsquo;</dt>
525 <dd><p>The location of the <code>pinentry</code> binary. This program is used to
526 prompt for a passphrase when not using <code>gpg-agent</code>. The default
527 is specified at compile time.
528 </p>
529 </dd>
530 <dt>&lsquo;<samp>pinentry_timeout = seconds</samp>&rsquo;</dt>
531 <dd><p>The number of seconds to wait for a pinentry before giving up and
532 returning an error. This timeout value is used for both waiting for
533 another pinentry to complete and for the pinentry waiting for user input.
534 </p></dd>
535 </dl>
537 <a name="index-Data-file-configuration-options"></a>
538 <p>The following options are defaults for new files when specified in the
539 &lsquo;<samp>global</samp>&rsquo; section. When placed in a data file section they are options
540 specific to that data file only.
541 </p>
542 <dl compact="compact">
543 <dt>&lsquo;<samp>backup = boolean</samp>&rsquo;</dt>
544 <dd><p>Whether to create a backup of the data file when saving. The backup filename
545 has the <samp>.backup</samp> extension appended to the opened file. The default is
546 <code>true</code>.
547 </p>
548 </dd>
549 <dt>&lsquo;<samp>cache_timeout = seconds</samp>&rsquo;</dt>
550 <dd><p>The number of seconds to keep the cache entry for this file. If <code>-1</code>, the
551 cache entry is kept forever. If <code>0</code>, each time an encrypted file is
552 <code>OPEN</code>ed (see <a href="#OPEN">OPEN</a>) a passphrase will be required. The default
553 is <code>600</code> or 10 minutes.
554 </p>
555 </dd>
556 <dt>&lsquo;<samp>xfer_progress = bytes</samp>&rsquo;</dt>
557 <dd><p>Commands that send data lines to the client will also send the <code>XFER</code>
558 status message (see <a href="#Status-Messages">Status Messages</a>) after the specified number of bytes
559 have been sent. The number of bytes is rounded to <var>ASSUAN_LINELENGTH</var> or
560 <code>1002</code> bytes. The default is <code>8196</code>.
561 </p>
562 </dd>
563 <dt>&lsquo;<samp>passphrase = string</samp>&rsquo;</dt>
564 <dd><p>The passphrase to use for this file. If specified in the &lsquo;<samp>global</samp>&rsquo; section
565 then &lsquo;<samp>global</samp>&rsquo; is treated as a data filename and not a default for other
566 files. Note that if a client changes the passphrase for this data file then
567 this value is not modified and will need to be updated.
568 </p>
569 </dd>
570 <dt>&lsquo;<samp>passphrase_file = /path/to/file</samp>&rsquo;</dt>
571 <dd><p>Same as the <var>passphrase</var> parameter above but obtains the passphrase from
572 the specified filename.
573 </p>
574 </dd>
575 <dt>&lsquo;<samp>recursion_depth = integer</samp>&rsquo;</dt>
576 <dd><p>The maximum number of times to resolve a <code>target</code> attribute for an
577 element in an element path (see <a href="#Target-Attribute">Target Attribute</a>). An error is returned
578 when this value is exceeded. The default is <code>100</code> but can be disabled by
579 setting to <code>0</code> (<em>not recommended</em>).
580 </p>
581 </dd>
582 <dt>&lsquo;<samp>allowed = [-]user,[-]@group,...</samp>&rsquo;</dt>
583 <dd><p>Same parameter value as the <code>allowed</code> parameter mentioned above in
584 the &lsquo;<samp>global</samp>&rsquo; section but grants or denies a local user from opening
585 a specific data file. The default is to allow only the invoking user.
586 </p>
587 </dd>
588 </dl>
589 <table class="menu" border="0" cellspacing="0">
590 <tr><td align="left" valign="top">&bull; <a href="#TLS" accesskey="1">TLS</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Remote connections over TLS.
591 </td></tr>
592 <tr><td align="left" valign="top">&bull; <a href="#Pinentry" accesskey="2">Pinentry</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Configuration file and defaults.
593 </td></tr>
594 </table>
596 <hr>
597 <a name="TLS"></a>
598 <div class="header">
600 Next: <a href="#Pinentry" accesskey="n" rel="next">Pinentry</a>, Previous: <a href="#Configuration" accesskey="p" rel="prev">Configuration</a>, Up: <a href="#Configuration" accesskey="u" rel="up">Configuration</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
601 </div>
602 <a name="Configuring-remote-connections-over-TLS_002e"></a>
603 <h2 class="chapter">5 Configuring remote connections over TLS.</h2>
604 <p>Remote connections can also be made to <code>pwmd</code> over <abbr>TLS</abbr>.
605 Authentication is done by using X509 client certificates that are signed with
606 the same Certificate Authority (<abbr>CA</abbr>) as the server certificate.
607 </p>
608 <p>The <abbr>CA</abbr> certificate is expected to be found in
609 <samp>~/.pwmd/ca-cert.pem</samp> while the <code>pwmd</code> server certificate and key
610 file should be put in <samp>~/.pwmd/server-cert.pem</samp> and
611 <samp>~/.pwmd/server-key.pem</samp>, respectively.
612 </p>
613 <p>See the documentation of <code>certtool</code> or <code>openssl</code> for details
614 on creating self-signed certificates.
615 </p>
616 <p>The following TLS configuration options are available:
617 </p>
618 <dl compact="compact">
619 <dt>&lsquo;<samp>enable_tcp = boolean</samp>&rsquo;</dt>
620 <dd><p>Whether to enable TCP/TLS server support. If enabled, both TCP and the local
621 unix domain socket will listen for connections. The default is
622 <code>false</code>.
623 </p>
624 </dd>
625 <dt>&lsquo;<samp>tcp_port = integer</samp>&rsquo;</dt>
626 <dd><p>The TCP port to listen on when <var>enable_tcp</var> is <code>true</code>. The default is
627 <code>6466</code>.
628 </p>
629 </dd>
630 <dt>&lsquo;<samp>tcp_bind = string</samp>&rsquo;</dt>
631 <dd><p>The internet protocol to listen with. Must be one of <code>ipv4</code>, <code>ipv6</code>
632 or <code>any</code> to listen for both IPv4 and IPv6 connections.
633 </p>
634 </dd>
635 <dt>&lsquo;<samp>tcp_interface = string</samp>&rsquo;</dt>
636 <dd><p>Only useful if running as root.
637 </p>
638 </dd>
639 <dt>&lsquo;<samp>tls_timeout = seconds</samp>&rsquo;</dt>
640 <dd><p>The number of seconds to wait for a read() or write() call on a
641 <abbr>TLS</abbr> client file descriptor to complete before returning an
642 error. The default is <var>300</var>.
643 </p>
644 <p>Note that the <code>SAVE</code> command (see <a href="#SAVE">SAVE</a>) may take a longer time
645 to complete than other commands since key generation may need to be done
646 or do to a large <samp>--cipher-iterations</samp> setting.
647 </p>
648 </dd>
649 <dt>&lsquo;<samp>keepalive_interval = seconds</samp>&rsquo;</dt>
650 <dd><p>Send a keepalive status message to an idle remote client. An idle
651 client is one who is not in a command. The purpose of this status
652 message is to disconnect a hung remote client and release any file mutex
653 locks so another client may open the same data file. The default is <code>60</code>.
654 </p>
655 </dd>
656 <dt>&lsquo;<samp>tcp_require_key = boolean</samp>&rsquo;</dt>
657 <dd><p>When <code>true</code>, require the remote client to provide the key or passphrase
658 to open a data file even if the file is cached. Note that the cache entry is
659 cleared during the see <a href="#OPEN">OPEN</a> command and the passphrase will be retrieved
660 from the client via a server <em>INQUIRE</em>. This option is a default
661 for all files when specified in the &lsquo;<samp>global</samp>&rsquo; section. The default
662 is <code>false</code>.
663 </p>
664 </dd>
665 <dt>&lsquo;<samp>tcp_wait = integer</samp>&rsquo;</dt>
666 <dd><p>The time in tenths of a second to wait between TCP connections. Setting to 0
667 will disable waiting. The default is <code>3</code>.
668 </p>
669 </dd>
670 <dt>&lsquo;<samp>tls_cipher_suite = string</samp>&rsquo;</dt>
671 <dd><p>The GnuTLS cipher suite and protocol to use. See the GnuTLS documentation for
672 information about the format of this string. The default is <code>SECURE256</code>.
673 </p></dd>
674 </dl>
676 <hr>
677 <a name="Pinentry"></a>
678 <div class="header">
680 Next: <a href="#Commands" accesskey="n" rel="next">Commands</a>, Previous: <a href="#TLS" accesskey="p" rel="prev">TLS</a>, Up: <a href="#Configuration" accesskey="u" rel="up">Configuration</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
681 </div>
682 <a name="Pinentry-configuration"></a>
683 <h2 class="chapter">6 Pinentry configuration</h2>
685 <p>The <code>pinentry</code> program is used to prompt the user for passphrase
686 input or as a confirmation dialog; it needs to know where to prompt for
687 the input, beit from a terminal or an X11 display.
688 </p>
689 <p>It is the responsibility of the client to tell <code>pinentry</code> about
690 the terminal or X11 display before requiring the input. This is done by
691 using the <code>pwmd</code> <code>OPTION</code> (see <a href="#OPTION">OPTION</a>) protocol command. It
692 need be done only once per client connection. To avoid the use of
693 <code>pinentry</code> entirely, use the <code>OPTION</code> (see <a href="#OPTION">OPTION</a>)
694 <samp>--disable-pinentry</samp> protocol command.
695 </p>
696 <hr>
697 <a name="Commands"></a>
698 <div class="header">
700 Next: <a href="#Status-Messages" accesskey="n" rel="next">Status Messages</a>, Previous: <a href="#Pinentry" accesskey="p" rel="prev">Pinentry</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
701 </div>
702 <a name="Protocol-commands-and-their-syntax"></a>
703 <h2 class="chapter">7 Protocol commands and their syntax</h2>
704 <table class="menu" border="0" cellspacing="0">
705 <tr><td align="left" valign="top">&bull; <a href="#AGENT" accesskey="1">AGENT</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
706 </td></tr>
707 <tr><td align="left" valign="top">&bull; <a href="#ATTR" accesskey="2">ATTR</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
708 </td></tr>
709 <tr><td align="left" valign="top">&bull; <a href="#CACHETIMEOUT" accesskey="3">CACHETIMEOUT</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
710 </td></tr>
711 <tr><td align="left" valign="top">&bull; <a href="#CLEARCACHE" accesskey="4">CLEARCACHE</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
712 </td></tr>
713 <tr><td align="left" valign="top">&bull; <a href="#COPY" accesskey="5">COPY</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
714 </td></tr>
715 <tr><td align="left" valign="top">&bull; <a href="#DELETE" accesskey="6">DELETE</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
716 </td></tr>
717 <tr><td align="left" valign="top">&bull; <a href="#DUMP" accesskey="7">DUMP</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
718 </td></tr>
719 <tr><td align="left" valign="top">&bull; <a href="#GET" accesskey="8">GET</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
720 </td></tr>
721 <tr><td align="left" valign="top">&bull; <a href="#GETCONFIG" accesskey="9">GETCONFIG</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
722 </td></tr>
723 <tr><td align="left" valign="top">&bull; <a href="#GETINFO">GETINFO</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
724 </td></tr>
725 <tr><td align="left" valign="top">&bull; <a href="#HELP">HELP</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
726 </td></tr>
727 <tr><td align="left" valign="top">&bull; <a href="#IMPORT">IMPORT</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
728 </td></tr>
729 <tr><td align="left" valign="top">&bull; <a href="#ISCACHED">ISCACHED</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
730 </td></tr>
731 <tr><td align="left" valign="top">&bull; <a href="#KEYGRIP">KEYGRIP</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
732 </td></tr>
733 <tr><td align="left" valign="top">&bull; <a href="#LIST">LIST</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
734 </td></tr>
735 <tr><td align="left" valign="top">&bull; <a href="#LOCK">LOCK</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
736 </td></tr>
737 <tr><td align="left" valign="top">&bull; <a href="#LS">LS</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
738 </td></tr>
739 <tr><td align="left" valign="top">&bull; <a href="#MOVE">MOVE</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
740 </td></tr>
741 <tr><td align="left" valign="top">&bull; <a href="#NOP">NOP</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
742 </td></tr>
743 <tr><td align="left" valign="top">&bull; <a href="#OPEN">OPEN</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
744 </td></tr>
745 <tr><td align="left" valign="top">&bull; <a href="#OPTION">OPTION</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
746 </td></tr>
747 <tr><td align="left" valign="top">&bull; <a href="#PASSWD">PASSWD</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
748 </td></tr>
749 <tr><td align="left" valign="top">&bull; <a href="#REALPATH">REALPATH</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
750 </td></tr>
751 <tr><td align="left" valign="top">&bull; <a href="#RENAME">RENAME</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
752 </td></tr>
753 <tr><td align="left" valign="top">&bull; <a href="#RESET">RESET</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
754 </td></tr>
755 <tr><td align="left" valign="top">&bull; <a href="#SAVE">SAVE</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
756 </td></tr>
757 <tr><td align="left" valign="top">&bull; <a href="#STORE">STORE</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
758 </td></tr>
759 <tr><td align="left" valign="top">&bull; <a href="#UNLOCK">UNLOCK</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
760 </td></tr>
761 <tr><td align="left" valign="top">&bull; <a href="#XPATH">XPATH</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
762 </td></tr>
763 <tr><td align="left" valign="top">&bull; <a href="#XPATHATTR">XPATHATTR</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
764 </td></tr>
765 </table>
766 <hr>
767 <a name="AGENT"></a>
768 <div class="header">
770 Next: <a href="#ATTR" accesskey="n" rel="next">ATTR</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
771 </div>
772 <a name="AGENT-command"></a>
773 <h2 class="chapter">8 AGENT command</h2>
774 <a name="index-AGENT-command"></a>
775 <p>Syntax:
776 </p><div class="example">
777 <pre class="example">AGENT &lt;command&gt;
778 </pre></div>
780 <p>Send a <code>gpg-agent</code> protocol <var>command</var> directly to the
781 <code>gpg-agent</code>.
782 </p>
784 <hr>
785 <a name="ATTR"></a>
786 <div class="header">
788 Next: <a href="#CACHETIMEOUT" accesskey="n" rel="next">CACHETIMEOUT</a>, Previous: <a href="#AGENT" accesskey="p" rel="prev">AGENT</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
789 </div>
790 <a name="ATTR-command"></a>
791 <h2 class="chapter">9 ATTR command</h2>
792 <a name="index-ATTR-command"></a>
793 <p>Syntax:
794 </p><div class="example">
795 <pre class="example">ATTR [--inquire] SET|GET|DELETE|LIST [&lt;attribute&gt;] [!]element[&lt;TAB&gt;[!]child[..]] ..
796 </pre></div>
798 <dl compact="compact">
799 <dt>ATTR SET attribute [!]element[&lt;TAB&gt;[!]child[..]] [value]</dt>
800 <dd>
801 <p>Stores or updates an <var>attribute</var> name and optional <var>value</var> of an
802 element. When no <var>value</var> is specified any existing value will be removed.
803 </p>
804 </dd>
805 <dt>ATTR DELETE attribute [!]element[&lt;TAB&gt;[!]child[..]]</dt>
806 <dd>
807 <p>Removes an <var>attribute</var> from an element.
808 </p>
809 </dd>
810 <dt>ATTR LIST [!]element[&lt;TAB&gt;[!]child[..]]</dt>
811 <dd>
812 <p>Retrieves a newline separated list of attributes names and values
813 from the specified element. Each attribute name and value is space delimited.
814 </p>
815 </dd>
816 <dt>ATTR GET attribute [!]element[&lt;TAB&gt;[!]child[..]]</dt>
817 <dd>
818 <p>Retrieves the value of an <var>attribute</var> from an element.
819 </p></dd>
820 </dl>
822 <p>The <code>_name</code> attribute (case sensitive) cannot be removed nor modified.
823 Use the <code>DELETE</code> (see <a href="#DELETE">DELETE</a>) or <code>RENAME</code> (see <a href="#RENAME">RENAME</a>)
824 commands instead.
825 </p>
826 <p>The <code>_mtime</code> attribute is updated each time an element is modified by
827 either storing content, editing attributes or by deleting a child element.
828 The <code>_ctime</code> attribute is created for each new element in an element
829 path.
830 </p>
831 <p>When the <samp>--inquire</samp> option is passed then all remaining non-option
832 arguments are retrieved via a server <em>INQUIRE</em>.
833 </p>
834 <p>See <a href="#Target-Attribute">Target Attribute</a>, for details about this special attribute.
835 </p>
837 <hr>
838 <a name="CACHETIMEOUT"></a>
839 <div class="header">
841 Next: <a href="#CLEARCACHE" accesskey="n" rel="next">CLEARCACHE</a>, Previous: <a href="#ATTR" accesskey="p" rel="prev">ATTR</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
842 </div>
843 <a name="CACHETIMEOUT-command"></a>
844 <h2 class="chapter">10 CACHETIMEOUT command</h2>
845 <a name="index-CACHETIMEOUT-command"></a>
846 <p>Syntax:
847 </p><div class="example">
848 <pre class="example">CACHETIMEOUT &lt;filename&gt; &lt;seconds&gt;
849 </pre></div>
851 <p>The time in <var>seconds</var> until <var>filename</var> will be removed from the
852 cache. <code>-1</code> will keep the cache entry forever, <code>0</code> will require
853 the passphrase for each <code>OPEN</code> or <code>SAVE</code> command (see <a href="#OPEN">OPEN</a>,
854 see <a href="#SAVE">SAVE</a>). See <a href="#Configuration">Configuration</a>, and the <code>cache_timeout</code>
855 parameter.
856 </p>
858 <hr>
859 <a name="CLEARCACHE"></a>
860 <div class="header">
862 Next: <a href="#COPY" accesskey="n" rel="next">COPY</a>, Previous: <a href="#CACHETIMEOUT" accesskey="p" rel="prev">CACHETIMEOUT</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
863 </div>
864 <a name="CLEARCACHE-command"></a>
865 <h2 class="chapter">11 CLEARCACHE command</h2>
866 <a name="index-CLEARCACHE-command"></a>
867 <p>Syntax:
868 </p><div class="example">
869 <pre class="example">CLEARCACHE [&lt;filename&gt;]
870 </pre></div>
872 <p>Clears a file cache entry for all or the specified <var>filename</var>.
873 </p>
875 <hr>
876 <a name="COPY"></a>
877 <div class="header">
879 Next: <a href="#DELETE" accesskey="n" rel="next">DELETE</a>, Previous: <a href="#CLEARCACHE" accesskey="p" rel="prev">CLEARCACHE</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
880 </div>
881 <a name="COPY-command"></a>
882 <h2 class="chapter">12 COPY command</h2>
883 <a name="index-COPY-command"></a>
884 <p>Syntax:
885 </p><div class="example">
886 <pre class="example">COPY [--inquire] [!]source[&lt;TAB&gt;[!]child[..]] [!]dest[&lt;TAB&gt;[!]child[..]]
887 </pre></div>
889 <p>Copies the entire element tree starting from the child node of the source
890 element, to the destination element path. If the destination element path
891 does not exist then it will be created; otherwise it is overwritten.
892 </p>
893 <p>Note that attributes from the source element are merged into the
894 destination element when the destination element path exists. When an
895 attribute of the same name exists in both the source and destination
896 elements then the destination attribute will be updated to the source
897 attribute value.
898 </p>
899 <p>When the <samp>--inquire</samp> option is passed then all remaining non-option
900 arguments are retrieved via a server <em>INQUIRE</em>.
901 </p>
903 <hr>
904 <a name="DELETE"></a>
905 <div class="header">
907 Next: <a href="#DUMP" accesskey="n" rel="next">DUMP</a>, Previous: <a href="#COPY" accesskey="p" rel="prev">COPY</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
908 </div>
909 <a name="DELETE-command"></a>
910 <h2 class="chapter">13 DELETE command</h2>
911 <a name="index-DELETE-command"></a>
912 <p>Syntax:
913 </p><div class="example">
914 <pre class="example">DELETE [--inquire] [!]element[&lt;TAB&gt;[!]child[..]]
915 </pre></div>
917 <p>Removes the specified element path and all of its children. This may break
918 an element with a <code>target</code> attribute (see <a href="#Target-Attribute">Target Attribute</a>) that
919 refers to this element or any of its children.
920 </p>
921 <p>When the <samp>--inquire</samp> option is passed then all remaining non-option
922 arguments are retrieved via a server <em>INQUIRE</em>.
923 </p>
925 <hr>
926 <a name="DUMP"></a>
927 <div class="header">
929 Next: <a href="#GET" accesskey="n" rel="next">GET</a>, Previous: <a href="#DELETE" accesskey="p" rel="prev">DELETE</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
930 </div>
931 <a name="DUMP-command"></a>
932 <h2 class="chapter">14 DUMP command</h2>
933 <a name="index-DUMP-command"></a>
934 <p>Syntax:
935 </p><div class="example">
936 <pre class="example">DUMP
937 </pre></div>
939 <p>Shows the in memory <abbr>XML</abbr> document with indenting. See <a href="#XPATH">XPATH</a>, for
940 dumping a specific node.
941 </p>
943 <hr>
944 <a name="GET"></a>
945 <div class="header">
947 Next: <a href="#GETCONFIG" accesskey="n" rel="next">GETCONFIG</a>, Previous: <a href="#DUMP" accesskey="p" rel="prev">DUMP</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
948 </div>
949 <a name="GET-command"></a>
950 <h2 class="chapter">15 GET command</h2>
951 <a name="index-GET-command"></a>
952 <p>Syntax:
953 </p><div class="example">
954 <pre class="example">GET [--inquire] [!]element[&lt;TAB&gt;[!]child[..]]
955 </pre></div>
957 <p>Retrieves the content of the specified element. The content is returned
958 with a data response.
959 </p>
960 <p>When the <samp>--inquire</samp> option is passed then all remaining non-option
961 arguments are retrieved via a server <em>INQUIRE</em>.
962 </p>
964 <hr>
965 <a name="GETCONFIG"></a>
966 <div class="header">
968 Next: <a href="#GETINFO" accesskey="n" rel="next">GETINFO</a>, Previous: <a href="#GET" accesskey="p" rel="prev">GET</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
969 </div>
970 <a name="GETCONFIG-command"></a>
971 <h2 class="chapter">16 GETCONFIG command</h2>
972 <a name="index-GETCONFIG-command"></a>
973 <p>Syntax:
974 </p><div class="example">
975 <pre class="example">GETCONFIG [filename] &lt;parameter&gt;
976 </pre></div>
978 <p>Returns the value of a <code>pwmd</code> configuration <var>parameter</var> with a
979 data response. If no file has been opened then the value for <var>filename</var>
980 or the default from the &lsquo;<samp>global</samp>&rsquo; section will be returned. If a file
981 has been opened and no <var>filename</var> is specified, a value previously
982 set with the <code>OPTION</code> command (see <a href="#OPTION">OPTION</a>) will be returned.
983 </p>
985 <hr>
986 <a name="GETINFO"></a>
987 <div class="header">
989 Next: <a href="#HELP" accesskey="n" rel="next">HELP</a>, Previous: <a href="#GETCONFIG" accesskey="p" rel="prev">GETCONFIG</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
990 </div>
991 <a name="GETINFO-command"></a>
992 <h2 class="chapter">17 GETINFO command</h2>
993 <a name="index-GETINFO-command"></a>
994 <p>Syntax:
995 </p><div class="example">
996 <pre class="example">GETINFO [--data] CACHE | CLIENTS | PID | LAST_ERROR | VERSION
997 </pre></div>
999 <p>Get server and other information: <var>cache</var> returns the number of cached
1000 documents via a status message. <var>clients</var> returns the number of
1001 connected clients via a status message. <var>pid</var> returns the process ID
1002 number of the server via a data response. <var>VERSION</var> returns the server
1003 version number and compile-time features with a data response with each
1004 being space delimited. <var>LAST_ERROR</var> returns a detailed description of
1005 the last failed command when available. See <a href="#Status-Messages">Status Messages</a>.
1006 </p>
1007 <p>When the <samp>--data</samp> option is specified then the result will be sent
1008 via a data response rather than a status message.
1009 </p>
1011 <hr>
1012 <a name="HELP"></a>
1013 <div class="header">
1015 Next: <a href="#IMPORT" accesskey="n" rel="next">IMPORT</a>, Previous: <a href="#GETINFO" accesskey="p" rel="prev">GETINFO</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
1016 </div>
1017 <a name="HELP-command"></a>
1018 <h2 class="chapter">18 HELP command</h2>
1019 <a name="index-HELP-command"></a>
1020 <p>Syntax:
1021 </p><div class="example">
1022 <pre class="example">HELP [&lt;COMMAND&gt;]
1023 </pre></div>
1025 <p>Show available commands or command specific help text.
1026 </p>
1028 <hr>
1029 <a name="IMPORT"></a>
1030 <div class="header">
1032 Next: <a href="#ISCACHED" accesskey="n" rel="next">ISCACHED</a>, Previous: <a href="#HELP" accesskey="p" rel="prev">HELP</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
1033 </div>
1034 <a name="IMPORT-command"></a>
1035 <h2 class="chapter">19 IMPORT command</h2>
1036 <a name="index-IMPORT-command"></a>
1037 <p>Syntax:
1038 </p><div class="example">
1039 <pre class="example">IMPORT [--root [!]element[&lt;TAB&gt;[!]child[..]]] &lt;content&gt;
1040 </pre></div>
1042 <p>This command uses a server <em>INQUIRE</em> to retrieve data from the client.
1043 </p>
1044 <p>Like the <code>STORE</code> command (see <a href="#STORE">STORE</a>), but the <var>content</var>
1045 argument is raw <abbr>XML</abbr> data. The content is created as a child of
1046 the element path specified with the <samp>--root</samp> option or at the
1047 document root when not specified. Existing elements of the same name will
1048 be overwritten.
1049 </p>
1050 <p>The content must begin with an <abbr>XML</abbr> element node. See <a href="#Introduction">Introduction</a>,
1051 for details.
1052 </p>
1054 <hr>
1055 <a name="ISCACHED"></a>
1056 <div class="header">
1058 Next: <a href="#KEYGRIP" accesskey="n" rel="next">KEYGRIP</a>, Previous: <a href="#IMPORT" accesskey="p" rel="prev">IMPORT</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
1059 </div>
1060 <a name="ISCACHED-command"></a>
1061 <h2 class="chapter">20 ISCACHED command</h2>
1062 <a name="index-ISCACHED-command"></a>
1063 <p>Syntax:
1064 </p><div class="example">
1065 <pre class="example">ISCACHED [--lock] &lt;filename&gt;
1066 </pre></div>
1068 <p>An <em>OK</em> response is returned if the specified <var>filename</var> is found
1069 in the file cache. If not found in the cache but exists on the filesystem
1070 then <var>GPG_ERR_NO_DATA</var> is returned. Otherwise a filesystem error is
1071 returned.
1072 </p>
1073 <p>The <samp>lock</samp> option will lock the file mutex of <var>filename</var> when the
1074 file exists; it does not need to be opened nor cached. The lock will be
1075 released when the client exits or sends the <code>UNLOCK</code> (see <a href="#UNLOCK">UNLOCK</a>)
1076 command.
1077 </p>
1079 <hr>
1080 <a name="KEYGRIP"></a>
1081 <div class="header">
1083 Next: <a href="#LIST" accesskey="n" rel="next">LIST</a>, Previous: <a href="#ISCACHED" accesskey="p" rel="prev">ISCACHED</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
1084 </div>
1085 <a name="KEYGRIP-command"></a>
1086 <h2 class="chapter">21 KEYGRIP command</h2>
1087 <a name="index-KEYGRIP-command"></a>
1088 <p>Syntax:
1089 </p><div class="example">
1090 <pre class="example">KEYGRIP [--sign] &lt;filename&gt;
1091 </pre></div>
1093 <p>Returns the hex encoded keygrip of the specified <var>filename</var> with a
1094 data response.
1095 </p>
1096 <p>When the <samp>--sign</samp> option is specified then the key used for signing
1097 of the specified <var>filename</var> will be returned.
1098 </p>
1099 <p>For symmetrically encrypted data files this command returns the error
1100 GPG_ERR_NOT_SUPPORTED.
1101 </p>
1103 <hr>
1104 <a name="LIST"></a>
1105 <div class="header">
1107 Next: <a href="#LOCK" accesskey="n" rel="next">LOCK</a>, Previous: <a href="#KEYGRIP" accesskey="p" rel="prev">KEYGRIP</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
1108 </div>
1109 <a name="LIST-command"></a>
1110 <h2 class="chapter">22 LIST command</h2>
1111 <a name="index-LIST-command"></a>
1112 <p>Syntax:
1113 </p><div class="example">
1114 <pre class="example">LIST [--inquire] [--no-recurse] [--verbose] [--with-target] [--all] [[!]element[&lt;TAB&gt;[!]child[..]]]
1115 </pre></div>
1117 <p>If no element path is given then a newline separated list of root elements
1118 is returned with a data response. If given, then all reachable elements
1119 of the specified element path are returned unless the <samp>--no-recurse</samp>
1120 option is specified. If specified, only the child elements of the element
1121 path are returned without recursing into grandchildren. Each resulting
1122 element is prefixed with the literal <code>!</code> character when the element
1123 contains no <code>target</code> attribute. See <a href="#Target-Attribute">Target Attribute</a>, for details.
1124 </p>
1125 <p>When the <samp>--verbose</samp> option is passed then each element path
1126 returned will have zero or more flags appened to it. These flags are
1127 delimited from the element path by a single space character. A flag itself
1128 is a single character. Flag <code>P</code> indicates that access to the element
1129 is denied. Flag <code>+</code> indicates that there are child nodes of
1130 the current element path. Flag <code>E</code> indicates that an element of an
1131 element path contained in a <var>target</var> attribute could not be found. Flag
1132 <code>O</code> indicates that a <var>target</var> attribute recursion limit was reached
1133 (see <a href="#Configuration">Configuration</a>). Flag <code>T</code> will append the resolved element path
1134 of the <var>target</var> attribute contained in the current element (see below).
1135 </p>
1136 <p>The <samp>--with-target</samp> option implies <samp>--verbose</samp> and will append
1137 an additional flag <code>T</code> followed by a single space then an element path.
1138 The appended element path is the resolved path (see <a href="#REALPATH">REALPATH</a>) of the
1139 current element when it contains a <var>target</var> attribute. When no
1140 <var>target</var> attribute is found then no flag will be appended.
1141 </p>
1142 <p>The <samp>--no-recurse</samp> option limits the amount of data returned to only
1143 the listing of children of the specified element path and not any
1144 grandchildren.
1145 </p>
1146 <p>The <samp>--all</samp> option lists the entire element tree for each root
1147 element. This option also implies option <samp>--verbose</samp>.
1148 </p>
1149 <p>When the <samp>--inquire</samp> option is passed then all remaining non-option
1150 arguments are retrieved via a server <em>INQUIRE</em>.
1151 </p>
1153 <hr>
1154 <a name="LOCK"></a>
1155 <div class="header">
1157 Next: <a href="#LS" accesskey="n" rel="next">LS</a>, Previous: <a href="#LIST" accesskey="p" rel="prev">LIST</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
1158 </div>
1159 <a name="LOCK-command"></a>
1160 <h2 class="chapter">23 LOCK command</h2>
1161 <a name="index-LOCK-command"></a>
1162 <p>Syntax:
1163 </p><div class="example">
1164 <pre class="example">LOCK
1165 </pre></div>
1167 <p>Locks the mutex associated with the opened file. This prevents other clients
1168 from sending commands to the same opened file until the client
1169 that sent this command either disconnects or sends the <code>UNLOCK</code>
1170 command. See <a href="#UNLOCK">UNLOCK</a>.
1171 </p>
1173 <hr>
1174 <a name="LS"></a>
1175 <div class="header">
1177 Next: <a href="#MOVE" accesskey="n" rel="next">MOVE</a>, Previous: <a href="#LOCK" accesskey="p" rel="prev">LOCK</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
1178 </div>
1179 <a name="LS-command"></a>
1180 <h2 class="chapter">24 LS command</h2>
1181 <a name="index-LS-command"></a>
1182 <p>Syntax:
1183 </p><div class="example">
1184 <pre class="example">LS
1185 </pre></div>
1187 <p>Lists the available data files stored in the data directory
1188 (<samp>~/.pwmd/data</samp>). The result is a newline separated list of filenames.
1189 </p>
1191 <hr>
1192 <a name="MOVE"></a>
1193 <div class="header">
1195 Next: <a href="#NOP" accesskey="n" rel="next">NOP</a>, Previous: <a href="#LS" accesskey="p" rel="prev">LS</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
1196 </div>
1197 <a name="MOVE-command"></a>
1198 <h2 class="chapter">25 MOVE command</h2>
1199 <a name="index-MOVE-command"></a>
1200 <p>Syntax:
1201 </p><div class="example">
1202 <pre class="example">MOVE [--inquire] [!]source[&lt;TAB&gt;[!]child[..]] [[!]dest[&lt;TAB&gt;[!]child[..]]]
1203 </pre></div>
1205 <p>Moves the source element path to the destination element path. If the
1206 destination is not specified then it will be moved to the root node of the
1207 document. If the destination is specified and exists then it will be
1208 overwritten; otherwise non-existing elements of the destination element
1209 path will be created.
1210 </p>
1211 <p>When the <samp>--inquire</samp> option is passed then all remaining non-option
1212 arguments are retrieved via a server <em>INQUIRE</em>.
1213 </p>
1215 <hr>
1216 <a name="NOP"></a>
1217 <div class="header">
1219 Next: <a href="#OPEN" accesskey="n" rel="next">OPEN</a>, Previous: <a href="#MOVE" accesskey="p" rel="prev">MOVE</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
1220 </div>
1221 <a name="NOP-command"></a>
1222 <h2 class="chapter">26 NOP command</h2>
1223 <a name="index-NOP-command"></a>
1224 <p>Syntax:
1225 </p><div class="example">
1226 <pre class="example">NOP
1227 </pre></div>
1229 <p>Does nothing. Always returns successfully.
1230 </p>
1232 <hr>
1233 <a name="OPEN"></a>
1234 <div class="header">
1236 Next: <a href="#OPTION" accesskey="n" rel="next">OPTION</a>, Previous: <a href="#NOP" accesskey="p" rel="prev">NOP</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
1237 </div>
1238 <a name="OPEN-command"></a>
1239 <h2 class="chapter">27 OPEN command</h2>
1240 <a name="index-OPEN-command"></a>
1241 <p>Syntax:
1242 </p><div class="example">
1243 <pre class="example">OPEN [--lock] &lt;filename&gt; [&lt;passphrase&gt;]
1244 </pre></div>
1246 <p>Opens <var>filename</var> using <var>passphrase</var>. When the filename is not
1247 found on the file-system then a new document will be created. If the file
1248 is found, it is looked for in the file cache. If cached and no
1249 <var>passphrase</var> was specified then the cached document is opened. When not
1250 cached, <cite>pinentry(1)</cite> will be used to retrieve the passphrase to use
1251 for decryption unless <samp>disable-pinentry</samp> (see <a href="#OPTION">OPTION</a>) was
1252 specified.
1253 </p>
1254 <p>When the <samp>--lock</samp> option is passed then the file mutex will be
1255 locked as if the <code>LOCK</code> command (see <a href="#LOCK">LOCK</a>) had been sent after the
1256 file has been opened.
1257 </p>
1259 <hr>
1260 <a name="OPTION"></a>
1261 <div class="header">
1263 Next: <a href="#PASSWD" accesskey="n" rel="next">PASSWD</a>, Previous: <a href="#OPEN" accesskey="p" rel="prev">OPEN</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
1264 </div>
1265 <a name="OPTION-command"></a>
1266 <h2 class="chapter">28 OPTION command</h2>
1267 <a name="index-OPTION-command"></a>
1268 <p>Syntax:
1269 </p><div class="example">
1270 <pre class="example">OPTION &lt;NAME&gt;=&lt;VALUE&gt;
1271 </pre></div>
1273 <p>Sets a client option <var>name</var> to <var>value</var>. The value for an option is
1274 kept for the duration of the connection.
1275 </p>
1276 <dl compact="compact">
1277 <dt>DISABLE-PINENTRY</dt>
1278 <dd><p>Disable use of <code>pinentry</code> for passphrase retrieval. When set, a
1279 server inquire is sent to the client to obtain the passphrase. This option
1280 may be set as needed before the <code>OPEN</code> (see <a href="#OPEN">OPEN</a>), <code>PASSWD</code>
1281 (see <a href="#PASSWD">PASSWD</a>) and <code>SAVE</code> (see <a href="#SAVE">SAVE</a>) commands.
1282 </p>
1283 </dd>
1284 <dt>PINENTRY-TIMEOUT</dt>
1285 <dd><p>Sets the number of seconds before a pinentry prompt will return an error
1286 while waiting for user input.
1287 </p>
1288 </dd>
1289 <dt>TTYNAME</dt>
1290 <dd><p>Passed to the <code>gpg-agent</code> and used for the <code>pinentry</code> dialog.
1291 </p>
1292 </dd>
1293 <dt>TTYTYPE</dt>
1294 <dd><p>Passed to the <code>gpg-agent</code> and used for the <code>pinentry</code> dialog.
1295 </p>
1296 </dd>
1297 <dt>DISPLAY</dt>
1298 <dd><p>Passed to the <code>gpg-agent</code> and used for the <code>pinentry</code> dialog.
1299 </p>
1300 </dd>
1301 <dt>PINENTRY-DESC</dt>
1302 <dd><p>Sets the description string of the <code>gpg-agent</code> and <code>pinentry</code> dialog.
1303 </p>
1304 </dd>
1305 <dt>PINENTRY-TITLE</dt>
1306 <dd><p>Sets the title string of the <code>gpg-agent</code> and <code>pinentry</code> dialog.
1307 </p>
1308 </dd>
1309 <dt>PINENTRY-PROMPT</dt>
1310 <dd><p>Sets the prompt string of the <code>gpg-agent</code> and <code>pinentry</code> dialog.
1311 </p>
1312 </dd>
1313 <dt>LC-CTYPE</dt>
1314 <dd><p>Passed to the <code>gpg-agent</code> and used for the <code>pinentry</code> dialog.
1315 </p>
1316 </dd>
1317 <dt>LC-MESSAGES</dt>
1318 <dd><p>Passed to the <code>gpg-agent</code> and used for the <code>pinentry</code> dialog.
1319 </p>
1320 </dd>
1321 <dt>NAME</dt>
1322 <dd><p>Associates the thread ID of the connection with the specified textual
1323 representation. Useful for debugging log messages.
1324 </p>
1325 </dd>
1326 <dt>LOCK-TIMEOUT</dt>
1327 <dd><p>When not <code>0</code>, the duration in tenths of a second to wait for the file
1328 mutex which has been locked by another thread to be released before returning
1329 an error. When <code>-1</code>, then an error will be returned immediately.
1330 </p>
1331 </dd>
1332 <dt>LOG-LEVEL</dt>
1333 <dd><p>An integer specifiying the logging level.
1334 </p></dd>
1335 </dl>
1338 <hr>
1339 <a name="PASSWD"></a>
1340 <div class="header">
1342 Next: <a href="#REALPATH" accesskey="n" rel="next">REALPATH</a>, Previous: <a href="#OPTION" accesskey="p" rel="prev">OPTION</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
1343 </div>
1344 <a name="PASSWD-command"></a>
1345 <h2 class="chapter">29 PASSWD command</h2>
1346 <a name="index-PASSWD-command"></a>
1347 <p>Syntax:
1348 </p><div class="example">
1349 <pre class="example">PASSWD [--reset] [--s2k-count=N] [--no-passphrase]
1350 </pre></div>
1352 <p>Changes the passphrase of the secret key required to open the current
1353 file or the passphrase of a symmetrically encrypted data file. When the
1354 <samp>--reset</samp> option is passed then the cache entry for the current
1355 file will be reset and the passphrase, if any, will be required during the
1356 next <code>OPEN</code> (see <a href="#OPEN">OPEN</a>).
1357 </p>
1358 <p>The <samp>--s2k-count</samp> option sets or changes (see <a href="#SAVE">SAVE</a>) the number
1359 of hash iterations for a passphrase and must be either <code>0</code> to use
1360 the calibrated count of the machine (the default), or a value greater than
1361 or equal to <code>65536</code>. This option has no effect for symmetrically
1362 encrypted data files.
1363 </p>
1364 <p>The <samp>--no-passphrase</samp> option will prevent requiring a passphrase for
1365 the data file, although a passphrase may be required when changing it.
1366 </p>
1367 <p>This command is not available for non-invoking clients
1368 (see <a href="#Access-Control">Access Control</a>).
1369 </p>
1371 <hr>
1372 <a name="REALPATH"></a>
1373 <div class="header">
1375 Next: <a href="#RENAME" accesskey="n" rel="next">RENAME</a>, Previous: <a href="#PASSWD" accesskey="p" rel="prev">PASSWD</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
1376 </div>
1377 <a name="REALPATH-command"></a>
1378 <h2 class="chapter">30 REALPATH command</h2>
1379 <a name="index-REALPATH-command"></a>
1380 <p>Syntax:
1381 </p><div class="example">
1382 <pre class="example">REALPATH [--inquire] [!]element[&lt;TAB&gt;[!]child[..]]
1383 </pre></div>
1385 <p>Resolves all <code>target</code> attributes of the specified element path and
1386 returns the result with a data response. See <a href="#Target-Attribute">Target Attribute</a>, for details.
1387 </p>
1388 <p>When the <samp>--inquire</samp> option is passed then all remaining non-option
1389 arguments are retrieved via a server <em>INQUIRE</em>.
1390 </p>
1392 <hr>
1393 <a name="RENAME"></a>
1394 <div class="header">
1396 Next: <a href="#RESET" accesskey="n" rel="next">RESET</a>, Previous: <a href="#REALPATH" accesskey="p" rel="prev">REALPATH</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
1397 </div>
1398 <a name="RENAME-command"></a>
1399 <h2 class="chapter">31 RENAME command</h2>
1400 <a name="index-RENAME-command"></a>
1401 <p>Syntax:
1402 </p><div class="example">
1403 <pre class="example">RENAME [--inquire] [!]element[&lt;TAB&gt;[!]child[..]] &lt;value&gt;
1404 </pre></div>
1406 <p>Renames the specified <var>element</var> to the new <var>value</var>. If an element of
1407 the same name as the <var>value</var> already exists it will be overwritten.
1408 </p>
1409 <p>When the <samp>--inquire</samp> option is passed then all remaining non-option
1410 arguments are retrieved via a server <em>INQUIRE</em>.
1411 </p>
1413 <hr>
1414 <a name="RESET"></a>
1415 <div class="header">
1417 Next: <a href="#SAVE" accesskey="n" rel="next">SAVE</a>, Previous: <a href="#RENAME" accesskey="p" rel="prev">RENAME</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
1418 </div>
1419 <a name="RESET-command"></a>
1420 <h2 class="chapter">32 RESET command</h2>
1421 <a name="index-RESET-command"></a>
1422 <p>Syntax:
1423 </p><div class="example">
1424 <pre class="example">RESET
1425 </pre></div>
1427 <p>Closes the currently opened file but keeps any previously set client options.
1428 </p>
1430 <hr>
1431 <a name="SAVE"></a>
1432 <div class="header">
1434 Next: <a href="#STORE" accesskey="n" rel="next">STORE</a>, Previous: <a href="#RESET" accesskey="p" rel="prev">RESET</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
1435 </div>
1436 <a name="SAVE-command"></a>
1437 <h2 class="chapter">33 SAVE command</h2>
1438 <a name="index-SAVE-command"></a>
1439 <p>Syntax:
1440 </p><div class="example">
1441 <pre class="example">SAVE [--no-passphrase] [--reset] [--no-agent] [--s2k-count=N] [--cipher=&lt;algo&gt;] [--cipher-iterations=N] [--inquire-keyparam] [--keygrip=hexstring] [--sign-keygrip=hexstring]
1442 </pre></div>
1444 <p>Writes the <abbr>XML</abbr> document to disk. The file written to is the file that
1445 was opened using the <code>OPEN</code> command (see <a href="#OPEN">OPEN</a>). If the file is a
1446 new one or the option <samp>--inquire-keyparam</samp> was passed, then a new
1447 keypair will be generated and a pinentry will be used to prompt for the
1448 passphrase to encrypt with unless the <samp>--no-passphrase</samp> option was
1449 passed in which case the data file will not be passphrase protected.
1450 </p>
1451 <p>The <samp>--no-agent</samp> option disables use of <code>gpg-agent</code> for
1452 passphrase retrieval and caching of new files when <code>gpg-agent</code>
1453 use is enabled. The datafile will be symmetrically encrypted and will not
1454 use or generate any keypair.
1455 </p>
1456 <p>The <samp>--reset</samp> option will clear the cache entry for the current file
1457 and require a passphrase, if needed, before saving.
1458 </p>
1459 <p>The <samp>--cipher</samp> option can be used to encrypt the <abbr>XML</abbr> data to
1460 an alternate cipher. The default is <code>aes256</code>. See the Configuration
1461 (see <a href="#Configuration">Configuration</a>) for available ciphers.
1462 </p>
1463 <p>The <samp>--cipher-iterations</samp> option specifies the number of times to
1464 encrypt the XML data. The default is 0 although 1 iteration is still done.
1465 </p>
1466 <p>The <samp>--inquire-keyparam</samp> option will send a server <em>INQUIRE</em> to
1467 the client to obtain the key paramaters to use when generating a new
1468 keypair. The inquired data is expected to be an S-expression. If not
1469 specified then an &lsquo;<samp>RSA</samp>&rsquo; key of &lsquo;<samp>2048</samp>&rsquo; bits will be generated
1470 unless otherwise set in the configuration file (see <a href="#Configuration">Configuration</a>). Note
1471 that when this option is specified a new keypair will be generated
1472 reguardless if the file is a new one and that if the data file is protected
1473 the passphrase to open it will be required before generating the new
1474 keypair. This option is not available for non-invoking clients
1475 (see <a href="#Access-Control">Access Control</a>).
1476 </p>
1477 <p>You can encrypt the data file to a public key other than the one that it
1478 was originally encrypted with by passing the <samp>--keygrip</samp> option with
1479 the hex encoded keygrip of the public key as its argument. The keygrip may
1480 be of any key that <code>gpg-agent</code> knows about. The
1481 <samp>--sign-keygrip</samp> option may also be used to sign with an alternate
1482 secret key. Use the <code>KEYGRIP</code> (see <a href="#KEYGRIP">KEYGRIP</a>) command to obtain the
1483 keygrip of an existing data file. This option may be needed when using a
1484 smartcard. This option has no effect with symmetrically encrypted data
1485 files. These options are not available for non-invoking clients
1486 (see <a href="#Access-Control">Access Control</a>).
1487 </p>
1488 <p>The <samp>--s2k-count</samp> option sets number of hash iterations for a
1489 passphrase. A value less-than <code>65536</code> will use the machine calibrated
1490 value and is the default. This setting only affects new files. To change
1491 the setting use the <code>PASSWD</code> command (see <a href="#PASSWD">PASSWD</a>). This option
1492 has no effect with symmetrically encrypted data files.
1493 </p>
1495 <hr>
1496 <a name="STORE"></a>
1497 <div class="header">
1499 Next: <a href="#UNLOCK" accesskey="n" rel="next">UNLOCK</a>, Previous: <a href="#SAVE" accesskey="p" rel="prev">SAVE</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
1500 </div>
1501 <a name="STORE-command"></a>
1502 <h2 class="chapter">34 STORE command</h2>
1503 <a name="index-STORE-command"></a>
1504 <p>Syntax:
1505 </p><div class="example">
1506 <pre class="example">STORE [!]element[&lt;TAB&gt;[!]child[..]]&lt;TAB&gt;[content]
1507 </pre></div>
1509 <p>This command uses a server <em>INQUIRE</em> to retrieve data from the client.
1510 </p>
1511 <p>Creates a new element path or modifies the <var>content</var> of an existing
1512 element. If only a single element is specified then a new root element is
1513 created. Otherwise, elements are <tt class="key">TAB</tt> delimited and the content will be
1514 set to the final <tt class="key">TAB</tt> delimited element. If no <var>content</var> is
1515 specified after the final <tt class="key">TAB</tt>, then the content of an existing
1516 element will be removed; or empty when creating a new element.
1517 </p>
1518 <p>The only restriction of an element name is that it not contain whitespace
1519 or begin with the literal element character <code>!</code> unless specifying a
1520 literal element (see <a href="#Target-Attribute">Target Attribute</a>). There is no whitespace between
1521 the <tt class="key">TAB</tt> delimited elements. It is recommended that the content of an
1522 element be base64 encoded when it contains control or <tt class="key">TAB</tt> characters
1523 to prevent <abbr>XML</abbr> parsing and <code>pwmd</code> syntax errors.
1524 </p>
1526 <hr>
1527 <a name="UNLOCK"></a>
1528 <div class="header">
1530 Next: <a href="#XPATH" accesskey="n" rel="next">XPATH</a>, Previous: <a href="#STORE" accesskey="p" rel="prev">STORE</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
1531 </div>
1532 <a name="UNLOCK-command"></a>
1533 <h2 class="chapter">35 UNLOCK command</h2>
1534 <a name="index-UNLOCK-command"></a>
1535 <p>Syntax:
1536 </p><div class="example">
1537 <pre class="example">UNLOCK
1538 </pre></div>
1540 <p>Unlocks the file mutex which was locked with the <code>LOCK</code> command or
1541 a commands&rsquo; <samp>--lock</samp> option (see <a href="#LOCK">LOCK</a>, see <a href="#OPEN">OPEN</a>,
1542 see <a href="#ISCACHED">ISCACHED</a>).
1543 </p>
1545 <hr>
1546 <a name="XPATH"></a>
1547 <div class="header">
1549 Next: <a href="#XPATHATTR" accesskey="n" rel="next">XPATHATTR</a>, Previous: <a href="#UNLOCK" accesskey="p" rel="prev">UNLOCK</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
1550 </div>
1551 <a name="XPATH-command"></a>
1552 <h2 class="chapter">36 XPATH command</h2>
1553 <a name="index-XPATH-command"></a>
1554 <p>Syntax:
1555 </p><div class="example">
1556 <pre class="example">XPATH [--inquire] &lt;expression&gt;[&lt;TAB&gt;[value]]
1557 </pre></div>
1559 <p>Evaluates an XPath <var>expression</var>. If no <var>value</var> argument is
1560 specified it is assumed the expression is a request to return a result.
1561 Otherwise, the result is set to the <var>value</var> argument and the document is
1562 updated. If there is no <var>value</var> after the <tt class="key">TAB</tt> character, the value
1563 is assumed to be empty and the document is updated. For example:
1564 </p><br>
1565 <div class="example">
1566 <pre class="example">XPATH //element[@_name='password']<span class="key">TAB</span>
1567 </pre></div>
1568 <br>
1569 <p>would clear the content of all <code>password</code> elements in the data file
1570 while leaving off the trailing <tt class="key">TAB</tt> would return all <code>password</code>
1571 elements in <abbr>XML</abbr> format.
1572 </p>
1573 <p>When the <samp>--inquire</samp> option is passed then all remaining non-option
1574 arguments are retrieved via a server <em>INQUIRE</em>.
1575 </p>
1576 <p>See <a href="http://www.w3schools.com/xpath/xpath_syntax.asp">http://www.w3schools.com/xpath/xpath_syntax.asp</a> for <abbr>XPATH</abbr>
1577 expression syntax.
1578 </p>
1580 <hr>
1581 <a name="XPATHATTR"></a>
1582 <div class="header">
1584 Previous: <a href="#XPATH" accesskey="p" rel="prev">XPATH</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
1585 </div>
1586 <a name="XPATHATTR-command"></a>
1587 <h2 class="chapter">37 XPATHATTR command</h2>
1588 <a name="index-XPATHATTR-command"></a>
1589 <p>Syntax:
1590 </p><div class="example">
1591 <pre class="example">XPATHATTR [--inquire] SET|DELETE &lt;name&gt; &lt;expression&gt;[&lt;TAB&gt;[&lt;value&gt;]]
1592 </pre></div>
1594 <p>Like the <code>XPATH</code> command (see <a href="#XPATH">XPATH</a>) but operates on element
1595 attributes and does not return a result. For the <var>SET</var> operation the
1596 <var>value</var> is optional but the field is required. If not specified then
1597 the attribute value will be empty. For example:
1598 </p><br>
1599 <div class="example">
1600 <pre class="example">XPATHATTR SET password //element[@_name='password']<span class="key">TAB</span>
1601 </pre></div>
1602 <br>
1603 <p>would create an <code>password</code> attribute for each <code>password</code> element
1604 found in the document. The attribute value will be empty but still exist.
1605 </p>
1606 <p>When the <samp>--inquire</samp> option is passed then all remaining non-option
1607 arguments are retrieved via a server <em>INQUIRE</em>.
1608 </p>
1609 <p>See <a href="http://www.w3schools.com/xpath/xpath_syntax.asp">http://www.w3schools.com/xpath/xpath_syntax.asp</a> for <abbr>XPATH</abbr>
1610 expression syntax.
1611 </p>
1614 <hr>
1615 <a name="Status-Messages"></a>
1616 <div class="header">
1618 Next: <a href="#Target-Attribute" accesskey="n" rel="next">Target Attribute</a>, Previous: <a href="#Commands" accesskey="p" rel="prev">Commands</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
1619 </div>
1620 <a name="Status-messages-and-their-meanings"></a>
1621 <h2 class="chapter">38 Status messages and their meanings</h2>
1622 <p>Some commands send status messages to inform the client about certain
1623 operations or as a progress indicator. Status messages begin with a
1624 <code>KEYWORD</code> followed by a status description for status messages that
1625 require it. What status messages are sent, when, and how often may depend on
1626 configuration settings (see <a href="#Configuration">Configuration</a>). A status message sent from
1627 <code>gpg-agent</code> (See <a href="http://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html#Invoking-GPG_002dAGENT">(gnupg)Invoking GPG-AGENT</a>) is also forwarded to
1628 the client.
1629 </p>
1630 <table>
1631 <thead><tr><th width="20%">Message</th><th width="25%">Parameters</th><th width="55%">Description</th></tr></thead>
1632 <tr><td width="20%">CACHE
1633 <a name="index-CACHE"></a></td><td width="25%"><code>&lt;integer&gt;</code></td><td width="55%">The number of cached documents. Sent to each client after connecting
1634 (see <a href="#GETINFO">GETINFO</a>) and after every cache modification.</td></tr>
1635 <tr><td width="20%">CLIENTS
1636 <a name="index-CLIENTS"></a></td><td width="25%"><code>&lt;integer&gt;</code></td><td width="55%">The number of connected clients (see <a href="#GETINFO">GETINFO</a>). Sent to each client
1637 when another client either connects or disconnects.</td></tr>
1638 <tr><td width="20%">DECRYPT
1639 <a name="index-DECRYPT"></a></td><td width="25%"><code>&lt;current&gt;</code> <code>&lt;total&gt;</code></td><td width="55%">Sent to the current client during a decrypt operation. How often this
1640 status message is sent is determined by the <code>cipher_progress</code>
1641 (see <a href="#Configuration">Configuration</a>) setting.</td></tr>
1642 <tr><td width="20%">ENCRYPT
1643 <a name="index-ENCRYPT"></a></td><td width="25%"><code>&lt;current&gt;</code> <code>&lt;total&gt;</code></td><td width="55%">Sent to the current client during an encrypt operation. How often this
1644 status message is sent is determined by the <code>cipher_progress</code>
1645 (see <a href="#Configuration">Configuration</a>) setting.</td></tr>
1646 <tr><td width="20%">GENKEY
1647 <a name="index-GENKEY"></a></td><td width="25%"></td><td width="55%">Sent once to the current client just before generating a new key-pair.</td></tr>
1648 <tr><td width="20%">INQUIRE_MAXLEN
1649 <a name="index-INQUIRE_005fMAXLEN"></a></td><td width="25%"><code>&lt;bytes&gt;</code></td><td width="55%">Sent to the client from <code>gpg-agent</code> when inquiring data. This
1650 specifies the maximum number of bytes allowed for the client to send and
1651 should not be exceeded.</td></tr>
1652 <tr><td width="20%">KEEPALIVE
1653 <a name="index-KEEPALIVE"></a></td><td width="25%"></td><td width="55%">Sent to each idle client every <var>keepalive_interval</var>
1654 (see <a href="#Configuration">Configuration</a>) seconds.</td></tr>
1655 <tr><td width="20%">LOCKED
1656 <a name="index-LOCKED"></a></td><td width="25%"></td><td width="55%">Sent to the current client when another client is holding the lock for
1657 the mutex associated with a file.</td></tr>
1658 <tr><td width="20%">NEWFILE
1659 <a name="index-NEWFILE"></a></td><td width="25%"></td><td width="55%">Sent to the current client when the opened (see <a href="#OPEN">OPEN</a>) file does not
1660 exist on the file-system.</td></tr>
1661 <tr><td width="20%">XFER
1662 <a name="index-XFER"></a></td><td width="25%"><code>&lt;sent&gt; &lt;total&gt;</code></td><td width="55%">Sent to the current client when transferring data. It has two space
1663 delimited arguments. The first being the current amount of bytes transferred
1664 and the other being the total bytes to be transferred.</td></tr>
1665 </table>
1667 <hr>
1668 <a name="Target-Attribute"></a>
1669 <div class="header">
1671 Next: <a href="#Signals" accesskey="n" rel="next">Signals</a>, Previous: <a href="#Status-Messages" accesskey="p" rel="prev">Status Messages</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
1672 </div>
1673 <a name="The-target-attribute"></a>
1674 <h2 class="chapter">39 The <code>target</code> attribute</h2>
1675 <a name="index-target-attribute"></a>
1676 <p>A <em>case sensitive</em> attribute named <code>target</code> is treated specially
1677 when found in each element of an element path. This attribute, like other
1678 element attributes, is created or modified with the <code>ATTR</code> command
1679 (see <a href="#ATTR">ATTR</a>). The value of this attribute is an existing element path
1680 somewhere in the document. If you are familiar with <abbr>XML</abbr> entities or
1681 maybe the <abbr>HTML</abbr> <code>id</code> or <code>target</code> attributes or a symbolic link
1682 in a file-system, you may find this attribute behaves similar to any of those.
1683 </p>
1684 <p>To create a <code>target</code> attribute use the following syntax:
1685 </p>
1686 <div class="example">
1687 <pre class="example">ATTR SET target [!]element[<span class="key">TAB</span>[!]child[..]] [!]element[<span class="key">TAB</span>[!]child[..]]
1688 </pre></div>
1690 <p>Note the single space between the two element paths. The first element path is
1691 where the <code>target</code> attribute will be created. If the element path does
1692 not exist then it will be created. This is the only time the <code>ATTR</code>
1693 (see <a href="#ATTR">ATTR</a>) command will create elements. The attribute is created in the
1694 final element of the first element path.
1695 </p>
1696 <p>The second element path is the destination of where you want the first element
1697 path to resolve to. When an element path is passed as an argument to a
1698 protocol command <code>pwmd</code> looks for a <code>target</code> attribute when
1699 resolving each element and, if found, &quot;jumps&quot; to the attribute value and
1700 continues resolving any remaining elements. When you want to avoid the
1701 <code>target</code> attribute for any element of an element path then prefix the
1702 element with the literal element character &lsquo;<samp>!</samp>&rsquo;.
1703 </p>
1704 <p>When an element of a element path is removed that a <code>target</code> attribute
1705 resolves to then an error will occur when trying to access that element. You
1706 may need to either update the <code>target</code> attribute value with a new element
1707 path or remove the attribute entirely. Remember that since the element
1708 contains the <code>target</code> attribute it will need to be prefixed with the
1709 literal element character &lsquo;<samp>!</samp>&rsquo; when specifying the element path to prevent
1710 <code>pwmd</code> from trying to resolve the <code>target</code> attribute. For
1711 example, to remove a <code>target</code> attribute for an element containing it:
1712 </p>
1713 <div class="example">
1714 <pre class="example">ATTR DELETE target path<span class="key">TAB</span>to<span class="key">TAB</span>!element
1715 </pre></div>
1717 <p>Clients should be careful of creating <code>target</code> loops, or targets that
1718 resolve to themselves. See the <var>recursion_depth</var> (see <a href="#Configuration">Configuration</a>)
1719 configuration parameter for details.
1720 </p>
1721 <p>The <code>REALPATH</code> command (see <a href="#REALPATH">REALPATH</a>) can be used to show the element
1722 path after resolving all <code>target</code> attributes.
1723 </p>
1725 <hr>
1726 <a name="Signals"></a>
1727 <div class="header">
1729 Next: <a href="#Concept-Index" accesskey="n" rel="next">Concept Index</a>, Previous: <a href="#Target-Attribute" accesskey="p" rel="prev">Target Attribute</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
1730 </div>
1731 <a name="Recognized-signals"></a>
1732 <h2 class="chapter">40 Recognized signals</h2>
1734 <p>Sending the <em>SIGHUP</em> signal to a <code>pwmd</code> process will reload the
1735 configuration file and sending <em>SIGUSR1</em> will clear the entire file
1736 cache.
1737 </p>
1740 <hr>
1741 <a name="Concept-Index"></a>
1742 <div class="header">
1744 Previous: <a href="#Signals" accesskey="p" rel="prev">Signals</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
1745 </div>
1746 <a name="Concept-Index-1"></a>
1747 <h2 class="unnumbered">Concept Index</h2>
1750 <a name="SEC_Overview"></a>
1751 <h2 class="shortcontents-heading">Short Table of Contents</h2>
1753 <div class="shortcontents">
1754 <ul class="no-bullet">
1755 <li><a name="stoc-Overview-of-pwmd" href="#toc-Overview-of-pwmd">1 Overview of <code>pwmd</code></a></li>
1756 <li><a name="stoc-Access-Control-1" href="#toc-Access-Control-1">2 Access Control</a></li>
1757 <li><a name="stoc-Invoking-pwmd" href="#toc-Invoking-pwmd">3 Invoking <code>pwmd</code></a></li>
1758 <li><a name="stoc-pwmd-configuration-file-options" href="#toc-pwmd-configuration-file-options">4 <code>pwmd</code> configuration file options</a></li>
1759 <li><a name="stoc-Configuring-remote-connections-over-TLS_002e" href="#toc-Configuring-remote-connections-over-TLS_002e">5 Configuring remote connections over TLS.</a></li>
1760 <li><a name="stoc-Pinentry-configuration" href="#toc-Pinentry-configuration">6 Pinentry configuration</a></li>
1761 <li><a name="stoc-Protocol-commands-and-their-syntax" href="#toc-Protocol-commands-and-their-syntax">7 Protocol commands and their syntax</a></li>
1762 <li><a name="stoc-AGENT-command" href="#toc-AGENT-command">8 AGENT command</a></li>
1763 <li><a name="stoc-ATTR-command" href="#toc-ATTR-command">9 ATTR command</a></li>
1764 <li><a name="stoc-CACHETIMEOUT-command" href="#toc-CACHETIMEOUT-command">10 CACHETIMEOUT command</a></li>
1765 <li><a name="stoc-CLEARCACHE-command" href="#toc-CLEARCACHE-command">11 CLEARCACHE command</a></li>
1766 <li><a name="stoc-COPY-command" href="#toc-COPY-command">12 COPY command</a></li>
1767 <li><a name="stoc-DELETE-command" href="#toc-DELETE-command">13 DELETE command</a></li>
1768 <li><a name="stoc-DUMP-command" href="#toc-DUMP-command">14 DUMP command</a></li>
1769 <li><a name="stoc-GET-command" href="#toc-GET-command">15 GET command</a></li>
1770 <li><a name="stoc-GETCONFIG-command" href="#toc-GETCONFIG-command">16 GETCONFIG command</a></li>
1771 <li><a name="stoc-GETINFO-command" href="#toc-GETINFO-command">17 GETINFO command</a></li>
1772 <li><a name="stoc-HELP-command" href="#toc-HELP-command">18 HELP command</a></li>
1773 <li><a name="stoc-IMPORT-command" href="#toc-IMPORT-command">19 IMPORT command</a></li>
1774 <li><a name="stoc-ISCACHED-command" href="#toc-ISCACHED-command">20 ISCACHED command</a></li>
1775 <li><a name="stoc-KEYGRIP-command" href="#toc-KEYGRIP-command">21 KEYGRIP command</a></li>
1776 <li><a name="stoc-LIST-command" href="#toc-LIST-command">22 LIST command</a></li>
1777 <li><a name="stoc-LOCK-command" href="#toc-LOCK-command">23 LOCK command</a></li>
1778 <li><a name="stoc-LS-command" href="#toc-LS-command">24 LS command</a></li>
1779 <li><a name="stoc-MOVE-command" href="#toc-MOVE-command">25 MOVE command</a></li>
1780 <li><a name="stoc-NOP-command" href="#toc-NOP-command">26 NOP command</a></li>
1781 <li><a name="stoc-OPEN-command" href="#toc-OPEN-command">27 OPEN command</a></li>
1782 <li><a name="stoc-OPTION-command" href="#toc-OPTION-command">28 OPTION command</a></li>
1783 <li><a name="stoc-PASSWD-command" href="#toc-PASSWD-command">29 PASSWD command</a></li>
1784 <li><a name="stoc-REALPATH-command" href="#toc-REALPATH-command">30 REALPATH command</a></li>
1785 <li><a name="stoc-RENAME-command" href="#toc-RENAME-command">31 RENAME command</a></li>
1786 <li><a name="stoc-RESET-command" href="#toc-RESET-command">32 RESET command</a></li>
1787 <li><a name="stoc-SAVE-command" href="#toc-SAVE-command">33 SAVE command</a></li>
1788 <li><a name="stoc-STORE-command" href="#toc-STORE-command">34 STORE command</a></li>
1789 <li><a name="stoc-UNLOCK-command" href="#toc-UNLOCK-command">35 UNLOCK command</a></li>
1790 <li><a name="stoc-XPATH-command" href="#toc-XPATH-command">36 XPATH command</a></li>
1791 <li><a name="stoc-XPATHATTR-command" href="#toc-XPATHATTR-command">37 XPATHATTR command</a></li>
1792 <li><a name="stoc-Status-messages-and-their-meanings" href="#toc-Status-messages-and-their-meanings">38 Status messages and their meanings</a></li>
1793 <li><a name="stoc-The-target-attribute" href="#toc-The-target-attribute">39 The <code>target</code> attribute</a></li>
1794 <li><a name="stoc-Recognized-signals" href="#toc-Recognized-signals">40 Recognized signals</a></li>
1795 <li><a name="stoc-Concept-Index-1" href="#toc-Concept-Index-1">Concept Index</a></li>
1797 </ul>
1798 </div>
1800 <a name="SEC_Contents"></a>
1801 <h2 class="contents-heading">Table of Contents</h2>
1803 <div class="contents">
1804 <ul class="no-bullet">
1805 <li><a name="toc-Overview-of-pwmd" href="#Introduction">1 Overview of <code>pwmd</code></a></li>
1806 <li><a name="toc-Access-Control-1" href="#Access-Control">2 Access Control</a></li>
1807 <li><a name="toc-Invoking-pwmd" href="#Invoking">3 Invoking <code>pwmd</code></a></li>
1808 <li><a name="toc-pwmd-configuration-file-options" href="#Configuration">4 <code>pwmd</code> configuration file options</a></li>
1809 <li><a name="toc-Configuring-remote-connections-over-TLS_002e" href="#TLS">5 Configuring remote connections over TLS.</a></li>
1810 <li><a name="toc-Pinentry-configuration" href="#Pinentry">6 Pinentry configuration</a></li>
1811 <li><a name="toc-Protocol-commands-and-their-syntax" href="#Commands">7 Protocol commands and their syntax</a></li>
1812 <li><a name="toc-AGENT-command" href="#AGENT">8 AGENT command</a></li>
1813 <li><a name="toc-ATTR-command" href="#ATTR">9 ATTR command</a></li>
1814 <li><a name="toc-CACHETIMEOUT-command" href="#CACHETIMEOUT">10 CACHETIMEOUT command</a></li>
1815 <li><a name="toc-CLEARCACHE-command" href="#CLEARCACHE">11 CLEARCACHE command</a></li>
1816 <li><a name="toc-COPY-command" href="#COPY">12 COPY command</a></li>
1817 <li><a name="toc-DELETE-command" href="#DELETE">13 DELETE command</a></li>
1818 <li><a name="toc-DUMP-command" href="#DUMP">14 DUMP command</a></li>
1819 <li><a name="toc-GET-command" href="#GET">15 GET command</a></li>
1820 <li><a name="toc-GETCONFIG-command" href="#GETCONFIG">16 GETCONFIG command</a></li>
1821 <li><a name="toc-GETINFO-command" href="#GETINFO">17 GETINFO command</a></li>
1822 <li><a name="toc-HELP-command" href="#HELP">18 HELP command</a></li>
1823 <li><a name="toc-IMPORT-command" href="#IMPORT">19 IMPORT command</a></li>
1824 <li><a name="toc-ISCACHED-command" href="#ISCACHED">20 ISCACHED command</a></li>
1825 <li><a name="toc-KEYGRIP-command" href="#KEYGRIP">21 KEYGRIP command</a></li>
1826 <li><a name="toc-LIST-command" href="#LIST">22 LIST command</a></li>
1827 <li><a name="toc-LOCK-command" href="#LOCK">23 LOCK command</a></li>
1828 <li><a name="toc-LS-command" href="#LS">24 LS command</a></li>
1829 <li><a name="toc-MOVE-command" href="#MOVE">25 MOVE command</a></li>
1830 <li><a name="toc-NOP-command" href="#NOP">26 NOP command</a></li>
1831 <li><a name="toc-OPEN-command" href="#OPEN">27 OPEN command</a></li>
1832 <li><a name="toc-OPTION-command" href="#OPTION">28 OPTION command</a></li>
1833 <li><a name="toc-PASSWD-command" href="#PASSWD">29 PASSWD command</a></li>
1834 <li><a name="toc-REALPATH-command" href="#REALPATH">30 REALPATH command</a></li>
1835 <li><a name="toc-RENAME-command" href="#RENAME">31 RENAME command</a></li>
1836 <li><a name="toc-RESET-command" href="#RESET">32 RESET command</a></li>
1837 <li><a name="toc-SAVE-command" href="#SAVE">33 SAVE command</a></li>
1838 <li><a name="toc-STORE-command" href="#STORE">34 STORE command</a></li>
1839 <li><a name="toc-UNLOCK-command" href="#UNLOCK">35 UNLOCK command</a></li>
1840 <li><a name="toc-XPATH-command" href="#XPATH">36 XPATH command</a></li>
1841 <li><a name="toc-XPATHATTR-command" href="#XPATHATTR">37 XPATHATTR command</a></li>
1842 <li><a name="toc-Status-messages-and-their-meanings" href="#Status-Messages">38 Status messages and their meanings</a></li>
1843 <li><a name="toc-The-target-attribute" href="#Target-Attribute">39 The <code>target</code> attribute</a></li>
1844 <li><a name="toc-Recognized-signals" href="#Signals">40 Recognized signals</a></li>
1845 <li><a name="toc-Concept-Index-1" href="#Concept-Index">Concept Index</a></li>
1847 </ul>
1848 </div>
1850 <hr>
1854 </body>
1855 </html>