From 8b2f87c2d4725c75cfb2c3e41172f0035aebb090 Mon Sep 17 00:00:00 2001
From: Ben Kibbey Password Manager Daemon (or pwmd
) is a server that
applications connect to and send commands to put and get data
-that is stored in an OpenPGP encrypted XML document. It mimics a
-filesystem in a lot of ways including per element ACL’s, but also has
-the advantage of remote connections over TLS and a document cache. The
+that is stored in an OpenPGP encrypted XML document. It mimics a
+filesystem in a lot of ways including per element ACL’s, but also has
+the advantage of remote connections over TLS and a document cache. The
document cache is needed for a data file encrypted with keys stored on a
smartcard.
gpg-agent
, pinentry
and
GPG_ERR_SOURCE_USER_1 being the error source.
The XML document uses the following DTD: +
The XML document uses the following DTD:
<?xml version="1.0"?> @@ -122,9 +122,9 @@ is the same used bygpg-agent
,pinentry
andThe
pwmd
element is the document root node while all other elements of the document have the nameelement
with an attribute_name
whose value uniquely identifies the element at the current element tree depth. -It is done this way to avoid XML parsing errors for commonly used -characters. A URL for example would be an invalid XML element -since the URI contains a ‘:’ which is also the XML +It is done this way to avoid XML parsing errors for commonly used +characters. A URL for example would be an invalid XML element +since the URI contains a ‘:’ which is also the XML namespace separator.As mentioned, an element name must be unique for the current element tree @@ -135,7 +135,7 @@ element path beginning at the child node of the matched element.
An element path is a
TAB
delimited character string where eachTAB
separates each element in the path. For example, the element path -a
has the following XML document structure: +TAB
bTAB
ca
has the following XML document structure:TAB
bTAB
c<pwmd> @@ -161,17 +161,17 @@ Next: Invoking, Previous:2 Access Control
-Like a filesystem has an ACL to grant or limit access to directories or +
Like a filesystem has an ACL to grant or limit access to directories or files for a specific user or group,
-pwmd
can limit a local user, -group or a TLS connection to a specific element path. This is done by -storing an ACL in the element attribute _acl. Its syntax is +group or a TLS connection to a specific element path. This is done by +storing an ACL in the element attribute _acl. Its syntax is similar to the allowed configuration parameter (see Configuration) -with the exception that a TLS fingerprint hash is prefixed with a +with the exception that a TLS fingerprint hash is prefixed with a#
.Access is denied for all users that are not in the ACL of an element +
Access is denied for all users that are not in the ACL of an element with the exception of an invoking user (see the invoking_user). The -connected client must be in the ACL for each element in an element path +connected client must be in the ACL for each element in an element path otherwise an error is returned. As an example:
@@ -186,10 +186,10 @@ user, who may be a member of thewheel
group, is allowed. The SHA-2 TLS fingerprint hash#ABCDEF
is also allowed. No users other than an invoking_user are allowed access to thechild
element. -The first user listed in the ACL is considered the owner of the +
The first user listed in the ACL is considered the owner of the element. This determines which clients may modify an _acl attribute and store content for an element. An invoking_user may always modify an -ACL. +ACL.
@@ -202,8 +202,8 @@ Next: Configuration, Previ -
pwmd
uses GpgME for encryption, decryption and signing of the -OpenPGP data file. GpgME itself makes use ofgpg
for +
pwmd
uses GpgME for encryption, decryption and signing of the +OpenPGP data file. GpgME itself makes use ofgpg
for these operations so some configuration ofgpg
may also be needed.It is recommended to pass the --allow-preset-passphrase @@ -223,7 +223,7 @@ about the gpg_homedir parameter.
Non-option arguments are data files to cache upon startup. When the data file requires a passphrase for decryption a
@@ -262,9 +262,9 @@ from the --homedir and --rcfile options.pinentry
will prompt either -on the current TTY or from an X11 window when theDISPLAY
+on the current TTY or from an X11 window when theDISPLAY
environment variable is set. See Pinentry.‘--import, -I filename|-’ -Imports the XML filename. When filename is
-
the -XML is read from stdin. The XML file should be in conformance to -thepwmd
DTD (see Introduction). You will be prompted for +Imports the XML filename. When filename is
-
the +XML is read from stdin. The XML file should be in conformance to +thepwmd
DTD (see Introduction). You will be prompted for a passphrase to encrypt with. The output is written to the filename specified with --outfile. To make use of the imported data, place the output file in ~/.pwmd/data. @@ -281,7 +281,7 @@ file in ~/.pwmd/data.‘--keyparam filename’ The key parameters to use when generating a new key pair while importing an -XML file. The file contents must be in GnuPG XML format. +XML file. The file contents must be in GnuPG XML format.
‘--keyid fingerprint[,<fingerprint>]’ @@ -393,14 +393,14 @@ appended to theinvoking_user
parameter value.‘strict_kill = boolean’ When
false
, theKILL
command (see KILL) will allow killing -another client that is not of the sameUID
or TLS fingerprint of +another client that is not of the sameUID
or TLS fingerprint of the current client and when not theinvoking_user
. The default usfalse
.‘allowed = [-!]user,[-!]@group,[+,][-!]#SHA-256,...’ -A comma separated list of local user names, group names or TLS -fingerprint SHA-256 hashes (in the case of a remote client) who are +
A comma separated list of local user names, group names or TLS +fingerprint SHA-256 hashes (in the case of a remote client) who are allowed to connect. Groups should be prefixed with a ‘@’. When not specified only the user who started
pwmd
may connect. A username, group name or hash may also be prefixed with a-
or!
to prevent @@ -415,7 +415,7 @@ can connect may also open any filename (provided they can decrypt it).The following example would deny all users in group
primary
but allowusername
who may be a member ofprimary
. It will also -allow any TLS client except for the client with TLS fingerprint hash +allow any TLS client except for the client with TLS fingerprint hash#ABCDEF
:@@ -588,11 +588,11 @@ Next: Pinentry, Previous:5 Configuring remote connections over TLS.
-Remote connections can also be made to
pwmd
over TLS. +Remote connections can also be made to
-pwmd
over TLS. Authentication is done by using X.509 client certificates that are signed with -the same Certificate Authority (CA) as the server certificate. +the same Certificate Authority (CA) as the server certificate.The CA certificate is expected to be found in +
The CA certificate is expected to be found in ~/.pwmd/ca-cert.pem while the
pwmd
server certificate and key file should be put in ~/.pwmd/server-cert.pem and ~/.pwmd/server-key.pem, respectively. @@ -626,7 +626,7 @@ orany
to listen for both IPv4 and IPv6 connections. The default is‘tls_timeout = seconds’ @@ -651,7 +651,7 @@ information about the format of this string. The default is The number of seconds to wait for a read() or write() call on a -TLS client file descriptor to complete before returning an +TLS client file descriptor to complete before returning an error. The default is 300.
‘tls_dh_params_file = filename’ -The PEM encoded filename containing DH parameters. If not specified +
The PEM encoded filename containing DH parameters. If not specified then DH algorithms will not be available to the client. See the
openssl dhparam
orcerttool
manual pages for details about generating this file. @@ -1698,8 +1698,8 @@ Next: Other Attributes, when found in each element of an element path. This attribute, like other element attributes, is created or modified with theATTR
command (see ATTR). The value of this attribute is an existing element path -somewhere in the document. If you are familiar with XML entities or -maybe the HTMLid
ortarget
attributes or a symbolic link +somewhere in the document. If you are familiar with XML entities or +maybe the HTMLid
ortarget
attributes or a symbolic link in a file-system, you may find this attribute behaves similar to any of those.To create a
target
attribute use the following syntax: diff --git a/doc/pwmd.texi b/doc/pwmd.texi index cd008333..3356d97e 100644 --- a/doc/pwmd.texi +++ b/doc/pwmd.texi @@ -64,9 +64,9 @@ their syntax. @mansect description @dfn{Password Manager Daemon} (or @command{pwmd}) is a server that applications connect to and send commands to put and get data -that is stored in an @abbr{OpenPGP} encrypted @abbr{XML} document. It mimics a -filesystem in a lot of ways including per element @abbr{ACL}'s, but also has -the advantage of remote connections over @abbr{TLS} and a document cache. The +that is stored in an OpenPGP encrypted XML document. It mimics a +filesystem in a lot of ways including per element ACL's, but also has +the advantage of remote connections over TLS and a document cache. The document cache is needed for a data file encrypted with keys stored on a smartcard. @@ -77,7 +77,7 @@ is the same used by @command{gpg-agent}, @command{pinentry} and @ifset isman .P You can import an existing @command{pwmd} version @var{3.0.x} data file by -dumping the raw @abbr{XML} data with +dumping the raw XML data with .BR pwmd-dump(1) to a file, then importing that file by using @command{pwmd}'s @option{--import} command line @@ -92,7 +92,7 @@ found here. @end ifset @manpause -The @abbr{XML} document uses the following @abbr{DTD}: +The XML document uses the following DTD: @example @@ -105,9 +105,9 @@ The @abbr{XML} document uses the following @abbr{DTD}: The @code{pwmd} element is the document root node while all other elements of the document have the name @code{element} with an attribute @code{_name} whose value uniquely identifies the element at the current element tree depth. -It is done this way to avoid @abbr{XML} parsing errors for commonly used -characters. A @abbr{URL} for example would be an invalid @abbr{XML} element -since the @abbr{URI} contains a @samp{:} which is also the @abbr{XML} +It is done this way to avoid XML parsing errors for commonly used +characters. A URL for example would be an invalid XML element +since the URI contains a @samp{:} which is also the XML namespace separator. As mentioned, an element name must be unique for the current element tree @@ -118,7 +118,7 @@ element path beginning at the child node of the matched element. An @emph{element path} is a @code{TAB} delimited character string where each @code{TAB} separates each element in the path. For example, the element path -@code{a@code{TAB}b@code{TAB}c} has the following @abbr{XML} document structure: +@code{a@code{TAB}b@code{TAB}c} has the following XML document structure: @example@@ -139,17 +139,17 @@ characters. @node Access Control, Invoking, Introduction, Top @chapter Access Control -Like a filesystem has an @abbr{ACL} to grant or limit access to directories or +Like a filesystem has an ACL to grant or limit access to directories or files for a specific user or group, @command{pwmd} can limit a local user, -group or a @abbr{TLS} connection to a specific element path. This is done by -storing an @abbr{ACL} in the element attribute @var{_acl}. Its syntax is +group or a TLS connection to a specific element path. This is done by +storing an ACL in the element attribute @var{_acl}. Its syntax is similar to the @var{allowed} configuration parameter (@pxref{Configuration}) -with the exception that a @abbr{TLS} fingerprint hash is prefixed with a +with the exception that a TLS fingerprint hash is prefixed with a @code{#}. -Access is denied for all users that are not in the @abbr{ACL} of an element +Access is denied for all users that are not in the ACL of an element with the exception of an invoking user (see the @var{invoking_user}). The -connected client must be in the @abbr{ACL} for each element in an element path +connected client must be in the ACL for each element in an element path otherwise an error is returned. As an example: @example @@ -164,10 +164,10 @@ user, who may be a member of the @code{wheel} group, is allowed. The SHA-256 TLS fingerprint hash @code{#ABCDEF} is also allowed. No users other than an @var{invoking_user} are allowed access to the @code{child} element. -The first user listed in the @abbr{ACL} is considered the owner of the +The first user listed in the ACL is considered the owner of the element. This determines which clients may modify an @var{_acl} attribute and store content for an element. An @var{invoking_user} may always modify an -@abbr{ACL}. +ACL. @c Node, Next, Previous, Up @node Invoking, Configuration, Access Control, Top @@ -175,8 +175,8 @@ store content for an element. An @var{invoking_user} may always modify an @mancont @mansect options -@command{pwmd} uses @abbr{GpgME} for encryption, decryption and signing of the -@abbr{OpenPGP} data file. @abbr{GpgME} itself makes use of @command{gpg} for +@command{pwmd} uses GpgME for encryption, decryption and signing of the +OpenPGP data file. GpgME itself makes use of @command{gpg} for these operations so some configuration of @command{gpg} may also be needed. It is recommended to pass the @option{--allow-preset-passphrase} @@ -196,7 +196,7 @@ pwmd @var{options} [ file1 ] [ @dots{} ] Non-option arguments are data files to cache upon startup. When the data file requires a passphrase for decryption a @command{pinentry} will prompt either -on the current @abbr{TTY} or from an X11 window when the @env{DISPLAY} +on the current TTY or from an X11 window when the @env{DISPLAY} environment variable is set. @xref{Pinentry}. @cindex Options @@ -231,9 +231,9 @@ Terminate an existing instance of pwmd. The process to terminate is determined from the @option{--homedir} and @option{--rcfile} options. @item --import, -I filename|- -Imports the @abbr{XML} @var{filename}. When @var{filename} is @code{-} the -@abbr{XML} is read from stdin. The @abbr{XML} file should be in conformance to -the @command{pwmd} @abbr{DTD} (@pxref{Introduction}). You will be prompted for +Imports the XML @var{filename}. When @var{filename} is @code{-} the +XML is read from stdin. The XML file should be in conformance to +the @command{pwmd} DTD (@pxref{Introduction}). You will be prompted for a passphrase to encrypt with. The output is written to the filename specified with @option{--outfile}. To make use of the imported data, place the output file in @file{~/.pwmd/data}. @@ -247,7 +247,7 @@ Obtain the passphrase to use when importing from the specified @var{filename}. @item --keyparam filename The key parameters to use when generating a new key pair while importing an -@abbr{XML} file. The file contents must be in @abbr{GnuPG} @abbr{XML} format. +XML file. The file contents must be in GnuPG XML format. @item --keyid fingerprint[, ] Specifies the fingerprint of the encryption key to use as a recipient when @@ -340,13 +340,13 @@ appended to the @code{invoking_user} parameter value. @item strict_kill = boolean When @code{false}, the @code{KILL} command (@pxref{KILL}) will allow killing -another client that is not of the same @code{UID} or @abbr{TLS} fingerprint of +another client that is not of the same @code{UID} or TLS fingerprint of the current client and when not the @code{invoking_user}. The default us @code{false}. @item allowed = [-!]user,[-!]@@group,[+,][-!]#SHA-256,... -A comma separated list of local user names, group names or @abbr{TLS} -fingerprint @abbr{SHA}-256 hashes (in the case of a remote client) who are +A comma separated list of local user names, group names or TLS +fingerprint SHA-256 hashes (in the case of a remote client) who are allowed to connect. Groups should be prefixed with a @samp{@@}. When not specified only the user who started @command{pwmd} may connect. A username, group name or hash may also be prefixed with a @code{-} or @code{!} to prevent @@ -361,7 +361,7 @@ can connect may also open any filename (provided they can decrypt it). The following example would deny all users in group @code{primary} but allow @code{username} who may be a member of @code{primary}. It will also -allow any TLS client except for the client with @abbr{TLS} fingerprint hash +allow any TLS client except for the client with TLS fingerprint hash @code{#ABCDEF}: @example @@ -509,11 +509,11 @@ connect. @ifset manverb .P @end ifset -Remote connections can also be made to @command{pwmd} over @abbr{TLS}. +Remote connections can also be made to @command{pwmd} over TLS. Authentication is done by using X.509 client certificates that are signed with -the same Certificate Authority (@abbr{CA}) as the server certificate. +the same Certificate Authority (CA) as the server certificate. -The @abbr{CA} certificate is expected to be found in +The CA certificate is expected to be found in @file{~/.pwmd/ca-cert.pem} while the @command{pwmd} server certificate and key file should be put in @file{~/.pwmd/server-cert.pem} and @file{~/.pwmd/server-key.pem}, respectively. @@ -543,7 +543,7 @@ Only useful if running as root. @item tls_timeout = seconds The number of seconds to wait for a read() or write() call on a -@abbr{TLS} client file descriptor to complete before returning an +TLS client file descriptor to complete before returning an error. The default is @var{300}. @item keepalive_interval = seconds @@ -564,7 +564,7 @@ information about the format of this string. The default is @code{SECURE256:SECURE192:SECURE128:-VERS-SSL3.0:-VERS-TLS1.0}. @item tls_dh_params_file = filename -The @abbr{PEM} encoded filename containing DH parameters. If not specified +The PEM encoded filename containing DH parameters. If not specified then DH algorithms will not be available to the client. See the @command{openssl dhparam} or @command{certtool} manual pages for details about generating this file. @@ -717,8 +717,8 @@ A @emph{case sensitive} attribute named @code{target} is treated specially when found in each element of an element path. This attribute, like other element attributes, is created or modified with the @code{ATTR} command (@pxref{ATTR}). The value of this attribute is an existing element path -somewhere in the document. If you are familiar with @abbr{XML} entities or -maybe the @abbr{HTML} @code{id} or @code{target} attributes or a symbolic link +somewhere in the document. If you are familiar with XML entities or +maybe the HTML @code{id} or @code{target} attributes or a symbolic link in a file-system, you may find this attribute behaves similar to any of those. To create a @code{target} attribute use the following syntax: -- 2.11.4.GIT