Provided by: mandos-client_1.8.9-2_amd64 
NAME
password-agent - Run Mandos client as a systemd password agent.
SYNOPSIS
password-agent [--agent-directory=DIRECTORY]
[--helper-directory=DIRECTORY]
[--user=USERID]
[--group=GROUPID]
[--] [MANDOS_CLIENT [OPTIONS...]]
password-agent --test
password-agent {--help | -?}
password-agent --usage
password-agent {--version | -V}
DESCRIPTION
password-agent is a program which is meant to be a systemd(1) “Password Agent” (See
Password Agents[1]). The aim of this program is therefore to acquire and then send a
password to some other program which will use the password to unlock the encrypted root
disk.
This program is not meant to be invoked directly, but can be in order to test it.
PURPOSE
The purpose of this is to enable remote and unattended rebooting of client host computer
with an encrypted root file system. See the section called “OVERVIEW” for details.
OPTIONS
--agent-directory DIRECTORY
Specify a different agent directory. The default is “/run/systemd/ask-password” as per
the Password Agents[1] specification.
--helper-directory DIRECTORY
Specify a different helper directory. The default is “/lib/mandos/plugin-helpers”,
which will exist in the initial RAM disk environment. (This will simply be passed to
the MANDOS_CLIENT program via the MANDOSPLUGINHELPERDIR environment variable. See
mandos-client(8mandos).)
--user USERID
Change real user ID to USERID when running MANDOS_CLIENT. The default is 65534. Note:
This must be a number, not a name.
--group GROUPID
Change real group ID to GROUPID when running MANDOS_CLIENT. The default is 65534.
Note: This must be a number, not a name.
MANDOS_CLIENT
This specifies the file name for mandos-client(8mandos). If the “--” option is given,
any following options are passed to the MANDOS_CLIENT program. The default is
“/lib/mandos/plugins.d/mandos-client” (which is the correct location for the initial
RAM disk environment) without any options.
--help, -?
Gives a help message about options and their meanings.
--test
Ignore normal operation; instead only run self-tests. Adding the --help option may
show more options possible in combination with --test.
--usage
Gives a short usage message.
--version, -V
Prints the program version.
OVERVIEW
This is part of the Mandos system for allowing computers to have encrypted root file
systems and at the same time be capable of remote and/or unattended reboots. The computers
run a small client program in the initial RAM disk environment which will communicate with
a server over a network. All network communication is encrypted using TLS. The clients are
identified by the server using a TLS key; each client has one unique to it. The server
sends the clients an encrypted password. The encrypted password is decrypted by the
clients using a separate OpenPGP key, and the password is then used to unlock the root
file system, whereupon the computers can continue booting normally.
This program, password-agent, will run on the client side in the initial RAM disk
environment, and is responsible for getting a password from the Mandos client program
itself, and to send that password to whatever is currently asking for a password using the
systemd Password Agents[1] mechanism.
To accomplish this, password-agent runs the mandos-client program (which is the actual
client program communicating with the Mandos server) or, alternatively, any executable
file specified as MANDOS_CLIENT, and, as soon as a password is acquired from the
MANDOS_CLIENT program, sends that password (as per the Password Agents[1] specification)
to all currently unanswered password questions.
This program should be started (normally as a systemd service, which in turn is normally
started by a systemd.path(5) file) as a reaction to files named “ask.xxxx” appearing in
the agent directory “/run/systemd/ask-password” (or the directory specified by
--agent-directory).
EXIT STATUS
Exit status of this program is zero if no errors were encountered, and otherwise not.
ENVIRONMENT
This program does not use any environment variables itself, it only passes on its
environment to MANDOS_CLIENT. Also, the --helper-directory option will affect the
environment variable MANDOSPLUGINHELPERDIR for MANDOS_CLIENT.
FILES
/run/systemd/ask-password
The default directory to watch for password questions as per the Password Agents[1]
specification; can be changed by the --agent-directory option.
/lib/mandos/plugin-helpers
The helper directory as supplied to MANDOS_CLIENT via the MANDOSPLUGINHELPERDIR
environment variable; can be changed by the --helper-directory option.
BUGS
Please report bugs to the Mandos development mailing list: <mandos-dev@recompile.se>
(subscription required). Note that this list is public. The developers can be reached
privately at <mandos@recompile.se> (OpenPGP key fingerprint 153A 37F1 0BBA 0435 987F 2C4A
7223 2973 CA34 C2C4 for encrypted mail).
EXAMPLE
Normal invocation needs no options:
password-agent
Run an alternative MANDOS_CLIENT program::
password-agent /usr/local/sbin/alternate
Use alternative locations for the helper directory and the Mandos client, and add extra
options suitable for running in the normal file system:
password-agent --helper-directory=/usr/lib/x86_64-linux-gnu/mandos/plugin-helpers --
/usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client
--pubkey=/etc/keys/mandos/pubkey.txt --seckey=/etc/keys/mandos/seckey.txt
--tls-pubkey=/etc/keys/mandos/tls-pubkey.pem
--tls-privkey=/etc/keys/mandos/tls-privkey.pem
Use the default location for mandos-client(8mandos), but add many options to it:
password-agent -- /lib/mandos/mandos-client --pubkey=/etc/mandos/keys/pubkey.txt
--seckey=/etc/mandos/keys/seckey.txt --tls-pubkey=/etc/mandos/keys/tls-pubkey.pem
--tls-privkey=/etc/mandos/keys/tls-privkey.pem
Only run the self-tests:
password-agent --test
SECURITY
This program will need to run as the root user in order to read the agent directory and
the “ask.xxxx” files there, and will, when starting the Mandos client program, require the
ability to set the “real” user and group ids to another user, by default user and group
65534, which are assumed to be non-privileged. This is done in order to match the
expectations of mandos-client(8mandos), which assumes that its executable file is owned by
the root user and also has the set-user-ID bit set (see execve(2)).
SEE ALSO
intro(8mandos), mandos-client(8mandos), systemd(1),
Password Agents[1]
The specification for systemd “Password Agent” programs, which password-agent follows.
COPYRIGHT
Copyright © 2019 Teddy Hogeborn, Björn Påhlsson
This manual page is part of Mandos.
Mandos is free software: you can redistribute it and/or modify it under the terms of the
GNU General Public License as published by the Free Software Foundation, either version 3
of the License, or (at your option) any later version.
Mandos is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with Mandos. If
not, see http://www.gnu.org/licenses/.
NOTES
1. Password Agents
https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/