password-agent — Run Mandos client as a systemd password agent.
password-agent [--agent-directory=DIRECTORY] [--helper-directory=DIRECTORY] [--user=USERID] [--group=GROUPID] [--] [MANDOS_CLIENT [OPTIONS...]]
password-agent --test
password-agent { --help | -? }
password-agent --usage
password-agent { --version | -V }
password-agent is a program which is meant to be a systemd(1) “Password Agent” (see Password Agents). The aim of this program is therefore to acquire a password and then send it to some other program, which will use the password to unlock the encrypted root disk.
This program is not meant to be invoked directly, but can be in order to test it.
The purpose of this is to enable remote and unattended rebooting of a client host computer with an encrypted root file system. See the section called “OVERVIEW” for details.
--agent-directory DIRECTORY
Specify a different agent directory. The default is “/run/systemd/ask-password”, as per the Password Agents specification.
--helper-directory DIRECTORY
Specify a different helper directory. The default is “/lib/mandos/plugin-helpers”, which will exist in the initial RAM disk environment. (This will simply be passed to the MANDOS_CLIENT program via the MANDOSPLUGINHELPERDIR environment variable. See mandos-client(8mandos).)
--user USERID
Change real user ID to USERID when running MANDOS_CLIENT. The default is 65534. Note: This must be a number, not a name.
--group GROUPID
Change real group ID to GROUPID when running MANDOS_CLIENT. The default is 65534. Note: This must be a number, not a name.
MANDOS_CLIENT
This specifies the file name for mandos-client(8mandos). If the “--” option is given, any following options are passed to the MANDOS_CLIENT program. The default is “/lib/mandos/plugins.d/mandos-client” (which is the correct location for the initial RAM disk environment) without any options.
--help, -?
Gives a help message about options and their meanings.
--test
Ignore normal operation; instead only run self-tests. Adding the --help option may show more options possible in combination with --test.
--usage
Gives a short usage message.
--version, -V
Prints the program version.
This is part of the Mandos system for allowing computers to have encrypted root file systems and at the same time be capable of remote and/or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using a TLS key; each client has one unique to it. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using a separate OpenPGP key, and the password is then used to unlock the root file system, whereupon the computers can continue booting normally.
This program, password-agent, will run on the client side in the initial RAM disk environment, and is responsible for getting a password from the Mandos client program itself and for sending that password to whatever is currently asking for a password using the systemd Password Agents mechanism.
To accomplish this, password-agent runs the mandos-client program (which is the actual client program communicating with the Mandos server) or, alternatively, any executable file specified as MANDOS_CLIENT, and, as soon as a password is acquired from the MANDOS_CLIENT program, sends that password (as per the Password Agents specification) to all currently unanswered password questions.
This program should be started (normally as a systemd service, which in turn is normally started by a systemd.path(5) file) as a reaction to files whose names begin with “ask.” appearing in the agent directory “/run/systemd/ask-password” (or the directory specified by --agent-directory).
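The agent side of the exchange described above, as an added example that is not code from the Mandos project: a minimal Python implementation of what password-agent does once it holds a password. It scans the agent directory for “ask.*” request files, reads their [Ask] section, skips a question whose asking process is gone (PID=) or whose NotAfter= deadline (CLOCK_MONOTONIC, in microseconds) has passed, and sends the password as a single “+password” datagram to the AF_UNIX socket named in Socket= (a lone “-” would instead cancel the question). The agent directory, the two request files and the asker’s socket are constructed inline so the example runs offline; the password “hunter2” and the file names ask.live and ask.stale are assumptions for the demonstration.

```python
"""Agent side of systemd's Password Agents protocol (added example, not Mandos code).

A real agent would watch the directory with inotify (IN_CLOSE_WRITE / IN_MOVED_TO)
so that it never reads a half-written request file; this example simply scans.
"""
import configparser
import os
import shutil
import socket
import tempfile
import time


def parse_ask_file(path):
    """Return the [Ask] section of one request file as a dict (keys kept as written)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep "PID", "Socket", "NotAfter" case
    cp.read(path)
    if not cp.has_section("Ask"):
        raise ValueError(f"{path}: no [Ask] section")
    return dict(cp.items("Ask"))


def question_is_live(ask):
    """The specification's two staleness checks: asker still alive, deadline not passed."""
    pid = int(ask.get("PID", "0"))
    if pid > 0:
        try:
            os.kill(pid, 0)         # signal 0 only tests for existence
        except ProcessLookupError:
            return False
        except PermissionError:
            pass                    # exists, just not ours to signal
    not_after = int(ask.get("NotAfter", "0"))
    now_usec = time.clock_gettime_ns(time.CLOCK_MONOTONIC) // 1000
    return not (not_after > 0 and now_usec >= not_after)


def send_answer(sock_path, password):
    """Deliver the answer: "+" prefixes a password, a lone "-" means "cancel"."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(b"+" + password.encode(), sock_path)


def answer_pending(agent_dir, password):
    """Answer every live question in agent_dir; return the names of the files answered."""
    answered = []
    for name in sorted(os.listdir(agent_dir)):
        if not name.startswith("ask."):
            continue
        try:
            ask = parse_ask_file(os.path.join(agent_dir, name))
        except ValueError:
            continue                # not a complete request (yet)
        if "Socket" not in ask or not question_is_live(ask):
            continue
        send_answer(ask["Socket"], password)
        answered.append(name)
    return answered


def run_demo(password="hunter2"):
    """Offline run against a constructed agent directory and a fake asker socket."""
    agent_dir = tempfile.mkdtemp(prefix="askpw-")
    sock_path = os.path.join(agent_dir, "sck.1")
    asker = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    asker.bind(sock_path)           # plays the role of the process asking for a password
    asker.settimeout(2)

    def write_request(name, not_after):
        # Constructed request files, shaped like those systemd-ask-password writes.
        with open(os.path.join(agent_dir, name), "w") as f:
            f.write(f"[Ask]\nPID={os.getpid()}\nSocket={sock_path}\n"
                    f"AcceptCached=0\nEcho=0\nNotAfter={not_after}\n"
                    "Message=Please enter passphrase for disk root\n")

    write_request("ask.live", 0)    # no deadline: must be answered
    write_request("ask.stale", 1)   # deadline 1 usec after boot: long expired, must be skipped
    try:
        answered = answer_pending(agent_dir, password)
        data, _ = asker.recvfrom(4096)
    finally:
        asker.close()
        shutil.rmtree(agent_dir)
    return answered, data


if __name__ == "__main__":
    print(run_demo())
```

Running the module answers only ask.live and the fake asker receives b"+hunter2"; the expired ask.stale is left alone, as the specification requires. In the real initial RAM disk environment the directory and the sockets in it are only readable by root, which is why password-agent itself must run as root (see the section on security below).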
This program does not use any environment variables itself; it only passes on its environment to MANDOS_CLIENT. Also, the --helper-directory option will affect the environment variable MANDOSPLUGINHELPERDIR for MANDOS_CLIENT.
/run/systemd/ask-password
The default directory to watch for password questions as per the Password Agents specification; can be changed by the --agent-directory option.
/lib/mandos/plugin-helpers
The helper directory as supplied to MANDOS_CLIENT via the MANDOSPLUGINHELPERDIR environment variable; can be changed by the --helper-directory option.
Please report bugs to the Mandos development mailing list: <mandos-dev@recompile.se> (subscription required). Note that this list is public. The developers can be reached privately at <mandos@recompile.se> (OpenPGP key fingerprint 153A 37F1 0BBA 0435 987F 2C4A 7223 2973 CA34 C2C4 for encrypted mail).
Normal invocation needs no options:
password-agent
Run an alternative MANDOS_CLIENT program:
password-agent /usr/local/sbin/alternate
Use alternative locations for the helper directory and the Mandos client, and add extra options suitable for running in the normal file system:
password-agent --helper-directory=/usr/lib/x86_64-linux-gnu/mandos/plugin-helpers -- /usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client --pubkey=/etc/keys/mandos/pubkey.txt --seckey=/etc/keys/mandos/seckey.txt --tls-pubkey=/etc/keys/mandos/tls-pubkey.pem --tls-privkey=/etc/keys/mandos/tls-privkey.pem
Use the default location for mandos-client(8mandos), but add many options to it:
password-agent -- /lib/mandos/plugins.d/mandos-client --pubkey=/etc/mandos/keys/pubkey.txt --seckey=/etc/mandos/keys/seckey.txt --tls-pubkey=/etc/mandos/keys/tls-pubkey.pem --tls-privkey=/etc/mandos/keys/tls-privkey.pem
Only run the self-tests:
password-agent --test
This program will need to run as the root user in order to read the agent directory and the “ask.” files there, and will, when starting the Mandos client program, require the ability to set the “real” user and group IDs to another user, by default user and group 65534, which are assumed to be non-privileged. This is done in order to match the expectations of mandos-client(8mandos), which assumes that its executable file is owned by the root user and also has the set-user-ID bit set (see execve(2)).
intro(8mandos), mandos-client(8mandos), systemd(1), and the specification for systemd “Password Agent” programs, which password-agent follows.