1 files changed, 268 insertions, 0 deletions

diff --git a/man/systemd-ask-password.xml b/man/systemd-ask-password.xml
new file mode 100644
index 0000000..5bae448
--- /dev/null
+++ b/man/systemd-ask-password.xml
@@ -0,0 +1,268 @@
+<?xml version='1.0'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
+
+<refentry id="systemd-ask-password"
+    xmlns:xi="http://www.w3.org/2001/XInclude">
+
+  <refentryinfo>
+    <title>systemd-ask-password</title>
+    <productname>systemd</productname>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>systemd-ask-password</refentrytitle>
+    <manvolnum>1</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>systemd-ask-password</refname>
+    <refpurpose>Query the user for a system password</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>systemd-ask-password <arg choice="opt" rep="repeat">OPTIONS</arg> <arg choice="opt">MESSAGE</arg></command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para><command>systemd-ask-password</command> may be used to query
+    a system password or passphrase from the user, using a question
+    message specified on the command line. When run from a TTY it will
+    query a password on the TTY and print it to standard output. When
+    run with no TTY or with <option>--no-tty</option> it will use the
+    system-wide query mechanism, which allows active users to respond via
+    several agents, listed below.</para>
+
+    <para>The purpose of this tool is to query system-wide passwords
+    — that is passwords not attached to a specific user account.
+    Examples include: unlocking encrypted hard disks when they are
+    plugged in or at boot, entering an SSL certificate passphrase for
+    web and VPN servers.</para>
+
+    <para>Existing agents are:
+    <itemizedlist>
+
+      <listitem><para>A boot-time password agent asking the user for
+      passwords using
+      <citerefentry project='die-net'><refentrytitle>plymouth</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+      </para></listitem>
+
+      <listitem><para>A boot-time password agent querying the user
+      directly on the console —
+      <citerefentry><refentrytitle>systemd-ask-password-console.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+      </para></listitem>
+
+      <listitem><para>An agent requesting password input via a
+      <citerefentry project='man-pages'><refentrytitle>wall</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+      message —
+      <citerefentry><refentrytitle>systemd-ask-password-wall.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+      </para></listitem>
+
+      <listitem><para>A TTY agent that is temporarily spawned during
+      <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+      invocations,</para></listitem>
+
+      <listitem><para>A command line agent which can be started
+      temporarily to process queued password
+      requests — <command>systemd-tty-ask-password-agent --query</command>.
+      </para></listitem>
+    </itemizedlist></para>
+
+    <para>Answering system-wide password queries is a privileged operation, hence
+    all the agents listed above (except for the last one), run as privileged
+    system services. The last one also needs elevated privileges, so
+    should be run through
+    <citerefentry project='die-net'><refentrytitle>sudo</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+    or similar.</para>
+
+    <para>Additional password agents may be implemented according to
+    the <ulink url="https://systemd.io/PASSWORD_AGENTS/">systemd Password Agent
+    Specification</ulink>.</para>
+
+    <para>If a password is queried on a TTY, the user may press TAB to
+    hide the asterisks normally shown for each character typed.
+    Pressing Backspace as first key achieves the same effect.</para>
+
+  </refsect1>
+
+  <refsect1>
+    <title>Options</title>
+
+    <para>The following options are understood:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><option>--icon=</option></term>
+
+        <listitem><para>Specify an icon name alongside the password
+        query, which may be used in all agents supporting graphical
+        display. The icon name should follow the <ulink
+        url="https://standards.freedesktop.org/icon-naming-spec/icon-naming-spec-latest.html">XDG
+        Icon Naming Specification</ulink>.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--id=</option></term>
+        <listitem><para>Specify an identifier for this password
+        query. This identifier is freely choosable and allows
+        recognition of queries by involved agents. It should include
+        the subsystem doing the query and the specific object the
+        query is done for. Example:
+        <literal>--id=cryptsetup:/dev/sda5</literal>.</para>
+
+        <xi:include href="version-info.xml" xpointer="v227"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--keyname=</option></term>
+        <listitem><para>Configure a kernel keyring key name to use as
+        cache for the password. If set, then the tool will try to push
+        any collected passwords into the kernel keyring of the root
+        user, as a key of the specified name. If combined with
+        <option>--accept-cached</option>, it will also try to retrieve
+        such cached passwords from the key in the kernel keyring
+        instead of querying the user right away. By using this option,
+        the kernel keyring may be used as effective cache to avoid
+        repeatedly asking users for passwords, if there are multiple
+        objects that may be unlocked with the same password. The
+        cached key will have a timeout of 2.5min set, after which it
+        will be purged from the kernel keyring. Note that it is
+        possible to cache multiple passwords under the same keyname,
+        in which case they will be stored as <constant>NUL</constant>-separated list of
+        passwords. Use
+        <citerefentry project='die-net'><refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+        to access the cached key via the kernel keyring
+        directly. Example: <literal>--keyname=cryptsetup</literal></para>
+
+        <xi:include href="version-info.xml" xpointer="v227"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--credential=</option></term>
+        <listitem><para>Configure a credential to read the password from – if it exists. This may be used in
+        conjunction with the <varname>ImportCredential=</varname>, <varname>LoadCredential=</varname> and
+        <varname>SetCredential=</varname> settings in unit files. See
+        <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
+        details. If not specified, defaults to <literal>password</literal>. This option has no effect if no
+        credentials directory is passed to the program (i.e. <varname>$CREDENTIALS_DIRECTORY</varname> is not
+        set) or if the no credential of the specified name exists.</para>
+
+        <xi:include href="version-info.xml" xpointer="v249"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--timeout=</option></term>
+
+        <listitem><para>Specify the query timeout in seconds. Defaults
+        to 90s. A timeout of 0 waits indefinitely. </para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--echo=yes|no|masked</option></term>
+
+        <listitem><para>Controls whether to echo user input. Takes a boolean or the special string
+        <literal>masked</literal>, the default being the latter. If enabled the typed characters are echoed
+        literally, which is useful for prompting for usernames and other non-protected data. If disabled the
+        typed characters are not echoed in any form, the user will not get feedback on their input. If set to
+        <literal>masked</literal>, an asterisk (<literal>*</literal>) is echoed for each character
+        typed. In this mode, if the user hits the tabulator key (<literal>↹</literal>), echo is turned
+        off. (Alternatively, if the user hits the backspace key (<literal>⌫</literal>) while no data has
+        been entered otherwise, echo is turned off, too).</para>
+
+        <xi:include href="version-info.xml" xpointer="v249"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--echo</option></term>
+        <term><option>-e</option></term>
+
+        <listitem><para>Equivalent to <option>--echo=yes</option>, see above.</para>
+
+        <xi:include href="version-info.xml" xpointer="v217"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--emoji=yes|no|auto</option></term>
+
+        <listitem><para>Controls whether or not to prefix the query with a
+        lock and key emoji (🔐), if the TTY settings permit this. The default
+        is <literal>auto</literal>, which defaults to <literal>yes</literal>,
+        unless <option>--echo=yes</option> is given.</para>
+
+        <xi:include href="version-info.xml" xpointer="v249"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--no-tty</option></term>
+
+        <listitem><para>Never ask for password on current TTY even if
+        one is available. Always use agent system.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--accept-cached</option></term>
+
+        <listitem><para>If passed, accept cached passwords, i.e.
+        passwords previously entered.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--multiple</option></term>
+
+        <listitem><para>When used in conjunction with
+        <option>--accept-cached</option> accept multiple passwords.
+        This will output one password per line.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--no-output</option></term>
+
+        <listitem><para>Do not print passwords to standard output.  This is useful if you want to store a
+        password in kernel keyring with <option>--keyname=</option> but do not want it to show up on screen
+        or in logs.</para>
+
+        <xi:include href="version-info.xml" xpointer="v230"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>-n</option></term>
+
+        <listitem><para>By default, when the acquired password is written to standard output it is suffixed
+        by a newline character. This may be turned off with the <option>-n</option> switch, similarly to the
+        switch of the same name of the <citerefentry
+        project='man-pages'><refentrytitle>echo</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+        command.</para>
+
+        <xi:include href="version-info.xml" xpointer="v249"/></listitem>
+      </varlistentry>
+
+      <xi:include href="standard-options.xml" xpointer="help" />
+    </variablelist>
+
+  </refsect1>
+
+  <refsect1>
+    <title>Exit status</title>
+
+    <para>On success, 0 is returned, a non-zero failure code
+    otherwise.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See Also</title>
+    <para>
+      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>systemd-ask-password-console.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>systemd-tty-ask-password-agent</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+      <citerefentry project='die-net'><refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+      <citerefentry project='die-net'><refentrytitle>plymouth</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+      <citerefentry project='man-pages'><refentrytitle>wall</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+    </para>
+  </refsect1>
+
+</refentry>