PWMD(1)                     Password Manager Daemon                    PWMD(1)



NAME
       pwmd - a universal data server

SYNOPSIS
       pwmd [options] [file1] [...]

DESCRIPTION
       pwmd is a daemon/server that serves clients data which is stored in an
       optionally encrypted and compressed XML data file. Clients connect and
       send commands that either retrieve or store data.

OPTIONS
       The following are the available command line options. Remaining
       arguments are files to add to the cache on startup.

       --rcfile, -f rcfile
              Specify an alternate configuration file. The default is
              ~/.pwmd/config.

       --import, -I filename --outfile filename
              Imports an XML file. The XML file should conform to the pwmd
              DTD. See COMMANDS contained in the distributed pwmd archive for
              details. If encryption is wanted (specified with the iterations
              configuration parameter or the --iterations command line
              switch), you will be prompted for a passphrase to encrypt with.
              The output is written to the filename specified with the
              --outfile command line switch, which should then be placed in
              the configured data_directory.

       --iterations, -i iterations
              The number of encryption iterations to use when importing. When
              not specified, the iterations configuration option from the
              global section will be used.

       --key-file, -k keyfile
              When importing (--import) or converting (--convert), obtain the
              key from the specified filename. Be sure to set key_file in your
              configuration.

       --convert, -C filename --outfile filename
              Converts a pwmd version 1 data file to a version 2 data file. If
              encrypted, you will be prompted for a passphrase to use for
              decryption (unless using a --key-file). The converted data file
              will be saved to the filename specified with the --outfile
              command line switch and with the same passphrase and iterations
              as the version 1 data file.

       --disable-dump, -D
              Disable the XPATH, LIST and DUMP protocol commands. This
              overrides any disable_list_and_dump configuration parameter.

       --no-fork, -n
              Run as a foreground process.

       --no-pinentry, -P
              Disable pinentry(1) use, overriding any configuration setting.

       --version
              Version information.

       --help Help text.

CONFIGURATION FILE
       Blank lines and lines beginning with '#' are ignored. Some options can
       have data file-specific settings by placing them in a file section. A
       file section is declared by surrounding the filename with square
       brackets (i.e., [filename]). Global options may be specified in a
       [global] section and are the default options for new or unspecified
       files. If the first character of a string value is a tilde, it will be
       expanded to your home directory. First the global options:

       socket_path=<string>
              Listen on the specified socket. The default is ~/.pwmd/socket.

       socket_perms=<integer>
              Permissions to set after creating the socket. This will override
              any umask(2) setting.

       allowed=<user,@group,...>
              A comma separated list of local usernames or group names allowed
              to connect to the socket. Groups should be prefixed with a '@'.
              When not specified only the invoking user may connect. The
              username is obtained via SO_PEERCRED.

       data_directory=<string>
              Where pwmd should store and retrieve data files. The default is
              ~/.pwmd/data.

       disable_mlockall=<boolean>
              When set to false, mlockall(2) will be called after the client
              connects. This will use more physical memory but may also be
              more secure. Most will probably find it overkill since the
              contents of all allocated memory are cleared before being freed.
              Note that this doesn't affect the file cache, which is always
              stored in RAM (if possible).

       log_path=<string>
              Logs informational messages to the specified file. The default
              is ~/.pwmd/log.

       enable_logging=<boolean>
              Enable or disable logging to log_path. The default is false.

       syslog=<boolean>
              Enable logging to syslog(8) with facility LOG_DAEMON and
              priority LOG_INFO. The default is false.

       log_level=<integer>
              The logging level. When 0, only connections and errors are
              logged. When 1, client commands are also logged. When 2, the
              command arguments are also logged. The default is 0.

       debug_file=<string>
              When set, enable protocol debugging to the specified file. Note
              that this logs all protocol IO, so it may also log sensitive
              data.

       disable_list_and_dump=<boolean>
              When true, the XPATH, LIST and DUMP protocol commands will be
              disabled and will return an error code.

       cache_push=<list>
              A list of filenames separated with commas that will be pushed
              into the file cache upon startup. pwmd will prompt for the key
              for each file specified unless the key was specified with the
              key or key_file parameters in a matching file section. The
              default is none.

       priority=<integer>
              The priority, or niceness, of the server. The default is
              inherited from the parent process.

       Below are options that can be specified in the [global] or [filename]
       section. If in both, then [filename] will have precedence.

       backup=<boolean>
              Whether to create a backup of the data file when saving. The
              default is true. The backup filename has the .backup extension
              appended to the opened file.

       cache_timeout=<integer>
              The number of seconds to keep the cache entry for this file. If
              -1, the cache entry is kept forever. If 0, each time the file is
              opened (if encrypted) or saved a key will be required.

       enable_pinentry=<boolean>
              If false, disable the use of pinentry(1). When disabled and a
              file requires a passphrase, the passphrase must be included in
              the command (see COMMANDS included in the archive). The default
              is true. Also see PINENTRY below.

       pinentry_path=<string>
              The full path of the pinentry binary. The default is specified
              at compile time.

       pinentry_timeout=<integer>
              The number of seconds before the pinentry dialog will terminate
              while waiting for a passphrase. The default is 20. Set to 0 to
              wait forever.

       iterations=<integer>
              The number of times to encrypt the data. A value of 10000 or
              more will make dictionary attacks very slow depending on the CPU
              and size of the data file. The default is 1 iteration. Setting
              to 0 will disable encryption.

       cipher=<string>
              The default cipher to use when saving a data file. Valid values
              are: aes128, aes192, aes256, serpent128, serpent192, serpent256,
              camellia128, camellia192, camellia256, 3des, cast5, blowfish,
              twofish128 and twofish256. The default is aes256.

       iteration_progress=<integer>
              After the specified number of iterations have been processed
              while encrypting or decrypting, a status message with the
              keyword PROGRESS will be sent to the client. Setting to 0, the
              default, disables sending these progress messages.

       xfer_progress=<integer>
              Commands that send data lines to the client can send the XFER
              status message after the specified number of bytes have been
              sent. The number of bytes is rounded to ASSUAN_LINELENGTH
              (1002).

       key=<string>
              The initial passphrase to use for this file. If specified in the
              global section then "global" is treated as a data filename and
              not a default for other files. Note that if a client changes the
              passphrase for this data file with the SAVE command, then this
              value is not modified and will need to be updated by hand.

       key_file=<string>
              Same as the key option above but obtains the key from the
              specified filename. Note that if the cache entry for this file
              gets removed then the only way to add it again is to restart
              pwmd or to re-read the configuration file (i.e., you won't be
              prompted from pinentry).

              Starting with pwmd version 2.14 the entire file is treated as
              the passphrase, including null bytes and newlines. A log message
              will warn of the byte position at which previous versions would
              have truncated the key file, if any. That position is the
              length of the key data actually used, which may not be the size
              of the key file. The fix is to generate a new key file and
              re-import, with the new key file, the data exported via the
              DUMP command.

       compression_level=<integer>
              The default compression level for data files from 1 to 9, 1
              being the fastest but least compression and 9 being the slowest
              but best compression. To disable compression entirely, set to 0.
              The default is 6.

       zlib_bufsize=<integer>
              The input and output buffer size when compressing and
              decompressing. This affects how often the COMPRESS and
              DECOMPRESS status messages are sent and also affects compression
              quality. The default is 65536. Set to a higher value for larger
              files.

       recursion_depth=<integer>
              The maximum number of times to resolve a target attribute for a
              single element in an element path. An error is returned when
              this value is exceeded. The default is 20 but can be disabled by
              setting to 0.

       keepalive=<integer>
              Sends keep alive status messages to the client every N seconds.
              Set to 0 to disable. The default is 0. This option is
              deprecated.

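       The section rules above, as an added example that is not pwmd's own
       code: a small Python reader that applies them (comment and blank lines
       skipped, [filename] overriding [global], leading tilde expanded, key and
       key_file in [global] not inherited) to a constructed configuration and
       flags the settings this page itself warns about. The home directory
       /home/alice, the file names and the placeholder key are assumptions.

```python
# Added example (not pwmd's own code): parse the pwmd configuration format,
# resolve one data file's effective settings and flag weak ones.
SAMPLE_CONFIG = """\
# constructed sample config; comment and blank lines are ignored, key is a placeholder
[global]
socket_path=~/.pwmd/socket
iterations=1
debug_file=~/.pwmd/debug.log
key=placeholder-not-a-default

[accounts.xml]
iterations=20000
cache_timeout=0
"""

def parse_config(text):
    """Return {section: {name: value}}; lines before any section count as [global]."""
    sections, current = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        sections.setdefault(current, {})[name.strip()] = value.strip()
    return sections

def expand(value, home="/home/alice"):
    """A leading tilde expands to the home directory (fixed here for reproducibility)."""
    return home + value[1:] if value.startswith("~") else value

def effective(sections, filename):
    """[filename] overrides [global]; key/key_file in [global] belong to a file named "global"."""
    merged = {k: v for k, v in sections["global"].items() if k not in ("key", "key_file")}
    merged.update(sections.get(filename, {}))
    return {k: expand(v) for k, v in merged.items()}

def audit(s):
    """Warnings drawn from caveats the man page states for these options."""
    checks = [
        (int(s.get("iterations", "1")) < 10000, "iterations below 10000: dictionary attacks stay cheap"),
        ("debug_file" in s, "debug_file logs all protocol IO, including sensitive data"),
        (s.get("disable_list_and_dump", "false") != "true", "XPATH, LIST and DUMP commands are enabled"),
    ]
    return [msg for hit, msg in checks if hit]
```
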
PINENTRY
       When enable_pinentry is true, commands that require a key will use
       pinentry(1) to retrieve the passphrase. Since pwmd is normally a daemon
       process, it isn't attached to any terminal. So pinentry needs to know
       where to put its dialog box by using command line options when
       executed. These can be set by either using protocol commands (see
       COMMANDS included in the archive) or by creating a file
       ~/.pwmd/pinentry.conf. When using this file, each line should contain
       NAME=VALUE pairs where NAME is one of:

       TTYNAME
              The full path of the tty device.

       TTYTYPE
              The terminal type (e.g., vt100). Must be set when TTYNAME is
              set.

       DISPLAY
              If using an X11 pinentry.

       LC_CTYPE
              For internationalization.

       LC_MESSAGES
              For internationalization.

       PATH   The full path to the pinentry binary. The default is
              /usr/bin/pinentry.

       The file is read only once after each client first connects. Note that
       if you're not using a DISPLAY, then both TTYNAME and TTYTYPE should be
       set, otherwise you'll get a segfault from ncurses.

SIGNALS
       SIGUSR1
              Clears the entire file cache. If there are any clients
              connected, a key will be required for the next OPEN or SAVE
              command.

       SIGHUP Reloads the configuration file.

       SIGTERM and SIGINT
              Disallows new connections and waits for all clients to
              disconnect before terminating.

FILES
       ~/.pwmd/config
              Default configuration file.

       ~/.pwmd/data
              Default data directory.

       ~/.pwmd/socket
              Default listening socket.

       ~/.pwmd/log
              Default log file when logging is enabled.

       /usr/bin/pinentry
              Default location of the pinentry binary.

       ~/.pwmd/pinentry.conf
              Default pinentry settings for new clients.

AUTHOR
       Ben Kibbey <bjk@luxsci.net>
       PWMD Homepage <http://bjk.sourceforge.net/pwmd/>.

SEE ALSO
       pinentry(1)

       Also see COMMANDS included in the archive for protocol commands and
       syntax.



Password Manager Daemon           23 Oct 2010                          PWMD(1)