diff options
author | Daniel Mueller <deso@posteo.net> | 2020-04-04 15:32:14 -0700 |
---|---|---|
committer | Daniel Mueller <deso@posteo.net> | 2020-04-04 15:32:14 -0700 |
commit | 681cc8882f7995407c33eb48730daaa901074460 (patch) | |
tree | c865f6c4a34e11af685889a09d95f3225e54a16c /nitrocli/doc/nitrocli.1 | |
parent | d0d9683df8398696147e7ee1fcffb2e4e957008c (diff) | |
download | nitrocli-681cc8882f7995407c33eb48730daaa901074460.tar.gz nitrocli-681cc8882f7995407c33eb48730daaa901074460.tar.bz2 |
Move nitrocli source code into repository root
Now that all vendored dependencies have been removed, this change moves
the program's source code from the nitrocli/ directory into the root of
the repository.
Diffstat (limited to 'nitrocli/doc/nitrocli.1')
-rw-r--r-- | nitrocli/doc/nitrocli.1 | 355 |
1 files changed, 0 insertions, 355 deletions
diff --git a/nitrocli/doc/nitrocli.1 b/nitrocli/doc/nitrocli.1 deleted file mode 100644 index 75f5960..0000000 --- a/nitrocli/doc/nitrocli.1 +++ /dev/null @@ -1,355 +0,0 @@ -.TH NITROCLI 1 2019-06-08 -.SH NAME -nitrocli \- access Nitrokey devices -.SH SYNOPSIS -.B nitrocli -[\fB\-m\fR|\fB\-\-model pro\fR|\fBstorage\fR] \fR[\fB\-v\fR|\fB\-\-verbose\fR] -[\fB\-V\fR|\fB\-\-version\fR] -\fIcommand\fR -[\fIarguments\fR] -.SH DESCRIPTION -\fBnitrocli\fR provides access to Nitrokey devices. -It supports the Nitrokey Pro and the Nitrokey Storage. -It can be used to access the encrypted volume, the one-time password generator, -and the password safe. -.SH OPTIONS -.TP -\fB\-m\fR, \fB\-\-model pro\fR|\fBstorage\fR -Restrict connections to the given device model. -If this option is not set, nitrocli will connect to any connected Nitrokey Pro -or Nitrokey Storage device. -.TP -\fB\-v\fR, \fB\-\-verbose\fR -Enable additional logging and control its verbosity. Logging enabled through -this option will appear on the standard error stream. This option can be -supplied multiple times. A single occurrence will show additional warnings. -Commands sent to the device will be shown when supplied three times and full -device communication is available with four occurrences. Supplying this option -five times enables the highest verbosity. -.TP -\fB\-V\fR, \fB\-\-version\fR -Print the nitrocli version and exit. -.SH COMMANDS -.SS General -.TP -.B nitrocli status -Print the status of the connected Nitrokey device, including the stick serial -number, the firmware version, and the PIN retry count. If the device is a -Nitrokey Storage, also print storage related information including the SD card -serial number, the encryption status, and the status of the volumes. -.TP -.B nitrocli lock -Lock the Nitrokey. -This command locks the password safe (see the Password safe section). On the -Nitrokey Storage, it will also close any active encrypted or hidden volumes (see -the Storage section). -.TP -.B nitrocli reset -Perform a factory reset on the Nitrokey. -This command performs a factory reset on the OpenPGP smart card, clears the -flash storage and builds a new AES key. -The user PIN is reset to 123456, the admin PIN to 12345678. - -This command requires the admin PIN. -To avoid accidental calls of this command, the user has to enter the PIN even -if it has been cached. - -.SS Storage -The Nitrokey Storage comes with a storage area. This area is comprised of an -\fIunencrypted\fR region and an \fIencrypted\fR one of fixed sizes, each made -available to the user in the form of block devices. The encrypted region can -optionally further be overlayed with up to four \fIhidden\fR volumes. Because of -this overlay (which is required to achieve plausible deniability of the -existence of hidden volumes), the burden of ensuring that data on the encrypted -volume does not overlap with data on one of the hidden volumes is on the user. -.TP -\fBnitrocli unencrypted set \fImode\fR -Change the read-write mode of the volume. -\fImode\fR is the type of the mode to change to: \fBread-write\fR to make the -volume readable and writable or \fBread-only\fR to make it only readable. -This command requires the admin PIN. - -Note that this command requires firmware version 0.51 or higher. Earlier -versions are not supported. -.TP -\fBnitrocli encrypted open -Open the encrypted volume on the Nitrokey Storage. -The user PIN that is required to open the volume is queried using -\fBpinentry\fR(1) and cached by \fBgpg\-agent\fR(1). -.TP -\fBnitrocli encrypted close -Close the encrypted volume on the Nitrokey Storage. -.TP -\fBnitrocli hidden create \fIslot\fR \fIstart\fR \fIend\fR -Create a new hidden volume inside the encrypted volume. \fIslot\fR must indicate -one of the four available slots. \fIstart\fR and \fIend\fR represent, -respectively, the start and end position of the hidden volume inside the -encrypted volume, as a percentage of the encrypted volume's size. -This command requires a password which is later used to look up the hidden -volume to open. Unlike a PIN, this password is not cached by \fBgpg\-agent\fR(1). -.TP -\fBnitrocli hidden open -Open a hidden volume. The volume to open is determined based on the password -entered, which must have a minimum of six characters. Only one hidden volume can -be active at any point in time and previously opened volumes will be -automatically closed. Similarly, the encrypted volume will be closed if it was -open. -.TP -\fBnitrocli hidden close -Close a hidden volume. - -.SS One-time passwords -The Nitrokey Pro and the Nitrokey Storage support the generation of one-time -passwords using the HOTP algorithm according to RFC 4226 or the TOTP algorithm -according to RFC 6238. -The required data \(en a name and the secret \(en is stored in slots. -Currently, the Nitrokey devices provide three HOTP slots and 15 TOTP slots. -The slots are numbered per algorithm starting at zero. -.P -The TOTP algorithm is a modified version of the HOTP algorithm that also uses -the current time. -Therefore, the Nitrokey clock must be synchronized with the clock of the -application that requests the one-time password. -.TP -\fBnitrocli otp get \fIslot \fR[\fB\-a\fR|\fB\-\-algorithm \fIalgorithm\fR] \ -\fB[\-t\fR|\fB\-\-time \fItime\fR] -Generate a one-time password. -\fIslot\fR is the number of the slot to generate the password from. -\fIalgorithm\fR is the OTP algorithm to use. -Possible values are \fBhotp\fR for the HOTP algorithm according to RFC 4226 and -\fBtotp\fR for the TOTP algorithm according to RFC 6238 (default). -Per default, this commands sets the Nitrokey's time to the system time if the -TOTP algorithm is selected. -If \fB\-\-time\fR is set, it is set to \fItime\fR instead, which must be a Unix -timestamp (i.e., the number of seconds since 1970-01-01 00:00:00 UTC). -This command might require the user PIN (see the Configuration section). -.TP -\fBnitrocli otp set \fIslot name secret \ -\fR[\fB\-a\fR|\fB\-\-algorithm \fIalgorithm\fR] \ -[\fB\-d\fR|\fB\-\-digits \fIdigits\fR] [\fB\-c\fR|\fB\-\-counter \fIcounter\fR] \ -[\fB\-t\fR|\fB\-\-time-window \fItime-window\fR] \ -[\fB-f\fR|\fB\-\-format ascii\fR|\fBbase32\fR|\fBhex\fR] -Configure a one-time password slot. -\fIslot\fR is the number of the slot to configure. -\fIname\fR is the name of the slot (may not be empty). -\fIsecret\fR is the secret value to store in that slot. - -The \fB\-\-format\fR option specifies the format of the secret. -If it is set to \fBascii\fR, each character of the given secret is interpreted -as the ASCII code of one byte. -If it is set to \fBbase32\fR, the secret is interpreted as a base32 string -according to RFC 4648. -If it is set to \fBhex\fR, every two characters are interpreted as the -hexadecimal value of one byte. -The default value is \fBhex\fR. - -\fIalgorithm\fR is the OTP algorithm to use. -Possible values are \fBhotp\fR for the HOTP algorithm according to RFC 4226 and -\fBtotp\fR for the TOTP algorithm according to RFC 6238 (default). -\fIdigits\fR is the number of digits the one-time password should have. -Allowed values are 6 and 8 (default: 6). -\fIcounter\fR is the initial counter if the HOTP algorithm is used (default: 0). -\fItime window\fR is the time window used with TOTP in seconds (default: 30). -.TP -\fBnitrocli otp clear \fIslot \fR[\fB\-a\fR|\fB\-\-algorithm \fIalgorithm\fR] -Delete the name and the secret stored in a one-time password slot. -\fIslot\fR is the number of the slot to clear. -\fIalgorithm\fR is the OTP algorithm to use. -Possible values are \fBhotp\fR for the HOTP algorithm according to RFC 4226 and -\fBtotp\fR for the TOTP algorithm according to RFC 6238 (default). -.TP -\fBnitrocli otp status \fR[\fB\-a\fR|\fB\-\-all\fR] -List all OTP slots. -If \fB\-\-all\fR is not set, empty slots are ignored. - -.SS Configuration -Nitrokey devices have four configuration settings: the numlock, capslock and -scrollock keys can be mapped to an HOTP slot, and OTP generation can be set to -require the user PIN. -.TP -\fBnitrocli config get\fR -Print the current configuration. -.TP -\fBnitrocli config set \fR\ -[[\fB\-n\fR|\fB\-\-numlock \fIslot\fR] | [\fB\-N\fR|\fB\-\-no\-numlock\fR]] \ -[[\fB\-c\fR|\fB\-\-capslock \fIslot\fR] | [\fB\-C\fR|\fB\-\-no\-capslock\fR]] \ -[[\fB\-s\fR|\fB\-\-scrollock \fIslot\fR] | [\fB\-S\fR|\fB\-\-no\-scrollock\fR]] \ -[[\fB\-o\fR|\fB\-\-otp\-pin\fR] | [\fB\-O\fR|\fB\-\-no\-otp\-pin\fR]] -Update the Nitrokey configuration. -This command requires the admin PIN. - -With the \fB\-\-numlock\fR, \fB\-\-capslock\fR and \fB\-\-scrollock\fR options, -the respective bindings can be set. -\fIslot\fR is the number of the HOTP slot to bind the key to. -If \fB\-\-no\-numlock\fR, \fB\-\-no\-capslock\fR or \fB\-\-no\-scrollock\fR is -set, the respective binding is disabled. -The two corresponding options are mutually exclusive. - -If \fB\-\-otp\-pin\fR is set, the user PIN will be required to generate one-time -passwords using the \fBotp get\fR command. -If \fB\-\-no\-otp\-pin\fR is set, OTP generation can be performed without PIN. -These two options are mutually exclusive. - -.SS Password safe -The Nitrokey Pro and the Nitrokey Storage provide a password safe (PWS) with 20 -slots. -In each of these slots you can store a name, a login, and a password. -The PWS is not encrypted, but it is protected with the user PIN by the firmware. -Once the PWS is unlocked by one of the commands listed below, it can be -accessed without authentication. -You can use the \fBlock\fR command to lock the password safe. -.TP -\fBnitrocli pws get \fIslot \fR[\fB\-n\fR|\fB\-\-name\fR] \ -[\fB\-l\fR|\fB\-\-login\fR] \ -[\fB\-p\fR|\fB\-\-password\fR] \ -[\fB\-q\fR|\fB\-\-quiet\fR] -Print the content of one PWS slot. -\fIslot\fR is the number of the slot. -Per default, this command prints the name, the login and the password (in that -order). -If one or more of the options \fB\-\-name\fR, \fB\-\-login\fR, and -\fB\-\-password\fR are set, only the selected fields are printed. -The order of the fields never changes. - -The fields are printed together with a label. -Use the \fB\-\-quiet\fR option to suppress the labels and to only output the -values stored in the PWS slot. -.TP -\fBnitrocli pws set \fIslot name login password\fR -Set the content of a PWS slot. -\fIslot\fR is the number of the slot to write. -\fIname\fR, \fIlogin\fR, and \fIpassword\fR represent the data to write to the -slot. -.TP -\fBnitrocli pws clear \fIslot\fR -Delete the data stored in a PWS slot. -\fIslot\fR is the number of the slot clear. -.TP -\fBnitrocli pws status \fR[\fB\-a\fR|\fB\-\-all\fR] -List all PWS slots. -If \fB\-\-all\fR is not set, empty slots are ignored. - -.SS PINs -Nitrokey devices have two PINs: the user PIN and the admin PIN. The user -PIN must have at least six, the admin PIN at least eight characters. The -user PIN is required for commands such as \fBotp get\fR (depending on -the configuration) and for all \fBpws\fR commands. -The admin PIN is usually required to change the device configuration. -.P -Each PIN has a retry counter that is decreased with every wrong PIN entry and -reset if the PIN was entered correctly. -The initial retry counter is three. -If the retry counter for the user PIN is zero, you can use the -\fBpin unblock\fR command to unblock and reset the user PIN. -If the retry counter for the admin PIN is zero, you have to perform a factory -reset using the \fBreset\fR command or \fBgpg\fR(1). -Use the \fBstatus\fR command to check the retry counters. -.TP -.B nitrocli pin clear -Clear the PINs cached by the other commands. Note that cached PINs are -associated with the device they belong to and the \fBclear\fR command will only -clear the PIN for the currently used device, not all others. -.TP -\fBnitrocli pin set \fItype\fR -Change a PIN. -\fItype\fR is the type of the PIN that will be changed: \fBadmin\fR to change -the admin PIN or \fBuser\fR to change the user PIN. -This command only works if the retry counter for the PIN type is at least one. -(Use the \fBstatus\fR command to check the retry counters.) -.TP -.B nitrocli pin unblock -Unblock and reset the user PIN. -This command requires the admin PIN. -The admin PIN cannot be unblocked. -This operation is equivalent to the unblock PIN option provided by \fBgpg\fR(1) -(using the \fB\-\-change\-pin\fR option). - -.SH ENVIRONMENT -The program honors a set of environment variables that can be used to -suppress interactive PIN entry through \fBpinentry\fR(1). The following -variables are recognized: -.TP -.B NITROCLI_ADMIN_PIN -The admin PIN to use. -.TP -.B NITROCLI_USER_PIN -The user PIN to use. -.TP -.B NITROCLI_NEW_ADMIN_PIN -The new admin PIN to set. This variable is only used by the \fBpin set\fR -command for the \fBadmin\fR type. -.TP -.B NITROCLI_NEW_USER_PIN -The new user PIN to set. This variable is only used by the \fBpin set\fR command -for the \fBuser\fR type. -.TP -.B NITROCLI_PASSWORD -A password used by commands that require one (e.g., \fBhidden open\fR). -.TP -.B NITROCLI_NO_CACHE -If this variable is present in the environment, do not cache any inquired -secrets using \fBgpg\-agent\fR(1) but ask for them each time they are needed. -Note that this variable does not cause any cached secrets to be cleared. If a -secret is already in the cache it will be ignored, but left otherwise untouched. -Use the \fBpin clear\fR command to clear secrets from the cache. - -.SH EXAMPLES -.SS Storage -Create a hidden volume in the first available slot, starting at half the size of -the encrypted volume (i.e., 50%) and stretching all the way to its end (100%): - $ \fBnitrocli hidden create 0 50 100\fR - -.SS One-time passwords -Configure a one-time password slot with a hexadecimal secret representation: - $ \fBnitrocli otp set 0 test\-rfc4226 3132333435363738393031323334353637383930 \-\-algorithm hotp\fR - $ \fBnitrocli otp set 1 test\-foobar 666F6F626172 \-\-algorithm hotp\fR - $ \fBnitrocli otp set 0 test\-rfc6238 3132333435363738393031323334353637383930 \-\-algorithm totp \-\-digits 8\fR -.P -Configure a one-time password slot with an ASCII secret representation: - $ \fBnitrocli otp set 0 test\-rfc4226 12345678901234567890 \-\-format ascii \-\-algorithm hotp\fR - $ \fBnitrocli otp set 1 test\-foobar foobar \-\-format ascii \-\-algorithm hotp\fR - $ \fBnitrocli otp set 0 test\-rfc6238 12345678901234567890 \-\-format ascii \-\-algorithm totp \-\-digits 8\fR -.P -Configure a one-time password slot with a base32 secret representation: - $ \fBnitrocli otp set 0 test\-rfc4226 gezdgnbvgy3tqojqgezdgnbvgy3tqojq \-\-format base32 \-\-algorithm hotp\fR - $ \fBnitrocli otp set 1 test\-foobar mzxw6ytboi====== \-\-format base32 \-\-algorithm hotp\fR - $ \fBnitrocli otp set 0 test\-rfc6238 gezdgnbvgy3tqojqgezdgnbvgy3tqojq \-\-format base32 \-\-algorithm totp \-\-digits 8\fR -.P -Generate a one-time password: - $ \fBnitrocli otp get 0 \-\-algorithm hotp\fR - 755224 - $ \fBnitrocli otp get 0 \-\-algorithm totp \-\-time 1234567890\fR - 89005924 -.P -Clear a one-time password slot: - $ \fBnitrocli otp clear 0 \-\-algorithm hotp\fR - -.SS Configuration -Query the configuration: - $ \fBnitrocli config get\fR - Config: - numlock binding: not set - capslock binding: not set - scrollock binding: not set - require user PIN for OTP: true -.P -Change the configuration: - $ \fBnitrocli config set \-\-otp\-pin\fR - -.SS Password safe -Configure a PWS slot: - $ \fBnitrocli pws set 0 example.org john.doe passw0rd\fR - -Get the data from a slot: - $ \fBnitrocli pws get 0\fR - name: example.org - login: john.doe - password: passw0rd - -Copy the password to the clipboard (requires \fBxclip\fR(1)). - $ \fBnitrocli pws get 0 \-\-password \-\-quiet | xclip \-in\fR - -Query the PWS slots: - $ \fB nitrocli pws status\fR - slot name - 0 example.org |