LinuxCommandLibrary

systemd-ask-password

Prompt user for sensitive authentication information

TLDR

Query a system password with a specific prompt
$ systemd-ask-password "[prompt]"

Specify an identifier for the password query
$ systemd-ask-password --id [identifier] "[prompt]"

Use a kernel keyring key name as a cache for the password
$ systemd-ask-password --keyname [key_name] "[prompt]"

Set a custom timeout for the password query
$ systemd-ask-password --timeout [seconds] "[prompt]"

Force the use of an agent system and never ask on current TTY
$ systemd-ask-password --no-tty "[prompt]"

Store a password in the kernel keyring without displaying it
$ systemd-ask-password --no-output --keyname [key_name] "[prompt]"

Pipe the collected password to another program
$ systemd-ask-password | [command]

Display help
$ systemd-ask-password [[-h|--help]]

SYNOPSIS

systemd-ask-password [OPTIONS...] [PROMPT]

PARAMETERS

PROMPT
    Optional string used as the prompt for the user. If omitted, a default prompt is used.

-h, --help
    Show a help message and exit.

--version
    Show package version and exit.

-s, --no-tty
    Prevent asking for the password on a TTY, requiring a graphical password agent instead.

-p, --echo
    Echo characters while typing the password. This option is generally not recommended for sensitive passwords due to security implications.

-P, --no-confirm
    Do not ask the user to confirm the password by typing it twice.

--timeout=SECS
    Set a timeout in seconds after which the password query will be aborted if no input is received.

--repeat-until-ok
    Continuously repeat the password query until a valid password is provided.

--key-slot=SLOT
    Specify a key slot to use, typically for LUKS volumes. This option is passed directly to the password agent.

--max-attempts=N
    Set the maximum number of password entry attempts allowed before giving up.

--max-delay=SECS
    Specify the maximum delay in seconds between password query attempts when retrying.

--retry-delay=SECS
    Set the initial delay in seconds between password query attempts when retrying.

DESCRIPTION

systemd-ask-password is a utility designed to securely obtain a password or passphrase from a user. It acts as an interface between a requesting program (e.g., a system service, a script needing a password for an encrypted volume) and a password agent, such as systemd-tty-ask-password-agent for terminal environments or graphical agents in desktop environments. When invoked, it sends a request to the registered password agent, which then displays a prompt to the user, collects the input, and returns the password to systemd-ask-password.

This tool ensures that sensitive information such as passwords is not handled directly by the requesting application, promoting better security practices within the systemd ecosystem. It's commonly used during boot for unlocking encrypted file systems (such as LUKS volumes) or by services that require authentication credentials. The command exits with status 0 on success, printing the password to standard output, and with a non-zero status on failure or user cancellation.

CAVEATS

systemd-ask-password relies on a password agent being active and correctly configured. If no agent is running or accessible, the password prompt may fail. The --echo option should be used with extreme caution, as it exposes the password directly on the screen while typing. When used for LUKS volumes or other critical system components, ensure the password agent is robust and secure, as it handles sensitive data.

INTERACTION WITH PASSWORD AGENTS

This command does not directly prompt the user. Instead, it communicates with a password agent (like systemd-tty-ask-password-agent for terminal interaction or a graphical agent in a desktop environment). The agent then handles the actual display of the prompt and input collection from the user, ensuring secure handling of credentials.

RETURN VALUE

On successful password acquisition, systemd-ask-password exits with status code 0 and prints the collected password to its standard output. If the operation fails (e.g., user cancellation, timeout, or an incorrect password after the allowed number of attempts), it exits with a non-zero status code and prints an error message to standard error.
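The pipe form from the TLDR list (`systemd-ask-password | [command]`) and the exit-status contract above combine into the following wrapper. It is an added example, not code from this page or from the systemd project. It assumes the options shown on the page (`--id`, `--timeout`, `--keyname`); the `ASK_CMD` variable and the `example:unlock` identifier are assumptions introduced so the wrapper can be exercised against a stub instead of a live password agent. The point it makes that the one-liner does not: in a plain pipeline the exit status you see is the consumer's, so a timed-out or cancelled prompt silently feeds an empty string downstream unless you capture and check the prompt's own status first.

```shell
#!/bin/sh
# Added example (not part of the page or of systemd): wrap systemd-ask-password so that
# (1) a timeout or cancelled prompt fails closed instead of yielding an empty secret, and
# (2) the passphrase reaches the consumer on stdin, never in argv or the environment.
# ASK_CMD is an assumption: it only exists so the wrapper can be run against a stub.
set -u

# ask_secret PROMPT [TIMEOUT_SECS] [KEYNAME]
# Prints the passphrase on stdout and returns systemd-ask-password's own exit status.
ask_secret() {
    prompt=$1
    timeout=${2:-30}
    keyname=${3:-}
    cmd=${ASK_CMD:-systemd-ask-password}
    if [ -n "$keyname" ]; then
        # --keyname caches the answer in the kernel keyring under this name (see TLDR)
        "$cmd" --id="example:unlock" --timeout="$timeout" --keyname="$keyname" "$prompt"
    else
        "$cmd" --id="example:unlock" --timeout="$timeout" "$prompt"
    fi
}

# feed_secret PROMPT TIMEOUT_SECS CONSUMER [ARGS...]
# Obtains the passphrase, then writes it to CONSUMER's stdin with the printf builtin
# (a builtin, so the secret never appears in any process's command line).
# A bare `systemd-ask-password | consumer` reports only the consumer's status, so the
# prompt result is captured and checked explicitly before anything is piped.
feed_secret() {
    prompt=$1
    timeout=$2
    shift 2
    secret=$(ask_secret "$prompt" "$timeout") || {
        status=$?
        printf 'password query failed or timed out (status %s)\n' "$status" >&2
        return "$status"
    }
    if [ -z "$secret" ]; then
        printf 'empty passphrase rejected\n' >&2
        return 1
    fi
    printf '%s\n' "$secret" | "$@"
    rc=$?
    unset secret          # drop the copy held by the shell as soon as it has been delivered
    return "$rc"
}

# Usage (hypothetical consumer that reads a passphrase from stdin):
#   feed_secret "Passphrase for data volume:" 60 some_unlock_tool --stdin
```

Design note: the secret is held briefly in a shell variable rather than streamed straight through, which is the price of being able to test the prompt's exit status in POSIX sh (there is no `pipefail`). The variable is unset immediately after the consumer has read it.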

HISTORY

systemd-ask-password is an integral part of the systemd init system, which replaced the traditional SysVinit in many Linux distributions. It was introduced as part of systemd's broader strategy to standardize and centralize system management, including secure password handling. Its development is tied to the evolution of systemd itself, aiming to provide a robust and extensible mechanism for services to acquire user credentials without direct terminal interaction or insecure methods. Its reliance on password agents reflects systemd's design philosophy of modularity and separation of concerns.
