Thursday 19 November 2015

Linux Commandline Password Manager

Recently I was looking for a good Password Manager, as the number of passwords I need to maintain is growing steadily (I'm sure everyone knows how it is).

The one I found, pass [2] ("the standard unix password manager"), which is the one I am talking about here, exemplifies the Unix philosophy [0], which is:
Do One Thing and Do It Well.
Write programs to work together.
Write programs to handle text streams, because that is a universal interface.
The password manager itself does very little: it delegates to other parts of the Linux system, namely the filesystem for storage, GPG for encryption, pwgen for generating random passwords, xclip for the clipboard and (optionally) Git for version control.

It does mean that you have to set up GNU Privacy Guard properly before you can start using "pass", hence the next chapter.

GNU Privacy Guard

“GnuPG [1] is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP).”

Creating a key

All keys are stored in .gnupg.
bash-4.3$ gpg2 --full-gen-key
gpg (GnuPG) 2.1.7; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/home/mrbear/.gnupg' created
gpg: new configuration file '/home/mrbear/.gnupg/gpg.conf' created
gpg: WARNING: options in '/home/mrbear/.gnupg/gpg.conf' are not yet active during this run
gpg: keybox '/home/mrbear/.gnupg/pubring.kbx' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 2
I have decided to follow the advice of the website [1] and take 2.
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048)
I take 2048, it seems fairly default.
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) Y

GnuPG needs to construct a user ID to identify your key.

Real name: mrbear
Email address: mrbear@localhost.com
Comment: mrbear
You selected this USER-ID:
"mrbear (mrbear) <mrbear@localhost.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
And away we go!
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest size
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/mrbear/.gnupg/trustdb.gpg: trustdb created
gpg: key 3A4CFDFE marked as ultimately trusted
gpg: directory '/home/mrbear/.gnupg/openpgp-revocs.d' created
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub dsa2048/3A4CFDFE 2015-10-14
Key fingerprint = 7FCC 07FA A6BE 32DE A971 2281 587B D827 3A4C FDFE
uid [ultimate] mrbear (mrbear)
sub elg2048/0B94C819 2015-10-14
So, just to check:
bash-4.3$ gpg2 --list-keys
/home/mrbear/.gnupg/pubring.kbx
---------------------------------
pub dsa2048/3A4CFDFE 2015-10-14
uid [ultimate] mrbear (mrbear)
sub elg2048/0B94C819 2015-10-14

Password store

Initialising the store needs to be done with the ID of the key generated above.
bash-4.3$ sudo dnf install pass
...
bash-4.3$ pass init "3A4CFDFE"
mkdir: created directory ‘/home/mrbear/.password-store/’
Password store initialized for 3A4CFDFE
And I wish to use Git, because I'm that kinda guy.
bash-4.3$ pass git init
Initialized empty Git repository in /home/mrbear/.password-store/.git/
[master (root-commit) 77cc085] Add current contents of password store.
1 file changed, 1 insertion(+)
create mode 100644 .gpg-id
[master 6655058] Configure git repository for gpg file diff.
1 file changed, 1 insertion(+)
create mode 100644 .gitattributes

Adding my passwords

For example, my email:
bash-4.3$ pass insert Email/mail.localhost.com
mkdir: created directory ‘/home/mrbear/.password-store/Email’
Enter password for Email/mail.localhost.com:
Retype password for Email/mail.localhost.com:
[master 40d6094] Add given password for Email/mail.localhost.com to store.
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 Email/mail.localhost.com.gpg
Adding the --multiline parameter makes it possible to store not only your password but other data as well. Handy when the user ID/username is not simply my email address.
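Once an entry holds more than the password, scripts around pass need to pull the first line (the secret) or a named field out of what `pass show` prints. The following is an added example, not part of pass or of this post: pass itself only defines that the first line is the password, so the `login:` / `url:` field convention, the sample entry and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example (not part of pass): pull fields out of a multi-line entry.
# pass only defines that the first line is the password; the "key: value"
# lines after it are a convention assumed here for the other data.

# Constructed sample, as `pass show Email/mail.localhost.com` would print
# it after `pass insert --multiline Email/mail.localhost.com`.
SAMPLE_ENTRY='itsasecret!
login: mrbear
url: https://mail.localhost.com'

# entry_password ENTRY: print the first line (the secret) only.
entry_password() {
    printf '%s\n' "$1" | head -n 1
}

# entry_field ENTRY KEY: print the value of the first "KEY: value" line
# after the password line; returns 1 (prints nothing) if KEY is absent.
# The password line is skipped on purpose, so a secret that happens to
# start with "login: " is never mistaken for metadata.
entry_field() {
    value=$(printf '%s\n' "$1" | awk -v k="$2" '
        NR > 1 && index($0, k ": ") == 1 { print substr($0, length(k) + 3); exit }')
    [ -n "$value" ] && printf '%s\n' "$value"
}

# Typical use, keeping the secret itself off the terminal:
#   entry_field "$(pass show Email/mail.localhost.com)" login
#   entry_password "$(pass show Email/mail.localhost.com)" | xclip -selection clipboard
```

Because `pass show` decrypts the whole file, the functions take the decrypted text as an argument rather than re-running gpg once per field.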

Showing passwords

bash-4.3$ pass
Password Store
└── Email
    └── mail.localhost.com

Generating passwords

bash-4.3$ pass generate Internet/sync.firefox.com 16
mkdir: created directory ‘/home/mrbear/.password-store/Internet’
[master 9b966af] Add generated password for Internet/sync.firefox.com.
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 Internet/sync.firefox.com.gpg
The generated password for Internet/sync.firefox.com is:
\$%R&E%&8^BA/
Some websites do not accept "odd" characters (< > ! @ # $ % ^ & * _) in passwords. Adding the --no-symbols (-n) option gives a generated password containing only lowercase letters, capitals and digits.
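To see what leaving out the symbols costs, here is an added example (my own code, not pass's own, although later pass releases generate passwords in this same way, reading /dev/urandom through tr instead of calling pwgen). It generates a password of a given length with or without symbols and estimates the entropy as length × log2(size of the character set); the set sizes 94 and 62 assume ASCII under LC_ALL=C, and the function names are my own.

```shell
#!/bin/sh
# Added example (not pass's own code): generate a password from the kernel
# CSPRNG (bytes from /dev/urandom, filtered through tr to the wanted character
# set, cut at the requested length) and estimate its entropy.

# gen_password LENGTH [-n|--no-symbols]
gen_password() {
    length=$1
    if [ "${2:-}" = -n ] || [ "${2:-}" = --no-symbols ]; then
        charset='[:alnum:]'            # A-Z a-z 0-9
    else
        charset='[:punct:][:alnum:]'   # plus every ASCII punctuation mark
    fi
    # LC_ALL=C keeps the classes ASCII-only, so every kept byte is one character.
    LC_ALL=C tr -dc "$charset" < /dev/urandom | head -c "$length"
    echo
}

# password_entropy LENGTH [-n]: bits = LENGTH * log2(size of set), with the
# ASCII set sizes 62 for [:alnum:] and 94 for [:punct:][:alnum:].
password_entropy() {
    if [ "${2:-}" = -n ] || [ "${2:-}" = --no-symbols ]; then size=62; else size=94; fi
    awk -v n="$1" -v s="$size" 'BEGIN { printf "%.1f\n", n * log(s) / log(2) }'
}

# gen_password 16     -> 16 characters from the full set, about 104.9 bits
# gen_password 16 -n  -> letters and digits only, about 95.3 bits
# The roughly 9.6 bits lost to --no-symbols are won back by two extra characters.
```

Two extra alphanumeric characters add about 11.9 bits, so a slightly longer symbol-free password is not weaker than the shorter one with symbols; for sites that reject specific symbols rather than all of them, pass 1.7 and later also honour the PASSWORD_STORE_CHARACTER_SET environment variable (see `man pass`).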

Showing passwords and copying to clipboard

bash-4.3$ pass -c Email/mail.localhost.com
Copied Email/mail.localhost.com to clipboard. Will clear in 45 seconds.

Getting your stuff back

As this awesome password manager basically stores the passwords as a bunch of GPG-encrypted files in .password-store, we should be able to decrypt the files directly.

This would work as follows:
bash-4.3$ gpg2 --decrypt .password-store/Email/mail.localhost.com.gpg
gpg: encrypted with 2048-bit ELG key, ID 0B94C819, created 2015-10-14
"mrbear (mrbear) <mrbear@localhost.com>"
itsasecret!

Syncing the git

As I wish to manage my passwords from multiple computers, there's a need to sync/merge the git repositories [5] from time to time.

First, of course, the GPG keys are carried over by copying the .gnupg directory.
scp -r .gnupg mrbear@toby:/home/mrbear
From the second machine, in my home directory:
git clone ssh://mrbear@sherlock/home/mrbear/.password-store
Cloning into '.password-store'...
After that it is nothing more than a "git pull" or "git push" whenever I need it.
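Copying .gnupg and cloning the store only helps if the second machine actually holds the secret key named in the store's .gpg-id and keeps its key directory private, which is where a freshly cloned store typically fails (the StackExchange question in [4] is this kind of problem). The following check is an added example, not part of pass: the GPG variable, the function names and the messages are my own choices; it uses only the .gpg-id file that `pass init` creates and the `--list-secret-keys` option of gpg.

```shell
#!/bin/sh
# Added example (not part of pass): sanity-check a password store on the
# machine it was just cloned to. GPG names the binary to use (gpg2 on the
# page's Fedora system) and can be overridden; the store path defaults to
# pass's own ~/.password-store.
GPG=${GPG:-gpg2}

# dir_is_private DIR: true when DIR is mode 700 (only the owner can list
# or enter it), which is what gpg expects for its home directory.
dir_is_private() {
    case $(ls -ld "$1" 2>/dev/null) in
        drwx------*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_store [STORE_DIR]: verify that .gpg-id exists, that every key ID
# listed in it has a secret key in this GnuPG home, and that the GnuPG
# home is private. Reports each problem on stderr; returns 1 if any found.
check_store() {
    store=${1:-$HOME/.password-store}
    gnupghome=${GNUPGHOME:-$HOME/.gnupg}
    status=0
    if [ ! -f "$store/.gpg-id" ]; then
        echo "$store/.gpg-id missing: not a password store (pass init or git clone first)" >&2
        return 1
    fi
    if ! dir_is_private "$gnupghome"; then
        echo "$gnupghome is not mode 700: gpg will complain about unsafe permissions" >&2
        status=1
    fi
    # .gpg-id holds one recipient key ID per line; pass encrypts every
    # entry to all of them, so each must be decryptable here.
    while IFS= read -r keyid || [ -n "$keyid" ]; do
        [ -n "$keyid" ] || continue
        if ! "$GPG" --list-secret-keys "$keyid" >/dev/null 2>&1; then
            echo "no secret key for $keyid: entries cannot be decrypted on this machine" >&2
            status=1
        fi
    done < "$store/.gpg-id"
    return "$status"
}

# Typical use right after the git clone on the second machine:
#   check_store && echo "store usable" || echo "fix the problems listed above"
```

Running it before the first `pass show` turns a vague "decryption failed" into a concrete message about which key or permission is missing.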

References

[0] Wikipedia - Unix philosophy
https://en.wikipedia.org/wiki/Unix_philosophy
[1] GnuPG
https://www.gnupg.org/documentation/howtos.html
[2] Password store
http://www.passwordstore.org/
[3] Linux Crypto: Passwords
http://blog.sanctum.geek.nz/linux-crypto-passwords/
[4] StackExchange Unix - I try to add passwords to the pass password managers but my attempts fail
http://unix.stackexchange.com/questions/53912/i-try-to-add-passwords-to-the-pass-password-manager-but-my-attempts-fail-with
[5] Git - Git Basics Working with Remotes
https://git-scm.com/book/en/v2/Git-Basics-Working-with-Remotes
[6] Fedora Magazine - GPG: a Fedora primer
https://fedoramagazine.org/gnupg-a-fedora-primer/
[7] Fedora Magazine - GPG key management, part 1
https://fedoramagazine.org/gpg-key-management-part-1/
