freedombone/src/freedombone-pass

226 lines
6.3 KiB
Plaintext
Raw Normal View History

2016-11-19 14:23:54 +01:00
#!/bin/bash
#
# .---. . .
# | | |
# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
#
# Freedom in the Cloud
#
2016-11-19 15:36:07 +01:00
# It's useful to be able to store user passwords, but not a good
# idea to do that in plain text. This implements a simple password
# store. It gpg symmetric encrypts passwords using the backups
# private key as the passphrase.
#
# In order for an adversary to obtain the passwords they must have
# the backups GPG key, which is not obtainable from local or remote
# backups and can only happen if they get root access to the system
# (in which case it's game over anyhow) or if they can decrypt
# a master keydrive or obtain sufficient keydrive fragments.
2016-11-19 14:23:54 +01:00
#
# License
# =======
#
# Copyright (C) 2016 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
PROJECT_NAME='freedombone'
export TEXTDOMAIN=${PROJECT_NAME}-pass
export TEXTDOMAINDIR="/usr/share/locale"
MY_BACKUP_KEY_ID=
CURR_USERNAME=
2016-11-19 20:17:33 +01:00
REMOVE_USERNAME=
2016-11-19 14:23:54 +01:00
CURR_APP=
2016-11-19 20:17:33 +01:00
REMOVE_APP=
2016-11-19 14:34:35 +01:00
CURR_PASSWORD=""
TESTS=
2016-11-19 14:23:54 +01:00
function get_backup_key_id {
MY_BACKUP_KEY_ID=$(gpg --list-keys "(backup key)" | \
grep 'pub ' | awk -F ' ' '{print $2}' | \
awk -F '/' '{print $2}')
if [ ${#MY_BACKUP_KEY_ID} -lt 4 ]; then
echo $"Error: gpg backup key was not found"
2016-11-19 14:23:54 +01:00
return 58213
fi
}
2016-11-19 14:31:44 +01:00
function pass_show_help {
2016-11-19 14:23:54 +01:00
echo ''
echo $"${PROJECT_NAME}-pass"
echo ''
echo $'Password store using gpg'
echo ''
2016-11-19 14:31:44 +01:00
echo $' -h --help Show help'
echo $' -u --user [name] Username'
2016-11-19 14:23:54 +01:00
echo $' -a --app [name] Name of the application'
echo $' -p --pass [password] The password to store'
echo ''
echo $'To encrypt a password:'
echo ''
echo $" ${PROJECT_NAME}-pass -u [username] -a [app] -p [password]"
echo ''
echo $'To retrieve a password:'
echo $''
echo $" ${PROJECT_NAME}-pass -u [username] -a [app]"
echo ''
2016-11-19 20:17:33 +01:00
echo $'To remove passwords for a user:'
echo $''
echo $" ${PROJECT_NAME}-pass -r [username]"
echo ''
echo $'To remove an application password for a user:'
echo $''
echo $" ${PROJECT_NAME}-pass --u [username] --rmapp [name]"
echo ''
2016-11-19 14:23:54 +01:00
exit 0
}
2016-11-19 14:44:57 +01:00
function pad_string {
pass_string="$1"
str_length=${#pass_string}
total_padding=$((128 - str_length))
leading_padding=$((1 + RANDOM % $total_padding))
trailing_padding=$((total_padding - leading_padding))
leading=printf "%-${leading_padding}s"
trailing=printf "%-${trailing_padding}s"
echo "${leading}${pass_string}${trailing}"
}
function remove_padding {
padded_string="$1"
echo -e "${padded_string}" | tr -d '[:space:]'
}
function run_tests {
pass="SuperSecretPassword"
padded=$(pad_string "$pass")
echo "|${padded}|"
${PROJECT_NAME}-pass -u root -a tests -p "$pass"
returned_pass=$(${PROJECT_NAME}-pass -u root -a tests)
if [[ "$pass" != "$returned_pass" ]]; then
echo "pass :${pass}:"
echo "padded :${padded}:"
echo "returned :${pass}:"
exit 73825
fi
${PROJECT_NAME}-pass -u root --rmapp tests
echo "Tests passed"
2016-11-19 14:44:57 +01:00
}
2016-11-19 14:23:54 +01:00
while [[ $# > 1 ]]
do
key="$1"
case $key in
2016-11-19 14:27:48 +01:00
-h|--help)
2016-11-19 14:31:44 +01:00
pass_show_help
2016-11-19 14:23:54 +01:00
;;
-t|--test)
TESTS=1
;;
2016-11-19 14:23:54 +01:00
-u|--user|--username)
shift
CURR_USERNAME="${1}"
;;
2016-11-19 20:17:33 +01:00
-r|--rm|--remove)
shift
REMOVE_USERNAME="${1}"
;;
--rmapp|--removeapp)
shift
REMOVE_APP="${1}"
;;
2016-11-19 14:23:54 +01:00
-a|--app|--application)
shift
CURR_APP="${1}"
;;
-p|--pass|--password|--passphrase)
shift
CURR_PASSWORD="${1}"
;;
*)
# unknown option
;;
esac
shift
done
2016-11-19 20:17:33 +01:00
if [ ${REMOVE_USERNAME} ]; then
if [ -d ~/.passwords/${REMOVE_USERNAME} ]; then
rm -rf ~/.passwords/${REMOVE_USERNAME}
fi
exit 0
fi
2016-11-19 14:27:48 +01:00
get_backup_key_id
2016-11-19 15:36:07 +01:00
# Use the backups private key as a symmetric passphrase
2016-11-19 20:27:41 +01:00
MASTER_PASSWORD=$(gpg -q --armor --export-secret-key $MY_BACKUP_KEY_ID | sed '/---/d' | sed '/Version/d' | sed '/^$/d')
2016-11-19 14:23:54 +01:00
if [ $TESTS ]; then
run_tests
exit 0
fi
2016-11-19 14:23:54 +01:00
if [ ! $CURR_USERNAME ]; then
echo $'Error: No username given'
2016-11-19 14:23:54 +01:00
exit 1
fi
if [ ! -d /home/$CURR_USERNAME ]; then
2016-11-21 11:53:44 +01:00
if [[ "$CURR_USERNAME" != "root" ]]; then
echo $"Error: User $CURR_USERNAME does not exist"
exit 2
fi
2016-11-19 14:23:54 +01:00
fi
2016-11-19 20:17:33 +01:00
if [ ${REMOVE_APP} ]; then
if [ -d ~/.passwords/${CURR_USERNAME}/${REMOVE_APP} ]; then
shred -zu ~/.passwords/${CURR_USERNAME}/${REMOVE_APP}
fi
exit 0
fi
2016-11-19 14:23:54 +01:00
if [ ! $CURR_APP ]; then
echo $'Error: No app name given'
2016-11-19 14:23:54 +01:00
exit 3
fi
2016-11-19 14:35:54 +01:00
if [ ${#CURR_PASSWORD} -eq 0 ]; then
2016-11-19 14:23:54 +01:00
# retrieve password
2016-11-19 14:38:19 +01:00
if [ ! -f ~/.passwords/$CURR_USERNAME/$CURR_APP ]; then
2016-11-19 14:23:54 +01:00
echo ""
exit 4
else
2016-11-19 14:44:57 +01:00
pass=$(gpg -dq --passphrase "$MASTER_PASSWORD" ~/.passwords/$CURR_USERNAME/$CURR_APP)
remove_padding "${pass}"
2016-11-19 14:23:54 +01:00
fi
else
# store password
2016-11-19 14:38:19 +01:00
if [ ! -d ~/.passwords/$CURR_USERNAME ]; then
mkdir -p ~/.passwords/$CURR_USERNAME
2016-11-19 14:23:54 +01:00
fi
2016-11-19 15:15:34 +01:00
# padding helps to ensure than nothing can be learned from the length of the cyphertext
2016-11-19 15:02:08 +01:00
pad_string "${CURR_PASSWORD}" | gpg -ca --cipher-algo AES256 --passphrase "$MASTER_PASSWORD" > ~/.passwords/$CURR_USERNAME/$CURR_APP
2016-11-19 14:38:19 +01:00
if [ ! -f ~/.passwords/$CURR_USERNAME/$CURR_APP ]; then
2016-11-19 14:23:54 +01:00
exit 5
fi
fi
exit 0