2016-11-19 14:23:54 +01:00
|
|
|
#!/bin/bash
|
|
|
|
#
|
|
|
|
# .---. . .
|
|
|
|
# | | |
|
|
|
|
# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
|
|
|
|
# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
|
|
|
|
# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
|
|
|
|
#
|
|
|
|
# Freedom in the Cloud
|
|
|
|
#
|
2016-11-19 15:36:07 +01:00
|
|
|
# It's useful to be able to store user passwords, but not a good
|
|
|
|
# idea to do that in plain text. This implements a simple password
|
|
|
|
# store. It gpg symmetric encrypts passwords using the backups
|
|
|
|
# private key as the passphrase.
|
|
|
|
#
|
|
|
|
# In order for an adversary to obtain the passwords they must have
|
|
|
|
# the backups GPG key, which is not obtainable from local or remote
|
|
|
|
# backups and can only happen if they get root access to the system
|
|
|
|
# (in which case it's game over anyhow) or if they can decrypt
|
|
|
|
# a master keydrive or obtain sufficient keydrive fragments.
|
2016-11-19 14:23:54 +01:00
|
|
|
#
|
|
|
|
# License
|
|
|
|
# =======
|
|
|
|
#
|
|
|
|
# Copyright (C) 2016 Bob Mottram <bob@freedombone.net>
|
|
|
|
#
|
|
|
|
# This program is free software: you can redistribute it and/or modify
|
|
|
|
# it under the terms of the GNU Affero General Public License as published by
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
# (at your option) any later version.
|
|
|
|
#
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
# GNU Affero General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU Affero General Public License
|
|
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
|
|
PROJECT_NAME='freedombone'
|
|
|
|
|
|
|
|
export TEXTDOMAIN=${PROJECT_NAME}-pass
|
|
|
|
export TEXTDOMAINDIR="/usr/share/locale"
|
|
|
|
|
|
|
|
MY_BACKUP_KEY_ID=
|
|
|
|
CURR_USERNAME=
|
2016-11-19 20:17:33 +01:00
|
|
|
REMOVE_USERNAME=
|
2016-11-19 14:23:54 +01:00
|
|
|
CURR_APP=
|
2016-11-19 20:17:33 +01:00
|
|
|
REMOVE_APP=
|
2016-11-19 14:34:35 +01:00
|
|
|
CURR_PASSWORD=""
|
2016-11-19 14:23:54 +01:00
|
|
|
|
|
|
|
function get_backup_key_id {
|
|
|
|
MY_BACKUP_KEY_ID=$(gpg --list-keys "(backup key)" | \
|
|
|
|
grep 'pub ' | awk -F ' ' '{print $2}' | \
|
|
|
|
awk -F '/' '{print $2}')
|
|
|
|
if [ ${#MY_BACKUP_KEY_ID} -lt 4 ]; then
|
2016-11-20 21:39:14 +01:00
|
|
|
echo $"Error: gpg backup key was not found"
|
2016-11-19 14:23:54 +01:00
|
|
|
return 58213
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
2016-11-19 14:31:44 +01:00
|
|
|
function pass_show_help {
|
2016-11-19 14:23:54 +01:00
|
|
|
echo ''
|
|
|
|
echo $"${PROJECT_NAME}-pass"
|
|
|
|
echo ''
|
|
|
|
echo $'Password store using gpg'
|
|
|
|
echo ''
|
2016-11-19 14:31:44 +01:00
|
|
|
echo $' -h --help Show help'
|
|
|
|
echo $' -u --user [name] Username'
|
2016-11-19 14:23:54 +01:00
|
|
|
echo $' -a --app [name] Name of the application'
|
|
|
|
echo $' -p --pass [password] The password to store'
|
|
|
|
echo ''
|
|
|
|
echo $'To encrypt a password:'
|
|
|
|
echo ''
|
|
|
|
echo $" ${PROJECT_NAME}-pass -u [username] -a [app] -p [password]"
|
|
|
|
echo ''
|
|
|
|
echo $'To retrieve a password:'
|
|
|
|
echo $''
|
|
|
|
echo $" ${PROJECT_NAME}-pass -u [username] -a [app]"
|
|
|
|
echo ''
|
2016-11-19 20:17:33 +01:00
|
|
|
echo $'To remove passwords for a user:'
|
|
|
|
echo $''
|
|
|
|
echo $" ${PROJECT_NAME}-pass -r [username]"
|
|
|
|
echo ''
|
|
|
|
echo $'To remove an application password for a user:'
|
|
|
|
echo $''
|
|
|
|
echo $" ${PROJECT_NAME}-pass --u [username] --rmapp [name]"
|
|
|
|
echo ''
|
2016-11-19 14:23:54 +01:00
|
|
|
exit 0
|
|
|
|
}
|
|
|
|
|
2016-11-19 14:44:57 +01:00
|
|
|
function pad_string {
|
2016-11-19 15:02:08 +01:00
|
|
|
echo -n -e "$1" | sed -e :a -e 's/^.\{1,128\}$/& /;ta'
|
2016-11-19 14:44:57 +01:00
|
|
|
}
|
|
|
|
|
2016-11-19 14:23:54 +01:00
|
|
|
while [[ $# > 1 ]]
|
|
|
|
do
|
|
|
|
key="$1"
|
|
|
|
|
|
|
|
case $key in
|
2016-11-19 14:27:48 +01:00
|
|
|
-h|--help)
|
2016-11-19 14:31:44 +01:00
|
|
|
pass_show_help
|
2016-11-19 14:23:54 +01:00
|
|
|
;;
|
|
|
|
-u|--user|--username)
|
|
|
|
shift
|
|
|
|
CURR_USERNAME="${1}"
|
|
|
|
;;
|
2016-11-19 20:17:33 +01:00
|
|
|
-r|--rm|--remove)
|
|
|
|
shift
|
|
|
|
REMOVE_USERNAME="${1}"
|
|
|
|
;;
|
|
|
|
--rmapp|--removeapp)
|
|
|
|
shift
|
|
|
|
REMOVE_APP="${1}"
|
|
|
|
;;
|
2016-11-19 14:23:54 +01:00
|
|
|
-a|--app|--application)
|
|
|
|
shift
|
|
|
|
CURR_APP="${1}"
|
|
|
|
;;
|
|
|
|
-p|--pass|--password|--passphrase)
|
|
|
|
shift
|
|
|
|
CURR_PASSWORD="${1}"
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
# unknown option
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
shift
|
|
|
|
done
|
|
|
|
|
2016-11-19 20:17:33 +01:00
|
|
|
if [ ${REMOVE_USERNAME} ]; then
|
|
|
|
if [ -d ~/.passwords/${REMOVE_USERNAME} ]; then
|
|
|
|
rm -rf ~/.passwords/${REMOVE_USERNAME}
|
|
|
|
fi
|
|
|
|
exit 0
|
|
|
|
fi
|
|
|
|
|
2016-11-19 14:27:48 +01:00
|
|
|
get_backup_key_id
|
2016-11-19 15:36:07 +01:00
|
|
|
|
|
|
|
# Use the backups private key as a symmetric passphrase
|
2016-11-19 20:27:41 +01:00
|
|
|
MASTER_PASSWORD=$(gpg -q --armor --export-secret-key $MY_BACKUP_KEY_ID | sed '/---/d' | sed '/Version/d' | sed '/^$/d')
|
2016-11-19 14:23:54 +01:00
|
|
|
|
|
|
|
if [ ! $CURR_USERNAME ]; then
|
2016-11-20 21:39:14 +01:00
|
|
|
echo $'Error: No username given'
|
2016-11-19 14:23:54 +01:00
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ ! -d /home/$CURR_USERNAME ]; then
|
2016-11-21 11:53:44 +01:00
|
|
|
if [[ "$CURR_USERNAME" != "root" ]]; then
|
|
|
|
echo $"Error: User $CURR_USERNAME does not exist"
|
|
|
|
exit 2
|
|
|
|
fi
|
2016-11-19 14:23:54 +01:00
|
|
|
fi
|
|
|
|
|
2016-11-19 20:17:33 +01:00
|
|
|
if [ ${REMOVE_APP} ]; then
|
|
|
|
if [ -d ~/.passwords/${CURR_USERNAME}/${REMOVE_APP} ]; then
|
|
|
|
shred -zu ~/.passwords/${CURR_USERNAME}/${REMOVE_APP}
|
|
|
|
fi
|
|
|
|
exit 0
|
|
|
|
fi
|
|
|
|
|
2016-11-19 14:23:54 +01:00
|
|
|
if [ ! $CURR_APP ]; then
|
2016-11-20 21:39:14 +01:00
|
|
|
echo $'Error: No app name given'
|
2016-11-19 14:23:54 +01:00
|
|
|
exit 3
|
|
|
|
fi
|
|
|
|
|
2016-11-19 14:35:54 +01:00
|
|
|
if [ ${#CURR_PASSWORD} -eq 0 ]; then
|
2016-11-19 14:23:54 +01:00
|
|
|
# retrieve password
|
2016-11-19 14:38:19 +01:00
|
|
|
if [ ! -f ~/.passwords/$CURR_USERNAME/$CURR_APP ]; then
|
2016-11-19 14:23:54 +01:00
|
|
|
echo ""
|
|
|
|
exit 4
|
|
|
|
else
|
2016-11-19 14:44:57 +01:00
|
|
|
pass=$(gpg -dq --passphrase "$MASTER_PASSWORD" ~/.passwords/$CURR_USERNAME/$CURR_APP)
|
2016-11-19 15:15:34 +01:00
|
|
|
echo "${pass}" | xargs
|
2016-11-19 14:23:54 +01:00
|
|
|
fi
|
|
|
|
else
|
|
|
|
# store password
|
2016-11-19 14:38:19 +01:00
|
|
|
if [ ! -d ~/.passwords/$CURR_USERNAME ]; then
|
|
|
|
mkdir -p ~/.passwords/$CURR_USERNAME
|
2016-11-19 14:23:54 +01:00
|
|
|
fi
|
2016-11-19 15:15:34 +01:00
|
|
|
# padding helps to ensure than nothing can be learned from the length of the cyphertext
|
2016-11-19 15:02:08 +01:00
|
|
|
pad_string "${CURR_PASSWORD}" | gpg -ca --cipher-algo AES256 --passphrase "$MASTER_PASSWORD" > ~/.passwords/$CURR_USERNAME/$CURR_APP
|
2016-11-19 14:38:19 +01:00
|
|
|
if [ ! -f ~/.passwords/$CURR_USERNAME/$CURR_APP ]; then
|
2016-11-19 14:23:54 +01:00
|
|
|
exit 5
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
exit 0
|