freedombone-pass 9.4KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330
  1. #!/bin/bash
  2. # _____ _ _
  3. # | __|___ ___ ___ _| |___ _____| |_ ___ ___ ___
  4. # | __| _| -_| -_| . | . | | . | . | | -_|
  5. # |__| |_| |___|___|___|___|_|_|_|___|___|_|_|___|
  6. #
  7. # Freedom in the Cloud
  8. #
  9. # It's useful to be able to store user passwords, but not a good
  10. # idea to do that in plain text. This implements a simple password
  11. # store. It gpg symmetric encrypts passwords using the backups
  12. # private key as the passphrase.
  13. #
  14. # In order for an adversary to obtain the passwords they must have
  15. # the backups GPG key, which is not obtainable from local or remote
  16. # backups and can only happen if they get root access to the system
  17. # (in which case it's game over anyhow) or if they can decrypt
  18. # a master keydrive or obtain sufficient keydrive fragments.
  19. #
  20. # License
  21. # =======
  22. #
  23. # Copyright (C) 2016-2018 Bob Mottram <bob@freedombone.net>
  24. #
  25. # This program is free software: you can redistribute it and/or modify
  26. # it under the terms of the GNU Affero General Public License as published by
  27. # the Free Software Foundation, either version 3 of the License, or
  28. # (at your option) any later version.
  29. #
  30. # This program is distributed in the hope that it will be useful,
  31. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  32. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  33. # GNU Affero General Public License for more details.
  34. #
  35. # You should have received a copy of the GNU Affero General Public License
  36. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  37. PROJECT_NAME='freedombone'
  38. export TEXTDOMAIN=${PROJECT_NAME}-pass
  39. export TEXTDOMAINDIR="/usr/share/locale"
  40. MY_BACKUP_KEY_ID=
  41. CURR_USERNAME=
  42. REMOVE_USERNAME=
  43. CURR_APP=
  44. REMOVE_APP=
  45. CURR_PASSWORD=""
  46. TESTS=
  47. EXPORT_FILENAME=
  48. MASTER_PASSWORD=''
  49. # If this file is present then don't store passwords
  50. NO_PASSWORD_STORE_FILE=~/.nostore
  51. function get_backup_key_id {
  52. MY_BACKUP_KEY_ID=$(gpg --list-keys "(backup key)" | sed -n '2p' | sed 's/^[ \t]*//')
  53. if [ ${#MY_BACKUP_KEY_ID} -lt 4 ]; then
  54. echo $"Error: gpg backup key was not found"
  55. exit 58213
  56. fi
  57. }
  58. function pass_show_help {
  59. echo ''
  60. echo $"${PROJECT_NAME}-pass"
  61. echo ''
  62. echo $'Password store using gpg'
  63. echo ''
  64. echo $' -h --help Show help'
  65. echo $' -u --user [name] Username'
  66. echo $' -a --app [name] Name of the application'
  67. echo $' -p --pass [password] The password to store'
  68. echo $' --export [filename] Export to KeepassX XML'
  69. echo ''
  70. echo $'To encrypt a password:'
  71. echo ''
  72. echo $" ${PROJECT_NAME}-pass -u [username] -a [app] -p [password]"
  73. echo ''
  74. echo $'To retrieve a password:'
  75. echo $''
  76. echo $" ${PROJECT_NAME}-pass -u [username] -a [app]"
  77. echo ''
  78. echo $'To remove passwords for a user:'
  79. echo $''
  80. echo $" ${PROJECT_NAME}-pass -r [username]"
  81. echo ''
  82. echo $'To remove an application password for a user:'
  83. echo $''
  84. echo $" ${PROJECT_NAME}-pass --u [username] --rmapp [name]"
  85. echo ''
  86. exit 0
  87. }
  88. function pad_string {
  89. pass_string="$1"
  90. str_length=${#pass_string}
  91. total_padding=$((128 - str_length))
  92. leading_padding=$((1 + RANDOM % total_padding))
  93. trailing_padding=$((total_padding - leading_padding))
  94. leading=$(printf "%-${leading_padding}s")
  95. trailing=$(printf "%-${trailing_padding}s")
  96. echo "${leading}${pass_string}${trailing}"
  97. }
  98. function remove_padding {
  99. padded_string="$1"
  100. echo -e "${padded_string}" | tr -d '[:space:]'
  101. }
  102. function run_tests {
  103. pass="SuperSecretPassword"
  104. padded=$(pad_string "$pass")
  105. if [ ${#padded} -ne 128 ]; then
  106. echo $'Incorrect padded length'
  107. exit 78352
  108. fi
  109. if ! "${PROJECT_NAME}-pass" -u root -a tests -p "$pass"; then
  110. echo $'Unable to encrypt password'
  111. exit 72725
  112. fi
  113. echo $'Password encrypted'
  114. returned_pass=$(${PROJECT_NAME}-pass -u root -a tests)
  115. if [[ "$pass" != "$returned_pass" ]]; then
  116. echo "pass :${pass}:"
  117. echo "padded :${padded}:"
  118. echo "returned :${returned_pass}:"
  119. exit 73825
  120. fi
  121. echo $'Password decrypted'
  122. ${PROJECT_NAME}-pass -u root --rmapp tests
  123. echo "Tests passed"
  124. }
  125. function clear_passwords {
  126. # remove all passwords except for the root one, which is needed
  127. # for automatic database backups
  128. for d in /root/.passwords/*/ ; do
  129. USERNAME=$(echo "$d" | awk -F '/' '{print $4}')
  130. if [[ "$USERNAME" != 'root' ]]; then
  131. shred -zu "/root/.passwords/$USERNAME/"*
  132. rm -rf "/root/.passwords/$USERNAME"
  133. fi
  134. done
  135. if [ ! -f $NO_PASSWORD_STORE_FILE ]; then
  136. touch $NO_PASSWORD_STORE_FILE
  137. fi
  138. echo $'Passwords cleared. Future passwords will not be stored.'
  139. exit 0
  140. }
  141. function export_to_keepass {
  142. filename="$1"
  143. { echo '<database>';
  144. echo ' <group>';
  145. echo " <title>${PROJECT_NAME}</title>";
  146. echo ' <icon>48</icon>'; } > "$filename"
  147. for d in /root/.passwords/*/ ; do
  148. USERNAME=$(echo "$d" | awk -F '/' '{print $4}')
  149. { echo ' <group>';
  150. echo " <title>$USERNAME</title>";
  151. echo ' <icon>0</icon>'; } >> "$filename"
  152. for a in /root/.passwords/$USERNAME/* ; do
  153. APP_NAME=$(basename "$a")
  154. app_password=$("${PROJECT_NAME}-pass" -u "$USERNAME" -a "$APP_NAME")
  155. { echo ' <entry>';
  156. echo " <title>$APP_NAME</title>";
  157. echo " <username>$USERNAME</username>";
  158. echo " <password>$app_password</password>";
  159. echo ' <url/>';
  160. echo ' <comment/>';
  161. echo ' <icon>0</icon>';
  162. echo ' <expire>Never</expire>';
  163. echo ' </entry>'; } >> "$filename"
  164. done
  165. echo ' </group>' >> "$filename"
  166. done
  167. echo ' </group>' >> "$filename"
  168. echo '</database>' >> "$filename"
  169. echo $"Exported $filename"
  170. }
  171. while [ $# -gt 1 ]
  172. do
  173. key="$1"
  174. case $key in
  175. -h|--help)
  176. pass_show_help
  177. ;;
  178. -t|--test)
  179. shift
  180. TESTS=1
  181. ;;
  182. -c|--clear|--erase)
  183. clear_passwords
  184. ;;
  185. -e|--enable)
  186. shift
  187. if [ -f $NO_PASSWORD_STORE_FILE ]; then
  188. rm $NO_PASSWORD_STORE_FILE
  189. echo $'Password storage has been enabled'
  190. fi
  191. ;;
  192. -u|--user|--username)
  193. shift
  194. CURR_USERNAME="${1}"
  195. ;;
  196. -r|--rm|--remove)
  197. shift
  198. REMOVE_USERNAME="${1}"
  199. ;;
  200. --rmapp|--removeapp)
  201. shift
  202. REMOVE_APP="${1}"
  203. ;;
  204. -a|--app|--application)
  205. shift
  206. CURR_APP="${1}"
  207. ;;
  208. --export)
  209. shift
  210. EXPORT_FILENAME="${1}"
  211. ;;
  212. --master)
  213. shift
  214. MASTER_PASSWORD="${1}"
  215. ;;
  216. -p|--pass|--password|--passphrase)
  217. shift
  218. CURR_PASSWORD="${1}"
  219. ;;
  220. *)
  221. # unknown option
  222. ;;
  223. esac
  224. shift
  225. done
  226. if [ "${REMOVE_USERNAME}" ]; then
  227. if [ -d "${HOME}/.passwords/${REMOVE_USERNAME}" ]; then
  228. rm -rf "${HOME}/.passwords/${REMOVE_USERNAME}"
  229. fi
  230. exit 0
  231. fi
  232. get_backup_key_id
  233. if [ ${#MASTER_PASSWORD} -eq 0 ]; then
  234. if [ ! -d /root/.passwords/root ]; then
  235. mkdir -p /root/.passwords/root
  236. fi
  237. if [ ! -f /root/.passwords/root/master ]; then
  238. newpass=$(openssl rand -base64 64 | tr -dc A-Za-z0-9 | head -c 30)
  239. echo "$newpass" > /root/.passwords/root/master
  240. chmod 700 /root/.passwords/root/master
  241. fi
  242. MASTER_PASSWORD=$(cat /root/.passwords/root/master)
  243. fi
  244. if [ $TESTS ]; then
  245. run_tests
  246. exit 0
  247. fi
  248. if [ "$EXPORT_FILENAME" ]; then
  249. export_to_keepass "$EXPORT_FILENAME"
  250. exit 0
  251. fi
  252. if [ ! "$CURR_USERNAME" ]; then
  253. echo $'Error: No username given'
  254. exit 1
  255. fi
  256. if [ ! -d "/home/$CURR_USERNAME" ]; then
  257. if [[ "$CURR_USERNAME" != "root" ]]; then
  258. echo $"Error: User $CURR_USERNAME does not exist"
  259. exit 2
  260. fi
  261. fi
  262. if [ "${REMOVE_APP}" ]; then
  263. if [ -d "${HOME}/.passwords/${CURR_USERNAME}/${REMOVE_APP}" ]; then
  264. shred -zu "${HOME}/.passwords/${CURR_USERNAME}/${REMOVE_APP}"
  265. fi
  266. exit 0
  267. fi
  268. if [ ! "$CURR_APP" ]; then
  269. echo $'Error: No app name given'
  270. exit 3
  271. fi
  272. if [ ${#CURR_PASSWORD} -eq 0 ]; then
  273. # retrieve password
  274. if [ ! -f "${HOME}/.passwords/$CURR_USERNAME/$CURR_APP" ]; then
  275. MASTER_PASSWORD=
  276. echo ""
  277. exit 4
  278. else
  279. pass=$(gpg --batch -dq --passphrase "$MASTER_PASSWORD" "${HOME}/.passwords/$CURR_USERNAME/$CURR_APP")
  280. remove_padding "${pass}"
  281. fi
  282. else
  283. # store password
  284. if [ -f $NO_PASSWORD_STORE_FILE ]; then
  285. if [[ "$CURR_USERNAME" != 'root' ]]; then
  286. MASTER_PASSWORD=
  287. exit 0
  288. fi
  289. fi
  290. if [ ! -d "${HOME}/.passwords/$CURR_USERNAME" ]; then
  291. mkdir -p "${HOME}/.passwords/$CURR_USERNAME"
  292. fi
  293. # padding helps to ensure than nothing can be learned from the length of the cyphertext
  294. pad_string "${CURR_PASSWORD}" | gpg --batch -ca --cipher-algo AES256 --passphrase "$MASTER_PASSWORD" > "${HOME}/.passwords/$CURR_USERNAME/$CURR_APP"
  295. if [ ! -f "${HOME}/.passwords/$CURR_USERNAME/$CURR_APP" ]; then
  296. MASTER_PASSWORD=
  297. exit 5
  298. fi
  299. fi
  300. MASTER_PASSWORD=
  301. exit 0