freedombone-pass 4.4KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154
  1. #!/bin/bash
  2. #
  3. # .---. . .
  4. # | | |
  5. # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
  6. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
  7. # ' ' --' --' -' - -' ' ' -' -' -' ' - --'
  8. #
  9. # Freedom in the Cloud
  10. #
  11. # It's useful to be able to store user passwords, but not a good
  12. # idea to do that in plain text. This implements a simple password
  13. # store. It gpg symmetric encrypts passwords using the backups
  14. # private key as the passphrase.
  15. #
  16. # In order for an adversary to obtain the passwords they must have
  17. # the backups GPG key, which is not obtainable from local or remote
  18. # backups and can only happen if they get root access to the system
  19. # (in which case it's game over anyhow) or if they can decrypt
  20. # a master keydrive or obtain sufficient keydrive fragments.
  21. #
  22. # License
  23. # =======
  24. #
  25. # Copyright (C) 2016 Bob Mottram <bob@freedombone.net>
  26. #
  27. # This program is free software: you can redistribute it and/or modify
  28. # it under the terms of the GNU Affero General Public License as published by
  29. # the Free Software Foundation, either version 3 of the License, or
  30. # (at your option) any later version.
  31. #
  32. # This program is distributed in the hope that it will be useful,
  33. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  34. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  35. # GNU Affero General Public License for more details.
  36. #
  37. # You should have received a copy of the GNU Affero General Public License
  38. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  39. PROJECT_NAME='freedombone'
  40. export TEXTDOMAIN=${PROJECT_NAME}-pass
  41. export TEXTDOMAINDIR="/usr/share/locale"
  42. MY_BACKUP_KEY_ID=
  43. CURR_USERNAME=
  44. CURR_APP=
  45. CURR_PASSWORD=""
  46. function get_backup_key_id {
  47. MY_BACKUP_KEY_ID=$(gpg --list-keys "(backup key)" | \
  48. grep 'pub ' | awk -F ' ' '{print $2}' | \
  49. awk -F '/' '{print $2}')
  50. if [ ${#MY_BACKUP_KEY_ID} -lt 4 ]; then
  51. echo $"gpg backup key was not found"
  52. return 58213
  53. fi
  54. }
  55. function pass_show_help {
  56. echo ''
  57. echo $"${PROJECT_NAME}-pass"
  58. echo ''
  59. echo $'Password store using gpg'
  60. echo ''
  61. echo $' -h --help Show help'
  62. echo $' -u --user [name] Username'
  63. echo $' -a --app [name] Name of the application'
  64. echo $' -p --pass [password] The password to store'
  65. echo ''
  66. echo $'To encrypt a password:'
  67. echo ''
  68. echo $" ${PROJECT_NAME}-pass -u [username] -a [app] -p [password]"
  69. echo ''
  70. echo $'To retrieve a password:'
  71. echo $''
  72. echo $" ${PROJECT_NAME}-pass -u [username] -a [app]"
  73. echo ''
  74. exit 0
  75. }
  76. function pad_string {
  77. echo -n -e "$1" | sed -e :a -e 's/^.\{1,128\}$/& /;ta'
  78. }
  79. while [[ $# > 1 ]]
  80. do
  81. key="$1"
  82. case $key in
  83. -h|--help)
  84. pass_show_help
  85. ;;
  86. -u|--user|--username)
  87. shift
  88. CURR_USERNAME="${1}"
  89. ;;
  90. -a|--app|--application)
  91. shift
  92. CURR_APP="${1}"
  93. ;;
  94. -p|--pass|--password|--passphrase)
  95. shift
  96. CURR_PASSWORD="${1}"
  97. ;;
  98. *)
  99. # unknown option
  100. ;;
  101. esac
  102. shift
  103. done
  104. get_backup_key_id
  105. # Use the backups private key as a symmetric passphrase
  106. MASTER_PASSWORD=$(gpg -q --armor --export-secret-key $MY_BACKUP_KEY_ID)
  107. if [ ! $CURR_USERNAME ]; then
  108. echo $'No username given'
  109. exit 1
  110. fi
  111. if [ ! -d /home/$CURR_USERNAME ]; then
  112. echo $"User $CURR_USERNAME does not exist"
  113. exit 2
  114. fi
  115. if [ ! $CURR_APP ]; then
  116. echo $'No app name given'
  117. exit 3
  118. fi
  119. if [ ${#CURR_PASSWORD} -eq 0 ]; then
  120. # retrieve password
  121. if [ ! -f ~/.passwords/$CURR_USERNAME/$CURR_APP ]; then
  122. echo ""
  123. exit 4
  124. else
  125. pass=$(gpg -dq --passphrase "$MASTER_PASSWORD" ~/.passwords/$CURR_USERNAME/$CURR_APP)
  126. echo "${pass}" | xargs
  127. fi
  128. else
  129. # store password
  130. if [ ! -d ~/.passwords/$CURR_USERNAME ]; then
  131. mkdir -p ~/.passwords/$CURR_USERNAME
  132. fi
  133. # padding helps to ensure than nothing can be learned from the length of the cyphertext
  134. pad_string "${CURR_PASSWORD}" | gpg -ca --cipher-algo AES256 --passphrase "$MASTER_PASSWORD" > ~/.passwords/$CURR_USERNAME/$CURR_APP
  135. if [ ! -f ~/.passwords/$CURR_USERNAME/$CURR_APP ]; then
  136. exit 5
  137. fi
  138. fi
  139. exit 0