freedombone-pass 9.3KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327
  1. #!/bin/bash
  2. #
  3. # .---. . .
  4. # | | |
  5. # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
  6. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
  7. # ' ' --' --' -' - -' ' ' -' -' -' ' - --'
  8. #
  9. # Freedom in the Cloud
  10. #
  11. # It's useful to be able to store user passwords, but not a good
  12. # idea to do that in plain text. This implements a simple password
  13. # store. It gpg symmetric encrypts passwords using the backups
  14. # private key as the passphrase.
  15. #
  16. # In order for an adversary to obtain the passwords they must have
  17. # the backups GPG key, which is not obtainable from local or remote
  18. # backups and can only happen if they get root access to the system
  19. # (in which case it's game over anyhow) or if they can decrypt
  20. # a master keydrive or obtain sufficient keydrive fragments.
  21. #
  22. # License
  23. # =======
  24. #
  25. # Copyright (C) 2016 Bob Mottram <bob@freedombone.net>
  26. #
  27. # This program is free software: you can redistribute it and/or modify
  28. # it under the terms of the GNU Affero General Public License as published by
  29. # the Free Software Foundation, either version 3 of the License, or
  30. # (at your option) any later version.
  31. #
  32. # This program is distributed in the hope that it will be useful,
  33. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  34. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  35. # GNU Affero General Public License for more details.
  36. #
  37. # You should have received a copy of the GNU Affero General Public License
  38. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  39. PROJECT_NAME='freedombone'
  40. export TEXTDOMAIN=${PROJECT_NAME}-pass
  41. export TEXTDOMAINDIR="/usr/share/locale"
  42. MY_BACKUP_KEY_ID=
  43. CURR_USERNAME=
  44. REMOVE_USERNAME=
  45. CURR_APP=
  46. REMOVE_APP=
  47. CURR_PASSWORD=""
  48. TESTS=
  49. EXPORT_FILENAME=
  50. MASTER_PASSWORD=''
  51. # If this file is present then don't store passwords
  52. NO_PASSWORD_STORE_FILE=~/.nostore
  53. function get_backup_key_id {
  54. MY_BACKUP_KEY_ID=$(gpg --list-keys "(backup key)" | sed -n '2p' | sed 's/^[ \t]*//')
  55. if [ ${#MY_BACKUP_KEY_ID} -lt 4 ]; then
  56. echo $"Error: gpg backup key was not found"
  57. return 58213
  58. fi
  59. }
  60. function pass_show_help {
  61. echo ''
  62. echo $"${PROJECT_NAME}-pass"
  63. echo ''
  64. echo $'Password store using gpg'
  65. echo ''
  66. echo $' -h --help Show help'
  67. echo $' -u --user [name] Username'
  68. echo $' -a --app [name] Name of the application'
  69. echo $' -p --pass [password] The password to store'
  70. echo $' --export [filename] Export to KeepassX XML'
  71. echo ''
  72. echo $'To encrypt a password:'
  73. echo ''
  74. echo $" ${PROJECT_NAME}-pass -u [username] -a [app] -p [password]"
  75. echo ''
  76. echo $'To retrieve a password:'
  77. echo $''
  78. echo $" ${PROJECT_NAME}-pass -u [username] -a [app]"
  79. echo ''
  80. echo $'To remove passwords for a user:'
  81. echo $''
  82. echo $" ${PROJECT_NAME}-pass -r [username]"
  83. echo ''
  84. echo $'To remove an application password for a user:'
  85. echo $''
  86. echo $" ${PROJECT_NAME}-pass --u [username] --rmapp [name]"
  87. echo ''
  88. exit 0
  89. }
  90. function pad_string {
  91. pass_string="$1"
  92. str_length=${#pass_string}
  93. total_padding=$((128 - str_length))
  94. leading_padding=$((1 + RANDOM % $total_padding))
  95. trailing_padding=$((total_padding - leading_padding))
  96. leading=$(printf "%-${leading_padding}s")
  97. trailing=$(printf "%-${trailing_padding}s")
  98. echo "${leading}${pass_string}${trailing}"
  99. }
  100. function remove_padding {
  101. padded_string="$1"
  102. echo -e "${padded_string}" | tr -d '[:space:]'
  103. }
  104. function run_tests {
  105. pass="SuperSecretPassword"
  106. padded=$(pad_string "$pass")
  107. if [ ${#padded} -ne 128 ]; then
  108. echo $'Incorrect padded length'
  109. exit 78352
  110. fi
  111. ${PROJECT_NAME}-pass -u root -a tests -p "$pass"
  112. returned_pass=$(${PROJECT_NAME}-pass -u root -a tests)
  113. if [[ "$pass" != "$returned_pass" ]]; then
  114. echo "pass :${pass}:"
  115. echo "padded :${padded}:"
  116. echo "returned :${returned_pass}:"
  117. exit 73825
  118. fi
  119. ${PROJECT_NAME}-pass -u root --rmapp tests
  120. echo "Tests passed"
  121. }
  122. function clear_passwords {
  123. # remove all passwords except for the root one, which is needed
  124. # for automatic database backups
  125. for d in /root/.passwords/*/ ; do
  126. USERNAME=$(echo "$d" | awk -F '/' '{print $4}')
  127. if [[ "$USERNAME" != 'root' ]]; then
  128. shred -zu /root/.passwords/$USERNAME/*
  129. rm -rf /root/.passwords/$USERNAME
  130. fi
  131. done
  132. if [ ! -f $NO_PASSWORD_STORE_FILE ]; then
  133. touch $NO_PASSWORD_STORE_FILE
  134. fi
  135. echo $'Passwords cleared. Future passwords will not be stored.'
  136. exit 0
  137. }
  138. function export_to_keepass {
  139. filename="$1"
  140. echo '<database>' > $filename
  141. echo ' <group>' >> $filename
  142. echo " <title>${PROJECT_NAME}</title>" >> $filename
  143. echo ' <icon>48</icon>' >> $filename
  144. for d in /root/.passwords/*/ ; do
  145. USERNAME=$(echo "$d" | awk -F '/' '{print $4}')
  146. echo ' <group>' >> $filename
  147. echo " <title>$USERNAME</title>" >> $filename
  148. echo ' <icon>0</icon>' >> $filename
  149. for a in /root/.passwords/$USERNAME/* ; do
  150. APP_NAME=$(basename $a)
  151. app_password=$(${PROJECT_NAME}-pass -u $USERNAME -a $APP_NAME)
  152. echo ' <entry>' >> $filename
  153. echo " <title>$APP_NAME</title>" >> $filename
  154. echo " <username>$USERNAME</username>" >> $filename
  155. echo " <password>$app_password</password>" >> $filename
  156. echo ' <url/>' >> $filename
  157. echo ' <comment/>' >> $filename
  158. echo ' <icon>0</icon>' >> $filename
  159. echo ' <expire>Never</expire>' >> $filename
  160. echo ' </entry>' >> $filename
  161. done
  162. echo ' </group>' >> $filename
  163. done
  164. echo ' </group>' >> $filename
  165. echo '</database>' >> $filename
  166. echo $"Exported $filename"
  167. }
  168. while [[ $# > 1 ]]
  169. do
  170. key="$1"
  171. case $key in
  172. -h|--help)
  173. pass_show_help
  174. ;;
  175. -t|--test)
  176. shift
  177. TESTS=1
  178. ;;
  179. -c|--clear|--erase)
  180. clear_passwords
  181. ;;
  182. -e|--enable)
  183. shift
  184. if [ -f $NO_PASSWORD_STORE_FILE ]; then
  185. rm $NO_PASSWORD_STORE_FILE
  186. echo $'Password storage has been enabled'
  187. fi
  188. ;;
  189. -u|--user|--username)
  190. shift
  191. CURR_USERNAME="${1}"
  192. ;;
  193. -r|--rm|--remove)
  194. shift
  195. REMOVE_USERNAME="${1}"
  196. ;;
  197. --rmapp|--removeapp)
  198. shift
  199. REMOVE_APP="${1}"
  200. ;;
  201. -a|--app|--application)
  202. shift
  203. CURR_APP="${1}"
  204. ;;
  205. --export)
  206. shift
  207. EXPORT_FILENAME="${1}"
  208. ;;
  209. --master)
  210. shift
  211. MASTER_PASSWORD="${1}"
  212. ;;
  213. -p|--pass|--password|--passphrase)
  214. shift
  215. CURR_PASSWORD="${1}"
  216. ;;
  217. *)
  218. # unknown option
  219. ;;
  220. esac
  221. shift
  222. done
  223. if [ ${REMOVE_USERNAME} ]; then
  224. if [ -d ~/.passwords/${REMOVE_USERNAME} ]; then
  225. rm -rf ~/.passwords/${REMOVE_USERNAME}
  226. fi
  227. exit 0
  228. fi
  229. get_backup_key_id
  230. if [ ${#MASTER_PASSWORD} -eq 0 ]; then
  231. if [ ! -d /root/.passwords/root ]; then
  232. mkdir -p /root/.passwords/root
  233. fi
  234. if [ ! -f /root/.passwords/root/master ]; then
  235. newpass=$(openssl rand -base64 64 | tr -dc A-Za-z0-9 | head -c 30)
  236. echo "$newpass" > /root/.passwords/root/master
  237. chmod 700 /root/.passwords/root/master
  238. fi
  239. MASTER_PASSWORD=$(cat /root/.passwords/root/master)
  240. fi
  241. if [ $TESTS ]; then
  242. run_tests
  243. exit 0
  244. fi
  245. if [ $EXPORT_FILENAME ]; then
  246. export_to_keepass $EXPORT_FILENAME
  247. exit 0
  248. fi
  249. if [ ! $CURR_USERNAME ]; then
  250. echo $'Error: No username given'
  251. exit 1
  252. fi
  253. if [ ! -d /home/$CURR_USERNAME ]; then
  254. if [[ "$CURR_USERNAME" != "root" ]]; then
  255. echo $"Error: User $CURR_USERNAME does not exist"
  256. exit 2
  257. fi
  258. fi
  259. if [ ${REMOVE_APP} ]; then
  260. if [ -d ~/.passwords/${CURR_USERNAME}/${REMOVE_APP} ]; then
  261. shred -zu ~/.passwords/${CURR_USERNAME}/${REMOVE_APP}
  262. fi
  263. exit 0
  264. fi
  265. if [ ! $CURR_APP ]; then
  266. echo $'Error: No app name given'
  267. exit 3
  268. fi
  269. if [ ${#CURR_PASSWORD} -eq 0 ]; then
  270. # retrieve password
  271. if [ ! -f ~/.passwords/$CURR_USERNAME/$CURR_APP ]; then
  272. MASTER_PASSWORD=
  273. echo ""
  274. exit 4
  275. else
  276. pass=$(gpg -dq --passphrase "$MASTER_PASSWORD" ~/.passwords/$CURR_USERNAME/$CURR_APP)
  277. remove_padding "${pass}"
  278. fi
  279. else
  280. # store password
  281. if [ -f $NO_PASSWORD_STORE_FILE ]; then
  282. if [[ "$CURR_USERNAME" != 'root' ]]; then
  283. MASTER_PASSWORD=
  284. exit 0
  285. fi
  286. fi
  287. if [ ! -d ~/.passwords/$CURR_USERNAME ]; then
  288. mkdir -p ~/.passwords/$CURR_USERNAME
  289. fi
  290. # padding helps to ensure than nothing can be learned from the length of the cyphertext
  291. pad_string "${CURR_PASSWORD}" | gpg -ca --cipher-algo AES256 --passphrase "$MASTER_PASSWORD" > ~/.passwords/$CURR_USERNAME/$CURR_APP
  292. if [ ! -f ~/.passwords/$CURR_USERNAME/$CURR_APP ]; then
  293. MASTER_PASSWORD=
  294. exit 5
  295. fi
  296. fi
  297. MASTER_PASSWORD=
  298. exit 0