1
0
mirror of https://github.com/octoleo/Purse.git synced 2024-12-29 12:32:39 +00:00

Version 3 beta

This commit is contained in:
drduh 2024-03-10 14:59:33 -07:00
parent 7074a8bf4c
commit 5cc6c81ed0
4 changed files with 93 additions and 103 deletions

3
.gitignore vendored Normal file
View File

@ -0,0 +1,3 @@
purse.*.tar
purse.index
safe/

View File

@ -1,6 +1,6 @@
The MIT License (MIT) The MIT License (MIT)
Copyright (c) 2018-2020 drduh Copyright (c) 2018 drduh
Permission is hereby granted, free of charge, to any person obtaining a copy Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal of this software and associated documentation files (the "Software"), to deal

View File

@ -2,60 +2,35 @@
Purse is a fork of [drduh/pwd.sh](https://github.com/drduh/pwd.sh). Purse is a fork of [drduh/pwd.sh](https://github.com/drduh/pwd.sh).
Both programs are Bash shell scripts which use [GPG](https://www.gnupg.org/) to manage passwords and other secrets in encrypted text files. Purse uses asymmetric (public-key) authentication, while pwd.sh uses symmetric (password-based) authentication. Both programs are Bash shell scripts which use [GnuPG](https://www.gnupg.org/) to manage passwords and other secrets in encrypted text files. Purse is based on asymmetric (public-key) authentication, while pwd.sh is based on symmetric (password-based) authentication.
While both scripts use a trusted crypto implementation (GPG) and safely handle passwords (never saving plaintext to disk), Purse eliminates the need to remember and use a master password - just plug in a YubiKey, enter the PIN, then touch it to decrypt a password to clipboard. While both scripts use a trusted crypto implementation (GnuPG) and safely handle passwords (never saving plaintext to disk), Purse eliminates the need to remember and use a master password - just plug in a YubiKey, enter the PIN, then touch it to decrypt a password to clipboard.
By using Purse with YubiKey, the risk of master password theft or keylogging is eliminated - only physical possession of the Yubikey AND knowledge of the PIN can unlock the encrypted index and password files. By using Purse with YubiKey, the risk of master password theft or keylogging is eliminated - only physical possession of the Yubikey AND knowledge of the PIN can unlock the encrypted index and password files.
# Release notes # Release notes
## Version 2b1 (2020) See [Releases](https://github.com/drduh/Purse/releases)
Minor update to the second release. Currently in beta testing. Compatible on Linux, OpenBSD, macOS.
Changelist:
* Purse now uses a GPG keygroup to encrypt secrets to multiple recipients for improved reliability. The program will prompt for key IDs to define the keygroup; a single key ID can still be used.
* Encrypted index is now optional and off by default, allowing a single touch to encrypt and decrypt secrets instead of two.
* GPG configuration file is now included in Purse backup archives.
## Version 2b (2019)
The second release of purse.sh features several security and reliability improvements, and is an optional upgrade. Currently in beta testing. Compatible on Linux, OpenBSD, macOS.
Known issues:
* Read actions now require two Yubikey touches, if touch to decrypt is enabled - once for the index and twice for the encrypted password file.
Changelist:
* Passwords are now encrypted as individual files, rather than all encrypted as a single flat file.
* Individual password filenames are random, mapped to usernames in an encrypted index file.
* Index and password files are now "immutable" using chmod while purse.sh is not running.
* Read passwords are now copied to clipboard and cleared after a timeout, instead of printed to stdout.
* Use printf instead of echo for improved portability.
* New option: list passwords in the index.
* New option: create tar archive for backup.
* Removed option: delete password; the index is now a permanent ledger.
* Removed option: read all passwords; no use case for having a single command.
* Removed option: suppress generated password output; should be read from safe to verify save.
## Version 1 (2018)
The original release which has been available for general use and review since June 2018 (forked from pwd.sh which dates to 2015). There are no known bugs nor security vulnerabilities identified in this stable version of purse.sh. Compatible on Linux, OpenBSD, macOS.
# Use # Use
This script requires a GPG identity - see [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) to set one up. Multiple identities stored on several YubiKeys are recommended for reliability. This script requires a GnuPG identity - see [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) to set one up. Multiple identities stored on several YubiKeys are recommended for improved durability and reliability.
Clone the repository:
```console ```console
$ git clone https://github.com/drduh/Purse git clone https://github.com/drduh/Purse
``` ```
(Version 2b and older) Set your GPG key ID with `export PURSE_KEYID=0xFF3E7D88647EBCDB` or by editing `purse.sh`. Or download the script directly:
`cd purse.sh` and run the script interactively using `./purse.sh` or symlink to a directory in `PATH`: ```console
wget https://github.com/drduh/Purse/blob/master/purse.sh
```
(Version 2b and older) Set the GnuPG key ID with `export PURSE_KEYID=0xFF3E7D88647EBCDB` or by editing `purse.sh`
Run the script interactively using `./purse.sh` or symlink to a directory in `PATH`:
* Type `w` to write a password * Type `w` to write a password
* Type `r` to read a password * Type `r` to read a password
@ -67,46 +42,40 @@ Options can also be passed on the command line.
Example usage: Example usage:
Create a 30-character password for `userName`: Create a 20-character password for `userName`:
```console ```console
$ ./purse.sh w userName 30 ./purse.sh w userName 20
``` ```
Read password for `userName`: Read password for `userName`:
```console ```console
$ ./purse.sh r userName ./purse.sh r userName
``` ```
Passwords are stored with a timestamp for revision control. The most recent version is copied to clipboard on read. To list all passwords or read a previous version of a password: Passwords are stored with a timestamp for revision control. The most recent version is copied to clipboard on read. To list all passwords or read a specific version of a password:
```console ```console
$ ./purse.sh l ./purse.sh l
$ ./purse.sh r userName@1574723600 ./purse.sh r userName@1574723600
``` ```
Create an archive for backup: Create an archive for backup:
```console ```console
$ ./purse.sh b ./purse.sh b
``` ```
Restore an archive from backup: Restore an archive from backup:
```console ```console
$ tar xvf purse*tar tar xvf purse*tar
``` ```
The backup contains only encrypted passwords and can be publicly shared for use on trusted computers. For additional privacy, the recipient key ID is **not** included in GPG metadata (`throw-keyids` option). The password index file can also be encrypted by changing the `encrypt_index` variable to `true` in the script. **Note** For additional privacy, the recipient key ID is **not** included in metadata (`throw-keyids` option).
See [drduh/config/gpg.conf](https://github.com/drduh/config/blob/master/gpg.conf) for additional GPG configuration options. The password index file can also be encrypted by changing the `encrypt_index` variable to `true` in the script.
# Similar software See [config/gpg.conf](https://github.com/drduh/config/blob/master/gpg.conf) for additional configuration options.
* [drduh/pwd.sh](https://github.com/drduh/pwd.sh)
* [zx2c4/password-store](https://github.com/zx2c4/password-store)
* [caodonnell/passman.sh: a pwd.sh fork](https://github.com/caodonnell/passman.sh)
* [bndw/pick: command-line password manager for macOS and Linux](https://github.com/bndw/pick)
* [anders/pwgen: generate passwords using OS X Security framework](https://github.com/anders/pwgen)

102
purse.sh
View File

@ -1,29 +1,33 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# https://github.com/drduh/Purse/blob/master/purse.sh # https://github.com/drduh/Purse/blob/master/purse.sh
set -o errtrace set -o errtrace
set -o nounset set -o nounset
set -o pipefail set -o pipefail
#set -x # uncomment to debug #set -x # uncomment to debug
umask 077 umask 077
encrypt_index="false" cb_timeout=10 # seconds to keep password on clipboard
now=$(date +%s) daily_backup="false" # if true, create daily archive on write
copy="$(command -v xclip || command -v pbcopy)" encrypt_index="false" # if true, requires 2 touches to decrypt
gpg="$(command -v gpg || command -v gpg2)" pass_copy="false" # if true, keep password on clipboard before write
pass_len=14 # default password length
pass_chars="[:alnum:]!@#$%^&*();:+="
gpgconf="${HOME}/.gnupg/gpg.conf" gpgconf="${HOME}/.gnupg/gpg.conf"
backuptar="${PURSE_BACKUP:=purse.$(hostname).$(date +%F).tar}" backuptar="${PURSE_BACKUP:=purse.$(hostname).$(date +%F).tar}"
safeix="${PURSE_INDEX:=purse.index}" safeix="${PURSE_INDEX:=purse.index}"
safedir="${PURSE_SAFE:=safe}" safedir="${PURSE_SAFE:=safe}"
script="$(basename $BASH_SOURCE)"
timeout=10 now="$(date +%s)"
copy="$(command -v xclip || command -v pbcopy)"
gpg="$(command -v gpg || command -v gpg2)"
script="$(basename "${BASH_SOURCE}")"
fail () { fail () {
# Print an error message and exit. # Print an error message and exit.
tput setaf 1 1 1 ; printf "\nError: %s\n" "${1}" ; tput sgr0 tput setaf 1 ; printf "\nError: %s\n" "${1}" ; tput sgr0
exit 1 exit 1
} }
@ -53,7 +57,8 @@ get_pass () {
decrypt () { decrypt () {
# Decrypt with GPG. # Decrypt with GPG.
cat "${1}" | ${gpg} --armor --batch --decrypt 2>/dev/null cat "${1}" | \
${gpg} --armor --batch --decrypt 2>/dev/null
} }
encrypt () { encrypt () {
@ -80,17 +85,20 @@ read_pass () {
prompt_key "index" prompt_key "index"
spath=$(decrypt "${safeix}" | \ spath=$(decrypt "${safeix}" | \
grep -F "${username}" | tail -n1 | cut -d ":" -f2) || \ grep -F "${username}" | tail -1 | cut -d ":" -f2) || \
fail "Decryption failed" fail "Decryption failed"
else else
spath=$(grep -F "${username}" "${safeix}" | \ spath=$(grep -F "${username}" "${safeix}" | \
tail -n1 | cut -d ":" -f2) tail -1 | cut -d ":" -f2)
fi fi
prompt_key "password" prompt_key "password"
clip <(decrypt "${spath}" | head -n1) || \ if [[ -s "${spath}" ]] ; then
clip <(decrypt "${spath}" | head -1) || \
fail "Decryption failed" fail "Decryption failed"
else fail "Secret not available"
fi
} }
prompt_key () { prompt_key () {
@ -104,28 +112,30 @@ prompt_key () {
gen_pass () { gen_pass () {
# Generate a password using GPG. # Generate a password using GPG.
len=20
max=80
if [[ -z "${3+x}" ]] ; then read -r -p " if [[ -z "${3+x}" ]] ; then read -r -p "
Password length (default: ${len}, max: ${max}): " length Password length (default: ${pass_len}): " length
else length="${3}" ; fi else length="${3}" ; fi
if [[ ${length} =~ ^[0-9]+$ ]] ; then len=${length} ; fi if [[ ${length} =~ ^[0-9]+$ ]] ; then pass_len=${length} ; fi
# base64: 4 characters for every 3 bytes LC_LANG=C tr -dc "${pass_chars}" < /dev/urandom | \
${gpg} --armor --gen-random 0 "$((max * 3 / 4))" | cut -c -"${len}" fold -w "${pass_len}" | head -1
} }
write_pass () { write_pass () {
# Write a password and update index file. # Write a password and update the index.
fpath=$(tr -dc "[:lower:]" < /dev/urandom | fold -w8 | head -n1) if [[ "${pass_copy}" = "true" ]] ; then
spath=${safedir}/${fpath} clip <(printf '%s' "${userpass}")
fi
fpath="$(LC_LANG=C tr -dc '[:lower:]' < /dev/urandom | fold -w10 | head -1)"
spath="${safedir}/${fpath}"
printf '%s\n' "${userpass}" | \ printf '%s\n' "${userpass}" | \
encrypt "${spath}" - || \ encrypt "${spath}" - || \
fail "Failed to put ${spath}" fail "Failed to put ${spath}"
userpass=""
if [[ "${encrypt_index}" = "true" ]] ; then if [[ "${encrypt_index}" = "true" ]] ; then
prompt_key "index" prompt_key "index"
@ -139,7 +149,6 @@ write_pass () {
else else
printf "%s@%s:%s\n" "${username}" "${now}" "${spath}" >> "${safeix}" printf "%s@%s:%s\n" "${username}" "${now}" "${spath}" >> "${safeix}"
fi fi
} }
list_entry () { list_entry () {
@ -151,16 +160,17 @@ list_entry () {
prompt_key "index" prompt_key "index"
decrypt "${safeix}" || fail "Decryption failed" decrypt "${safeix}" || fail "Decryption failed"
else else
printf "\n"
cat "${safeix}" cat "${safeix}"
fi fi
} }
backup () { backup () {
# Create an archive for backup. # Archive index, safe and configuration.
if [[ -f "${safeix}" ]] ; then if [[ -f "${safeix}" && -d "${safedir}" ]] ; then
cp "${gpgconf}" "gpg.conf.${now}" cp "${gpgconf}" "gpg.conf.${now}"
tar cfv "${backuptar}" \ tar --create --file "${backuptar}" \
"${safeix}" "${safedir}" "gpg.conf.${now}" "${script}" "${safeix}" "${safedir}" "gpg.conf.${now}" "${script}"
rm "gpg.conf.${now}" rm "gpg.conf.${now}"
else fail "Nothing to archive" ; fi else fail "Nothing to archive" ; fi
@ -175,17 +185,17 @@ clip () {
printf "\n" printf "\n"
shift shift
while [ $timeout -gt 0 ] ; do while [ $cb_timeout -gt 0 ] ; do
printf "\r\033[KPassword on clipboard! Clearing in %.d" $((timeout--)) printf "\r\033[KPassword on clipboard! Clearing in %.d" $((cb_timeout--))
sleep 1 sleep 1
done done
printf "\n"
printf "" | ${copy} printf "" | ${copy}
} }
setup_keygroup() { setup_keygroup() {
# Configure GPG keygroup setting. # Configure GPG keygroup.
purse_keygroup="group purse_keygroup =" purse_keygroup="group purse_keygroup ="
keyid="" keyid=""
@ -212,7 +222,7 @@ setup_keygroup() {
} }
new_entry () { new_entry () {
# Prompt for new username and/or password. # Prompt for username and password.
username="" username=""
while [[ -z "${username}" ]] ; do while [[ -z "${username}" ]] ; do
@ -226,7 +236,9 @@ new_entry () {
userpass="${password}" userpass="${password}"
fi fi
if [[ -z "${password}" ]] ; then userpass=$(gen_pass "$@") ; fi if [[ -z "${password}" ]] ; then
userpass=$(gen_pass "$@")
fi
} }
print_help () { print_help () {
@ -250,7 +262,7 @@ print_help () {
* Copy the password for 'userName' to clipboard: * Copy the password for 'userName' to clipboard:
./purse.sh r userName ./purse.sh r userName
* List stored passwords and copy a previous version: * List stored passwords and copy a specific version:
./purse.sh l ./purse.sh l
./purse.sh r userName@1574723625 ./purse.sh r userName@1574723625
@ -263,21 +275,21 @@ print_help () {
if [[ -z ${gpg} && ! -x ${gpg} ]] ; then fail "GnuPG is not available" ; fi if [[ -z ${gpg} && ! -x ${gpg} ]] ; then fail "GnuPG is not available" ; fi
if [[ ! -f ${gpgconf} ]] ; then fail "GnuPG config is not available" ; fi
if [[ -z ${copy} && ! -x ${copy} ]] ; then fail "Clipboard is not available" ; fi if [[ -z ${copy} && ! -x ${copy} ]] ; then fail "Clipboard is not available" ; fi
if [[ ! -d ${safedir} ]] ; then mkdir -p ${safedir} ; fi if [[ ! -f ${gpgconf} ]] ; then fail "GnuPG config is not available" ; fi
chmod -R 0600 ${safeix} 2>/dev/null if [[ ! -d "${safedir}" ]] ; then mkdir -p "${safedir}" ; fi
chmod -R 0700 ${safedir} 2>/dev/null
chmod -R 0600 "${safeix}" 2>/dev/null
chmod -R 0700 "${safedir}" 2>/dev/null
password="" password=""
action="" action=""
if [[ -n "${1+x}" ]] ; then action="${1}" ; fi if [[ -n "${1+x}" ]] ; then action="${1}" ; fi
while [[ -z "${action}" ]] ; do while [[ -z "${action}" ]] ; do
read -n 1 -p " read -r -n 1 -p "
Read or Write (or Help for more options): " action Read or Write (or Help for more options): " action
printf "\n" printf "\n"
done done
@ -301,8 +313,14 @@ elif [[ "${action}" =~ ^([wW])$ ]] ; then
new_entry "$@" new_entry "$@"
write_pass write_pass
if [[ "${daily_backup}" = "true" ]] ; then
if [[ ! -f ${backuptar} ]] ; then
backup
fi
fi
else read_pass "$@" ; fi else read_pass "$@" ; fi
chmod -R 0400 ${safeix} ${safedir} 2>/dev/null chmod -R 0400 "${safeix}" "${safedir}" 2>/dev/null
tput setaf 2 2 2 ; printf "\nDone\n" ; tput sgr0 tput setaf 2 ; printf "\nDone\n" ; tput sgr0