[pass] Using pass as non interactive password manager

Mike Charlton mikekchar at gmail.com
Sat Apr 25 02:33:46 CEST 2015


I haven't tried it, but if I understand the problem correctly, it is
actually gpg-agent that requires the TTY.  So when you run gpg-agent and
type in the password, you must keep that TTY open.  Then your cron job must
run *as the same user* as the one that ran gpg-agent, or else it will spawn
a new gpg-agent.

Having said that, I think leaving a running gpg-agent with a very high TTL
around is dubious security.  Instead, I might think about using something
like EncFs or eCryptfs to encrypt the data rather than anything GPG-based.
GPG is good when you have to authenticate people as well as encrypt and
decrypt.  It makes plenty of assumptions about how it will be used which
make it not particularly useful as a general purpose encryption/decryption
system, unfortunately.

I am actually hoping that, now that Werner Koch has a regular and fairly
secure income, we will see a restructuring of the code that will
address other usage patterns, but that remains to be seen...

On 25 April 2015 at 08:12, <notfreebeer at openmailbox.org> wrote:

> Hi,
> I'm trying to set up a little home server to, among other things, download
> my mails via POP from various mail servers. I'm using mpop [0] for this,
> which can read users' POP passwords either in plain text from the
> configuration file (which I don't like) or using a nice eval command.
> My idea was to use pass as password manager, so I don't have to store
> passwords in plain text. I'd set gpg-agent TTL variables to a very high
> value to prevent expiration, feed the master password for the key
> encrypting the password store once, manually at server startup, and then
> let everything happen in the background with mpop using eval on "pass
> show". The first problem I had to face was cron not using the environment
> variable for the password store path, which I solved by explicitly
> specifying it in crontab, but this is more a general Unix issue.
> The second problem, the one which pushed me to ask for help here, is that
> when used in the background, gpg complains about not being able to write
> on the tty.
> So I tried putting "--no-tty" in the PGP_OPTS variable inside pass, but
> fair enough, now mpop says it doesn't receive any output from the eval...
>
> Can anyone imagine a way to work around this issue? Did anyone ever use
> pass in a similar situation?
>
> Thanks.
>
>
> [0] http://mpop.sourceforge.net/
> _______________________________________________
> Password-Store mailing list
> Password-Store at lists.zx2c4.com
> http://lists.zx2c4.com/mailman/listinfo/password-store
>
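One fail-closed way to wire `pass show` into a cron-driven mpop, as an added example that is not code from either poster: a POSIX sh wrapper that sets PASSWORD_STORE_DIR explicitly (the cron environment problem from the first message) and refuses to hand mpop an empty password when gpg cannot work without a TTY (the second problem). The entry name `pop/example`, the exit codes and the assumption that the job runs as the user who unlocked gpg-agent are mine, not the thread's.

```shell
#!/bin/sh
# Added example, not code from either poster: a fail-closed wrapper that
# cron (via mpop's passwordeval) calls instead of `pass show` directly.
# Assumptions: the job runs as the user who unlocked gpg-agent, pass honours
# PASSWORD_STORE_DIR, and the entry name (e.g. pop/example) is a placeholder.

# cron does not inherit the interactive environment, so set the store path
# explicitly rather than relying on the user's shell profile.
: "${PASSWORD_STORE_DIR:=$HOME/.password-store}"
export PASSWORD_STORE_DIR

# fetch_pop_password ENTRY
# Prints the first line of the entry on stdout and returns 0.
# Returns 1 if pass/gpg fail (e.g. no TTY and a locked agent) and 2 if pass
# produced no output, printing nothing in both cases so mpop never receives
# an empty or partial password by mistake.
fetch_pop_password() {
    entry=$1
    nl='
'
    # No terminal exists under cron; if the agent is not already holding the
    # key there is nothing to prompt on, so the call fails and so do we.
    secret=$(pass show "$entry" </dev/null 2>/dev/null) || return 1
    # Keep only the first line: pass entries may carry extra metadata lines.
    secret=${secret%%"$nl"*}
    if [ -z "$secret" ]; then
        echo "pass returned no output for '$entry'; is gpg-agent unlocked for $(id -un)?" >&2
        return 2
    fi
    printf '%s\n' "$secret"
}

# When invoked with an entry name, act as the passwordeval command.
if [ $# -eq 1 ]; then
    fetch_pop_password "$1"
fi
```

In the mpop configuration this becomes `passwordeval "/path/to/wrapper.sh pop/example"`, and because the wrapper exits non-zero on failure, mpop reports the error instead of trying an empty password.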