[pass] Using pass as non interactive password manager
notfreebeer at openmailbox.org
notfreebeer at openmailbox.org
Sat Apr 25 09:31:29 CEST 2015
Hi Mike, thanks for your answer.
> I haven't tried it, but if I understand the problem correctly, it is actually
> gpg-agent that requires the TTY. So when you run gpg-agent and type in the
> password, you must keep that TTY open. Then your cron job must run *as the
> same user* as the one that ran gpg-agent, or else it will spawn a new
> gpg-agent.
Of course, when i insert the passphrase of the key for the first time, as i
said, i do it personally by hand at server startup, so i do have a tty and an
interaction with pass. The users for cron and mpop are the same too, and i
already ensured there is only one gpg-agent instance available.
These are the errors i get in mpop logs when the cron job executes:
gpg: cannot open tty `/dev/tty': No such device or address
mpop: cannot read output of 'pass <my_mail>'
and when i tried to use --no-tty:
gpg: Sorry, no terminal at all requested - can't get input
mpop: cannot read output of 'pass <my_mail>'
So mpop fails because gpg fails...
No need to say that the script works when called from an interactive shell...
>
> Having said that, I think leaving a running gpg-agent with a very high TTL
> around is dubious security.
I agree, but after thinking a lot about it it seemed a feasible solution in my
case... Anyways i use a specific key to only encrypt my mail tree in the
password store, so when it is cached, if ever it is compromised, it can at
most impact my mail accounts, but not the rest (but on the server i don't have
the full pass tree as on my laptop)... in any case it would require a bit more
effort than reading passwords stored in plain text from the configuration
file.
>Instead, I might think about using something like
> EncFs or eCryptfs to encrypt the data rather than anything GPG-based.
Sure. Mails, the password store itself and mpop files are already all stored
in an encrypted loop file created with cryptmount, and this is nice for
offline security... Anyways i was looking for a way to protect passwords when
the server is up and running, and the protection shield of the filesystem
encryption has been opened...
Thanks again for your support.
More information about the Password-Store
mailing list