[pass] A web view/integration

the_jinx at etv.cx
Mon Feb 8 10:56:47 CET 2016


On 2016-02-08 10:50, Alexandre PUJOL wrote:
>> 
>> Currently some coders at IJhack are looking into a different backend
>> (as opposed to git + local filesystem) that allows for rate-limiting
>> and a paper trail of who accessed which passwords and when, this would
>> make pass a viable alternative to enterprises that need stuff like that.
> 
> This is very interesting. Do you have more information about that?

I’ve only joined in on some brainstorming, but in short the flow comes
down to this.

To “mount” the remote password-store you receive a GPG-encrypted token;
once decrypted, that token allows you to list, retrieve, store, etc.
Since there is a central storage, it is very easy to have a log and do
things like rate-limiting.

The central storage only has the encrypted passwords, .gpg-id
information and the GPG pub-keys to encrypt access tokens.
As soon as I know more, I'll keep you updated.

> On 08/02/16 10:37, GOYOT Martin wrote:
>> Yeah, that was exactly my point. I know that LastPass does the same too.
>> You have a utility installed on your computer and the web plugin is just
>> calling it.
>> 
>> Thanks for the information
>> 
>> On Mon, Feb 8, 2016 at 10:34 AM <the_jinx at etv.cx> wrote:
>> 
>>     Hi,
>> 
>>     Most applications like 1Password use a local tool with a helper in the
>>     browser.
>>     Pass can do the same on Firefox with the passff plugin
>>     https://github.com/jvenant/passff
>>
>>     Having your GPG passphrase exposed to a hostile environment (browser) is
>>     never a good idea, in principle all (other) browser plugins might be
>>     able to intercept your key and passphrase.
>>
>>     Currently some coders at IJhack are looking into a different backend (as
>>     opposed to git + local filesystem) that allows for rate-limiting and a
>>     paper trail of who accessed which passwords and when, this would make
>>     pass a viable alternative to enterprises that need stuff like that.
>>
>>     I am looking into making a browser plugin for chrome like passff but
>>     it's still in extremely early stages.
>> 
>>     Greetings,
>>         Anne Jan
>> 
>>     On 2016-02-08 10:04, GOYOT Martin wrote:
>>     > Hello Alexandre,
>>     >
>>     > Thanks for the tip, I decided to use the android app.
>>     >
>>     > This said, I would love you to explain to me why this would be a bad idea.
>>     > This could work exactly like what LastPass is doing for instance.
>>     >
>>     > Regards,
>>     > -- Martin
>>     >
>>     > On Mon, Feb 8, 2016 at 10:00 AM Alexandre PUJOL <list at pujol.io> wrote:
>>     >
>>     >> Using git, you can use any git server and git web app (like cgit) as a
>>     >> pass web viewer. Then, the git server will allow you to sync your
>>     >> passwords between your devices, and thus use the good pass client for
>>     >> your device (pass, pass-ios, Android-Password-Store...)
>>     >>
>>     >> However, the git web app only outputs the tree of the password
>>     >> directory. The content itself stays encrypted. Do NOT try to create a
>>     >> tool in order to decrypt and output it in a web browser. As Dashamir
>>     >> Hoxha said, it would not be a good idea at all.
>>     >> Because you must NOT:
>>     >> - Use any server to decrypt your password.
>>     >> - Use JavaScript to decrypt the password directly in a web browser.
>>     >>
>>     >> This is why there is no pass web app: all the pass server you would
>>     >> ever need already exists, it is a git server.
>>     >>
>>     >> Regards,
>>     >> Alex
>>     >>
>>     >> On 07/02/16 20:57, GOYOT Martin wrote:
>>     >>> Oh I didn't know of keybase. Looks like a really interesting project!
>>     >>>
>>     >>> Also I don't know if Kenny Stier had the mailing list in copy when he
>>     >>> replied to me, but he pointed me to two mobile applications that can
>>     >>> deal with pass:
>>     >>>
>>     >>> https://github.com/zeapo/Android-Password-Store [1]
>>     >>> https://github.com/davidjb/pass-ios#readme [2]
>>     >>>
>>     >>> I decided to give the android app a try, and for my really small test
>>     >>> until now, looks good!
>>     >>>
>>     >>> On Sun, Feb 7, 2016 at 8:24 PM Santiago Borrazás <sanbor at gmail.com> wrote:
>>     >>>
>>     >>> Also, maybe using the Keybase filesystem
>>     >>> https://keybase.io/introducing-the-keybase-filesystem [3]
>>     >>>
>>     >>> On Sun, Feb 7, 2016 at 10:22 AM, Dashamir Hoxha <dashohoxha at gmail.com> wrote:
>>     >>>
>>     >>> In principle, you can use `git clone` or `rsync` to copy
>>     >>> ~/.password-store to a portable device (usb, phone, smartphone,
>>     >>> etc.). You can copy there the corresponding GPG key as well.
>>     >>> Then, on another computer, you can tell pass to use the data on
>>     >>> the portable device by setting environment variables like this:
>>     >>>
>>     >>> export PASSWORD_STORE_DIR="/dev/sdb1/.password-store"
>>     >>> export PASSWORD_STORE_GPG_OPTS="--homedir=/dev/sdb1/.gnupg"
>>     >>>
>>     >>> Or you can define an alias like this:
>>     >>>
>>     >>> alias pass="PASSWORD_STORE_DIR='/dev/sdb1/.password-store' PASSWORD_STORE_GPG_OPTS='--homedir=/dev/sdb1/.gnupg' pass"
>>     >>>
>>     >>> I haven't tried this but it should work. Maybe somebody has
>>     >>> written any blog or tutorial about this, with more detailed
>>     >>> instructions.
>>     >>>
>>     >>> Sorry, I know nothing about any web interface to pass. And I
>>     >>> don't even think it would be a good idea.
>>     >>>
>>     >>> Regards,
>>     >>> Dashamir
>>     >>>
>>     >>> On Sun, Feb 7, 2016 at 6:11 PM, GOYOT Martin <martin at piwany.com> wrote:
>>     >>>
>>     >>> Hello there,
>>     >>>
>>     >>> This is my first mail here, so if I'm doing anything wrong
>>     >>> please tell me. I just wanted to know if there was any web
>>     >>> app or mobile app that was able to deal with the pass
>>     >>> utility as a backend.
>>     >>>
>>     >>> I've been using pass for quite some time now, and I really love
>>     >>> it. But sometimes I need to access my passwords and sadly
>>     >>> I'm not on my own computer with pass installed, my gpg key
>>     >>> and so on. So I was wondering if something like a web or
>>     >>> mobile interface capable of answering this problem already
>>     >>> exists.
>>     >>>
>>     >>> Regards,
>>     >>> -- Martin
>>     >>>
>>     >>> _______________________________________________
>>     >>> Password-Store mailing list
>>     >>> Password-Store at lists.zx2c4.com
>>     <mailto:Password-Store at lists.zx2c4.com>
>>     >>> <mailto:Password-Store at lists.zx2c4.com
>>     <mailto:Password-Store at lists.zx2c4.com>>
>>     >>>
>>     >> http://lists.zx2c4.com/mailman/listinfo/password-store [4]
>>     >
>>     >
>>     > Links:
>>     > ------
>>     > [1] https://github.com/zeapo/Android-Password-Store
>>     > [2] https://github.com/davidjb/pass-ios#readme
>>     > [3] https://keybase.io/introducing-the-keybase-filesystem
>>     > [4] http://lists.zx2c4.com/mailman/listinfo/password-store
>>     >
>> 
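
The flow described in the top message of this thread (a token that gates list, retrieve and store against a central storage holding only ciphertext, with a log and rate-limiting), as an added example that is not code from the IJhack work or from pass. The class name `CentralStore`, its methods, the sliding-window limit and the log fields are all assumptions; the GPG encryption of the token to the user's public key is outside the example.

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque

class CentralStore:
    """Hypothetical central backend: stores ciphertext only, audits and rate-limits."""

    def __init__(self, max_requests=3, window=60.0, clock=time.time):
        self.max_requests, self.window, self.clock = max_requests, window, clock
        self.blobs = {}                    # entry name -> opaque GPG ciphertext
        self.tokens = {}                   # sha256(token) -> user id
        self.recent = defaultdict(deque)   # user id -> timestamps of allowed requests
        self.audit_log = []                # (time, user, action, entry, outcome)

    def issue_token(self, user):
        # Per the thread, the user would receive this value GPG-encrypted to
        # their public key; that step is outside this example.
        token = secrets.token_urlsafe(32)
        self.tokens[hashlib.sha256(token.encode()).hexdigest()] = user
        return token

    def _gate(self, token, action, entry):
        now = self.clock()
        user = self.tokens.get(hashlib.sha256(token.encode()).hexdigest())
        if user is None:
            outcome = "denied:bad-token"
        else:
            seen = self.recent[user]
            while seen and now - seen[0] >= self.window:
                seen.popleft()             # drop requests outside the window
            outcome = "ok" if len(seen) < self.max_requests else "denied:rate-limit"
            if outcome == "ok":
                seen.append(now)
        # Denied attempts are logged too, so the paper trail shows probing.
        self.audit_log.append((now, user or "unknown", action, entry, outcome))
        if outcome != "ok":
            raise PermissionError(outcome)

    def store(self, token, entry, ciphertext):
        self._gate(token, "store", entry)
        self.blobs[entry] = ciphertext

    def retrieve(self, token, entry):
        self._gate(token, "retrieve", entry)
        return self.blobs[entry]           # still encrypted; decryption stays client-side

    def list_entries(self, token):
        self._gate(token, "list", "*")
        return sorted(self.blobs)
```
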

