From daniel.g.lahr at gmail.com Thu Feb 4 19:14:26 2021
From: daniel.g.lahr at gmail.com (Daniel Lahr)
Date: Thu, 4 Feb 2021 20:14:26 +0100
Subject: pass-csv: A pass extension to generate a CSV summary of metadata fields
Message-ID:

Hey everyone,

I wanted to keep track of which personal data (i.e. address, phone number) I gave to websites. Therefore, I created a pass extension that iterates over the password store, searches for specified colon-delimited key-value fields in the metadata and prints a CSV summary table: https://github.com/lahr/pass-csv

Maybe it's of use for others as well. Contributions are always welcome.

From jpalus at fastmail.com Fri Feb 5 11:36:01 2021
From: jpalus at fastmail.com (Jan Palus)
Date: Fri, 5 Feb 2021 12:36:01 +0100
Subject: alias command
Message-ID: <20210205113601.mdasuba5milg2eck@pine>

Hi,

I was wondering how to manage same credentials for different websites so that password is changed only once for all of them and ideas that I came up with are:

- keep on nesting domains:

    domain1.com
    |- domain2.com
       |- domain3.com
          |- user

- keep domain pattern as metadata, however that's not something I can use since matching would require decrypting every file and I have gpg key on my YubiKey with touch required to decrypt. That in turn would greatly increase time to get credentials

- an alias command (not implemented) which would create a symbolic link

    domain1.com
    |- user
    domain2.com -> domain1.com
    domain3.com -> domain1.com

Does anyone have better ideas? Would you consider adding alias command?

From password-store at storiepvtride.it Fri Feb 5 12:08:04 2021
From: password-store at storiepvtride.it (jman)
Date: Fri, 05 Feb 2021 13:08:04 +0100
Subject: alias command
In-Reply-To: <20210205113601.mdasuba5milg2eck@pine>
References: <20210205113601.mdasuba5milg2eck@pine>
Message-ID: <877dnmiuor.fsf@nyarlathotep>

Jan Palus writes:

> Hi,
>
> I was wondering how to manage same credentials for different websites
> so that password is changed only once for all of them

I should probably mention that having the same credentials for multiple accounts is not recommended.

> - an alias command (not implemented) which would create a symbolic link
>     domain1.com
>     |- user
>     domain2.com -> domain1.com
>     domain3.com -> domain1.com

At a first glance, yes, you could manually alias different gpg files like you suggest. (Personally I don't see a good use case for an alias feature for `pass`)

cheers,

From jpalus at fastmail.com Fri Feb 5 12:19:33 2021
From: jpalus at fastmail.com (Jan Palus)
Date: Fri, 5 Feb 2021 13:19:33 +0100
Subject: alias command
In-Reply-To: <877dnmiuor.fsf@nyarlathotep>
References: <20210205113601.mdasuba5milg2eck@pine> <877dnmiuor.fsf@nyarlathotep>
Message-ID: <20210205121933.qarebgtpsgljawdv@pine>

On 05.02.2021 13:08, jman wrote:
> Jan Palus writes:
>
> > Hi,
> >
> > I was wondering how to manage same credentials for different websites
> > so that password is changed only once for all of them
>
> I should probably mention that having the same credentials for multiple
> accounts is not recommended.

I do use different credentials for _different_ accounts, but actually described use case is for _single_ account. Same account store is used by multiple domains within an organization.

From jpalus at fastmail.com Fri Feb 5 12:53:10 2021
From: jpalus at fastmail.com (Jan Palus)
Date: Fri, 5 Feb 2021 13:53:10 +0100
Subject: alias command
In-Reply-To:
References: <20210205113601.mdasuba5milg2eck@pine>
Message-ID: <20210205125310.obr6x7joshfjtl2h@kalarepa>

On 06.02.2021 00:42, Steve Gilberd wrote:
> I just use symlinks. Works perfectly, no hassle.
>
> I don't really feel a need to integrate an alias command, considering ln -s
> works just fine already. But I have no objection to that kind of
> abstraction either; I can see why it might appeal.

I'm happy to create symbolic links myself though aliases handled by pass would have additional benefits:

- one could argue that insert/edit/mv/cp/rm commands are redundant because you can just go create files/directories, move or copy them. It's simply more convenient to have a dedicated command

- while it could create symbolic links at first, it might as well change behavior later on to i.e. support systems without symbolic links, however for the user the change would be transparent

- in case `alias` implementation changes it could also handle the migration process, again transparently for the end user

From jpalus at fastmail.com Fri Feb 5 13:53:17 2021
From: jpalus at fastmail.com (Jan Palus)
Date: Fri, 5 Feb 2021 14:53:17 +0100
Subject: alias command
In-Reply-To: <20210205125310.obr6x7joshfjtl2h@kalarepa>
References: <20210205113601.mdasuba5milg2eck@pine> <20210205125310.obr6x7joshfjtl2h@kalarepa>
Message-ID: <20210205135317.g37ayl2vdlv2uvfc@kalarepa>

On 05.02.2021 13:53, Jan Palus wrote:
> On 06.02.2021 00:42, Steve Gilberd wrote:
> > I just use symlinks. Works perfectly, no hassle.
> >
> > I don't really feel a need to integrate an alias command, considering ln -s
> > works just fine already. But I have no objection to that kind of
> > abstraction either; I can see why it might appeal.
>
> I'm happy to create symbolic links myself though aliases handled by pass
> would have additional benefits:
>
> - one could argue that insert/edit/mv/cp/rm commands are redundant
>   because you can just go create files/directories, move or copy them.
>   it's simply more convenient to have dedicated command
>
> - while it could create symbolic links at first, it might as well change
>   behavior later on to i.e. support systems without symbolic links,
>   however for user change would be transparent
>
> - in case `alias` implementation changes it could also handle migration
>   process again transparently for the end user

I'm new to pass so didn't check yet myself, but is it possible/planned/considered for extensions to intercept commands, i.e. to provide alternative password storage (other than filesystem)? If yes then it would be another argument for a dedicated command.

From nicolai at dagestad.fr Fri Feb 5 20:25:56 2021
From: nicolai at dagestad.fr (Nicolai Dagestad)
Date: Fri, 05 Feb 2021 21:25:56 +0100
Subject: alias command
In-Reply-To: <20210205135317.g37ayl2vdlv2uvfc@kalarepa>
References: <20210205113601.mdasuba5milg2eck@pine> <20210205125310.obr6x7joshfjtl2h@kalarepa> <20210205135317.g37ayl2vdlv2uvfc@kalarepa>
Message-ID:

> I'm new to pass so didn't check yet myself but is it
> possible/planned/considered for extensions to intercept commands ie to
> provide alternative password storage (other than filesystem)? If yes
> then it would be another argument for dedicated command.

I feel that storing the passwords in something different from a file would go against what pass tries to be: a simple password manager following the unix philosophy. But if you really want to use pass while storing the data in something other than a filesystem you might want to consider using fuse[1] to expose the data in a way pass can handle while storing it in a way you like.

[1] https://en.wikipedia.org/wiki/Filesystem_in_Userspace

From tubaman at fattuba.com Sat Feb 6 14:41:25 2021
From: tubaman at fattuba.com (Ryan Nowakowski)
Date: Sat, 6 Feb 2021 08:41:25 -0600
Subject: [Question] python library
In-Reply-To: <65b2dc78-6991-bdd6-429d-446da433f4ff@antonovs.family>
References: <65b2dc78-6991-bdd6-429d-446da433f4ff@antonovs.family>
Message-ID: <20210206144125.GG12902@fattuba.com>

On Tue, Dec 22, 2020 at 11:04:49AM -0800, Ihor Antonov wrote:
> Hi guys,
>
> Is there a python library to use pass programmatically?
>
> (I need to get a password to the python process)
>
> I know it is easy to simply shell out to pass but I was wondering if:
>
> a) someone already wrote something so I don't have to reinvent the bicycle
>
> b) there is a better way than just shelling out

I just shell out: https://gist.github.com/tubaman/a2bcbc07a69ea2c4a7353291760755b4

From maximilian at eschenbacher.email Sat Feb 6 19:35:33 2021
From: maximilian at eschenbacher.email (Maximilian Eschenbacher)
Date: Sat, 6 Feb 2021 20:35:33 +0100
Subject: [PATCH 0/1] contrib: passmenu: implement --name --both --delay
Message-ID: <20210206193534.70004-1-maximilian@eschenbacher.email>

I've been heavily using a slightly modified version of passmenu which knows how to additionally type the username or both username and password. Feedback is very welcome. Enjoy!

Maximilian Eschenbacher (1):
  contrib: passmenu: implement --name --both --delay

 contrib/dmenu/README.md | 20 +++++++++++++++++---
 contrib/dmenu/passmenu  | 37 +++++++++++++++++++++++++++++++------
 2 files changed, 48 insertions(+), 9 deletions(-)

--
2.30.0

From maximilian at eschenbacher.email Sat Feb 6 19:35:34 2021
From: maximilian at eschenbacher.email (Maximilian Eschenbacher)
Date: Sat, 6 Feb 2021 20:35:34 +0100
Subject: [PATCH 1/1] contrib: passmenu: implement --name --both --delay
In-Reply-To: <20210206193534.70004-1-maximilian@eschenbacher.email>
References: <20210206193534.70004-1-maximilian@eschenbacher.email>
Message-ID: <20210206193534.70004-2-maximilian@eschenbacher.email>

This commit implements additional options to passmenu for typing additional information:

--name only types the basename of the entry (usually a username).
--both types username password
--delay SECONDS sleeps for a configurable amount of seconds before typing the requested data.

Signed-off-by: Maximilian Eschenbacher
---
 contrib/dmenu/README.md | 20 +++++++++++++++++---
 contrib/dmenu/passmenu  | 38 ++++++++++++++++++++++++++++++++------
 2 files changed, 49 insertions(+), 9 deletions(-)

diff --git a/contrib/dmenu/README.md b/contrib/dmenu/README.md
index 9d54fb4..022e794 100644
--- a/contrib/dmenu/README.md
+++ b/contrib/dmenu/README.md
@@ -1,12 +1,26 @@ `passmenu` is a [dmenu][]-based interface to [pass][], the standard Unix password manager. This design allows you to quickly copy a password to the clipboard without having to open up a terminal window if you don't already have -one open. If `--type` is specified, the password is typed using [xdotool][] -instead of copied to the clipboard. +one open. + +If `--type` is specified, the password is typed using [xdotool][] instead of +copied to the clipboard. Adding to `--type`, if `--name` is specified, only the +user name (basename) will be typed. The `--both` option types user name TAB +password. An optional `--delay SECONDS` causes the typing to start after +`SECONDS`. # Usage - passmenu [--type] [dmenu arguments...] + passmenu [--type [--both|--name] [--delay SECONDS]] [dmenu arguments...] + +# Example usage for the i3 window manager + + bindsym $mod+p exec ~/bin/passmenu --type + bindsym $mod+o exec ~/bin/passmenu --type --both + bindsym $mod+i exec ~/bin/passmenu --type --name + bindsym $mod+shift+p exec ~/bin/passmenu --type --delay 5 + bindsym $mod+shift+o exec ~/bin/passmenu --type --both --delay 5 + bindsym $mod+shift+i exec ~/bin/passmenu --type --name --delay 5 [dmenu]: http://tools.suckless.org/dmenu/ [xdotool]: http://www.semicomplete.com/projects/xdotool/ diff --git a/contrib/dmenu/passmenu b/contrib/dmenu/passmenu index 83268bc..c5ccf90 100755 --- a/contrib/dmenu/passmenu +++ b/contrib/dmenu/passmenu 
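Review bot: the `--delay SECONDS` paragraph should tell the user what happens during the delay: the passmenu side of this patch runs `pass show` once before `sleep "$delay"`, so any decryption passphrase prompt appears immediately rather than after `SECONDS`, and a user who has switched windows to wait will otherwise be surprised by it. A second documentation point: the prose for `--name` and `--both` says "Adding to `--type`", and the usage line nests them under `--type`, but it would be clearer to state outright that they have no effect without `--type` (the clipboard path of the script never looks at them).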
@@ -3,23 +3,49 @@ shopt -s nullglob globstar typeit=0 -if [[ $1 == "--type" ]]; then - typeit=1 - shift -fi +typeboth=0 +typename=0 +delay=0 + +while true; do case $1 in + --type) typeit=1; shift ;; + --both) typeboth=1; shift ;; + --name) typename=1; shift ;; + --delay) shift; delay=$1; shift ;; + *) break ;; +esac done prefix=${PASSWORD_STORE_DIR-~/.password-store} password_files=( "$prefix"/**/*.gpg ) password_files=( "${password_files[@]#"$prefix"/}" ) password_files=( "${password_files[@]%.gpg}" ) -password=$(printf '%s\n' "${password_files[@]}" | dmenu "$@") +password=$(printf '%s\n' "${password_files[@]}" | dmenu -i "$@") +loginname=$(basename "$password") [[ -n $password ]] || exit if [[ $typeit -eq 0 ]]; then + # this is the easy case pass show -c "$password" 2>/dev/null -else + exit +fi + +if [[ $typeit -eq 1 ]] && [[ $delay -gt 0 ]]; then + # with a startup delay, decrypt the password once at startup to increase our + # chances that we will not be asked for a decryption passphrase in a few + # seconds + pass show "$password" 1>/dev/null 2>/dev/null + sleep "$delay" +fi + +if [[ $typeboth -eq 1 ]] || [ $typename -eq 1 ]; then + echo -n "$loginname" | xdotool type --clearmodifiers --file - +fi +if [[ $typeboth -eq 1 ]]; then + xdotool key --clearmodifiers Tab +fi +if [[ $typeboth -eq 1 ]] || [[ $typename -eq 0 ]]; then pass show "$password" | { IFS= read -r pass; printf %s "$pass"; } | xdotool type --clearmodifiers --file - fi -- 2.30.0 From passwordstore at 3001.dk Thu Feb 11 16:31:32 2021 
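Review bot: `--delay) shift; delay=$1; shift ;;` stores whatever follows the flag without checking it, and `[[ $typeit -eq 1 ]] && [[ $delay -gt 0 ]]` then aborts with a bash syntax error when `--delay` is the last argument (empty operand) or the value is not a plain integer, while `sleep "$delay"` receives the same unchecked string; validate with something like `[[ $delay =~ ^[0-9]+$ ]] || exit 1` before the loop ends (the `[[ $typeit -eq 1 ]]` half of that test is also redundant, since the script already exited when `typeit` is 0). Two smaller points: `[ $typename -eq 1 ]` in the `typeboth`/`typename` condition should be `[[ ... ]]` like every other test in the script, and the switch from `dmenu "$@"` to `dmenu -i "$@"` changes matching to case-insensitive for everyone, which is unrelated to the new options and not mentioned in the commit message or README.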
From: passwordstore at 3001.dk (Henrik Christian Grove)
Date: Thu, 11 Feb 2021 17:31:32 +0100
Subject: alias command
In-Reply-To: <20210205121933.qarebgtpsgljawdv@pine>
References: <20210205113601.mdasuba5milg2eck@pine> <877dnmiuor.fsf@nyarlathotep> <20210205121933.qarebgtpsgljawdv@pine>
Message-ID: <8e827155-fd37-d239-7e12-2832e91b2454@3001.dk>

On 05.02.2021 at 13.19 Jan Palus wrote:
> On 05.02.2021 13:08, jman wrote:
>> Jan Palus writes:
>>
>>> Hi,
>>>
>>> I was wondering how to manage same credentials for different websites
>>> so that password is changed only once for all of them
>> I should probably mention that having the same credentials for multiple
>> accounts is not recommended.

That was also my first thought when I read the question.

But what you're doing seems to be different, and a legitimate use case for this (I do fear that adding an alias feature would make people use it the wrong way).

> I do use different credentials for _different_ accounts, but actually
> described use case is for _single_ account. Same account store is used
> by multiple domains within an organization.

A solution could then be to store the password under some common name describing the account/first use/some common name (perhaps mentioning - some of - the users, in parentheses/brackets/whatever suits you).

For instance I found out that two webshops I occasionally bought stuff from were actually frontends for the same company and shared accounts, so that password is stored in a file called '_()_()'. (Even though it's *one* company there is a difference in which products the webshops offer)

I think the same company has more webshops, if I ever need to use those I'll have to rename the file - or live with it - and continually appending to the filename does scale very well.

.Henrik

From david at izquierdofernandez.com Thu Feb 11 17:05:35 2021
From: david at izquierdofernandez.com (David Izquierdo)
Date: Thu, 11 Feb 2021 18:05:35 +0100
Subject: alias command
In-Reply-To: <8e827155-fd37-d239-7e12-2832e91b2454@3001.dk>
References: <20210205113601.mdasuba5milg2eck@pine> <877dnmiuor.fsf@nyarlathotep> <20210205121933.qarebgtpsgljawdv@pine> <8e827155-fd37-d239-7e12-2832e91b2454@3001.dk>
Message-ID: <2aeaab66-2458-2117-422f-15904e4e56c2@izquierdofernandez.com>

On 11/02/2021 17:31, Henrik Christian Grove wrote:
> On 05.02.2021 at 13.19 Jan Palus wrote:
>> On 05.02.2021 13:08, jman wrote:
>>> Jan Palus writes:
>>>
>>>> Hi,
>>>>
>>>> I was wondering how to manage same credentials for different websites
>>>> so that password is changed only once for all of them
>>> I should probably mention that having the same credentials for multiple
>>> accounts is not recommended.
>
> That was also my first thought when I read the question.
>
> But what you're doing seems to be different, and a legitimate usecase
> for this (I do fear that adding an alias feature would make people use
> it the wrong way.

I wonder how many people can survive the dissonance of using a password manager to store the same password for every website. Like, it sounds hard to be aware of what a password manager is for and, at the same time, not be aware that password reuse is a bad practice?

>> I do use different credentials for _different_ accounts, but actually
>> described use case is for _single_ account. Same account store is used
>> by multiple domains within an organization.
>
> A solution could then be to store the password under some common name
> describing the account/first use/some common name (perhaps mentioning -
> some of - the users, in parentheses/brackets/whatever suits you).
>
> For instance I found out that two webshops I occasionally bought stuff
> from, were actually frontends for the same company and shared accounts,
> so that password is stored in a file called
> '_()_()'.
> (Even though it's *one* company
> there is a difference in which products the webshops offers)
> I think the same company has more webshops, if I ever need to use those
> I'll have to rename the file - or live with it - and continually
> appending to the filename does scale very well.

I do a similar thing for my job. Single account managed from a central directory is used to login to several services on different domains and URLs. Simplest way to tell helper scripts to use the same passwords is to symlink files a bunch.

It feels to me that `pass ln` is almost a natural thing to try if you know about `pass cp`, `ls`, `mv` and `rm` too, and those also are simply convenience wrappers over the actual command and git.

From opal at wowana.me Fri Feb 12 06:04:53 2021
From: opal at wowana.me (opal hart)
Date: Fri, 12 Feb 2021 06:04:53 +0000
Subject: XDG Base Directory Specification
In-Reply-To: <9e41cffe-c5d9-67f4-65db-365faf67d320@redpill-linpro.com>
References: <4a359962-27d7-f868-adbc-02613661431a@storiepvtride.it> <20200514075559.1493c1b9@DaemONX> <049bc1dd-18da-e647-8e3a-4470e4978fdc@storiepvtride.it> <9e41cffe-c5d9-67f4-65db-365faf67d320@redpill-linpro.com>
Message-ID: <20210212060453.4b6807e8@mahin.internal>

> As I understand XDG_CONFIG_DIR should contain configuration files.
> Password store is data, not configuration - so it should go to
> XDG_DATA_HOME.

I'd consider the .gpg-id file to be configuration, and the rest to be data. However, I'm not behind this idea since many people use pass' git integration, including myself. And I have a directory '~/git/private/' where I stuff private git repos. My password store lives in a repo there.

I'm a big fan of XDG basedir support since it cleans up my home directory when programs implement it, but this is one of those cases I cannot really see the justification for it. If the storage format was reworked to flow better with the specification, sure, but as it stands I don't see much benefit.

> I know you already can set PASSWORD_STORE_DIR but I already have too many
> environment variables

I wrote a script `envenv` available at (stuffed in with some politically-incorrect scripts and such, so exercise caution if you are easily offended) which I actually use along with pass among other things. It's a bit manual to set up still, since essentially it's a giant hack to scratch my own itch, but basically it goes:

1. Configuration for envenv in "$XDG_CONFIG_DIR/envenv/", with a 'profiles' subdirectory housing shell scripts that `envenv` sources depending on the arg0 it is called by. So in my case it lives at ~/etc/envenv/profiles/pass and contains:

       export PASSWORD_STORE_DIR="$HOME/git/private/password-store"
       . ~/etc/envenv/profiles/gnupg.profile

   which sets both pass-specific and my usual gpg environment.

2. Link in PATH that points from the program being wrapped, to `envenv`. In my case `ln -s $(which envenv) ~/bin/pass`.

3. Now when I run `pass`, as long as it's in the PATH that calling programs see (sh, dmenu, whatever) then `envenv` will first source the environment as I described in the config, then execute it.

It has already helped to clean up my environment a lot with a bunch of environment-controlled utilities, and for me it's simpler than just writing a bunch of wrapper scripts, repeating myself a bunch across each script -- I've done it before and it's definitely more tedious than what I ended up with.

I had design plans to make it more extensible than it currently is, but so far I haven't needed anything more than what I already have, so I've left it alone for now, but of course feel free to add whatever pleases your fancy if you do wish to use it.

--
wowaname

From tom at sanctum.geek.nz Tue Feb 16 03:03:35 2021
From: tom at sanctum.geek.nz (Tom Ryder)
Date: Tue, 16 Feb 2021 16:03:35 +1300
Subject: [PATCH] vim: fix redact_pass.vim for macOS
In-Reply-To:
References:
Message-ID:

On Sun, Dec 27, 2020 at 08:29:24PM +0000, Lakshay Garg wrote:
>Problem: redact_pass.vim did not work on macOS machines
>Fix: add resolve($TMPDIR) to the autocmd pattern list

Please excuse the thread necromancy here; Lakshay contacted me (the `redact_pass.vim` plugin's author) off-list about this issue, and I've now addressed it with his help.

In password-store `/contrib/`:

Plugin upstream:

--
Tom Ryder
Maybe we can bring back the light.

From hey at ahill.io Wed Feb 17 16:28:55 2021
From: hey at ahill.io (Alec Hill)
Date: Wed, 17 Feb 2021 11:28:55 -0500
Subject: easier selection of passwords
Message-ID:

Hello dear people! I'm wondering if there are any suggestions/solutions/thoughts about easier selection of passwords...

With dozens of passwords in variously nested directories, it can be hard to remember where one lives. I could spend time better organizing my password folder structure and memorizing this... but `upass` allows me a more robust finding/searching mechanism, however it compromises security: it does not prompt me for my passphrase and it does not remove the password from my clipboard.

Optimally, the shell completion would allow me to omit the directories and just the password file name to be able to then `tab` through the results and select the desired one.

What do you think about this?

~Alec

From matt at connell.tech Wed Feb 17 16:38:36 2021
From: matt at connell.tech (Matt Connell)
Date: Wed, 17 Feb 2021 10:38:36 -0600
Subject: easier selection of passwords
In-Reply-To:
References:
Message-ID:

On Wed, 2021-02-17 at 11:28 -0500, Alec Hill wrote:
> Optimally, the shell completion would allow me to omit the directories
> and just the password file name to be able to then `tab` through the
> results and select the desired one.

My pass tab completion does this... and as I recall I didn't do anything in particular to make that happen, it just always worked that way.

Alternatively, there's always "pass find" to help you out. Sure it's one extra command but it's an option.

From nicolai at dagestad.fr Wed Feb 17 16:45:15 2021
From: nicolai at dagestad.fr (Nicolai Dagestad)
Date: Wed, 17 Feb 2021 17:45:15 +0100
Subject: easier selection of passwords
In-Reply-To:
References:
Message-ID:

On Wed Feb 17, 2021 at 5:28 PM CET, Alec Hill wrote:
> Optimally, the shell completion would allow me to omit the directories
> and just the password file name to be able to then `tab` through the
> results and select the desired one.

passmenu is a script that basically does that with dmenu; if you prefer to stay in your terminal you could adapt it to use fzf instead (adapting being literally replacing `dmenu` by `fzf` in the script)

From kjetil.homme at redpill-linpro.com Wed Feb 17 17:25:17 2021
From: kjetil.homme at redpill-linpro.com (Kjetil Torgrim Homme)
Date: Wed, 17 Feb 2021 18:25:17 +0100
Subject: easier selection of passwords
In-Reply-To:
References:
Message-ID: <3f238829-0471-51e7-c90d-6fea358155a8@redpill-linpro.com>

On 17/02/2021 17:28, Alec Hill wrote:
> Hello dear people! I'm wondering if there are any
> suggestions/solutions/thoughts about easier selection of passwords...
>
> With dozens of passwords in variously nested directories, it can be
> hard to remember where one lives. I could spend time better
> organizing my password folder structure and memorizing this...

Sounds like your organization into nested directories is detrimental rather than helpful. I keep it simple: I have just two top-level directories, "job" and "private", and the filenames inside are the domain names for the places the password is for. If I need more accounts on a domain, I let the domain be a directory with one file per account.

(I also add symlinks manually when there is a less than obvious connection between the login screen domain and the service name. I would definitely like to see an extension to make it easier to create these - having to "cd ~/.password-store; ln -s foo bar; git add bar; git commit" is a bit inconvenient.)

--
Kjetil T. Homme
Redpill Linpro AS - Changing the game

From chemmi at posteo.org Sat Feb 20 14:56:01 2021
From: chemmi at posteo.org (chemmi at posteo.org)
Date: Sat, 20 Feb 2021 15:56:01 +0100
Subject: Password-store git repository inference using symlinks
Message-ID: <8b89a77f-e9d6-e403-7abc-c0c7796f11bd@posteo.org>

Hi folks,

I use password store as my default password manager because it is super easy to understand how passwords are stored and where the security limitations lie. Although I have several projects which store credentials, I want to manage them from a single point, but want to store them near the project (e.g. in the associated git repo). More verbose, I want to store secret data from a git-project in that project repository and want to link it in my password-store.

So far I worked with symlinks from my .password-store to other password stores (e.g. .password-store/proj1 -> .other-password-store) which worked fine as long as the .other-password-store is the root of a git repository. The right git repository has always been inferred.

Today I got a problem with symlinking to a subfolder of a repository (e.g. .password-store/proj2 -> proj2/proj2-password-store, where proj2 is a root of a git repository). The problem occurred when adding new passwords to that "sub store", i.e. pass generate proj2/foo. I expected pass to add that created foo.gpg to the proj2 git repository. Instead, it could not infer the right repository and threw an error. It turns out that git -C add does not work well with symlinks in neither bar nor baz.

Thus, I would suggest to resolve all symlinks in the password-store bash script before git actions. That would solve my problem. Or does anyone here have a hint how I can approach the issue differently?

Thanks for your help!

Regards,
chemmi

From lists+pass at simplit.com Sat Feb 20 16:13:45 2021
From: lists+pass at simplit.com (Allan Odgaard)
Date: Sat, 20 Feb 2021 17:13:45 +0100
Subject: Password-store git repository inference using symlinks
In-Reply-To: <8b89a77f-e9d6-e403-7abc-c0c7796f11bd@posteo.org>
References: <8b89a77f-e9d6-e403-7abc-c0c7796f11bd@posteo.org>
Message-ID: <026DAE98-0D4A-45A7-8A26-9DF6413C2371@simplit.com>

On 20 Feb 2021, at 15:56, chemmi at posteo.org wrote:

> I want to store secret data from a git-project in that project
> repository and want to link it in my password-store.
> [...]
> Or does anyone here has a hint how I can approach the issue
> differently?

I wonder why you think the secret data belongs in your project.

As I see it, secret data depends on the environment, for example, a web project may run in a virtual machine, a staging environment, or production. For these 3 environments, the secret data will differ.

Or you could have a project where deployment builds are signed and uploaded to a server, but again, if someone else clones this project, they should not sign releases with my signing key or upload them to my server with my credentials, so I make sure these things are not part of the project.

I know this is not helpful to actually solving your problem, but I would suggest reconsidering how you manage your secret data. Even for private projects that are only for myself, I think it is still good to treat them as they would be public, and remove anything "hardcoded" such as API keys, passwords, etc.

From hey at ahill.io Sat Feb 20 19:15:04 2021
From: hey at ahill.io (Alec Hill)
Date: Sat, 20 Feb 2021 14:15:04 -0500
Subject: easier selection of passwords
In-Reply-To: <3f238829-0471-51e7-c90d-6fea358155a8@redpill-linpro.com>
References: <3f238829-0471-51e7-c90d-6fea358155a8@redpill-linpro.com>
Message-ID:

Thanks all, these are helpful responses :)

On Wed, Feb 17, 2021 at 12:25 PM Kjetil Torgrim Homme wrote:
>
> On 17/02/2021 17:28, Alec Hill wrote:
> > Hello dear people! I'm wondering if there are any
> > suggestions/solutions/thoughts about easier selection of passwords...
> >
> > With dozens of passwords in variously nested directories, it can be
> > hard to remember where one lives. I could spend time better
> > organizing my password folder structure and memorizing this...
>
> Sounds like your organization into nested directories is detrimental
> rather than helpful. I keep it simple: I have just two top-level
> directories, "job" and "private", and the filenames inside are the
> domain names for the places the password is for. If I need more
> accounts on a domain, I let the domain be a directory with one file per
> account.
>
> (I also add symlinks manually when there is a less than obvious
> connection between the login screen domain and the service name. I
> would definitely like to see an extension to make it easier to create
> these - having to "cd ~/.password-store; ln -s foo bar; git add bar; git
> commit" is a bit inconvenient.)
>
>
> --
> Kjetil T. Homme
> Redpill Linpro AS - Changing the game

From hey at ahill.io Sat Feb 20 19:18:50 2021
From: hey at ahill.io (Alec Hill)
Date: Sat, 20 Feb 2021 14:18:50 -0500
Subject: easier selection of passwords
In-Reply-To:
References:
Message-ID:

On Wed, Feb 17, 2021 at 11:39 AM Matt Connell wrote:
> On Wed, 2021-02-17 at 11:28 -0500, Alec Hill wrote:
> > Optimally, the shell completion would allow me to omit the directories
> > and just the password file name to be able to then `tab` through the
> > results and select the desired one.
>
> My pass tab completion does this... and as I recall I didn't do
> anything in particular to make that happen, it just always worked that
> way.

Oh that's interesting. Are you using bash shell? I'm using zsh, and my completion requires me to enter the directories.

From tom at sanctum.geek.nz Sat Feb 20 20:13:58 2021
From: tom at sanctum.geek.nz (Tom Ryder)
Date: Sun, 21 Feb 2021 09:13:58 +1300
Subject: easier selection of passwords
In-Reply-To:
References:
Message-ID:

On Wed, Feb 17, 2021 at 11:28:55AM -0500, Alec Hill wrote:
>With dozens of passwords in variously nested directories, it can be
>hard to remember where one lives. I could spend time better organizing
>my password folder structure and memorizing this...

I use this path layout for my passwords:

    SITE[/SERVICE]/USERNAME

So:

    example.com/ftp/tomryder

Because I so often have only one file in a directory ancestry like this, it makes sense to me to complete the whole path in one hit if possible. I wrote my own Bash completion to do this:

(Attached, too.)

This means I can type:

    $ pass ex

And as long as there's only the one password in the structure, it completes to the full path:

    $ pass example.com/ftp/tomryder

This only completes the password names---not e.g. the subcommands---but that's all I wanted to complete anyway.

--
Tom Ryder
Maybe we can bring back the light.

-------------- next part --------------

    # Load _completion_ignore_case helper function
    if ! declare -F _completion_ignore_case >/dev/null ; then
        source "$HOME"/.bash_completion.d/_completion_ignore_case.bash
    fi

    # Custom completion for pass(1), because I don't like the one included with the
    # distribution
    _pass() {

        # Iterate through completions produced by subshell
        local ci comp
        while IFS= read -d '' -r comp ; do
            COMPREPLY[ci++]=$comp
        done < <(

            # Make globs expand appropriately
            shopt -u dotglob
            shopt -s nullglob
            if _completion_ignore_case ; then
                shopt -s nocaseglob
            fi

            # Set password store path
            pass_dir=${PASSWORD_STORE_DIR:-"$HOME"/.password-store}

            # Gather the entries ($2 is the word being completed)
            for entry in "$pass_dir"/"$2"*.gpg ; do
                entries[ei++]=$entry
            done

            # Try to iterate into subdirs, use depth search with ** if available
            if shopt -s globstar 2>/dev/null ; then
                for entry in "$pass_dir"/"$2"*/**/*.gpg ; do
                    entries[ei++]=$entry
                done
            else
                for entry in "$pass_dir"/"$2"*/*.gpg ; do
                    entries[ei++]=$entry
                done
            fi

            # Iterate through entries
            for entry in "${entries[@]}" ; do

                # Skip directories
                ! [[ -d $entry ]] || continue

                # Strip leading path
                entry=${entry#"$pass_dir"/}

                # Strip .gpg suffix
                entry=${entry%.gpg}

                # Print shell-quoted entry, null terminated
                printf '%q\0' "$entry"
            done
        )
    }
    complete -F _pass pass

From matt at connell.tech Sun Feb 21 07:47:31 2021
From: matt at connell.tech (Matt Connell)
Date: Sun, 21 Feb 2021 01:47:31 -0600
Subject: easier selection of passwords
In-Reply-To:
References:
Message-ID: <5e52372fe60709e8f64731d6b165f2f236494544.camel@connell.tech>

On Sat, 2021-02-20 at 14:18 -0500, Alec Hill wrote:
> On Wed, Feb 17, 2021 at 11:39 AM Matt Connell wrote:
> > On Wed, 2021-02-17 at 11:28 -0500, Alec Hill wrote:
> > > Optimally, the shell completion would allow me to omit the directories
> > > and just the password file name to be able to then `tab` through the
> > > results and select the desired one.
> >
> > My pass tab completion does this... and as I recall I didn't do
> > anything in particular to make that happen, it just always worked that
> > way.
>
> Oh that's interesting. Are you using bash shell? I'm using zsh, and
> my completion requires me to enter the directories.

I am using bash. I do have a package installed called app-shells/bash-completion (Gentoo) that may be providing this functionality. Not sure. Never used a machine that I didn't install it on :) But other distros should offer something similar.

-- 
Matt

From chemmi at posteo.org Sun Feb 21 17:37:18 2021
From: chemmi at posteo.org (chemmi at posteo.org)
Date: Sun, 21 Feb 2021 18:37:18 +0100
Subject: Password-store git repository inference using symlinks
In-Reply-To: <9837a1ef-e187-4bdf-895a-666e50dc2db4@Spark>
References: <8b89a77f-e9d6-e403-7abc-c0c7796f11bd@posteo.org> <9837a1ef-e187-4bdf-895a-666e50dc2db4@Spark>
Message-ID: <9cf73a60-0146-3327-e063-d1fddb7078e1@posteo.org>

Thanks for your suggestion. Using other roots for pass is exactly what I want to circumvent. That worked well for me in the past, but I want to choose a different structure for a current project.

To make things a bit more clear, I want to give an example of what does work atm and what does not work for my special setting.

This is my directory structure with two symlinked password stores. The `other-password-store` links to a password-store (git-)root, the `nested-passwords-proj1` links to passwords in a strict subdirectory of a git repo.

```
.
├── .password-store/
│   ├── .git/
│   ├── .gpg-id
│   ├── google.com.gpg
│   ├── facebook.com.gpg
│   ├── other-password-store -> /.password-store-other
│   └── nested-passwords-proj1 -> /project1/.passwords-proj1
├── .password-store-other/
│   ├── .git/
│   ├── .gpg-id
│   └── my-fancy-employer.com.gpg
└── project1/
    ├── .git/
    ├── .passwords-proj1/
    │   ├── .gpg-id
    │   ├── secret-reset-code.gpg
    │   └── things-some-others-should-know-as-well.gpg
    ├── protocols/
    └── todos.org
```

For the `other-password-store`, generation of new passwords (and other commands) works well. The versioning is kept in `.password-store-other`.

```
# This works as expected
pass generate other-password-store/my-new-password
```

For the `nested-passwords-proj1`, the generation works fine, but version control exits with an error. The new password is not kept in the versioning of `project1`.

```
# This throws a git error
pass generate nested-passwords-proj1/my-new-password
```

The error comes from `git -C ... add ...` not working well with paths containing symlinks.

Regards,
chemmi

P.S.
To specify my use case: I hold an office for an association and I want to keep all the data for that in one place. That is notes for meetings, protocols, todos, secrets, ..., because I want to keep things compact for a potential successor. Therefore 1 git repo would be best.

On 20.02.21 17:46, bex at pobox.com wrote:
> On Feb 20, 2021, 3:56 PM +0100, chemmi at posteo.org, wrote:
> > Hi folks,
> >
> > I use password store as my default password manager because it is super
> > easy to understand how passwords are stored and where the security
> > limitations lie. Although I have several projects which store
> > credentials, I want to manage them from a single point, but want to
> > store them near the project (e.g. in the associated git repo).
> >
> > Or does anyone here have a hint how I can approach the issue differently?
>
> Thinking out loud, it seems what you want is a way to specify
> alternative password stores easily from the command line. One option is
> to use the PASSWORD_STORE_DIR environment variable and create some
> aliases, i.e. pass-default, pass-proj2, etc.
>
> That feels less "elegant" to me and I wonder if we should consider a
> password database global option. Then you could have a lookup table in
> your default password store that would resolve out alternative stores.
>
> I base this suggestion on my read of your email as not only wanting a
> "known method" but wanting that to be a single access. What I am
> envisioning would give you this:
>
> pass -c aws # Provide your default AWS password (perhaps from your
> personal database)
> pass -c aws -P proj2 # Provide the AWS password from proj2, located
> somewhere else
>
> We could have a dot file that maps proj2 to a path in your default
> password store.
>
> Regards,
>
> bex
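The two cases chemmi describes differ in where the symlink sits relative to `.git`. For `other-password-store` the link points at a directory that itself contains `.git`, so `git -C <that dir> add my-new-password.gpg` changes into it and git finds the repository from the working directory. For `nested-passwords-proj1` the link target has no `.git`, and git refuses a pathspec that passes through a symbolic link (the "is beyond a symbolic link" error), so the add fails as soon as the command is run from a directory above the link with the symlinked name in the path. Resolving the symlink first, and then looking for the repository from the resolved location, sidesteps that. The functions below are an added example of that resolution step; they are not pass's own git discovery code (my description of what pass does is a paraphrase from memory, not something the thread states), and `make_demo_layout` is a constructed copy of chemmi's tree with empty files in place of encrypted entries. `pass_git_add_cmd` prints the git command instead of running it so the example has no git dependency.

```shell
#!/bin/sh
# Added example: resolve a symlinked password-store entry to the repository
# that actually contains it. Not part of pass.

# pass_git_target ENTRY_PATH
# Prints two lines: the work-tree root (nearest ancestor of the *resolved*
# path that contains .git) and the entry's path relative to that root.
# Returns 1 when no enclosing repository exists.
pass_git_target() {
    # Resolve every symlink component. realpath is in coreutils and the BSDs;
    # readlink -f is the fallback where it is missing.
    if command -v realpath >/dev/null 2>&1; then
        real=$(realpath -- "$1") || return 1
    else
        real=$(readlink -f -- "$1") || return 1
    fi
    dir=${real%/*}
    while [ -n "$dir" ]; do
        if [ -d "$dir/.git" ]; then
            printf '%s\n%s\n' "$dir" "${real#"$dir"/}"
            return 0
        fi
        dir=${dir%/*}
    done
    return 1
}

# pass_git_add_cmd ENTRY_PATH
# Prints the git invocation that stages the entry in the right repository,
# with a pathspec that no longer crosses a symlink, e.g.
#   git -C /home/me/project1 add .passwords-proj1/secret-reset-code.gpg
# (Arguments are printed unquoted; wrap them if your paths contain spaces.)
pass_git_add_cmd() {
    target=$(pass_git_target "$1") || return 1
    root=$(printf '%s\n' "$target" | sed -n 1p)
    rel=$(printf '%s\n' "$target" | sed -n 2p)
    printf 'git -C %s add %s\n' "$root" "$rel"
}

# make_demo_layout: constructed copy of the thread's directory tree under a
# temporary directory. Prints the physical path of the temporary root so the
# resolved paths compare equal even when $TMPDIR is itself a symlink.
make_demo_layout() {
    root=$(cd "$(mktemp -d)" && pwd -P) || return 1
    mkdir -p "$root/.password-store/.git" \
             "$root/.password-store-other/.git" \
             "$root/project1/.git" "$root/project1/.passwords-proj1"
    : > "$root/.password-store-other/my-fancy-employer.com.gpg"
    : > "$root/project1/.passwords-proj1/secret-reset-code.gpg"
    ln -s "$root/.password-store-other" "$root/.password-store/other-password-store"
    ln -s "$root/project1/.passwords-proj1" "$root/.password-store/nested-passwords-proj1"
    printf '%s\n' "$root"
}

# Stand-alone use: ./pass_git_target.sh ~/.password-store/nested-passwords-proj1/x.gpg
if [ "$#" -gt 0 ]; then
    pass_git_add_cmd "$@"
fi
```

For the nested case this yields `git -C <root>/project1 add .passwords-proj1/secret-reset-code.gpg`, which is the command chemmi wants run, and for the `other-password-store` case it yields the `.password-store-other` repository, matching the behaviour already observed. A `.gpg-id` placed next to the entries, as in chemmi's tree, is still needed for pass to pick the recipients for `project1`; this example only addresses which repository receives the commit.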