[PATCH] Do not add newline at the end of the password
Daniel Mach
daniel.mach at suse.com
Thu Apr 14 12:19:10 UTC 2022
On 14. 04. 22 13:50, Johannes Altmanninger wrote:
> On Thu, Apr 14, 2022 at 01:26:47PM +0200, Daniel Mach wrote:
>> SaltStack strips leading/trailing whitespaces from the password [1],
>> because pass adds a newline when entering passwords interactively.
> SaltStack is removing too much. They should use the equivalent of
> pass_show_output.removesuffix("\n").
That's right. I'm planning to address this by sending a pull-request to
SaltStack.
On the other hand, if you store a multiline/binary password in pass, it
can end with a newline, which still would end as an invalid password in
SaltStack.
I hope I'm not abusing pass too much by storing binary keys in it, but
it's quite convenient to have all secrets in one place...
>
>> Pass is capable of storing multiline passwords which are stored as
>> provided. That includes storing binary data as well. If such password
>> has leading/trailing whitespaces, they get stripped in SaltStack
>> and the password becomes invalid.
>>
>> This change fixes the inconsistency by always storing the passwords
>> as provided, with no extra characters added.
>>
>> To retain good user experience, a newline is printed to stderr after
>> printing a password.
>>
>> [1] https://github.com/saltstack/salt/commit/2584df93e074155062bd934f23bb244613e20dd3
>> ---
>> src/password-store.sh | 7 ++++---
>> 1 file changed, 4 insertions(+), 3 deletions(-)
>>
>> diff --git a/src/password-store.sh b/src/password-store.sh
>> index 22e818f..48b3a79 100755
>> --- a/src/password-store.sh
>> +++ b/src/password-store.sh
>> @@ -385,7 +385,8 @@ cmd_show() {
>> if [[ -f $passfile ]]; then
>> if [[ $clip -eq 0 && $qrcode -eq 0 ]]; then
>> pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | $BASE64)" || exit $?
>> - echo "$pass" | $BASE64 -d
>> + echo -n "$pass" | $BASE64 -d
>> + echo >&2
>> else
>> [[ $selected_line =~ ^[0-9]+$ ]] || die "Clip location '$selected_line' is not a number."
>> pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | tail -n +${selected_line} | head -n 1)" || exit $?
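Review bot: The added `echo >&2` in cmd_show runs unconditionally, so a caller that captures stderr or runs `pass show` non-interactively now receives a stray newline there, and an entry whose stored content already ends in a newline shows an extra blank line on a terminal. Consider emitting it only when stdout is a terminal, for example `[[ -t 1 ]] && echo >&2`, and mention the stderr output in the documentation.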
>> @@ -468,7 +469,7 @@ cmd_insert() {
>> read -r -p "Retype password for $path: " -s password_again || exit 1
>> echo
>> if [[ $password == "$password_again" ]]; then
>> - echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."
>> + echo -n "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."
>> break
>> else
>> die "Error: the entered passwords do not match."
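Review bot: `echo -n "$password"` in the silent-prompt branch of cmd_insert hands user data to echo, which parses an argument such as `-e` or `-n` as an option, so a password that is itself a valid echo option string is encrypted as empty. `printf '%s' "$password"` writes the bytes as entered, with no trailing newline and no option parsing.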
>> @@ -477,7 +478,7 @@ cmd_insert() {
>> else
>> local password
>> read -r -p "Enter password for $path: " -e password
>> - echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."
>> + echo -n "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."
>> fi
>> git_add_file "$passfile" "Add given password for $path to store."
>> }
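Review bot: In the non-silent branch of cmd_insert, new entries lose the trailing newline that entries written by the removed `echo "$password"` line still carry, so one store will hold both forms and consumers have to accept either. The diffstat lists only src/password-store.sh, so consider adding a test asserting that the decrypted bytes equal the input, plus a documentation note about the changed stored content.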
>> --
>> 2.35.1
>>
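The newline handling discussed in this thread, as an added example that is not part of the thread and is not pass or SaltStack code: it compares three consumer-side rules (strip everything, drop one trailing newline, use as-is) against entries written before and after the patch. The function names and sample secrets are constructed, and it assumes `pass show` emits the stored bytes unchanged on stdout.

```python
# Added example: effect of a consumer's newline handling on secrets read
# from `pass show`. Names and sample data are constructed for illustration.

def strip_all(raw: bytes) -> bytes:
    """Strip all leading/trailing whitespace (the behaviour criticised above)."""
    return raw.strip()

def strip_one_newline(raw: bytes) -> bytes:
    """Drop at most one trailing newline: the removesuffix("\\n") equivalent."""
    return raw[:-1] if raw.endswith(b"\n") else raw

def as_is(raw: bytes) -> bytes:
    """Trust the output byte for byte."""
    return raw

def sample_entries():
    """Return (name, intended secret, bytes emitted by `pass show`) tuples."""
    secrets = {
        "plain": b"hunter2",
        "padded": b"  spaced secret ",
        "binary_key": b"\x00\x9f\x10key\n",  # legitimately ends with 0x0a
    }
    entries = []
    for name, secret in secrets.items():
        # Pre-patch interactive insert appended "\n" to what the user typed.
        entries.append((name + "/old", secret, secret + b"\n"))
        # Patched insert stores exactly what was provided.
        entries.append((name + "/new", secret, secret))
    return entries

def corrupted(normalise):
    """Names of entries whose normalised output differs from the intended secret."""
    return [n for n, secret, out in sample_entries() if normalise(out) != secret]

if __name__ == "__main__":
    for rule in (strip_all, strip_one_newline, as_is):
        print(f"{rule.__name__:18} corrupts: {corrupted(rule)}")
```

No single rule is correct for a store that mixes old and new entries: dropping one newline breaks only a new-style secret that really ends in a newline, while using the output as-is breaks every old-style entry.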