
From ondrejsynacek at fastmail.com Sun Oct 1 12:44:00 2023
From: ondrejsynacek at fastmail.com (Ondřej Synáček)
Date: Sun, 01 Oct 2023 14:44:00 +0200
Subject: pass generate without writing to store
Message-ID:

I'm wondering if it's possible to have `pass generate` just return the generated password to stdout without providing password name.

The reason is that when I have pass installed on my system, I know it creates password and would like to use it as password generator too for other stuff.

Second reason is that I want to write my own wrapper around pass to augment the functionality and would like to re-use the logic for generating password. My wrapper would have different way of creating passwords with custom UI so at some point I only want to have just the generated password available.

From doug.hs at proton.me Sun Oct 1 13:55:43 2023
From: doug.hs at proton.me (Douglas Silva)
Date: Sun, 01 Oct 2023 13:55:43 +0000
Subject: pass generate without writing to store
In-Reply-To:
References:
Message-ID: <726xfMOcYS473cZ5aT2ceGkEaGZoNwDGrZ80O46NQSvyRaQxP-fq5Hl-GJIuojMCLlQNf-ftUUDq2SmqHOc9bXk9zZ3gclM79znPtx0oiu0=@proton.me>

I'd like to have that too. The syntax would probably have to be changed from

pass generate [--no-symbols,-n] [--clip,-c] [--qrcode,-q] [--in-place,-i | --force,-f] pass-name [pass-length]

to this:

pass generate [--no-symbols,-n] [--clip,-c] [--qrcode,-q] [--in-place,-i | --force,-f] [pass-name] [pass-length]

And then in the script we would detect the missing "pass-name" argument and skip saving.

------- Original Message -------
On Sunday, October 1, 2023 at 9:44 AM, Ondřej Synáček wrote:

> I'm wondering if it's possible to have `pass generate` just return
> the generated password to stdout without providing password name.
>
> The reason is that when I have pass installed on my system, I know
> it creates password and would like to use it as password generator
> too for other stuff.
>
> Second reason is that I want to write my own wrapper around pass
> to augment the functionality and would like to re-use the logic
> for generating password. My wrapper would have different way
> of creating passwords with custom UI so at some point I only
> want to have just the generated password available.

From nils at nilsand.re Sun Oct 1 18:56:12 2023
From: nils at nilsand.re (Nils André)
Date: Sun, 1 Oct 2023 11:56:12 -0700
Subject: pass generate without writing to store
In-Reply-To:
References:
Message-ID:

This is the line that generates passwords in pass:
https://git.zx2c4.com/password-store/tree/src/password-store.sh?id=28cec11f1dbe6c4273d30370af45b69c9f408386#n539

You can use that to generate your own passwords. Otherwise there's programs like pwgen[0].

[0]: https://github.com/tytso/pwgen

On Sun, 1 Oct 2023 at 05:45, Ondřej Synáček wrote:
>
> I'm wondering if it's possible to have `pass generate` just return
> the generated password to stdout without providing password name.
>
> The reason is that when I have pass installed on my system, I know
> it creates password and would like to use it as password generator
> too for other stuff.
>
> Second reason is that I want to write my own wrapper around pass
> to augment the functionality and would like to re-use the logic
> for generating password. My wrapper would have different way
> of creating passwords with custom UI so at some point I only
> want to have just the generated password available.
>

From mbw at mailbox.org Sun Oct 8 12:10:04 2023
From: mbw at mailbox.org (Maximilian Winkler)
Date: Sun, 8 Oct 2023 14:10:04 +0200
Subject: Can you use pass as/with system keyring?
Message-ID:

Hi everybody,

pass comes with various integrations/extensions, but I am as of yet unsure how to put the existing pieces together to allow any of the following use cases:

    1. Avoid storing plaintext passphrases/keys in wpa_supplicant.conf
    2. Have applications which expect a "system keychain/keyring" to be present interact with pass

The first one is probably not easily accomplished. There is a `wpa_passphrase` command, but this is sparsely documented and I could not get this to work across all my stored network configurations. For this reason, I am considering using NetworkManager instead. But from what I have read, use of encrypted passphrases is supported via a system keychain only (i.e. no "password command"). So the second point would probably subsume the first one.

Examples for this would be NetworkManager or Intellij. I am aware of Gnome-Keyring and KWallet, but I believe these require you to store your passwords with them. Meaning I would either need to migrate or somehow keep passwords and possibly even meta-data in sync, introducing additional complexity.

On the other hand, there is a myriad of passwordstore extensions, one of which may do what I want? I am also aware of e.g. https://pypi.org/project/SecretStorage/, which provides Python applications with a way to abstract over the different keychain implementations, but this is python-specific only I believe.

I would much appreciate any advice in this matter.

Kind Regards,
Max

From password-store at city17.xyz Sun Oct 8 15:57:44 2023
From: password-store at city17.xyz (jman)
Date: Sun, 08 Oct 2023 17:57:44 +0200
Subject: Can you use pass as/with system keyring?
In-Reply-To:
References:
Message-ID: <87fs2lgkxi.fsf@city17.xyz>

> pass comes with various integrations/extensions, but I am as of yet unsure how to put the existing pieces together to
> allow any of the following use cases:
>
> 1. Avoid storing plaintext passphrases/keys in wpa_supplicant.conf
> 2. Have applications which expect a "system keychain/keyring" to be present interact with pass

I had investigated some time ago options to use pass as a system keyring.
Didn't find a "ready-to-use" good solution but I had earmarked this github comment with some experiments in this area:

https://github.com/Nheko-Reborn/nheko/issues/1187#issuecomment-1260802593

(didn't yet get around to testing any of them)

From matt at connell.tech Mon Oct 9 13:31:11 2023
From: matt at connell.tech (Matt Connell)
Date: Mon, 09 Oct 2023 09:31:11 -0400
Subject: Can you use pass as/with system keyring?
In-Reply-To:
References:
Message-ID:

On Sun, 2023-10-08 at 14:10 +0200, Maximilian Winkler wrote:
>     1. Avoid storing plaintext passphrases/keys in wpa_supplicant.conf

I use pass for some VPN setups wherein I use a wrapper script to, in
order:

1. assemble a configuration file, based on a template, with contents
retrieved from pass
2. start the service
3. erase the file

openforticlient and openvpn both tolerate having their configuration
file yoinked while running. I can't speak for wpa_supplicant, and it
doesn't cover your other use case, but it might be worth a try.

From mailinglists-pass at qwertyuiop.de Mon Oct 9 13:53:25 2023
From: mailinglists-pass at qwertyuiop.de (Alexander Gehrke)
Date: Mon, 9 Oct 2023 15:53:25 +0200
Subject: Can you use pass as/with system keyring?
In-Reply-To:
References:
Message-ID:

Hi,

I have successfully used https://github.com/mdellweg/pass_secret_service for GUI applications wanting to store passwords, the XDG Secret Service API seems to be what Gnome Keyring etc. implement.

The applications will store their passwords under $PASSWORD_STORE/secret_service/$UUID together with some .properties files containing info about which program it belongs to, so sadly keeping in sync is still required, if you need the passwords in other ways than via the system keyring. Different programs also seem to store different formats (e.g. spot stores a json object in the gpg file, nheko stores just the password encrypted and puts username etc. in the unencrypted .properties file).

Regards,
Alexander

From password-store at city17.xyz Mon Oct 9 14:19:17 2023
From: password-store at city17.xyz (jman)
Date: Mon, 09 Oct 2023 16:19:17 +0200
Subject: Can you use pass as/with system keyring?
In-Reply-To:
References:
Message-ID: <87pm1nvpwh.fsf@city17.xyz>

> I have successfully used https://github.com/mdellweg/pass_secret_service for GUI
> applications wanting to store passwords, the XDG Secret Service API seems to be
> what Gnome Keyring etc. implement.

Cool, thanks for sharing. I am also interested in this kind of system integration.

From mbw at mailbox.org Sun Oct 15 08:26:34 2023
From: mbw at mailbox.org (Maximilian Winkler)
Date: Sun, 15 Oct 2023 10:26:34 +0200
Subject: Can you use pass as/with system keyring?
In-Reply-To:
References:
Message-ID:

Hi again,

thanks for all the replies, this was more helpful input than I expected! For who may be interested, here's what happened.

I gave all of the options a look and decided to go with the approach Matt suggested, since it is simple and the inter-component dependencies are easy enough for me to understand. I have seen that both the secret-service integrations are not very actively maintained (that is not to say that they may not work perfectly of course) and a short sanity-check found that there are open Intellij bugs about people using this getting timeouts.

Then there's the problem of how/when to cache the gpg-key with gpg-agent. I tried https://github.com/cruegge/pam-gnupg, but could not get it to work after following the instructions and it does not seem to be actively maintained either (multiple issues about the same problem). Having the same password for the gpg key and the user is also problematic, since the one for the gpg key is pretty long and would need to be typed for every sudo invocation.
Another problem is of course using my user's gpg key as root; gpg-agent stores those on a per-session basis so I would need to enter the gpg key's password at least once as root, even if it's already cached for my normal user.

Thus I kept it simple and postponed starting wpa_supplicant until after login and call a `go-online` script manually once, which writes the wpa_supplicant config to a temporary file and deletes it after it is no longer needed:

#!/usr/bin/env bash

INTERFACE="wlp0s20f3"
CONF_FILE="wpa_supplicant-$INTERFACE.conf"
CONF_DIR="/etc/wpa_supplicant"
SERVICE="wpa_supplicant@$INTERFACE.service"

function cleanup() {
    sudo rm -f "$CONF_DIR/$CONF_FILE"
}

trap cleanup EXIT INT TERM

if [[ $UID -eq 0 ]]; then
    echo "This must be run as normal user!"
    exit 1
fi

pass show WiFi/wpa_supplicant > "$CONF_FILE"
sudo mv "$CONF_FILE" "$CONF_DIR/$CONF_FILE"
sudo systemctl start "$SERVICE"
sudo ip link set "$INTERFACE" up

while lsof -t "$CONF_DIR/$CONF_FILE" && inotifywait -q -e CLOSE "$CONF_DIR/$CONF_FILE"; do
    # If the file is still open, wait for it to be closed before deleting it.
    continue
done

Which works reasonably well for now, apart from the fact that I have to manually call it and maybe enter up to two passwords. Maybe I will still give the secret-service thing a try another time though.

Best Regards,
Max

On Mon, Oct 09, 2023 at 09:31:11AM -0400, Matt Connell wrote:
> On Sun, 2023-10-08 at 14:10 +0200, Maximilian Winkler wrote:
> >     1. Avoid storing plaintext passphrases/keys in wpa_supplicant.conf
>
> I use pass for some VPN setups wherein I use a wrapper script to, in
> order:
>
> 1. assemble a configuration file, based on a template, with contents
> retrieved from pass
> 2. start the service
> 3. erase the file
>
> openforticlient and openvpn both tolerate having their configuration
> file yoinked while running. I can't speak for wpa_supplicant, and it
> doesn't cover your other use case, but it might be worth a try.
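
Added example (not part of the original message): the script above redirects `pass show` into the working directory under the default umask before moving the file into place. One way to stage the secret so it is mode 0600 from the moment it exists is shown below; `render_secret` and `is_private` are hypothetical helper names, and the usage comment assumes $XDG_RUNTIME_DIR is a per-user tmpfs.

```sh
#!/bin/sh
# Added example: stage a secret-bearing config file that other users can never read.

# render_secret DEST_DIR NAME CMD [ARGS...]
#   Runs CMD and stores its output as DEST_DIR/NAME with mode 0600, printing the
#   final path. The body is a subshell, so the umask change and the variables
#   do not leak into the caller.
render_secret() (
    dest_dir=$1; name=$2; shift 2
    umask 077
    tmp=$(mktemp "$dest_dir/.$name.XXXXXX") || exit 1
    # Refuse empty output (e.g. a cancelled pinentry) and never leave a partial file.
    if "$@" > "$tmp" && [ -s "$tmp" ] && mv -f "$tmp" "$dest_dir/$name"; then
        printf '%s\n' "$dest_dir/$name"
    else
        rm -f "$tmp"
        exit 1
    fi
)

# is_private FILE: succeeds only if FILE has no group or other permission bits.
is_private() {
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Usage with the variable names from the script above:
#   staged=$(render_secret "$XDG_RUNTIME_DIR" "$CONF_FILE" pass show WiFi/wpa_supplicant) || exit 1
#   is_private "$staged" || exit 1
#   sudo install -m 0600 -o root -g root "$staged" "$CONF_DIR/$CONF_FILE"
#   rm -f "$staged"
```
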

From mailinglists-pass at qwertyuiop.de Mon Oct 16 08:14:49 2023
From: mailinglists-pass at qwertyuiop.de (Alexander Gehrke)
Date: Mon, 16 Oct 2023 10:14:49 +0200
Subject: Can you use pass as/with system keyring?
In-Reply-To:
References:
Message-ID: <3s5kot4q7cnopu3kfvpg3fa2faftwp3ql33qnkzjg7oqnec27c@xwaofzi7otkg>

Hello,

If wpa_supplicant is your only usecase, you may also be able to use wpa_cli. If you leave the password blank in wpa_supplicant.conf, you can then supply it later (when wpa_supplicant is already running) using wpa_cli or wpa_gui. This way you wouldn't even temporarily write the password to the disk.

I haven't tried this yet, but it should be possible to combine wpa_cli with pass in a script.

Regards,
Alexander
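
Added example (not part of the original message): a sketch of the wpa_cli approach described above. It assumes the network block already exists in the running wpa_supplicant without a psk, that the first line of the pass entry is the passphrase, and that `wpa_cli -i IFACE ...` prints `OK` on success; `format_psk`, `set_psk_from_pass`, `PASS_CMD` and `WPA_CLI` are hypothetical names, the last two existing only so the commands can be swapped out.

```sh
#!/bin/sh
# Added example: hand a passphrase from pass to a running wpa_supplicant via wpa_cli.

# format_psk VALUE: print VALUE in the form wpa_supplicant expects for "psk".
#   64 hex digits are a raw PSK and go unquoted; anything else must be an
#   8..63 character passphrase and is wrapped in double quotes.
format_psk() {
    case $1 in
        *[!0-9A-Fa-f]*) ;;   # contains a non-hex character: treat as passphrase
        *) if [ "${#1}" -eq 64 ]; then printf '%s\n' "$1"; return 0; fi ;;
    esac
    if [ "${#1}" -lt 8 ] || [ "${#1}" -gt 63 ]; then return 1; fi
    # Conservative choice in this example: refuse an embedded double quote
    # rather than guess how it would be parsed.
    case $1 in *'"'*) return 1 ;; esac
    printf '"%s"\n' "$1"
}

# set_psk_from_pass IFACE NETWORK_ID PASS_ENTRY
#   The body is a subshell, so the secret never lands in a variable of the caller.
set_psk_from_pass() (
    secret=$(${PASS_CMD:-pass} show "$3" | head -n 1) || exit 1
    arg=$(format_psk "$secret") || exit 1
    # Check the reply text instead of relying on the exit status alone.
    [ "$(${WPA_CLI:-wpa_cli} -i "$1" set_network "$2" psk "$arg")" = OK ] || exit 1
    [ "$(${WPA_CLI:-wpa_cli} -i "$1" enable_network "$2")" = OK ]
)

# Usage (interface name from the earlier script, entry name hypothetical):
#   set_psk_from_pass wlp0s20f3 0 WiFi/home
```

The passphrase is passed to wpa_cli as a command-line argument, so while the command runs it is visible in the process list to other local users; it is not written to disk.
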