Much ado about scripting, Linux & Eclipse: card subject to change

2008-10-16

Password management with ccrypt

Intro
Server
Client(s)
About ccrypt

For the past few years, the list of passwords I use for all the various websites, servers, and applications has been growing ever longer. Some people limit themselves to 3-4 passwords, or a handful of formulas for password generation. I used to do that, but it's insecure, and when you control the fate of numerous servers, it's irresponsible. These day, I generally create new passwords at random, and replace them every 3-4 months.

Every flavour of linux has its own system for managing passwords; for example, KDE has KWallet; Gnome has Keyring. Tuesday I started playing with Fedora for the first time in years, and discovered yet another way: System > Preferences > System > Authorizations (polkit-gnome-authorization). And, of course, even Mozilla (Firefox, Thunderbird) handles password management like this... but each application has its own repository, and each one will get out of sync in time.

So, for a password management system that doesn't care about window manager, application, or even OS (this works with under cygwin on Windows, too), I've designed my own method.

How do you remember 100s of passwords which have nothing in common? Store them in a database, encrypted by a passphrase/password, then use a simple query engine to retrieve them.

Here's how it works, and how you can set up something similar.

Home Server / CVS Server

First, define these 3 scripts.

  1. /home/user/passwds/PWget.sh
  2. #!/bin/bash
    dir=/home/user/passwds;
    mkdir -p $dir;
    echo -n "Retrieve latest? [y/N] "; read yn;
    if [[ $yn == "y" ]]; then
     scp user@home-server:$dir/passwds.cpt $dir
    fi
  3. /home/user/passwds/PWsearch.sh
  4. #!/bin/bash
    file="/home/user/passwds/passwds.cpt";
    ccrypt -c $file | grep -i "$1";
  5. /home/user/passwds/PWedit.sh
  6. #!/bin/bash
    file="/home/user/passwds/passwds";
    ccrypt -d $file.cpt; vi $file; ccrypt -e $file

Next, define 2 aliases -- one for password lookup, and one to modify the encrypted password file. I use ~/.alias, which I load as part of my ~/.bashrc file.

  1. /home/user/.alias
  2. alias PW='/home/user/passwds/PWsearch.sh $1'
    alias PWE='~/PWDs/PWedit.sh'

Now, on the home server, I can run `PW eclipse` to decrypt the file, look up any lines in the password file with "eclipse" in them, and return those entries to me. Or, I can run `PW | more` by itself to display the entire file (paged with `more`). To modify the file, I use `PWE` to decrypt, edit, and re-encrypt the file. I also periodically save this file into my CVS repository (cvs add -kb passwds.cpt; cvs ci -m "" passwds.cpt) so I can track changes.

Remote Client(s) / Other Servers

Well, you think, that's great for a single system, but I need my passwords on 3 or 4 different systems. Plus, my home server may or may not always be accessible (eg., only when I'm on my home network).

So, once again, we start with the same three bash scripts.

Next, define a different version of the `PW` alias:

  1. /home/user/.alias
  2. alias PW='/home/user/passwds/PWget.sh;/home/user/passwds/PWsearch.sh $1'

Now, on any other server which can reach the home server over ssh, `PW eclipse` can be used to (optionally) retrieve the latest version of the password file, then search it as in the example above. Can't reach the home server? That's fine, we keep a local cache of the encrypted password file -- good enough until the next synch.

Voila! Centralized encrypted password management for Windows & Linux clients!

About ccrypt

So, what handles the encryption, and how secure is it?

ccrypt is based on the Rijndael block cipher, which was also chosen by the U.S. government as the Advanced Encryption Standard (AES, see http://www.nist.gov/aes/). This cipher is believed to provide very strong cryptographic security.

 

If your linux or cygwin distro doesn't include ccrypt in its repositories, here are a couple places you can find it:

2 comments:

Marcelo Paternostro said...

To sue or not to sue... :-P

What do I do with my passwords?

I will take either as a form of flattery or as a case in which brilliant minds think alike.

Cheers my friend.

nickb said...

Parallel solutions developed in a vaccuum from each other. You taught me about ccrypt; from there we clearly both went in the same direction -- though I use a csv format for my password file instead.

At any rate, consider it flattery, with my thanks.