Display Multi-line Passwords

Open OceanTrader1 opened this issue 7 months ago • 6 comments

Summary

When passing flags --password or -o to a multi-line password, only the first line is displayed.

Steps To Reproduce

  1. Create a multi-line password: gopass insert -m testpassword
  2. Using specified $EDITOR (I am using code -w), enter a multi-line password.

     Password on line 1
     Password on line 2
     Password on line 3

  3. Display the created password using gopass show testpassword

     Secret: testpassword

     Password on line 1
     Password on line 2
     Password on line 3

  4. Display the created password using gopass show --password testpassword

     Password on line 1

     (lines 2 and 3 are missing from output)

Expected behavior

Expected behaviour is that the full password is displayed when using appropriate flag(s) as indicated in the function's help documentation (e.g., Display only the password).

Using the example above, the expected output should be:

Password on line 1
Password on line 2
Password on line 3

Environment

  • OS: MacOS
  • OS version: Darwin 23.2.0 Darwin Kernel Version 23.2.0
  • gopass Version: gopass 1.15.11 go1.21.4 darwin arm64
  • Installation method: brew

Relevant Sections

  • https://github.com/gopasspw/gopass/blob/master/internal/action/show.go#L41
  • https://github.com/gopasspw/gopass/blob/master/internal/action/context.go#L67

OceanTrader1 avatar Dec 30 '23 14:12 OceanTrader1

@OceanTrader1 From what I can tell, looking at the codebase, Gopass handles passwords by simply having them as the first line, always, and assuming that the other lines are other fields, or the body text. For example:

 ❯ gopass insert my-entry <<EOF
username: my-username
password: my-secret
EOF
 ❯ gopass show my-entry
Secret: my-entry

username: my-username
password: my-secret
 ❯ gopass show -o my-entry
username: my-username

It would have to be its own feature, as the default way gopass parses passwords (where the first line is always the password) is depended on and expected by several external integrations.

Maybe there could be discussion about a feature / alternative syntax that would allow saving and parsing of a password that was several lines?

A side note though, the --multiline flag isn't the clearest about its functionality. It's essentially --edit or --editor=$EDITOR, but could imply that the password and all password features, will be handled by that.

kanielrkirby avatar Feb 02 '24 23:02 kanielrkirby

Gopass handles passwords by simply having them as the first line, always, and assuming that the other lines are other fields, or the body text... It would have to be its own feature

I agree with the points stated. Either (1) the language for the --multiline documentation should be clarified regarding this limitation if the current scope of gopass is working as intended, or (2) introduce new functionality for multi-line passwords.

external integrations

Is there a recommended method that exists already for reading stored private keys having the -----[BEGIN|END] OPENSSH PRIVATE KEY----- format?

OceanTrader1 avatar Feb 04 '24 19:02 OceanTrader1

@OceanTrader1 Can I ask which circumstances you're in that can't be satisfied by the generic gopass show <secret>? If you're concerned about the first line that says Secret: <secret>, it doesn't actually get carried over to the output when piping or setting variables.

To clarify, I set a multiline password with the following text:

---
my
multiline
ssh
key
---
 ❯ gopass show test
Secret: test

---
my
multiline
ssh
key
---


 ❯ gopass show test | cat
---
my
multiline
ssh
key
---

 ❯ my_var="$(gopass show test)" && echo "$my_var"
---
my
multiline
ssh
key
---

Though I may be overlooking something so feel free to let me know. I'm also not well-versed in the Windows implementation, if that applies, though I would imagine (or hope, at least) it's similar.

kanielrkirby avatar Feb 06 '24 04:02 kanielrkirby

I am using MacOS, so I can not speak directly to the Windows implementation either.

I concur that piping works adequately for reading a stored key, though it was not apparent that only the multi-line key is piped to STDOUT. Still, the wording for the --password flag seems misleading in this context. My suggestion is to adjust the language in the documentation to express this behaviour more clearly. Thoughts?

OceanTrader1 avatar Feb 06 '24 10:02 OceanTrader1

If you want to have a multiline key-value, that should work, relying on our YAML parsing support:

---
key: |
  -----BEGIN OPENSSH PRIVATE KEY-----
  ...
  ...
  -----END OPENSSH PRIVATE KEY-----
user: bob

and you can get the multi-line key using:

$ gopass show name/of/entry key
Secret: testy
Key: key

-----BEGIN OPENSSH PRIVATE KEY-----
...
...
-----END OPENSSH PRIVATE KEY-----

As mentioned earlier by someone, we display extra information on stderr, such as the name of the secret and the key being queried. These do not get copied nor piped further:

gopass -c name/of/entry key

will copy just the multiline key-value.

You can check this by seeing that

gopass name/of/entry key | cat

works and it doesn't get piped further.

Another option is to just disable all parsing and force output with:

gopass show -n -f name/of/entry

AnomalRoil avatar Feb 06 '24 10:02 AnomalRoil
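
Added example, not gopass's code and not part of the comment above: a simplified Go model of the convention discussed in this thread, where line 1 of an entry is the password and a `key: |` block in the remaining lines carries a multi-line value. `Secret`, `ParseSecret` and `sample` are hypothetical names, the entry is constructed, and the hand-written block handling only stands in for the YAML parsing the comment mentions.

```go
package main

import (
	"fmt"
	"strings"
)

// Secret is a simplified model of a pass-style entry (hypothetical type).
type Secret struct {
	Password string            // always the first line of the entry
	Fields   map[string]string // "key: value" pairs found after line 1
}

// ParseSecret splits off line 1 as the password; "key: |" starts an indented block.
func ParseSecret(raw string) Secret {
	lines := strings.Split(strings.TrimRight(raw, "\n"), "\n")
	s := Secret{Password: lines[0], Fields: map[string]string{}}
	for i := 1; i < len(lines); i++ {
		key, val, ok := strings.Cut(lines[i], ":")
		if !ok || strings.HasPrefix(lines[i], " ") {
			continue // "---" separator or free-form body text
		}
		val = strings.TrimSpace(val)
		if val == "|" { // block scalar: collect the indented lines that follow
			var block []string
			for i+1 < len(lines) && strings.HasPrefix(lines[i+1], "  ") {
				i++
				block = append(block, strings.TrimPrefix(lines[i], "  "))
			}
			val = strings.Join(block, "\n")
		}
		s.Fields[strings.TrimSpace(key)] = val
	}
	return s
}

// Constructed sample entry; the key body is a placeholder, not real key material.
const sample = `constructed-passphrase
---
key: |
  -----BEGIN OPENSSH PRIVATE KEY-----
  constructed-key-material
  -----END OPENSSH PRIVATE KEY-----
user: bob
`

func main() {
	s := ParseSecret(sample)
	fmt.Printf("password only: %q\nkey field:\n%s\n", s.Password, s.Fields["key"])
}
```

Fed the three-line entry from the original report, the same function returns only `Password on line 1` as the password and no fields, which matches the behaviour reported for `--password`.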

Hm, I wasn't thinking of the YAML support for multi-line passwords with a specific key. Cool stuff. I probably should have grepped for multi-line haha.

kanielrkirby avatar Feb 06 '24 13:02 kanielrkirby

I don't think there is anything we can fix here. Handling the first line of a secret as the password is coming from the pass format and we don't want to break that.

dominikschulz avatar Mar 31 '24 07:03 dominikschulz