cli
Add pass support
The UNIX password store called pass is a very handy Unix tool that lets you keep GPG-encrypted passwords in a git repository and use it as a password safe.
CodiMD CLI could integrate with pass by checking for its existence and reading login data (i.e. pass show demo.codimd.org/myuser) from there.
In order to make it easy to integrate, we should provide a function that abstracts the provided password. This means: check if a password is supplied by CLI parameter, check if the password store is there and, if so, check it for a password. When none of the above provides a password, show a prompt.
Just my rough idea, feel free to extend/change/improve.
Using #23 and settings such as those of isync it will be possible. Cf. man mbsync:
Pass password
Specify the password for username on the IMAP server. Note that this option is not required. If neither a password nor a password command is specified in the configuration file, mbsync will prompt you for a password.
PassCmd [+]command
Specify a shell command to obtain a password rather than specifying a password directly. This allows you to use password files and agents. The command must produce exactly one line on stdout; the trailing newline is optional. Prepend + to the command to indicate that it produces TTY output (e.g., a decryption password prompt); failure to do so will merely produce messier output.
@Fumesover ~~I'm sorry to say, but I'm not really sure what you say with your comment~~ :sweat_smile:
~~Could you elaborate (maybe with links to documentations) what you mean?~~
Mhm, so you suggest having a parameter --password-cmd which refers to a binary that will run in order to get the password out?
Maybe we should take the approach that ansible uses: having a --vault-password-file (in our case probably just --password-file) which can be either a plaintext file containing a password or an executable file that will run in order to get the password.
If we use codimd in the command line, we can just do something like that: ~codimd codimd login --email [email protected] $(pass show my/pass/for/codi)~ do not do that, the password leaks and can be accessed by anyone
My first comment was about a hypothetical configuration file where some secrets could be written in clear
Depending on how big and how versatile a change would have to be, I'm against integrating stuff for a single other product (pass in this case).
FWIW I run this on a Mac where pass is ~~not supported~~ not natively installed, but a system keychain CLI does exist. I'm not sure it's worth adding this relatively complex dependency for such a small thing, especially considering things like Amazon AWS keys, entire chrome data directories with all cookies/session keys, and SSH private keys are routinely stored unencrypted in users' home folders.
@pirate I might be mistaken, but I think it is supported: https://www.passwordstore.org/#macintosh
I would prefer a universal solution where you can specify a command that outputs the password.
This way other popular password-managers are also supported.