pass Password Manager
Love them or hate them, shared passwords are a fact of life: default user accounts, database users, API keys and so on. pass, the "standard Unix password manager", stores each password in a directory structure of gpg-encrypted files. Because gpg is used, multiple gpg IDs can be used to encrypt and decrypt the password files, and because the directory and file structure is simple, git can be used to track changes and share the password repository with others.
SETUP
To set up and test sharing passwords between two people, I will build and configure three Ubuntu Docker containers: two clients, alice@heavymessing and bob@justtesting, to act as user machines, and a server, git@lastingdamage, to be the Git repository machine.
Each host requires these packages:
openssh-client - secure shell (SSH) client, for access to remote machines
gnupg - GNU privacy guard - a free PGP replacement
pass - lightweight directory-based password manager
git - fast, scalable, distributed revision control system
gpg
Each user will need to generate their own keys, export their public key, and import and sign their team members' public keys.
gpg --full-generate-key
gpg --export --armor $USER@$HOST > .gnupg/$USER@${HOST}_public.asc
gpg --import /root/public_keys/bob@justtesting_public.asc
gpg --edit-key bob@justtesting -> lsign
Note: Permission denied error
gpg: agent_genkey failed: Permission denied
Key generation failed: Permission denied
is fixed by
ls -la $(tty)
sudo chown <USERNAME> $(tty)
pass
Each user will need to set up pass.
pass init $USER@$HOST
pass generate $HOST/$USER 15
pass generate gmail/$USER 15
pass
Git
Each user will need to set up a personal git password repo.
cd .password-store
git init
git add .
git commit -m "first commit"
git remote add origin git@lastingdamage:password-store-$USER.git
Alice sets up a shared password repo.
cd /home/alice/.password-store
git push --set-upstream origin master
echo "shared" > .gitignore
git clone git@lastingdamage:password-store-shared.git shared
pass init -p shared alice@heavymessing
echo "bob@justtesting" >> /home/alice/.password-store/shared/.gpg-id
pass init -p shared $(cat /home/alice/.password-store/shared/.gpg-id)
pass generate --no-symbols shared/password 15
pass
cd /home/alice/.password-store/shared
git add .
git commit -m "added shared/password"
git push --set-upstream origin master
Bob clones the shared password repo.
cd /home/bob/.password-store
git push --set-upstream origin master
echo "shared" > .gitignore
git clone git@lastingdamage:password-store-shared.git shared
pass
TESTS
To gain a level of assurance that the required functionality has been achieved, I conducted the following tests.
1. Alice & Bob have their individual and shared password stores.
2. Alice changes the shared password and pushes the git repo; Bob pulls.
4. Alice removes Bob's id and changes the shared password and pushes the git repo. Bob pulls the shared repo but is unable to decrypt the password.
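Test 4 only holds if every file in the shared store was actually re-encrypted after Bob's id was removed; a file that still carries his key as a recipient stays readable to him. The script below is an added example, not part of the original post, that audits a store by comparing the recipients recorded in each .gpg file with the ids in .gpg-id. It assumes bash and gpg are installed and that the store layout matches the post; the script name and the path in the usage line are hypothetical.

```bash
#!/usr/bin/env bash
# Audit a pass store: every *.gpg file must be encrypted to exactly the keys
# named in .gpg-id, otherwise a removed team member can still decrypt it.
# Assumes bash, gpg and a store laid out as in the post (hypothetical paths).
set -euo pipefail

# Parse `gpg --list-packets` output on stdin and print the sorted, unique
# long key IDs found in the public-key encryption packets.
recipient_keyids() {
    sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-F]\{16\}\).*/\1/p' | sort -u
}

# Map every identity listed in a .gpg-id file to the long key ID of its
# encryption-capable subkey ("e" in the capability field of --with-colons).
gpgid_keyids() {
    while read -r ident; do
        [ -n "$ident" ] || continue
        gpg --list-keys --with-colons "$ident" \
            | awk -F: '$1 == "sub" && $12 ~ /e/ { print $5 }'
    done < "$1" | sort -u
}

# Compare one file's actual recipients with the expected set; returns 1 on
# any difference so the caller can count failures.
check_file() {
    local file=$1 expected=$2 actual
    actual=$(gpg --list-only --list-packets "$file" 2>/dev/null | recipient_keyids)
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
    else
        echo "MISMATCH $file"
        echo "  expected: $(echo "$expected" | tr '\n' ' ')"
        echo "  actual:   $(echo "$actual" | tr '\n' ' ')"
        return 1
    fi
}
# Walk a store directory (e.g. ~/.password-store/shared) and check each file.
audit_store() {
    local dir=$1 expected rc=0 f
    expected=$(gpgid_keyids "$dir/.gpg-id")
    while IFS= read -r -d '' f; do
        check_file "$f" "$expected" || rc=1
    done < <(find "$dir" -name '*.gpg' -print0)
    return "$rc"
}
# Usage: bash pass-audit.sh /home/alice/.password-store/shared
if [ "$#" -gt 0 ]; then
    audit_store "$1"
fi
```

A MISMATCH after removing an id means the file was not re-encrypted; rerunning `pass init -p shared` with the current id list rewrites every file in that subfolder.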
Conclusion
pass is very easy to use, and git and gpg are straightforward, making sharing passwords simple and secure.