drduh / pwd.sh Goto Github PK

Hello! Cool project. Could you possibly tack a license on it? It's proprietary otherwise :)

On almost every invocation of ./pwd.sh w someusername 30, I receive a "tr: Illegal byte sequence" response. On the very few invocations that work (one in every 20), my random safe/filename is only 1-2 characters long.

It appears to be a MacOS problem (I'm on 11.6) - and the workaround here appears to work: https://unix.stackexchange.com/questions/45404/why-cant-tr-read-from-dev-urandom-on-osx

LC_CTYPE=C tr -dc "[:lower:]" < /dev/urandom | fold -w8 | head -n1

I don't have any locales in my environment by default, and my zshrc doesn't set any by default - so I think the data pulled from urandom is going haywire.

I'm also not sure if my workaround above is "the" solution, or just a workaround.

I have a lot of accounts with the same username, some context like "Twitter" or "Github" for each would help quickly look up a password and differentiate between them in a list.

Hello,
first of all, I'd like to let you know that I love the idea you came up with in this repository! Keep on developing it!

After I cloned the repo and started using the script, I intentionally produced an error. I like the red error message, but the font color is never reseted, so all the console output was red, until the 'success' message came. Here is the screenshot:

I'm using Mac OS X 10.10.4 on a mid-2013 Air. I am not using any other scripts that could possibly override any color settings in the bash.

This way you could set a different location for the safe file without having to modify the original pwd.sh script e.g: safe=${PWDSH_SAFE:=pwd.sh.safe} on line 10 would mean you could do : export PWDSH_SAFE=/my/dropbox/location/pwd.sh.safe; ./pwd.sh

What do you think about optional gist backups? You can put pwd safe to a new secret gist repository and attempt to pull/push on read/write. On conflict you just output it and let user resolve manually.

And how do you feel about https://github.com/caodonnell/passman.sh fork?

You're passing the gpg passphrase as an argument to gpg, which means it will show in any 'ps' listing while the gpg command is running.

% while :; do ps -ef | grep decrypt | grep -v grep; done
...
jblaine 27709 27704 0 13:24 pts/0 00:00:00 /usr/bin/gpg --decrypt --armor --batch --command-fd 0 --passphrase MyPasswordWasHere pwd.sh.safe

I can't delete any password, i get this error: "Write to safe failed" , and every time that i try to run the program, i need to use "sudo" or instead i get an gpg error.

https://github.com/drduh/pwd.sh/blob/master/pwd.sh#L121

decrypt the safe
remove the username
add the new entry
remove any blank lines
encrypt the vault
copy it over the old vault

You've left the vault, with a known name, decrypted, with permissions that match umask. Danger, Danger Will Robinson.

Its possible to change the default cipher method to AES256, I used to save my passwords in a file encrypted with AES256. Its possible to add this to the script? Or CAST5 its just fine and secure?
Thanks in advance.
... http://crypto.stackexchange.com/questions/24045/is-cast5-still-a-secure-algorithm-to-use

Creating a new safe with a password which contains one or more spaces will cause encryption to fail, and may cause parts of the password to be printed.

Please see my pull request #33

Set the umask to the most restrictive possible to avoid other users from reading the tmp file.

It required srm to work but that is not part of installation/requirements documentation.

Also what version of srm that must be used because 3.1 in ubuntu do not work with the default options.

is there any security risk adding "-sel clip" to xcopy?
the password was not getting copied to my clipboard in ubuntu linux, and that did the trick, i left a PR

I think there is actually no need for pwd.sh to show a password just created: it would be safer to do so only if specified and to simply store it otherwise, without sending it to output.

When executing the script it looks for gpg in a folder that gpg is not installed in by default (on ubuntu 14.04) It is hardcoded to look in /usr/local/bin/gpg but default it is installed in /usr/bin/gpg. I either have to symlink it to make it work or change the script to look in the correct folder.

Possible solutions, look in more places that it might exist or locate the script with which gpg to make it dynamic.

Hi I've been experiencing a strange issue as I get 'mDoneB' these included at the end of the copied password when using:

./pwd.sh r github | cut -f1 -d ' ' | tr -d '\n' | pbcopy

I tried a fresh copy and it worked for the first time but as soon as I wrote over the password. The copy command stops working.

Please do help me if you know any reason for why this would happen.

Thanks.

If someone can edit the PGP message in the file, then they can mess with the decryption. I'm envisioning a ransomware type attack where a bad actor gains access, changes a few random characters in the .safe file, and makes the program unable to decrypt the passwords. Kind of like, "I can't see your passwords, but neither can you until you pay me!" Big problem if the keys to someone's entire digital life are stored in that file.

Is there some way to make the .safe file read-only except when pwd.sh is using it?

Hi,

Thanks for sharing this useful piece of code!

It seems there's a small bug that prevent deletion where there's only one entry remaining.

See:

./pwd.sh w user1 9
./pwd.sh w user2 9
./pwd.sh w user3 9
./pwd.sh r all
# MIcA4iieW user1
# fi+ALzJvT user2
# GZvLkTX4+ user3

./pwd.sh d user1
./pwd.sh d user2
./pwd.sh d user3
# Error: Write to safe failed
./pwd.sh r all
# GZvLkTX4+ user3

I guess that's not a problem for most of users as their safe contains multiple entries, but it is one for new users who want to play with the script and don't understand why the deletion can't work.

Is there any way to pass the password as an argument?