Pass

From the Arch Linux Chinese wiki

This article or section is out of date.


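The official website states:

Password management should be simple and follow the Unix philosophy. Pass stores your passwords in gpg-encrypted files, each named after the website or resource it belongs to. These encrypted files are organized into a sensible file hierarchy, which you can copy from one device to another and manage with command-line programs.

Pass is a simple command-line password manager. In essence, it is a script that makes use of GnuPG, tree, and Git.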

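Installation

Install the pass package.

A graphical Qt front end is also available as a package: qtpass

Basic usage

Note: Configure GnuPG before using pass. The trust level of the key used by pass must be "ultimate".

Initialize the password store: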

$ pass init <gpg-id or email>

To create a new password, provide a file name. The name should reflect the hierarchy the entry belongs to, for example archlinux.org/wiki/username:

$ pass insert archlinux.org/wiki/username

To view the stored passwords as a file tree:

$ pass
Password Store
└── archlinux.org
    └── wiki
        └── username

To generate a new random password, run the following command, where the positive integer n is the desired password length:

$ pass generate archlinux.org/wiki/username n

To retrieve a password, run the following command and enter your gpg passphrase in the prompt that pops up. Using the example above:

$ pass archlinux.org/wiki/username

If you use Xorg and have xclip installed, you can copy the retrieved password to the clipboard temporarily; if you use Wayland, pass-git (AUR) uses wl-clipboard instead. Using the example above:

$ pass -c archlinux.org/wiki/username

Note: If you prefer to paste the password by clicking the middle mouse button, add the following to your ~/.shellrc: export PASSWORD_STORE_X_SELECTION=primary

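pass also ships with a helper that integrates with dmenu, so you can search for a password and copy it easily. To use it, install the optional dependency dmenu and run: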

$ passmenu

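When you select a password, it is copied to the clipboard. See dmenu(1) for more customization options. To get to your passwords faster, bind this command to a system keyboard shortcut.

Entry format

An entry created with pass insert contains only your password by default. This is sometimes not enough, because some applications also need other details such as the username or the site URL. In that case, you can edit an existing entry with: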

$ pass edit password_name

Below is the layout recommended by the official website. With this layout, the -c/--clip option copies only the password on the first line.

YwrZSNH35z164ym9pI
URL: *.amazon.com/*
Username: AmazonianChicken@example.com
Secret Question 1: What is your childhood best friend's most bizarre superhero fantasy? Oh god, Amazon, it's too awful to say...
Phone Support PIN #: 84719
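
A way to read individual values back out of an entry laid out as above, as an added example that is not part of the original page. The function names entry_password, entry_field and sample_entry are hypothetical, and the sample entry is constructed.

```shell
#!/bin/sh
# Added example: read fields from a decrypted pass entry supplied on stdin.
# Layout assumed: line 1 is the password, later lines are "Key: value".

# entry_password: print only the first line (what `pass -c` copies).
entry_password() {
    sed -n '1p'
}

# entry_field NAME: print the value of the first "NAME: value" line after
# line 1. Matching is case-insensitive and the value may itself contain
# colons (for example a URL).
entry_field() {
    awk -v want="$1" '
        NR == 1 { next }                # never treat the password as a field
        {
            sep = index($0, ":")
            if (sep == 0) next          # not a "Key: value" line
            key = substr($0, 1, sep - 1)
            if (tolower(key) != tolower(want)) next
            val = substr($0, sep + 1)
            sub(/^[ \t]+/, "", val)     # drop the space after the colon
            print val
            exit
        }'
}

# Constructed sample entry, modelled on the layout shown above.
sample_entry() {
    cat <<'EOF'
YwrZSNH35z164ym9pI
URL: https://example.com/login
Username: AmazonianChicken@example.com
Phone Support PIN #: 84719
EOF
}

# Real use (needs an initialised store):
#   pass show password_name | entry_field Username
```

Because line 1 is skipped by entry_field, a password that happens to contain a colon is never returned as a field value.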

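Migrating to pass

Many scripts are available for importing passwords from other applications into pass.

Extensions

Since version 1.7, pass supports community-developed extensions. These extensions add new commands that extend what pass can do.

An extension that encrypts entries with tomb

One-time password (OTP) support

A general-purpose tool for importing passwords from other managers

A shortcut for updating passwords

An extension for auditing password security

Advanced usage

An environment variable can be used to change the location where pass reads and writes entries and runs git commands: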

PASSWORD_STORE_DIR=/path/to/store

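Variables can also be set so that pass works with multiple password stores.

The following example pw() function copies the second line of the entry to the clipboard, copies the first line five seconds later, and copies a one-time password (OTP) code after another five seconds. If the first line of the entry is the password, the second line is the username, and the entry contains an OTP URI, this lets you paste the three values in the order username > password > OTP code into empty fields (such as a browser login form).

pw() {
    # Keep each copied value on the clipboard for 8 seconds
    export PASSWORD_STORE_CLIP_TIME=8
    # Copy to the primary selection (paste with the middle mouse button)
    export PASSWORD_STORE_X_SELECTION=primary
    # Line 2 (username), then line 1 (password), then the OTP code
    pass -c2 "$1"; sleep 5; pass -c "$1"; sleep 5; pass otp -c "$1"
    # exit closes the shell that called pw()
    exit
}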

Multiple pass Contexts (e.g. Teaming)

One can use aliases to set up different pass contexts, which helps when collaborating with different teams. We have gotten this working in bash as follows:

Add aliases to your ~/.bashrc:

 alias passred="PASSWORD_STORE_DIR=~/.pass/red pass"
 alias passblue="PASSWORD_STORE_DIR=~/.pass/blue pass"

Add these for bash-completion to your ~/.bash_completion and make sure bash-completion is installed:

 source /usr/share/bash-completion/completions/pass
 _passred(){
     PASSWORD_STORE_DIR=~/.pass/red/ _pass
 }
 complete -o filenames -o nospace -F _passred passred
 _passblue(){
     PASSWORD_STORE_DIR=~/.pass/blue/ _pass
 }
 complete -o filenames -o nospace -F _passblue passblue

Now you can initialize into ~/.pass/red and ~/.pass/blue and have two pass contexts with the passred and passblue aliases. You can generalize this further into as many contexts as you like.

Git integration

Git helper usage

You can use pass as a credentials helper for git. Install the pass-git-helper (AUR) or pass-git-helper-git (AUR) package. Details are described in the GitHub README file.

git Configuration

Install pass-git-helper as a git credentials helper by calling:

git config --global credential.helper /usr/bin/pass-git-helper

Mapping File

Create the file ~/.config/pass-git-helper/git-pass-mapping.ini. It is used to map git remote hosts to your pass database. The format is something like this:

[github.com]
target=dev/github

[*.fooo-bar.*]
target=dev/fooo-bar

You can use wildcards in the host part, as shown in the example.

Password Store Layout

As usual with pass, the helper assumes that the password is contained in the first line of the password store entry. Additionally, if a second line is present, this line is interpreted as the username.

For this to work, you have to use pass insert --multiline to create a multi-line password store entry.

Central Git server for pass in combination with GnuPG (SSH example)

You can set up a password management system by setting up a central Git server for pass. This allows you to synchronize your central password repository across multiple client environments.

Install a bare Git repository for Pass on the server

On the server run git init --bare ~/.password-store to create a bare repository you can push to.

Import authorized public SSH keys

See SSH keys#Copying the public key to the remote server

On the client

This section assumes you have configured GnuPG and have a key pair to encrypt passwords. On the client, make sure you have a local password store, then enable management of local changes through Git, add your remote Git repository, and push your local Pass history.

# Create local password store
pass init <gpg key id>
# Enable management of local changes through Git
pass git init
# Add the remote git repository as 'origin'
pass git remote add origin user@server:~/.password-store
# Push your local Pass history
pass git push -u --all

Now you can use the standard Git commands, prefixed by pass. For example: pass git push, or pass git pull. Pass will automatically create commits when you use it to modify your password store.

Troubleshooting

Encryption failed: Unusable public key

The following error can occur when attempting to insert a new entry:

$ pass insert archlinux.org/wiki/username
Enter password for archlinux.org/wiki/username:
Retype password for archlinux.org/wiki/username:
gpg: XXXXXXXXX: There is no assurance this key belongs to the named user
gpg: [stdin]: encryption failed: Unusable public key
Password encryption aborted.

This occurs if the trust level of the GnuPG key is set to anything other than "ultimate." Edit the key used for pass to set its trust level to "ultimate."
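
A check for the trust-level requirement described above, as an added example that is not part of the original page: it reads the trust fields from GnuPG's machine-readable key listing before you run pass insert. The function names key_trust, ultimate_ownertrust and sample_listing are hypothetical, and the key listing is constructed.

```shell
#!/bin/sh
# Added example: report the trust fields GnuPG holds for a key, read from
# `gpg --list-keys --with-colons` output on stdin.
# In a "pub" record field 2 is the key validity, field 5 the long key ID
# and field 9 the owner trust; "u" means ultimate.

# key_trust KEYID: print "<validity> <ownertrust>" for the matching public key.
# KEYID is compared against the end of field 5, so short and long IDs work.
key_trust() {
    awk -F: -v id="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
        $1 == "pub" && length($5) >= length(id) &&
        substr($5, length($5) - length(id) + 1) == id {
            v = ($2 == "") ? "-" : $2
            o = ($9 == "") ? "-" : $9
            print v, o
            found = 1
            exit
        }
        END { if (!found) exit 1 }'
}

# ultimate_ownertrust KEYID: status 0 if owner trust is ultimate,
# 1 if it is anything else, 2 if the key is not in the listing.
ultimate_ownertrust() {
    trust=$(key_trust "$1") || return 2
    [ "${trust#* }" = "u" ]
}

# Constructed listing: the first key has ultimate trust, the second has none set.
sample_listing() {
    cat <<'EOF'
pub:u:4096:1:AAAAAAAAAAAAAAA1:1600000000:::u:::scESC::::::23::0:
uid:u::::1600000000::0000000000000000000000000000000000000001::Alice (constructed) <alice@example.com>::::::::::0:
pub:-:4096:1:BBBBBBBBBBBBBBB2:1600000000:::-:::scESC::::::23::0:
uid:-::::1600000000::0000000000000000000000000000000000000002::Bob (constructed) <bob@example.com>::::::::::0:
EOF
}

# Real use: gpg --list-keys --with-colons | ultimate_ownertrust <key id>
```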

See also