Evidlo / passhole

A secure hole for your passwords (KeePass CLI)
GNU General Public License v3.0

Add flag to support non-interactive use #56

Closed twpayne closed 2 years ago

twpayne commented 2 years ago

@JackTheMico and I would like to add support for passhole to the chezmoi dotfile manager. This requires passhole to be able to run with a password supplied securely by a third-party process, e.g. by sending the password over stdin.

In the current version of passhole, passhole will switch to zenity if stdin is not a TTY, which means that the password cannot be supplied over stdin.

Would you consider adding a --no-tty flag (or similar) that would cause passhole to read the password from stdin whether or not stdin is a TTY?

Other password managers solve this non-interactive-access-to-secrets problem by accepting passwords via locally secure channels that can only be read by the local user or root (e.g. stdin or environment variables, or starting a local daemon in the background that only the user can communicate with).

I would be happy to submit a PR if needed, but it may be quicker for you to do it.

Refs https://github.com/twpayne/chezmoi/discussions/2098 and https://github.com/twpayne/chezmoi/issues/2099.

Evidlo commented 2 years ago

That shouldn't be too hard to add. Does chezmoi prompt the user for the database password on its own, or is it stored in a config somewhere?

Non-interactive usage is already a design goal of passhole, but I've been operating under the assumption that such databases would not have a password (--no-password) (because what's the point of a password if the password is in plaintext on your filesystem).

twpayne commented 2 years ago

chezmoi prompts for the database password the first time it is needed, and then stores it in RAM for the duration of the chezmoi process, feeding it to passhole when needed, so that if the user needs to retrieve multiple secrets from passhole they only need to enter their password once.

There's a possible use case for using a password in plaintext on the filesystem: you can still share the database publicly (e.g. storing it in a shared drive) without compromising your secrets, except on your personal machines where the password is present. I'm not sure if anyone would (or should) use this, however.

Evidlo commented 2 years ago

I've published v1.10.0, which adds a --password PASSWORD argument. When the password is -, passhole will read the password from stdin.

```
[evan@blackbox tmp] echo password | ph --no-cache --database test4.kdbx --keyfile test4.key --password - ls
None
foobar_entry
foobar_entry - Clone
foobar_entry - Clone of clone
foobar_entry - Clone with prefix and suffix
quote test -> " <-
root_entry
testing_new
None
foobar_group
├── foobar_entry
├── group_entry
└── subgroup
    ├── foobar_entry
    ├── subentry
    ├── subentry2
    └── subgroup2
foobar_group2
Работа
└── Тест
```

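The two halves of the `--password -` contract discussed in this thread, as an added illustration (this is not passhole's or chezmoi's code, and `resolve_password`, `run_with_password` and `demo_round_trip` are names chosen here): the tool side reads one line from stdin whenever the argument is `-`, without consulting whether stdin is a TTY; the caller side hands the secret to the child over a pipe rather than through argv, where any local user could read it from the process list. A small Python child that echoes its stdin stands in for `ph ... --password - ls`, so the round trip can be exercised without a KeePass database.

```python
import io
import subprocess
import sys
from typing import List, Optional, TextIO


def resolve_password(password_arg: Optional[str], stdin: TextIO) -> Optional[str]:
    """Resolve a --password argument.

    None  -> no password given (keyfile-only / --no-password database)
    "-"   -> read one line from stdin, TTY or not
    other -> use the literal value (visible to other local users via ps,
             so callers should prefer "-")
    """
    if password_arg is None:
        return None
    if password_arg != "-":
        return password_arg
    line = stdin.readline()
    if line == "":
        raise ValueError("--password - given but stdin was empty (EOF)")
    # Strip exactly one trailing newline: `echo password | ph ...` adds one,
    # but a password that really ends in whitespace must survive intact.
    if line.endswith("\n"):
        line = line[:-1]
    return line


def from_text(password_arg: Optional[str], text: str) -> Optional[str]:
    """Convenience wrapper: resolve against an in-memory stdin."""
    return resolve_password(password_arg, io.StringIO(text))


def run_with_password(argv: List[str], password: str) -> subprocess.CompletedProcess:
    """Caller side (what a chezmoi-like tool does): spawn the child and feed
    the password through its stdin pipe. The secret never appears in argv or
    in the environment of the child."""
    return subprocess.run(
        argv,
        input=password + "\n",
        text=True,
        capture_output=True,
        check=True,
    )


# Constructed stand-in for `ph --password - ls`: a child that echoes back the
# one line it read from stdin, so the transport can be checked offline.
ECHO_CHILD = [sys.executable, "-c",
              "import sys; sys.stdout.write(sys.stdin.readline())"]


def demo_round_trip(password: str = "hunter2") -> Optional[str]:
    """Send `password` to the echo child and parse what it received back."""
    result = run_with_password(ECHO_CHILD, password)
    return from_text("-", result.stdout)


if __name__ == "__main__":
    print("child received:", demo_round_trip())
</test>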
twpayne commented 2 years ago

Thank you very much! Added passhole support to chezmoi in https://github.com/twpayne/chezmoi/pull/2317.