insanum / sncli

Simplenote CLI
MIT License

How to protect the password in config file #56

Closed Xunius closed 6 years ago

Xunius commented 6 years ago

Hi,

Thanks for creating this great little tool.

I'm trying to figure out a way to encrypt the password info in the .snclirc file. I had some experience encrypting the password for my mutt config, so I tried doing the same by first creating a file containing:

[sncli]
cfg_sn_username = myname@example.com
cfg_sn_password = mypassword

Then I encrypt it using gpg, giving an encrypted file password.gpg.

Then in ~/.snclirc, I put

source "gpg -d ~/.sncli/password.gpg |"

Running sncli gives this error:

Traceback (most recent call last):
  File "/usr/bin/sncli", line 11, in <module>
    load_entry_point('sncli==0.2.0', 'console_scripts', 'sncli')()
  File "/usr/lib/python3.6/site-packages/simplenote_cli/sncli.py", line 1343, in main
    sncli(sync, verbose, config).gui(key)
  File "/usr/lib/python3.6/site-packages/simplenote_cli/sncli.py", line 18, in __init__
    self.config         = Config(config_file)
  File "/usr/lib/python3.6/site-packages/simplenote_cli/config.py", line 128, in __init__
    self.configs_read = cp.read([os.path.join(self.home, '.snclirc')])
  File "/usr/lib/python3.6/configparser.py", line 697, in read
    self._read(fp, filename)
  File "/usr/lib/python3.6/configparser.py", line 1080, in _read
    raise MissingSectionHeaderError(fpname, lineno, line)
configparser.MissingSectionHeaderError: File contains no section headers.
file: '/home/guangzhi/.snclirc', line: 1
'source "gpg -d ~/.sncli/password.gpg |"\n'

I guess the python configparser is not recognizing the source command.

I got around this by creating an alias:

alias sncli="gpg -d ~/.sncli/password.gpg > ~/.snclirc && sncli"

I guess aliasing is not recursive in bash, so it seems to be working. But this prevents me from adding other configs in .snclirc, because if I use >> instead of >, I get a duplicate error.

What do you think will be my best way out? Maybe add a prompt if the password is not given in the config file?

Thanks

samuelallan72 commented 6 years ago

Adding support for dynamically getting the password has been on my todo list for a while. I'd like to be able to eventually add a config line in the file similar to:

[sncli]
cfg_sn_password_eval = gpg -d password.gpg

However, really in practice, if you don't trust your computer to store a password in plain text in your home folder, why would you trust it when you input your gpg key password, or trust it to secure the password in memory... I'm somewhat unsure of the type of attack this would actually guard against in practice.

By the way, security related, it also seems that sncli logs all the network requests, which includes your api token. Just a heads up.

Xunius commented 6 years ago

Well, I think there is never any ultimate solution where security is concerned; you just stack layers of security measures to filter out (relatively) easy attacks. I'm no expert in these things, that's why I'm asking for help.

I did some simple modifications to the config.py file: basically I copied the authentification() function from the simplenote.py file into config.py and added a while loop asking the user to input the password for the account user, which is read from .snclirc. The loop calls the authentification() function to check the validity of the password and keeps on prompting for a password as long as it is wrong. I should maybe add a 3-time fail limit to it, but it's just my own dirty hack.

samuelallan72 commented 6 years ago

@Xunius I added this feature in commit https://github.com/insanum/sncli/commit/77d8568fb8faf4fd8d0d7edb50268df0ffda59d5 - please check it out and let me know if it fixes this issue. :smiley:

Xunius commented 6 years ago

What a quick update!

I tried it. The first time, I forgot to change the encrypted password file, so the password was wrong, and sncli hung without showing the "check the credentials" message or something similar. After re-generating the .gpg file, it works great.

samuelallan72 commented 6 years ago

Great!

sncli should display the check credentials message... perhaps the network was slow for a while or something (it worked fine when I tested it with an eval command with the wrong password). The only time it might hang without a message could be if the eval command was slow.
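As an added illustration (not sncli's own code) of the two points raised in this thread, the proposed cfg_sn_password_eval setting and the risk of a slow eval command leaving the UI hanging, here is a small resolver that runs the configured command with a timeout and turns a stuck or failing command into an explicit error. The function name resolve_password, the sample config and the use of configparser without a shell are assumptions for this example.

```python
import configparser
import shlex
import subprocess

# Constructed sample config in the layout sncli uses; the *_eval key is the
# setting proposed in this thread, not necessarily what sncli ships with.
SAMPLE_CONFIG = """
[sncli]
cfg_sn_username = myname@example.com
cfg_sn_password_eval = echo constructed-secret
"""


def resolve_password(config_text, timeout=10.0):
    """Return the account password from an sncli-style config string.

    A literal cfg_sn_password wins; otherwise cfg_sn_password_eval is run as a
    command (argv split with shlex, no shell involved) and its stdout is used.
    A slow or failing command raises RuntimeError instead of hanging the UI.
    """
    cp = configparser.ConfigParser()
    cp.read_string(config_text)  # a bare 'source ...' line raises MissingSectionHeaderError
    section = cp["sncli"]
    literal = section.get("cfg_sn_password")
    if literal:
        return literal
    cmd = section.get("cfg_sn_password_eval")
    if not cmd:
        raise RuntimeError("no cfg_sn_password or cfg_sn_password_eval configured")
    try:
        result = subprocess.run(
            shlex.split(cmd),
            capture_output=True,
            text=True,
            timeout=timeout,  # bound the wait so a stuck gpg/pinentry is reported
            check=True,       # non-zero exit (e.g. wrong gpg passphrase) is an error
        )
    except subprocess.TimeoutExpired:
        raise RuntimeError(f"password command timed out after {timeout}s: {cmd}")
    except (subprocess.CalledProcessError, OSError) as exc:
        raise RuntimeError(f"password command failed: {cmd} ({exc})")
    # Strip only the trailing newline that gpg/echo append; keep everything else.
    return result.stdout.rstrip("\r\n")


if __name__ == "__main__":
    pw = resolve_password(SAMPLE_CONFIG)
    print(f"password resolved ({len(pw)} characters)")
```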