From: Dan Cross <cross@math.psu.edu>
To: 9fans@cse.psu.edu
Subject: [9fans] Hmm, где secstore на KFS?
Date: Fri, 11 Oct 2002 16:03:10 -0400 [thread overview]
Message-ID: <200210112003.g9BK3Ai08290@augusta.math.psu.edu> (raw)
[-- Attachment #1: Type: text/plain, Size: 1389 bytes --]
This is slightly goofy, please bear with me.
It occured to me that over the course of time, I tend to end up with a
lot of keys in the factotum on my local laptop. However, it's always
the same keys, and it's repetative and annoying to type every time I
login. Naturally, I want to put them this in a file, but because I'm
just a little paranoid about my laptop getting stolen (and someone
finding a file called ``passwords!''), I don't want it in plain text.
Secstore is the obvious answer, but only works on a network, and I
don't really want to bother running secstored locally. It'd be nice
to have something simple that just encrypts and decrypts files on my
local machine.
Auth/aescbc does this, but isn't particularly convenient since you
have to pass the raw key to it (in hex) via the environment (in the
variable HEX). So, I wrote a small program that acts as a wrapper
around auth/aescbc, and called it µsecstore. It gets the key to use
from factotum, so it's pretty convenient, and I feel safer using this
than storing my passwords in a file in the clear. I usually run it
out of my $lib/lib/profile as:
µsecstore -r $home/lib/factotum.aes | read -m >
/mnt/factotum/ctl
I've attached it below, along with a man page. Is there another way
to do this, btw, that might be better? Criticisms and suggestions are
welcome.
- Dan C.
[-- Attachment #2: Type: text/plain, Size: 1744 bytes --]
/*
* Tiny version of secstore, for a local KFS.
*/
#include <u.h>
#include <libc.h>
#include <mp.h>
#include <libsec.h>
#include <auth.h>
#define max(X, Y) ((X) > (Y) ? (X) : (Y))
#define min(X, Y) ((X) < (Y) ? (X) : (Y))
void
usage(void)
{
fprint(2, "Usage: µsecstore [-u user] {-r|-w} file.\n");
exits("usage");
}
char *
getpass(char *u, char *s)
{
UserPasswd *p;
p = auth_getuserpasswd(auth_getkey,
"proto=pass service=µsecstore server=%q user=%q", s, u);
if (p == nil) {
exits("no key");
}
return(p->passwd);
}
char *
mkkey(char *p)
{
uchar digest[MD5dlen];
static char tmp[128];
md5((uchar *)p, strlen(p), digest, nil);
enc16(tmp, sizeof tmp, digest, sizeof digest);
return(tmp);
}
void
µsread(char *f)
{
close(0);
if (open(f, OREAD) < 0) {
sysfatal("can't redirect input from %s: %r\n", f);
}
}
void
µswrite(char *f)
{
int fd;
close(1);
fd = open(f, OWRITE | OTRUNC);
if (fd < 0) {
fd = create(f, OWRITE, 0600);
}
if (fd < 0) {
sysfatal("couldn't open or create %s: %r");
}
}
void
main(int argc, char *argv[])
{
char *f, *o, *p, *s, *u;
void (*m)(char *f);
m = nil;
u = getuser();
s = sysname();
if (s == nil) {
s = "localhost";
}
ARGBEGIN {
case 'u':
u = EARGF(usage);
break;
case 'r':
if (m != nil)
usage();
o = "-d";
m = µsread;
break;
case 'w':
if (m != nil)
usage();
o = "-e";
m = µswrite;
break;
} ARGEND
f = argv[0];
if (f == nil || m == nil || u == nil || s == nil) {
usage();
}
p = getpass(u, s);
rfork(RFCENVG);
(*m)(f);
putenv("HEX", mkkey(p));
execl("/bin/auth/aescbc", "aescbc", o, nil);
exits(0);
}
[-- Attachment #3: Type: text/plain, Size: 1422 bytes --]
.TH µSECSTORE 1
.SH NAME
µsecstore \- manipulate small repositories of secret
.SH SYNOPSIS
.B µsecstore
[
.B -u
.I user
]
.B -r
file
.PP
.B µsecstore
[
.B -u
.I user
]
.B -w
file
.SH DESCRIPTION
.I µsecstore
is a wrapper around
.IR aescbc (1)
and is intended to provide standalone machines functionality
similar to that of
.IR secstore(1).
.PP
When
.I µsecstore
starts up, it looks in the local
.IR factotum (4)
for an encryption key corresponding to the
current system and user, prompting if one
isn't found. An alternate user name can
be specified with
.BR \-u .
.PP
If
.B \-w
is given, µsecstore reads data from the standard input,
encrypts it using the key it retrieved from
.IR factotum ,
and writes the result to the named file. If
.B \-r
is given, it reads and decrypts data from the named file and
writes the result to the standard output.
.PP
In either case, the real work is done by invoking
.IR aescbc (1)
with the appropriate options.
.PP
To load the
.I factotum
with secrets from an encrypted file when logging in, invoke
.I µsecstore
from
.I $home/lib/profile
as:
.EX
µsecstore -r $home/lib/factotum.aes | read -m > /mnt/factotum/ctl
.EE
.SH FILES
.B $home/lib/profile
.SH SOURCE
.B /sys/src/cmd/µsecstore.c
.SH SEE ALSO
.I Aescbc
in
.IR secstore (1),
.IR secstore (1),
.IR aes (2),
.IR factotum (4),
.IR secstored (1)
next reply other threads:[~2002-10-11 20:03 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-10-11 20:03 Dan Cross [this message]
2002-10-12 4:18 [9fans] Hmm, где secstore на KFS? Eric Grosse
2002-10-12 16:48 ` Dan Cross
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200210112003.g9BK3Ai08290@augusta.math.psu.edu \
--to=cross@math.psu.edu \
--cc=9fans@cse.psu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).