From: Dan Cross
To: 9fans@cse.psu.edu
Subject: [9fans] Hmm, where is secstore on KFS?
Date: Fri, 11 Oct 2002 16:03:10 -0400
Message-Id: <200210112003.g9BK3Ai08290@augusta.math.psu.edu>

This is slightly goofy, please bear with me.

It occurred to me that over the course of time, I tend to end up with a lot of keys in the factotum on my local laptop. However, it's always the same keys, and it's repetitive and annoying to type every time I login. Naturally, I want to put them in a file, but because I'm just a little paranoid about my laptop getting stolen (and someone finding a file called ``passwords!''), I don't want it in plain text. Secstore is the obvious answer, but only works on a network, and I don't really want to bother running secstored locally. It'd be nice to have something simple that just encrypts and decrypts files on my local machine.

Auth/aescbc does this, but isn't particularly convenient since you have to pass the raw key to it (in hex) via the environment (in the variable HEX). So, I wrote a small program that acts as a wrapper around auth/aescbc, and called it µsecstore. It gets the key to use from factotum, so it's pretty convenient, and I feel safer using this than storing my passwords in a file in the clear. I usually run it out of my $lib/lib/profile as:

	µsecstore -r $home/lib/factotum.aes | read -m > /mnt/factotum/ctl

I've attached it below, along with a man page. Is there another way to do this, btw, that might be better? Criticisms and suggestions are welcome.

	- Dan C.
[attachment: µsecstore.c]

/*
 * Tiny version of secstore, for a local KFS.
 */
#include <u.h>
#include <libc.h>
#include <auth.h>
#include <mp.h>
#include <libsec.h>

void
usage(void)
{
	fprint(2, "Usage: µsecstore [-u user] {-r|-w} file\n");
	exits("usage");
}

/*
 * Ask factotum for the password filed under this service, server
 * and user; factotum prompts for one if it has no matching key.
 */
char *
getpass(char *u, char *s)
{
	UserPasswd *p;

	p = auth_getuserpasswd(auth_getkey,
		"proto=pass service=µsecstore server=%q user=%q", s, u);
	if(p == nil)
		sysfatal("no key: %r");
	return p->passwd;
}

/*
 * Turn the password into the 32 hex digits (128 bits) that aescbc
 * expects in $HEX: the key is simply MD5 of the password.
 */
char *
mkkey(char *p)
{
	uchar digest[MD5dlen];
	static char tmp[2*MD5dlen+1];

	md5((uchar *)p, strlen(p), digest, nil);
	enc16(tmp, sizeof tmp, digest, sizeof digest);
	return tmp;
}

/* -r: decrypt; standard input becomes the named file. */
void
µsread(char *f)
{
	close(0);
	if(open(f, OREAD) < 0)
		sysfatal("can't redirect input from %s: %r", f);
}

/* -w: encrypt; standard output becomes the named file, created mode 0600. */
void
µswrite(char *f)
{
	close(1);
	if(open(f, OWRITE|OTRUNC) < 0 && create(f, OWRITE, 0600) < 0)
		sysfatal("couldn't open or create %s: %r", f);
}

void
main(int argc, char *argv[])
{
	char *f, *o, *p, *s, *u;
	void (*m)(char *f);

	m = nil;
	o = nil;
	u = getuser();
	s = sysname();
	if(s == nil)
		s = "localhost";
	ARGBEGIN{
	case 'u':
		u = EARGF(usage());
		break;
	case 'r':
		if(m != nil)
			usage();
		o = "-d";
		m = µsread;
		break;
	case 'w':
		if(m != nil)
			usage();
		o = "-e";
		m = µswrite;
		break;
	default:
		usage();
	}ARGEND
	if(argc != 1 || m == nil || u == nil)
		usage();
	f = argv[0];
	p = getpass(u, s);
	/*
	 * Start from a fresh, empty environment group so that $HEX is
	 * the only variable aescbc sees and it is not shared with, or
	 * readable through /env by, any other process.
	 */
	rfork(RFCENVG);
	(*m)(f);
	putenv("HEX", mkkey(p));
	execl("/bin/auth/aescbc", "aescbc", o, nil);
	sysfatal("exec /bin/auth/aescbc: %r");
}

[attachment: µsecstore.1]

.TH µSECSTORE 1
.SH NAME
µsecstore \- manipulate small repositories of secrets
.SH SYNOPSIS
.B µsecstore
[
.B -u
.I user
]
.B -r
.I file
.PP
.B µsecstore
[
.B -u
.I user
]
.B -w
.I file
.SH DESCRIPTION
.I µsecstore
is a wrapper around
.IR aescbc (1)
and is intended to provide standalone machines functionality
similar to that of
.IR secstore (1).
.PP
When
.I µsecstore
starts up, it looks in the local
.IR factotum (4)
for an encryption key corresponding to the current system and user,
prompting if one isn't found.
An alternate user name can be specified with
.BR \-u .
.PP
If
.B \-w
is given,
.I µsecstore
reads data from the standard input, encrypts it using the key it
retrieved from
.IR factotum ,
and writes the result to the named file.
If
.B \-r
is given, it reads and decrypts data from the named file and writes
the result to the standard output.
.PP
In either case, the real work is done by invoking
.IR aescbc (1)
with the appropriate options.
.PP
To load
.I factotum
with secrets from an encrypted file when logging in, invoke
.I µsecstore
from
.I $home/lib/profile
as:
.EX
µsecstore -r $home/lib/factotum.aes | read -m > /mnt/factotum/ctl
.EE
.SH FILES
.B $home/lib/profile
.SH SOURCE
.B /sys/src/cmd/µsecstore.c
.SH SEE ALSO
.I Aescbc
in
.IR secstore (1),
.IR aes (2),
.IR factotum (4),
.IR secstored (1)
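The two things the wrapper leans on, the factotum key lookup it performs through auth_getuserpasswd (proto=pass service=µsecstore server=... user=...) and the mkkey() derivation, emulated in Python as an added example that is not Dan's code. The key lines are constructed samples, and it assumes values in factotum key lines carry rc-style single quoting, which is what the C code's %q format produces.

```python
"""Added example, not Dan Cross's code: emulate factotum's key lookup
and the C mkkey() derivation that µsecstore relies on. Values in key
lines are rc-quoted ('...', '' = literal quote), as %q emits them."""
import hashlib

CONSTRUCTED_KEYS = [  # constructed samples in factotum's attr=value syntax
    "key proto=p9sk1 dom=example.org user=dan !password=abc",
    "key proto=pass service=µsecstore server=laptop user=dan !password='pa ss''w'",
]

def rc_split(line):
    """Split line into words, honouring rc-style single quotes."""
    words, cur, inq, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if inq and c == "'" and line[i + 1:i + 2] == "'":
            cur.append("'")  # '' inside quotes is one literal quote
            i += 1
        elif c == "'":
            inq = not inq
        elif c.isspace() and not inq:
            words.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    words.append("".join(cur))
    return [w for w in words if w]

def parse_key(line):
    """'key a=b !c=d' -> ({'a': 'b'}, {'c': 'd'}); !attrs are secret."""
    words = rc_split(line)
    if not words or words[0] != "key":
        return None
    public, secret = {}, {}
    for w in words[1:]:
        name, _, val = w.partition("=")
        (secret if name.startswith("!") else public)[name.lstrip("!")] = val
    return public, secret

def lookup(keys, **query):
    """First key whose public attrs match every query attr, else None."""
    for k in filter(None, map(parse_key, keys)):
        if all(k[0].get(a) == v for a, v in query.items()):
            return k
    return None

def mkkey(password):
    """Same as the C mkkey(): 32 hex digits of MD5(password), unsalted and
    unstretched, so the file is exactly as strong as the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()
```

Because mkkey() is a plain MD5 with no salt or stretching, the strength of factotum.aes is bounded by the strength of the password stored for service=µsecstore; a long, random one is the mitigation.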