
Add simple ability to show passwords via CLI #150

Open
vaygr opened this issue Aug 31, 2023 · 10 comments

Comments

@vaygr
Contributor

vaygr commented Aug 31, 2023

keepmenu can already read keepass databases, so implementation of this should be trivial. We probably don't need to spin up a daemon for this and should forego caching altogether.

Rationale: software like mutt or weechat allow you to specify commands to decrypt data that can be used for passphrase purposes (SMTP/POP3/IMAP/IRC auth, certificate decryption, etc.). Typically you would use plain gpg for this: gpg --batch -q --decrypt ~/.config/mutt/master.gpg. Or a password manager like pass: pass show weechat/passphrase. This forces one to either use another password manager or different encrypted files, which promotes secret sprawl.

Furthermore, solving this will unlock usage in software like chezmoi for secret retrieval: https://www.chezmoi.io/reference/templates/secret-functions/secret/. Maybe it'll deserve its own function for chezmoi in the future.

This way all secrets can be kept in one database and retrieved by the same tool.

The proposal is to add -s/--show "mode" with an argument to display a password entry at the specified path. This can be extended to other fields, but I think just the password entry could be a good start.

@firecat53
Owner

Sounds reasonable and likely not too difficult.

@firecat53
Owner

Better late than never :) Started to work on this...are you envisioning that the db needs to be unlocked and operating already in the background or that all the necessary info to unlock the db is passed on the CLI each time or in the config file?

@vaygr
Contributor Author

vaygr commented Mar 14, 2025

Second.

I think how keepassxc-cli works is you pass the database and entry and it asks for the password interactively:

$ keepassxc-cli show -h
Missing positional argument(s).

Usage: keepassxc-cli show [options] database entry
Show an entry's information.

Options:
  -q, --quiet                    Silence password prompt and other secondary
                                 outputs.
  -k, --key-file <path>          Key file of the database.
  --no-password                  Deactivate password key for the database.
  -y, --yubikey <slot[:serial]>  Yubikey slot and optional serial used to
                                 access the database (e.g., 1:7370001).
  -t, --totp                     Show the entry's current TOTP.
  -a, --attributes <attribute>   Names of the attributes to show. This option
                                 can be specified more than once, with each
                                 attribute shown one-per-line in the given
                                 order. If no attributes are specified, a
                                 summary of the default attributes is given.
  -s, --show-protected           Show the protected attributes in clear text.
  --all                          Show all the attributes of the entry.
  --show-attachments             Show the attachments of the entry.
  -h, --help                     Display this help.

Arguments:
  database                       Path of the database.
  entry                          Name of the entry to show.

That would be most secure. Then, for example, when chezmoi uses it, it would cache the password in plaintext in case of fetching multiple entries before exiting.

@firecat53
Owner

Chezmoi would cache the keepass database password? How is that passed? Or are you saying it will cache the chezmoi db password that you retrieve from keepmenu?

@vaygr
Contributor Author

vaygr commented Mar 14, 2025

Yes, chezmoi would cache the keepass database password. In case of keepassxc-cli I think they use tty.

@firecat53
Owner

Sorry if I'm being dense, but it seems like you're looking for something different than I'm understanding.

I'm thinking: keepmenu --show "Joe's Grill" -d db.kdbx -> Prompts for passphrase on the CLI (not launcher) -> outputs Joe's Grill password to stdout (or to clipboard if the -C flag is passed).

  • If the database is not passed and there is more than one db listed in the config -> error.
  • If the keyfile isn't included in the config file -> error.
  • If keepmenu is already running and one of the open db names is passed with -d -> outputs password.

I'm not understanding your intended workflow.

@vaygr
Contributor Author

vaygr commented Mar 15, 2025

Yes, what you've described is exactly how I see it.

Above I showed how keepassxc-cli integrates with chezmoi, so when this functionality is implemented in keepmenu, we could implement/ask about chezmoi integration, so keepmenu could be used in chezmoi templating system to fetch passwords/attachments.

@firecat53
Owner

Ah, ok 😄 Thanks for the clarification!

I'm almost done, although I still have to see how complex it will be to detect the already open databases.

@firecat53
Owner

Initial working idea on the run_once branch. It doesn't have detection of currently open db's.

@vaygr
Contributor Author

vaygr commented Mar 15, 2025

OK, simple cases work, that's great:

$ keepmenu -s "DigiCert"
Password:
changeme

A bit more complex ones need massaging though:

$ keepmenu -s "Duo"
Password:
Multiple entries found matching 'Duo'. Please be more specific.
  - Hosting/Auth/Duo (user1@domain1.tld)
  - Hosting/Auth/Duo (user2@domain2.tld)

I have a multi-level topology here, so how can I be more specific? keepmenu -s "Duo (user1@domain1.tld)" didn't work, but also:

We need to be able to distinguish between these two even with the same usernames:

- Hosting/Auth/Duo (user1@domain1.tld)
- Work/Place/Duo (user1@domain1.tld)

Lastly, even if I had just one entry in the previous example but need to distinguish between the same entry in a different folder, keepmenu -s "Hosting/Auth/Duo" didn't work for me either.
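The lookup rules the thread converges on (a bare title matches in any group, a "Group/Sub/Title" path pins the group, and the "(username)" suffix that the ambiguity message already prints narrows by username) as an added Python example. This is not keepmenu's code from the run_once branch; the sample entries, the query grammar, the program name and the resolve_entry/parse_query helpers are all assumptions made here, and the password prompt is a stand-in for opening the real .kdbx file.

```python
"""Entry lookup for a hypothetical `keepmenu --show` mode (added example, not keepmenu's own code)."""
import argparse
import getpass
import re
import sys

# Constructed sample data; real keepmenu reads entries from a .kdbx database.
# Each entry records its group path as a tuple so folders can be matched exactly.
SAMPLE_ENTRIES = [
    {"group": ("Hosting", "Auth"), "title": "Duo", "username": "user1@domain1.tld", "password": "pw-hosting-1"},
    {"group": ("Hosting", "Auth"), "title": "Duo", "username": "user2@domain2.tld", "password": "pw-hosting-2"},
    {"group": ("Work", "Place"), "title": "Duo", "username": "user1@domain1.tld", "password": "pw-work-1"},
    {"group": (), "title": "DigiCert", "username": "admin", "password": "changeme"},
]

# Assumed query grammar: "<path>" optionally followed by " (<username>)".
# Titles that themselves end in parentheses would need quoting; not handled here.
_QUERY_RE = re.compile(r"^(?P<path>.+?)(?:\s+\((?P<user>[^()]*)\))?$")


def describe(entry):
    """Render an entry as 'Group/Sub/Title (username)', the same form the
    ambiguity message prints, so a user can paste it back as a query."""
    path = "/".join(entry["group"] + (entry["title"],))
    return f"{path} ({entry['username']})"


def parse_query(query):
    """Split a query into (group tuple or None, title, username or None).
    No '/' means: match the title in any group."""
    m = _QUERY_RE.match(query.strip())
    if not m:
        raise ValueError(f"unparseable query: {query!r}")
    parts = m.group("path").split("/")
    group = tuple(parts[:-1]) if len(parts) > 1 else None
    return group, parts[-1], m.group("user")


class AmbiguousEntry(LookupError):
    """Raised when more than one entry matches; carries the candidates."""

    def __init__(self, query, candidates):
        self.candidates = candidates
        lines = [f"Multiple entries found matching {query!r}. Please be more specific."]
        lines += [f"  - {describe(e)}" for e in candidates]
        super().__init__("\n".join(lines))


def resolve_entry(entries, query):
    """Return the single entry matching query, or raise LookupError/AmbiguousEntry."""
    group, title, user = parse_query(query)
    matches = [
        e for e in entries
        if e["title"] == title
        and (group is None or e["group"] == group)
        and (user is None or e["username"] == user)
    ]
    if not matches:
        raise LookupError(f"No entry found matching {query!r}")
    if len(matches) > 1:
        raise AmbiguousEntry(query, matches)
    return matches[0]


def main(argv=None):
    # Hypothetical CLI mirroring the -s/-d flags discussed in the issue.
    ap = argparse.ArgumentParser(prog="keepmenu-show-example")
    ap.add_argument("-s", "--show", required=True, metavar="ENTRY")
    ap.add_argument("-d", "--database", default="sample.kdbx")
    args = ap.parse_args(argv)
    # Prompt on the terminal without echo (not via the launcher). With a real
    # database this passphrase would be used to unlock args.database.
    getpass.getpass("Password: ")
    try:
        entry = resolve_entry(SAMPLE_ENTRIES, args.show)
    except LookupError as exc:  # AmbiguousEntry is a LookupError too
        print(exc, file=sys.stderr)
        return 1
    print(entry["password"])  # only the secret goes to stdout, for piping
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

With this grammar, "Duo" and "Duo (user1@domain1.tld)" both stay ambiguous for the sample data, while "Hosting/Auth/Duo (user2@domain2.tld)" and "Work/Place/Duo" each resolve to exactly one entry; errors go to stderr so a caller such as chezmoi never reads a diagnostic as the secret.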
