Date: Mon, 3 Jul 2017 21:03:01 +0200
From: Matthias Apitz <guru@unixarea.de>
To: freebsd-questions@freebsd.org
Subject: Re: browserpass addon for FF
Message-ID: <20170703190301.GA2963@c720-r314251>
In-Reply-To: <20170703142356.GA18729@venera>
References: <20170703121324.GA26289@sh4-5.1blu.de> <20170703142356.GA18729@venera>
At the end of the day, I now have all the pieces together, and using GnuPG-encrypted credentials with FF works really fine; the credentials are stored as a tree in the file system, and access requires the 6-digit PIN to unlock the secret key on the GnuPG-card. There is no way to use the credentials unless the laptop and GnuPG-card are stolen together *and* connected, i.e. the card is PIN-unlocked.

I'm attaching a small how-to in case someone else wants to wade through password-store and browserpass. Thanks for all the helpful hints.

matthias

How to use GnuPG-card with Firefox and credentials

As root we need some more ports:

# cd /usr/ports/sysutils/password-store
# make install clean
# cd /usr/ports/lang/go
# make install clean

The 'fdescfs' must be mounted:

# mount -t fdescfs null /dev/fd

and/or inserted into /etc/fstab as:

fdescfs /dev/fd fdescfs rw 0 0

If 'fdescfs' is not mounted, the command 'pass init ...' will fail with:

$ pass init foo
Password store initialized for foo
/usr/local/bin/pass: línea 84: /dev/fd/62: No such file or directory

I used this to init the ~/.password-store (note that 'guru@unixarea.de' is not an email address here, but something which identifies the GnuPG secret key stored on the GnuPG-card):

$ pass init guru@unixarea.de

Which gives:

$ ls -la ~/.password-store
total 48
drwx------    3 guru  wheel    512  3 jul.  08:19 .
drwxr-xr-x  248 guru  wheel  33792  3 jul.  08:12 ..
-rw-------    1 guru  wheel     17  3 jul.  08:17 .gpg-id
$ cat ~/.password-store/.gpg-id
guru@unixarea.de

Now we can insert userid/passwords into the tree of the ~/.password-store; note the syntax Business/cheese-whiz-factory, where 'Business' is some domain and 'cheese-whiz-factory' is the userid in this:

$ pass insert Business/cheese-whiz-factory
Enter password for Business/cheese-whiz-factory: cheese
Retype password for Business/cheese-whiz-factory: cheese
$ pass
Password Store
└── Business
    └── cheese-whiz-factory.gpg
$ pass Business/cheese-whiz-factory    # this will ask for the PIN to unlock the GnuPG-card
cheese

The file 'Business/cheese-whiz-factory.gpg' contains the password 'cheese', but GnuPG-encrypted:

$ file ~/.password-store/Business/cheese-whiz-factory.gpg
/home/guru/.password-store/Business/cheese-whiz-factory.gpg: PGP RSA encrypted session key - keyid: B6ECF161 C3A6C925 RSA (Encrypt or Sign) 4096b .

The 2nd part is a bit tricky: the 'browserpass' Mozilla add-on. I followed a hint from Boris Samorodov <bsam@passap.ru> on how to install 'browserpass' directly from github.com:

$ cd
$ go get -u github.com/dannyvankooten/browserpass
$ GOPATH=/home/guru/go export GOPATH
$ cd $GOPATH/src/github.com/dannyvankooten/browserpass/cmd/browserpass
$ go build [*]
$ ls -l
total 2884
-rwxr-xr-x  1 guru  wheel  2901409  3 jul.  13:02 browserpass
-rw-r--r--  1 guru  wheel      357  3 jul.  13:00 main.go
$ PATH=$PATH:$GOPATH/bin
$ go install
$ ls -l $GOPATH/bin
total 2880
-rwxr-xr-x  1 guru  wheel  2901409  3 jul.  13:03 browserpass

So far so good, but: now the installation requires the integration with the browser through some script 'install.sh'; I looked for it and did:

$ bash src/github.com/dannyvankooten/browserpass/install.sh
Select your browser:
====================
1) Chrome
2) Chromium
3) Firefox
4) Vivaldi
1-4: 3
Installing Firefox host config
cp: /home/guru/go/src/github.com/dannyvankooten/browserpass/firefox-host.json: No such file or directory

Hmmm, where the hell is the *.json file we need?

$ find ~/go -name *.json
./src/github.com/dannyvankooten/browserpass/chrome/host.json
./src/github.com/dannyvankooten/browserpass/chrome/manifest.json
./src/github.com/dannyvankooten/browserpass/chrome/policy.json
./src/github.com/dannyvankooten/browserpass/firefox/host.json
./src/github.com/dannyvankooten/browserpass/firefox/manifest.json
./src/github.com/dannyvankooten/browserpass/package.json
./src/github.com/dannyvankooten/browserpass/vendor/vendor.json

I fixed the above install.sh and copied over

$ cp src/github.com/dannyvankooten/browserpass/firefox/host.json /home/guru/.mozilla/native-messaging-hosts/com.dannyvankooten.browserpass.json

and modified the 'path' in it to show:

$ cat /home/guru/.mozilla/native-messaging-hosts/com.dannyvankooten.browserpass.json
{
  "name": "com.dannyvankooten.browserpass",
  "description": "Browserpass binary for the Firefox extension",
  "path": "/home/guru/go/src/github.com/dannyvankooten/browserpass/cmd/browserpass/browserpass",
  "type": "stdio",
  "allowed_extensions": [
    "browserpass@dannyvankooten.com"
  ]
}

XXX: Maybe the executable /home/guru/go/src/github.com/dannyvankooten/browserpass/cmd/browserpass/browserpass should be copied to some better place.

Now install the 'browserpass' add-on from:

https://addons.mozilla.org/en-US/firefox/addon/browserpass/

(one must fake the User-Agent string to, for example, Ubuntu)

This made the 'browserpass' add-on work in general, but the command chain needs to know where the GNUPGHOME is, in my case GNUPGHOME=/home/guru/.gnupg-ccid, because Firefox starts /usr/local/bin/pass, which itself starts /usr/local/bin/gpg2, and this needs the correct GNUPGHOME env value; so I modified the FF icon to launch

GNUPGHOME=/home/guru/.gnupg-ccid firefox %U

Some more hints:

- I have not found a way to enter a new user/password from the browser; I always do it from the cmdline with
  $ pass insert domain.foo/username

- if the 'username' contains blanks (or other shell meta chars), they must be escaped as:
  $ pass insert 'domain.foo/Apitz Matthias'

- if there is no 'username', but only the password, just use
  $ pass insert domain.foo
  or
  $ pass insert 192.168.2.1

- XXX still todo: convert all old FF-credentials to the password-store (which is relatively easy: unload them to a file and build 'pass insert ....' commands); once this is done, remove the credentials in FF; really! they are unsafe there.

-- 
Matthias Apitz, ✉ guru@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May 8, 1945: Whoever does not celebrate lost the war.
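A preflight check for the first failure mode in the how-to above, as an added example (not part of the mail, not from the password-store project). pass is a bash script that uses process substitution, "<(...)", which bash implements by opening /dev/fd/N; the "/dev/fd/62: No such file or directory" error means there was no such entry. On FreeBSD, devfs provides only /dev/fd/0, 1 and 2 on its own; higher numbers need fdescfs mounted on /dev/fd, which is what the mount command and fstab line from the mail arrange. The check runs the same kind of process substitution through bash rather than looking at mount output, so it reports the condition pass actually needs. The fstab helper only inspects a file handed to it.

```shell
#!/bin/sh
# Added example, not from the mail: verify that bash process substitution
# (what pass uses at the failing line) works, i.e. that /dev/fd is backed
# by fdescfs on FreeBSD. Prints the fix from the mail when it does not.

check_dev_fd() {
    command -v bash >/dev/null 2>&1 || {
        echo "FAIL: bash is not installed (pass is a bash script)" >&2
        return 1
    }
    # devfs alone gives /dev/fd/0-2; "<(...)" needs a high-numbered entry,
    # so this fails on FreeBSD without fdescfs on /dev/fd
    out=$(bash -c 'cat <(echo ok)' 2>/dev/null) || out=
    if [ "$out" = ok ]; then
        echo "OK: /dev/fd works, pass init will not trip over /dev/fd/N"
        return 0
    fi
    echo "FAIL: bash process substitution cannot use /dev/fd" >&2
    echo "      mount -t fdescfs null /dev/fd" >&2
    echo "      and add to /etc/fstab:  fdescfs /dev/fd fdescfs rw 0 0" >&2
    return 1
}

# fstab_has_fdescfs FILE: true if FILE already has an fdescfs entry for /dev/fd,
# i.e. the mount will come back after a reboot
fstab_has_fdescfs() {
    grep -Eq '^[[:space:]]*fdescfs[[:space:]]+/dev/fd[[:space:]]+fdescfs' "$1"
}

# usage: run the check, then look at the real fstab
# check_dev_fd && fstab_has_fdescfs /etc/fstab || echo "fdescfs missing from /etc/fstab"
```

Run it as the user who will run pass, not as root: /dev/fd is the same for both, but the check also confirms that bash is in that user's PATH.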
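The native-messaging setup that the mail did by hand (copying firefox/host.json into ~/.mozilla/native-messaging-hosts, editing "path", then patching GNUPGHOME into the Firefox launcher), as an added example that is neither the mail's procedure nor browserpass's install.sh. It differs from the mail in one design choice: instead of changing how Firefox is started, the manifest points at a small wrapper script that exports GNUPGHOME and execs the real browserpass binary, so gpg2 finds the card-backed keyring no matter how Firefox was launched. The directory, wrapper path, binary path, GNUPGHOME value and extension id are parameters; the manifest contents are those shown in the mail. check_manifest covers the three conditions Firefox applies on Linux/FreeBSD without saying which one failed: the file must be named <name>.json, "path" must be absolute, and it must be an executable file.

```shell
#!/bin/sh
# Added example, not from the mail and not browserpass's install.sh:
# wrapper + manifest for the Firefox native-messaging host.

# write_wrapper WRAPPER REAL_BINARY GNUPGHOME_DIR
# The wrapper is what Firefox starts; it sets GNUPGHOME for the gpg2 that
# pass will start and then hands stdin/stdout over to browserpass.
write_wrapper() {
    cat > "$1" <<EOF
#!/bin/sh
GNUPGHOME='$3'
export GNUPGHOME
exec '$2' "\$@"
EOF
    chmod 0755 "$1"
}

# write_manifest DIR NAME PATH EXTENSION_ID -> DIR/NAME.json
# (for Firefox, DIR is ~/.mozilla/native-messaging-hosts)
write_manifest() {
    mkdir -p "$1"
    cat > "$1/$2.json" <<EOF
{
  "name": "$2",
  "description": "Browserpass binary for the Firefox extension",
  "path": "$3",
  "type": "stdio",
  "allowed_extensions": [ "$4" ]
}
EOF
}

# json_field KEY FILE: extractor for the flat, one-key-per-line manifest above
json_field() {
    sed -n "s/^ *\"$1\": *\"\([^\"]*\)\".*/\1/p" "$2"
}

# check_manifest FILE: what Firefox requires before it will start the host
check_manifest() {
    name=$(json_field name "$1")
    path=$(json_field path "$1")
    [ "$(basename "$1" .json)" = "$name" ] ||
        { echo "FAIL: file must be named $name.json" >&2; return 1; }
    case $path in
        /*) ;;
        *) echo "FAIL: path must be absolute: $path" >&2; return 1 ;;
    esac
    [ -f "$path" ] && [ -x "$path" ] ||
        { echo "FAIL: path is not an executable file: $path" >&2; return 1; }
    echo "OK: $1"
}

# usage (values from the mail; the wrapper location is this example's choice):
# write_wrapper  "$HOME/bin/browserpass-wrapper" \
#     "$HOME/go/src/github.com/dannyvankooten/browserpass/cmd/browserpass/browserpass" \
#     "$HOME/.gnupg-ccid"
# write_manifest "$HOME/.mozilla/native-messaging-hosts" com.dannyvankooten.browserpass \
#     "$HOME/bin/browserpass-wrapper" browserpass@dannyvankooten.com
# check_manifest "$HOME/.mozilla/native-messaging-hosts/com.dannyvankooten.browserpass.json"
```

With the wrapper in place the GNUPGHOME= prefix on the Firefox launcher is no longer needed; keeping the setting next to the host binary also means a Firefox started from a terminal or a session manager behaves the same. Restart Firefox after writing the manifest, since it reads the directory when the add-on first connects.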
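The "still todo" item at the end of the mail (unload the old Firefox credentials to a file and build 'pass insert' commands from it), worked through as an added example; it is not the author's script. The input format is an assumption: a CSV with a header line and the columns url,username,password, fields optionally double-quoted, no commas inside the url or username (the password is read last, so it may contain commas). Entry names follow the convention from the mail, host/username, or just the host when there is no username; the mail's point about blanks in the username is handled by always passing the name quoted, so 'domain.foo/Apitz Matthias' needs no manual escaping here. The password is fed to 'pass insert -m' on stdin so it never appears on a command line. PASS_CMD (default pass) names the command to run, which is also how the sample run below substitutes a stub.

```shell
#!/bin/sh
# Added example, not from the mail: import url,username,password lines
# into the password store with one 'pass insert' per line.

# unquote FIELD: strip one pair of surrounding double quotes
unquote() { printf '%s\n' "$1" | sed -e 's/^"//' -e 's/"$//'; }

# host_of URL -> bare host: scheme, user@, :port and /path stripped
host_of() {
    printf '%s\n' "$1" | sed -e 's|^[A-Za-z][A-Za-z0-9+.-]*://||' \
                             -e 's|^[^/@]*@||' \
                             -e 's|[:/].*$||'
}

# entry_path HOST USERNAME -> name of the pass entry.
# A '/' inside the username would become a subdirectory, so it is replaced;
# blanks are kept, the caller always quotes the name.
entry_path() {
    if [ -n "$2" ]; then
        printf '%s/%s\n' "$1" "$(printf '%s' "$2" | tr '/' '_')"
    else
        printf '%s\n' "$1"
    fi
}

# import_csv FILE: header line skipped; 'pass insert -m -f NAME' per data line,
# password on stdin (-m: multi-line from stdin, -f: overwrite an existing entry)
import_csv() {
    tail -n +2 "$1" | while IFS=, read -r url user pw; do
        url=$(unquote "$url"); user=$(unquote "$user"); pw=$(unquote "$pw")
        [ -n "$url" ] || continue
        name=$(entry_path "$(host_of "$url")" "$user")
        printf '%s\n' "$pw" | "${PASS_CMD:-pass}" insert -m -f "$name" >/dev/null
    done
}

# usage: import_csv ~/firefox-logins.csv   (then shred the CSV)
```

Every insert is a separate gpg2 run, so the card will be asked for its PIN the first time and the agent's cache covers the rest of the batch. The export file holds all the passwords in clear; delete it (rm -P on FreeBSD) as soon as the import has been checked with 'pass'. Embedded double quotes escaped as "" in a full RFC 4180 export are not handled by unquote; such lines need the quotes collapsed first.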