From: Matthias Apitz <guru@unixarea.de>
To: freebsd-questions@freebsd.org
Subject: Re: browserpass addon for FF
Date: Mon, 3 Jul 2017 21:03:01 +0200
Message-ID: <20170703190301.GA2963@c720-r314251>
In-Reply-To: <20170703142356.GA18729@venera>
References: <20170703121324.GA26289@sh4-5.1blu.de> <20170703142356.GA18729@venera>
X-Operating-System: FreeBSD 12.0-CURRENT r314251 (amd64)
User-Agent: Mutt/1.8.0 (2017-02-23)

At the end of the day, I now have all the pieces together, and using GnuPG-encrypted credentials with FF works really fine; the credentials are stored as a tree in the file system and access requires the 6-digit PIN to unlock the secret key on the GnuPG-card. There is no way to use the credentials as long as the laptop and GnuPG-card are not stolen together *and* connected, i.e. the card is PIN-unlocked.

I'm attaching a small how-to if someone else wants to wade through password-storage and browserpass.

Thanks for all helping hints.

	matthias


How to use GnuPG-card with Firefox and credentials

We need as root some more ports:

    # cd /usr/ports/sysutils/password-store
    # make install clean
    # cd /usr/ports/lang/go
    # make install clean

The 'fdescfs' must be mounted:

    # mount -t fdescfs null /dev/fd

and/or inserted into /etc/fstab as:

    fdescfs /dev/fd fdescfs rw 0 0

If 'fdescfs' is not mounted, the command 'pass init ...'
will fail with:

    $ pass init foo
    Password store initialized for foo
    /usr/local/bin/pass: línea 84: /dev/fd/62: No such file or directory

I've used this to init the ~/.password-store (note 'guru@unixarea.de' is not an email addr, but something which identifies the GnuPG secret key stored on the GnuPG-card):

    $ pass init guru@unixarea.de

Which gives:

    $ ls -la ~/.password-store
    total 48
    drwx------    3 guru  wheel    512  3 jul.  08:19 .
    drwxr-xr-x  248 guru  wheel  33792  3 jul.  08:12 ..
    -rw-------    1 guru  wheel     17  3 jul.  08:17 .gpg-id
    $ cat ~/.password-store/.gpg-id
    guru@unixarea.de

Now we can insert userid/passwords into the tree of the ~/.password-store; note the syntax Business/cheese-whiz-factory, where 'Business' is some domain and 'cheese-whiz-factory' the userid in this:

    $ pass insert Business/cheese-whiz-factory
    Enter password for Business/cheese-whiz-factory: cheese
    Retype password for Business/cheese-whiz-factory: cheese
    $ pass
    Password Store
    └── Business
        └── cheese-whiz-factory.gpg
    $ pass Business/cheese-whiz-factory    # this will ask for the PIN to unlock the GnuPG-card
    cheese

The file 'Business/cheese-whiz-factory.gpg' contains the password 'cheese', but GnuPG-encrypted:

    $ file ~/.password-store/Business/cheese-whiz-factory.gpg
    /home/guru/.password-store/Business/cheese-whiz-factory.gpg: PGP RSA encrypted session key - keyid: B6ECF161 C3A6C925 RSA (Encrypt or Sign) 4096b .

The 2nd part now is a bit tricky: the 'browserpass' Mozilla add-on. I followed a hint from Boris Samorodov how to install 'browserpass' directly from github.com:

    $ cd
    $ go get -u github.com/dannyvankooten/browserpass
    $ GOPATH=/home/guru/go export GOPATH
    $ cd $GOPATH/src/github.com/dannyvankooten/browserpass/cmd/browserpass
    $ go build    [*]
    $ ls -l
    total 2884
    -rwxr-xr-x  1 guru  wheel  2901409  3 jul.  13:02 browserpass
    -rw-r--r--  1 guru  wheel      357  3 jul.  13:00 main.go
    $ PATH=$PATH:$GOPATH/bin
    $ go install
    $ ls -l $GOPATH/bin
    total 2880
    -rwxr-xr-x  1 guru  wheel  2901409  3 jul.  13:03 browserpass

So far so good, but: now the installation requires the integration with the browser through some script 'install.sh'; I looked for it and did:

    $ bash src/github.com/dannyvankooten/browserpass/install.sh
    Select your browser:
    ====================
    1) Chrome
    2) Chromium
    3) Firefox
    4) Vivaldi
    1-4: 3
    Installing Firefox host config
    cp: /home/guru/go/src/github.com/dannyvankooten/browserpass/firefox-host.json: No such file or directory

Hmmm, where the hell is the *.json file we need?

    $ find ~/go -name '*.json'
    ./src/github.com/dannyvankooten/browserpass/chrome/host.json
    ./src/github.com/dannyvankooten/browserpass/chrome/manifest.json
    ./src/github.com/dannyvankooten/browserpass/chrome/policy.json
    ./src/github.com/dannyvankooten/browserpass/firefox/host.json
    ./src/github.com/dannyvankooten/browserpass/firefox/manifest.json
    ./src/github.com/dannyvankooten/browserpass/package.json
    ./src/github.com/dannyvankooten/browserpass/vendor/vendor.json

I fixed the above install.sh and copied over

    $ cp src/github.com/dannyvankooten/browserpass/firefox/host.json /home/guru/.mozilla/native-messaging-hosts/com.dannyvankooten.browserpass.json

and modified the 'path' in it to show:

    $ cat /home/guru/.mozilla/native-messaging-hosts/com.dannyvankooten.browserpass.json
    {
      "name": "com.dannyvankooten.browserpass",
      "description": "Browserpass binary for the Firefox extension",
      "path": "/home/guru/go/src/github.com/dannyvankooten/browserpass/cmd/browserpass/browserpass",
      "type": "stdio",
      "allowed_extensions": [ "browserpass@dannyvankooten.com" ]
    }

XXX: Maybe the executable /home/guru/go/src/github.com/dannyvankooten/browserpass/cmd/browserpass/browserpass should be copied to some better place.

Now install the 'browserpass' add-on from:

    https://addons.mozilla.org/en-US/firefox/addon/browserpass/

(one must fake the User-agent string to, for example, Ubuntu)

This made the 'browserpass' add-on work in general, but the command chain needs to know where the GNUPGHOME is, in my case GNUPGHOME=/home/guru/.gnupg-ccid, because firefox starts /usr/local/bin/pass, which itself starts /usr/local/bin/gpg2, and this needs the correct GNUPGHOME env value; so I modified the FF icon to launch

    GNUPGHOME=/home/guru/.gnupg-ccid firefox %U

Some more hints:

- I have not found a way to enter a new user/password from the browser; I always do it from the cmdline with

    $ pass insert domain.foo/username

- if the 'username' contains blanks (or other shell meta chars), they must be escaped as:

    $ pass insert 'domain.foo/Apitz Matthias'

- if there is no 'username', but only the password, just use

    $ pass insert domain.foo

  or

    $ pass insert 192.168.2.1

- XXX still todo: convert all old FF-credentials to the password-store (which is relatively easy: unload them to a file and build 'pass insert ....' commands; once this is done, remove the credentials in FF; really! they are unsafe there).

-- 
Matthias Apitz, ✉ guru@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.
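The checks a practitioner would run after wiring pass and browserpass together the way the message above describes, as an added example that is not part of the original message and not code from the browserpass project. The point it makes is the one the "XXX: ... some better place" note hints at: the "path" in the native-messaging manifest is a binary Firefox executes with your privileges, so the manifest, the binary and the password store must be owned by you and not writable by anyone else. It assumes POSIX sh with ls, sed, grep, head, id, mktemp and chmod; the file names, the extension id and the key id are the ones shown in the message, while the check functions and the throwaway fixture built under mktemp are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the post or the browserpass project): sanity checks
# to run after wiring pass + browserpass together as described above.
# Assumes POSIX sh with ls, sed, grep, head, id, mktemp and chmod. The file
# names, the extension id and the key id are the ones the post shows; the
# check functions and the fixture are assumptions made for this example.

# A file the browser (or pass/gpg) will trust must be owned by the current
# user and not writable by group or other; otherwise anyone else on the box
# can swap the binary that Firefox launches with your privileges.
check_private() {
    f=$1
    set -- $(ls -ldn "$f")             # mode nlink uid gid size ... name
    mode=$1 uid=$3
    [ "$uid" = "$(id -u)" ] || { echo "$f: owned by uid $uid, not $(id -u)"; return 1; }
    case $mode in
        ?????w*|????????w*) echo "$f: group/other writable ($mode)"; return 1 ;;
    esac
}

# Validate a Firefox native-messaging host manifest like
# com.dannyvankooten.browserpass.json: "path" must be absolute, executable
# and private, "type" must be stdio, and the extension id must be allowed.
check_manifest() {
    manifest=$1
    ext_id=${2:-browserpass@dannyvankooten.com}
    [ -f "$manifest" ] || { echo "no manifest: $manifest"; return 1; }
    # Pull the single-line string values out without a JSON parser.
    path=$(sed -n 's/.*"path"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$manifest")
    kind=$(sed -n 's/.*"type"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$manifest")
    [ -n "$path" ] || { echo "$manifest: no \"path\""; return 1; }
    [ "$kind" = stdio ] || { echo "$manifest: type is '$kind', not stdio"; return 1; }
    grep -qF "\"$ext_id\"" "$manifest" || { echo "$manifest: $ext_id not in allowed_extensions"; return 1; }
    case $path in
        /*) ;;
        *) echo "$manifest: path is not absolute: $path"; return 1 ;;
    esac
    [ -x "$path" ] || { echo "$path: not an executable"; return 1; }
    check_private "$manifest" && check_private "$path"
}

# The password store: directory and .gpg-id private, and .gpg-id naming the
# key we expect (the card key), so pass does not silently encrypt to another.
check_store() {
    store=$1 want=$2
    [ -f "$store/.gpg-id" ] || { echo "$store: no .gpg-id, run 'pass init'"; return 1; }
    check_private "$store" && check_private "$store/.gpg-id" || return 1
    got=$(head -n 1 "$store/.gpg-id")
    [ "$got" = "$want" ] || { echo "$store/.gpg-id is '$got', expected '$want'"; return 1; }
}

# pass relies on /dev/fd/N (bash process substitution); on FreeBSD that is
# only there when fdescfs is mounted, which is what the 'línea 84' error is.
check_fdescfs() {
    [ -e /dev/fd/0 ] || { echo "/dev/fd missing: mount -t fdescfs null /dev/fd"; return 1; }
}

# Constructed fixture laid out like the post's files, so the checks run
# without Firefox, Go or a GnuPG card. Returns 0 when the good layout passes
# and a world-writable binary is rejected.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/host" "$tmp/.password-store"
    printf '#!/bin/sh\nexit 0\n' > "$tmp/host/browserpass"
    chmod 0755 "$tmp/host/browserpass"
    cat > "$tmp/com.dannyvankooten.browserpass.json" <<EOF
{
  "name": "com.dannyvankooten.browserpass",
  "description": "Browserpass binary for the Firefox extension",
  "path": "$tmp/host/browserpass",
  "type": "stdio",
  "allowed_extensions": [ "browserpass@dannyvankooten.com" ]
}
EOF
    chmod 0644 "$tmp/com.dannyvankooten.browserpass.json"
    chmod 0700 "$tmp/.password-store"
    printf 'guru@unixarea.de\n' > "$tmp/.password-store/.gpg-id"
    chmod 0600 "$tmp/.password-store/.gpg-id"

    rc=0
    check_manifest "$tmp/com.dannyvankooten.browserpass.json" || rc=1
    check_store "$tmp/.password-store" guru@unixarea.de || rc=1
    check_fdescfs || rc=1
    chmod 0777 "$tmp/host/browserpass"     # now the manifest must be rejected
    if check_manifest "$tmp/com.dannyvankooten.browserpass.json" >/dev/null; then
        echo "world-writable browserpass binary was accepted"; rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

demo
```

Run it against the real files with `check_manifest ~/.mozilla/native-messaging-hosts/com.dannyvankooten.browserpass.json` and `check_store ~/.password-store guru@unixarea.de`; the permission test is deliberately done by parsing `ls -ldn` rather than `stat`, because the `stat` flags differ between FreeBSD and GNU userland and the mode string does not.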