Date: Mon, 23 Oct 2017 20:46:08 +0000 (UTC)
From: Stefan Esser <se@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r452741 - in head/security: . pwned-check pwned-check/files
Message-ID: <201710232046.v9NKk88Y050992@repo.freebsd.org>
Author: se
Date: Mon Oct 23 20:46:08 2017
New Revision: 452741
URL: https://svnweb.freebsd.org/changeset/ports/452741

Log:
  This script uses a downloaded copy of the pwned password hashes available from https://haveibeenpwned.com/Passwords/ to allow passwords to be locally checked, whether they are known to have been obtained in a data breach and therefore should not be used.

  Approved by: Antoine (mentor)

Added:
  head/security/pwned-check/
  head/security/pwned-check/Makefile (contents, props changed)
  head/security/pwned-check/files/
  head/security/pwned-check/files/pkg-message.in (contents, props changed)
  head/security/pwned-check/files/pwned-check.1.in (contents, props changed)
  head/security/pwned-check/files/pwned-check.conf.sample (contents, props changed)
  head/security/pwned-check/files/pwned-check.sh.in (contents, props changed)
  head/security/pwned-check/pkg-deinstall (contents, props changed)
  head/security/pwned-check/pkg-descr (contents, props changed)
  head/security/pwned-check/pkg-plist (contents, props changed)
Modified:
  head/security/Makefile

Modified: head/security/Makefile ============================================================================== --- head/security/Makefile Mon Oct 23 20:35:19 2017 (r452740) +++ head/security/Makefile Mon Oct 23 20:46:08 2017 (r452741) @@ -855,6 +855,7 @@ SUBDIR += pwauth SUBDIR += pwman SUBDIR += pwman3 + SUBDIR += pwned-check SUBDIR += pxytest SUBDIR += py-AccessControl SUBDIR += py-PF Added: head/security/pwned-check/Makefile ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/pwned-check/Makefile Mon Oct 23 20:46:08 2017 (r452741) 
@@ -0,0 +1,29 @@ +# Created by: Charlie Root <se@FreeBSD.org> +# $FreeBSD$ + +PORTNAME= pwned-check +PORTVERSION= 1.0 +CATEGORIES= security +MASTER_SITES= # +DISTFILES= # + +MAINTAINER= se@FreeBSD.org +COMMENT= Check whether password is known to have been exposed in data breaches + +LICENSE= BSD2CLAUSE + +NO_ARCH= yes +NO_BUILD= yes +WRKSRC= ${WRKDIR}/src + +SRC= ${.CURDIR}/src + +SUB_FILES= ${PORTNAME}.sh ${PORTNAME}.1 pkg-message + +do-install: + ${INSTALL_SCRIPT} ${WRKDIR}/${PORTNAME}.sh ${STAGEDIR}${PREFIX}/bin/${PORTNAME} + ${INSTALL_DATA} ${FILESDIR}/${PORTNAME}.conf.sample ${STAGEDIR}${PREFIX}/etc + ${INSTALL_MAN} ${WRKDIR}/${PORTNAME}.1 ${STAGEDIR}${MAN1PREFIX}/man/man1 + ${MKDIR} ${STAGEDIR}/var/db/${PORTNAME} + +.include <bsd.port.mk> Added: head/security/pwned-check/files/pkg-message.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/pwned-check/files/pkg-message.in Mon Oct 23 20:46:08 2017 (r452741) @@ -0,0 +1,13 @@ +------------------------------------------------------------------------- +This port needs a password hash database that is to be downloaded with +the following command: + + pwned-check -u + +The database files will be installed into /var/db/pwned-check by default. +This directory can be changed in %%PREFIX%%/etc/pwned-check.conf. + +The installation procedure will fetch 6 GB of compressed data and will +temporarily need 18 GB of free space in that directory and 13 GB when +the installation is complete. +------------------------------------------------------------------------- Added: head/security/pwned-check/files/pwned-check.1.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/pwned-check/files/pwned-check.1.in Mon Oct 23 20:46:08 2017 (r452741) 
@@ -0,0 +1,66 @@ +.Dd October 23, 2017 +.Dt PWNED-CHECK 1 +.Os +.Sh NAME +.Nm pwned-check +.Nd Check word against list of known stolen passwords. +.Sh SYNOPSIS +.Nm +.Op Fl u +.Sh DESCRIPTION +The +.Nm +utility checks the passwords piped in via standard input (one per line) +against a huge database of passwords that are known to have been stolen +in data breaches. +.Pp +SHA1 hashes of these passwords have been published at +.Lk https://haveibeenpwned.com/ +.Pp +If any of the checked passwords is found in the database, it is printed +on standard output and the exit status of +.Nm +is set to 1. +No output is generated for passwords not found in the database. +.Pp +Instead of plain passwords, SHA1 hashes of passwords may be supplied. +Matches will be reported, but there is no provision to report the +plain text password corresponding to a given SHA1 hash. +.Pp +If the option +.Fl u +is used, the password hash database is downloaded and initialized. +This process will temporarily require some 18 GB of free space in the +database directory, which is +.Pa /var/db/pwned-check +by default. +This location can be changed in the configuration file, prior to starting +the download. +.Sh FILES +.Bl -tag -width %%PREFIX%%/etc/pwned-check.conf +.It Pa %%PREFIX%%/etc/pwned-check.conf +Optional configuration file. +.It Pa /var/db/pwned-check +Default location of pwned password hash database. +Needs 18 GB of free space during download, 13 GB when finished. +.El +.Sh EXIT STATUS +.Nm +returns 0 if none of the passwords to check have been found in the +pwned password database, else 1. +.Pp +If the +.Fl u +option is used to download the pwned password hashes, an exit code of 0 +indicates success, 1 failure to fetch and initialize the database. 
+.Sh EXAMPLES +Download the pwned password hash files: +.Bd -literal -offset indent +pwned-check -u +.Ed +.Pp +Check passwords passed on standard input against pwned password database: +.Bd -literal -offset indent +echo badpasswd | pwned-check +.Ed +.\" .Sh AUTHORS Added: head/security/pwned-check/files/pwned-check.conf.sample ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/pwned-check/files/pwned-check.conf.sample Mon Oct 23 20:46:08 2017 (r452741) @@ -0,0 +1,2 @@ +DBDIR= /var/db/pwned-check +URLBASE=i https://downloads.pwnedpasswords.com/passwords Added: head/security/pwned-check/files/pwned-check.sh.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/pwned-check/files/pwned-check.sh.in Mon Oct 23 20:46:08 2017 (r452741) 
@@ -0,0 +1,111 @@ +#!/bin/sh +# +# Copyright (c) 2017 by Stefan Esser <se@freebsd.org> +# All rights reserved. +# +# Distributed under the BSD 2-clause Simplified License. +# + +CFGFILE="%%PREFIX%%/etc/pwned-check.conf" + +[ -r "$CFGFILE" ] && . $CFGFILE +: ${DBDIR:=/var/db/pwned-check} +: ${URLBASE:=https://downloads.pwnedpasswords.com/passwords} + +# Helper functions +progname () +{ + basename "$0" +} + +errexit () +{ + echo $(progname)": $@" + exit 1 +} + +usage () +{ + echo "usage: "$(progname)" [-u]" + exit 2 +} + +# Fetch files with pwned password hashes +fetchpwfiles () +{ + umask 022 + mkdir -p $DBDIR || errexit "No write permission on data directory." + local f s_txt s_txt_7z hash + while read f s_txt s_txt_7z hash + do + local f7z="$f.7z" + echo "Checking '$DBDIR/$f' ..." + local s_txt_is=$(stat -f %z $f 2>/dev/null) + if [ "$s_txt_is" != "$s_txt" ]; then + echo "Fetching '$DBDIR/$f' ..." + fetch -S $s_txt_7z "$URLBASE/$f7z" || errexit "Could not fetch '$URLBASE/$f7z'" + local hash_is=$(sha1 -q "$f7z") + if [ "$hash_is" != "$hash" ]; then + rm -f "$f7z" + errexit "File '$f7z' fails SHA1 check: '$hash_is' should be '$hash'." + fi + tar xf $f7z + local s_txt_is=$(stat -f %z $f) + if [ "$s_txt_is" != "$s_txt" ]; then + rm -f "$f" + errexit "File '$f' has size $s_txt_is after decompression, should be $s_txt." + fi + fi + rm -f "$f7z" + done <<EOF +pwned-passwords-1.0.txt 12862899504 5702869528 90d57d16a2dfe00de6cc58d0fa7882229ace4a53 +pwned-passwords-update-1.txt 574389228 262300582 00fc585efad08a4b6323f8e4196aae9207f8b09f +pwned-passwords-update-2.txt 16791180 8000810 20318090278bbd196945025bc7bf93e99f261f9a +EOF + echo "All data files have been successfully downloaded and extracted." 
+} + +# Password lookup +exitcode=0 + +lookup () +{ + local hash="$1" + look "$hash" pwned-passwords*.txt > /dev/null +} + +checkpw () +{ + local pwd="$1" + local hash=$(echo -n "$pwd" | sha1 | tr 'a-z' 'A-Z') + if lookup "$hash"; then + echo "$pwd" + exitcode=1 + elif expr "$pwd" : '[A-Fa-f0-9]\{40\}$' > /dev/null; then + if lookup "$pwd"; then + echo "$pwd" + exitcode=1 + fi + fi +} + +# Main program +cd "$DBDIR" || errexit "Database directory '$DBDIR' not found." +export LC_COLLATE=C + +if [ "$#" -gt 0 ]; then + if [ "$1" = "-u" ]; then + fetchpwfiles + exit 0 + else + echo "usage: "$(progname)" [-u]" + exit 2 + fi +fi + +while read pwd +do + checkpw "$pwd" +done + +exit $exitcode Added: head/security/pwned-check/pkg-deinstall ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/pwned-check/pkg-deinstall Mon Oct 23 20:46:08 2017 (r452741) @@ -0,0 +1,15 @@ +#!/bin/sh + +PORTNAME=${1%-*} + +[ "$2" = DEINSTALL ] && cat <<***EOM +------------------------------------------------------------------------------ + +If you are no longer using the $PORTNAME port, then manually delete +the following directory and all its contents: + + /var/db/$PORTNAME + +------------------------------------------------------------------------------ +***EOM +exit 0 Added: head/security/pwned-check/pkg-descr ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/pwned-check/pkg-descr Mon Oct 23 20:46:08 2017 (r452741) 
@@ -0,0 +1,10 @@ +Pwned Passwords are hundreds of millions of real world passwords exposed in +data breaches. This exposure makes them unsuitable for ongoing use as they +are at much greater risk of being used to take over other accounts. + +This script uses a downloaded copy of the pwned passwort hashes available +from https://haveibeenpwned.com/Passwords/ to allow passwords to be locally +checked, whether they are known to have been obtained in a data breach and +therefore should not be used. + +WWW: https://haveibeenpwned.com/ Added: head/security/pwned-check/pkg-plist ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/pwned-check/pkg-plist Mon Oct 23 20:46:08 2017 (r452741) @@ -0,0 +1,4 @@ +bin/pwned-check +@sample etc/pwned-check.conf.sample +man/man1/pwned-check.1.gz +@dir /var/db/pwned-check
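Review bot: In head/security/pwned-check/Makefile, `SRC= ${.CURDIR}/src` is not referenced by any target, and both it and `WRKSRC= ${WRKDIR}/src` point at a src directory that is not among the files this commit adds. With NO_BUILD set and do-install reading only from ${WRKDIR} and ${FILESDIR}, SRC can go and WRKSRC is worth confirming as needed. The "Created by: Charlie Root" header also looks like the root account's default name rather than the author's.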
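Review bot: In pwned-check.1.in, EXIT STATUS documents only 0 and 1, but the script exits with 2 when given an argument other than -u; please list that code so callers that branch on the exit status do not read a usage error as "password found" or "password clean". The `.Nd` description line also ends with a period, which mandoc -Tlint reports as a style warning.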
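Review bot: Both lines of pwned-check.conf.sample are not valid assignments for a file that pwned-check.sh.in reads with `. $CFGFILE`: `DBDIR= /var/db/pwned-check` has a space after the `=` and `URLBASE=i https://...` has a stray `i` plus a space. sh treats each as a temporary variable assignment followed by a command to execute, so neither variable is set, each run prints an error from the attempted command, and the script only works because of its built-in defaults. Since pkg-plist installs this file via @sample, users who edit it in the same style will find their DBDIR silently ignored. Suggest `DBDIR=/var/db/pwned-check` and `URLBASE=https://downloads.pwnedpasswords.com/passwords`.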
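Review bot: In pwned-check.sh.in, the main loop `while read pwd` feeds checkpw a modified password: without `-r` backslashes are consumed as escapes, and with the default IFS leading and trailing blanks are stripped, so such passwords are hashed wrongly and reported as not pwned. Suggest `while IFS= read -r pwd` and `printf '%s' "$pwd" | sha1` so the hash does not depend on echo's option handling. Two related points in the same hunk: the hash branch in checkpw accepts `[A-Fa-f0-9]` but passes `$pwd` to look unchanged, while computed hashes are upper-cased first, so a lowercase SHA1 on stdin can never match and should be upper-cased as well; and `cd "$DBDIR"` runs before the `-u` handling, so the `mkdir -p $DBDIR` in fetchpwfiles is never reached for a configured directory that does not exist yet, which is the case the manual page describes.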
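Review bot: pkg-descr has a typo in its second paragraph, "pwned passwort hashes" should read "pwned password hashes". The same sentence could also be split for readability, for example ending at "locally checked" and stating the breach condition separately.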