Add pass support #22

Open
SISheogorath opened this issue Apr 11, 2019 · 7 comments
Labels
enhancement New feature or request

Comments

@SISheogorath
Collaborator

The UNIX password store called pass is a very handy Unix tool that allows you to have GPG-encrypted passwords stored in a Git repository and used as a password safe.

CodiMD CLI could integrate with pass by checking for its existence and reading login (i.e. pass show demo.codimd.org/myuser) data from there.

In order to make it easy to integrate, we should provide a function that abstracts the provided password. That means: check if a password is supplied by CLI parameter, check if the password store is there and, if so, check it for a password. When none of the above provides a password, show a prompt.

Just my rough idea, feel free to extend/change/improve.

@SISheogorath SISheogorath added the enhancement New feature or request label Apr 11, 2019
@Fumesover
Contributor

Fumesover commented Apr 11, 2019

Using #23 and settings such as those of isync it will be possible.
Cf man mbsync:

Pass password

Specify the password for username on the IMAP server. Note that this option is not required. If neither a password nor a password command is specified in the configuration file, mbsync will prompt you for a password.

PassCmd [+]command

Specify a shell command to obtain a password rather than specifying a password directly. This allows you to use password files and agents. The command must produce exactly one line on stdout; the trailing newline is optional. Prepend + to the command to indicate that it produces TTY output (e.g., a decryption password prompt); failure to do so will merely produce messier output.

@SISheogorath
Collaborator Author

SISheogorath commented Apr 11, 2019

@Fumesover I'm sorry to say, but I'm not really sure what you say with your comment 😅

Could you elaborate (maybe with links to documentation) what you mean?

Mhm, so you suggest having a parameter --password-cmd which refers to a binary that will run in order to get the password out?

Maybe we should take the approach that Ansible uses: having a --vault-password-file (in our case probably just --password-file) which can be either a plaintext file containing a password or an executable file that will run in order to get the password.

@Fumesover
Contributor

Fumesover commented Apr 11, 2019

If we use codimd on the command line, we can just do something like this: codimd codimd login --email email@example.net $(pass show my/pass/for/codi). Do not do that; the password leaks and can be accessed by anyone.
My first comment was about a hypothetical configuration file where some secrets could be written in clear.

@ccoenen
Collaborator

ccoenen commented Apr 11, 2019

Depending on how big and how versatile a change would have to be, I'm against integrating stuff for a single other product (pass in this case).

@pirate
Member

pirate commented Apr 17, 2019

FWIW I run this on a Mac where pass is not supported nor natively installed, but a system keychain CLI does exist. I'm not sure it's worth adding this relatively complex dependency for such a small thing, especially considering things like Amazon AWS keys, entire Chrome data directories with all cookies/session keys, and SSH private keys are routinely stored unencrypted in users' home folders.

@SISheogorath
Collaborator Author

@pirate I might be mistaken, but I think it is supported: https://www.passwordstore.org/#macintosh

@davidak

davidak commented Mar 21, 2020

I would prefer a universal solution where you can specify a command that outputs the password.

This way other popular password-managers are also supported.
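
Added example, not part of the thread and not codimd-cli code: a POSIX sh sketch of the password lookup discussed in this issue, taking a password file (plaintext or executable, the Ansible-style idea) or a password command, enforcing the one-line output rule quoted from man mbsync, and falling back to a prompt. The names `resolve_password` and `one_line`, the argument order and the file-permission policy are assumptions; a password passed as a CLI argument is left out because of the leak noted earlier in the thread.

```shell
#!/bin/sh
# Added example, not codimd-cli code. resolve_password, one_line and the
# argument order are hypothetical names chosen for this illustration.
NL='
'

# Accept stdin only if it is exactly one non-empty line (trailing newline
# optional), the contract man mbsync gives for PassCmd.
one_line() (
    out=$(cat)
    case $out in
        ''|*"$NL"*) return 1 ;;
    esac
    printf '%s' "$out"
)

# resolve_password FILE CMD
#   FILE: if executable, run it; otherwise read it as a plaintext password
#   CMD:  shell command, e.g. 'pass show demo.codimd.org/myuser'
# With neither set, prompt on the terminal without echo. The secret travels
# over pipes and stdout only, never through a process argument list.
resolve_password() (
    file=$1 cmd=$2
    if [ -n "$file" ]; then
        [ -f "$file" ] || { echo "password file not found" >&2; return 2; }
        if [ -x "$file" ]; then
            "$file" | one_line && return 0
        else
            # Assumed policy: refuse plaintext that group or others can access.
            case $(ls -ld -- "$file") in
                ????------*) one_line < "$file" && return 0 ;;
                *) echo "password file is group/world accessible" >&2; return 2 ;;
            esac
        fi
        echo "password file gave no single-line password" >&2; return 2
    fi
    if [ -n "$cmd" ]; then
        sh -c "$cmd" | one_line && return 0
        echo "password command gave no single-line password" >&2; return 2
    fi
    [ -t 0 ] || { echo "no password source and no terminal" >&2; return 2; }
    printf 'Password: ' >&2
    stty -echo; IFS= read -r pw; stty echo; echo >&2
    printf '%s' "$pw"
)
```

A caller would capture the result with command substitution and hand it to the login request over stdin or in the request body, not as an argument to another process.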

5 participants