Pass (简体中文)
官网提到:
- 密码管理应该要简易且遵照Unix哲学。Pass将你的密码保存在由gpg加密的文件中,并以相关的网站和资源的名称来命名文件。这些加密文件会被组织成合理的文件体系,你可以从一台装置复制到另一台装置,并用命令行程序来管理和操作它们。
Pass是一款简易的命令行密码管理器,本质上,它其实是利用GnuPG、tree、和Git的脚本。
安装
基本用法
初始化:
$ pass init <gpg-id or email>
若要创建一组新密码,提供一个文件名,注意文件名需要能体现出文件层次,如:archlinux.org/wiki/username。
$ pass insert archlinux.org/wiki/username
以文件组织的方式查看储存的密码:
$ pass
Password Store └── archlinux.org └── wiki └── username
生成一组随机的新密码,执行如下命令,其中,正整数n
代表想要的密码长度。
$ pass generate archlinux.org/wiki/username n
若要取得一组密码,执行如下命令,并在弹出窗口输入你的gpg密码短语(passphrase),如使用以上范例:
$ pass archlinux.org/wiki/username
若您是Xorg用户并安装了xclip,您可以直接将取得的密码暂时的复制到剪贴板(clipboard)上;若您是Wayland用户,pass-gitAUR 则会使用 wl-clipboard,如使用以上范例:
$ pass -c archlinux.org/wiki/username
~/.shellrc
中添加:export PASSWORD_STORE_X_SELECTION=primary
pass 也有附加的功能可与dmenu相结合,让用户可以轻松的搜索和复制粘贴。若要使用它,安装如下可选依赖dmenu后,执行:
$ passmenu
当您选择一组密码时,dmenu将会复制密码到剪贴版上。dmenu(1) 有更多相关的自定义选项。为了更快的取得密码,您可以把这个命令绑定在一组系统快捷键上。
信息格式
由pass insert
新建的信息文件预设只会包含您的密码,有时这仍旧不太足够,因为一些应用可能会要求取得您的其他信息如:用户名、网站地址等。这时,您可以用以下命令,编辑一个已存在的信息文件:
$ pass edit password_name
如下是由官网推荐的信息排版格式。使用这种格式时,选项-c
或--clip
仅会复制第一行的密码。
YwrZSNH35z164ym9pI URL: *.amazon.com/* Username: AmazonianChicken@example.com Secret Question 1: What is your childhood best friend's most bizarre superhero fantasy? Oh god, Amazon, it's too awful to say... Phone Support PIN #: 84719
迁移到pass
在这里可以找到相当多脚本可将其他应用的密码导入pass。
扩充
自版本1.7起,pass开始支援由社区开发的扩充,这些扩充包含一些新的命令,用以延伸pass的功能。
可将信息文件以tomb加密
一次性密码(OTP)支援
- pass-import (pass-importAUR)
从其他管理器导入密码的综合工具
- pass-update (pass-updateAUR)
一种更新密码的快捷方式
- pass-audit (pass-auditAUR)
一款用以审查密码安全性的扩充
进阶用法
可使用环境变量修改pass设定中执行存取和git命令的地方:
PASSWORD_STORE_DIR=/path/to/store
若想进一步了解怎么修改变量使pass支持存取多个密码仓库,参阅此处
以下的pw()
别名范例将信息文件中第一行复制到剪贴板上,五秒后再复制第二行,再五秒后复制一组一次性密码(OTP)。如果信息文件中的第一行为密码(password),第二行为用户名(username),并包含一组一次性密码(OTP)URI,此范例可按照username > password > otp code的顺序将三者贴入空白栏位中(如浏览器的登入注册表)。
pw() { export PASSWORD_STORE_CLIP_TIME=8 export PASSWORD_STORE_X_SELECTION=primary pass -c2 $1; sleep 5; pass -c $1; sleep 5; pass otp -c $1; exit }
Multiple pass Contexts (e.g. Teaming)
One can use aliases to set up different pass contexts, which helps when collaborating with different teams. We have gotten this working in bash as follows:
Add aliases to your ~/.bashrc
:
alias passred="PASSWORD_STORE_DIR=~/.pass/red pass" alias passblue="PASSWORD_STORE_DIR=~/.pass/blue pass"
Add these for bash-completion to your ~/.bash_completion
and make sure bash-completion is installed:
source /usr/share/bash-completion/completions/pass _passred(){ PASSWORD_STORE_DIR=~/.pass/red/ _pass } complete -o filenames -o nospace -F _passred passred _passblue(){ PASSWORD_STORE_DIR=~/.pass/blue/ _pass } complete -o filenames -o nospace -F _passblue passblue
Now you can initialize into ~/.pass/red
and ~/.pass/blue
and have two pass contexts with the passred
and passblue
aliases. You can generalize this further into as many contexts as you like.
Git integration
Git helper usage
You can use pass
as a credentials helper for git
. Install the pass-git-helperAUR or pass-git-helper-gitAUR package.
Detail are described in the github README file.
git
Configuration
Install pass-git-helper
as a git credentials helper by calling:
git config --global credential.helper /usr/bin/pass-git-helper
Mapping File
Create the file ~/.config/pass-git-helper/git-pass-mapping.ini
. It is used to map git remote hosts to your pass
database. The format is something like this:
[github.com] target=dev/github [*.fooo-bar.*] target=dev/fooo-bar
You can use wildcards in the host part, as shown in the example.
Password Store Layout
As usual with pass, the helper assumes that the password is contained in the first line of the passwordstore entry. Additionally, if a second line is present, this line is interpreted as the username.
For this to work, you have to use pass insert --multiline
to create a multi line password store entry.
Central Git server for pass in combination with GnuPG (SSH example)
You are able to setup a password management system by setting up a central Git server for Pass. This allows you to synchronize your central password repository through multiple client environments.
Install a bare Git repository for Pass on the server
On the server run git init --bare ~/.password-store
to create a bare repository you can push to.
Import authorized public SSH keys
See SSH keys#Copying the public key to the remote server
On the client
This section assumes you have configured GnuPG and have a key pair to encrypt passwords. On your local client ensure you have a local password store on the client, then enable management of local changes through Git, add your remote Git repository, and push your local Pass history.
# Create local password store pass init <gpg key id> # Enable management of local changes through Git pass git init # Add the the remote git repository as 'origin' pass git remote add origin user@server:~/.password-store # Push your local Pass history pass git push -u --all
Now you can use the standard Git commands, prefixed by pass
. For example: pass git push
, or pass git pull
. Pass will automatically create commits when you use it to modify your password store.
Troubleshooting
Encryption failed: Unusable public key
The following error can occur when attempting to insert a new entry:
$ pass insert archlinux.org/wiki/username Enter password for archlinux.org/wiki/username: Retype password for archlinux.org/wiki/username: gpg: XXXXXXXXX: There is no assurance this key belongs to the named user gpg: [stdin]: encryption failed: Unusable public key Password encryption aborted.
This occurs if the trust level of the GnuPG key is set to anything other than "ultimate." Edit the key used for pass
to set its trust level to "ultimate."