LinOxide

Command Line Password Managers for Linux

Updated November 6, 2017LINUX HOWTO

commandline passwordPassword Management should be simple. These command line password managers store our credentials, titles, web URLs, notes and other details in an encrypted file. We can use these tools to easily manage our credentials. We can even manage individual password files which are extremely easy to identify and sort.

These tools provide options for editing, adding, generating, and retrieving passwords. It contains a very short and simple shell script capable of temporarily putting passwords on your clipboard and tracking password changes.

In this article, I'll explain about two of the command line Password Manager tools.

1. Passmgr

It is simple and portable password manager tool. It securely stores passphrases and retrieves them via command line. In its default mode, passmgr allows selecting stored passphrases which are then copied to the clipboard for a limited amount of time in order to be pasted into a passphrase field. After this time, the clipboard is erased.

All credentials are stored AES256-GCM encrypted in a single file which by default is located in the users home directory. The encryption key for this file is derived from a master passphrase using scrypt.

Pre-requisites

  • Installing Go
  • Xclip or Xsel command to be installed

Before installing Passmgr, we need to fulfill these pre-requisites.

Installing Go

Depending on our server architecture, we can download the required package and extract to install.

#yum update
# wget https://storage.googleapis.com/golang/go1.6.2.linux-amd64.tar.gz
# tar -xzvf go1.6.2.linux-amd64.tar.gz -C /usr/local/

I've downloaded the package for a 64 bit architecture. You can create a work folder set environment variables server-wide as before.

# cd /root
# mkdir go
# cat /etc/profile.d/goenv.sh
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
# source /etc/profile.d/goenv.sh
# go version
go version go1.6.2 linux/amd64

Installing Xclip or Xsel

To enable these commands in the CentOS 7 server, we need to install these dependency packages followed by the package installation. Please follow these steps to enable this command.

# yum install libX11.x86_64
# yum install libX11-devel.x86_64
# yum install libXmu.x86_64
# yum install libXmu-devel.x86_64
# wget ftp://mirror.switch.ch/pool/4/mirror/epel/7/x86_64/x/xclip-0.12-5.el7.x86_64.rpm
# wget http://dl.fedoraproject.org/pub/epel/7/x86_64/x/xsel-1.2.0-15.el7.x86_64.rpm
# rpm -Uvh xsel-1.2.0-15.el7.x86_64.rpm
warning: xsel-1.2.0-15.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:xsel-1.2.0-15.el7 ################################# [100%]
# rpm -Uvh xclip-0.12-5.el7.x86_64.rpm
warning: xclip-0.12-5.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:xclip-0.12-5.el7 ################################# [100%]

Installing Passmgr

After completing the above installation, we can enable this Passmgr tool in one single step as below:

# go get github.com/urld/passmgr/cmd/passmgr

Now we can run "passmgr" to set the master password for our Password Manager tool and make our Primary entry to our tool.

# passmgr
 [passmgr] new master passphrase for /root/.passmgr_store:
 [passmgr] retype master passphrase for /root/.passmgr_store:

-- store is empty --

Choose a command [(S)elect/(f)ilter/(a)dd/(d)elete/(q)uit] a
 Enter the values for the new entry
 User: Saheetha
 URL: linoxide.com
 Passphrase:

n) User URL
 1) Saheetha linoxide.com

Passmgr Usages

This tool provides various options to manage the password. We can add, delete, search using a particular string using these options. We can run the help command to list out all possible options using this tool.

# passmgr --help
 Usage of passmgr:
 -add
 store new credentials
 -appTTL int
 time in seconds after which the application quits if there is no user interaction (default 120)
 -clipboardTTL int
 time in seconds after which the clipboard is reset (default 15)
 -del
 delete stored credentials
 -file string
 specify the passmgr store (default "/root/.passmgr_store")

Examples:

You can add new entries to our Password Manager tool using the option --add as below:

# passmgr -add
[passmgr] master passphrase for /root/.passmgr_store: docker

n) User URL
1) Saheetha linoxide.com

Enter the values for the new entry
User: sshameer@example.com
URL: work.example.com
Passphrase:

n) User URL
1) Saheetha linoxide.com
2) sshameer@example.com work.example.com

We can store/read the credentials to a file using the option --file. By default, all passwords will be stored inside "/root/.passmgr_store" file.  We can read the password file for a particular entry using this command as below:

# passmgr -file /root/.passmgr_store
[passmgr] master passphrase for /root/.passmgr_store:

n) User URL
1) Saheetha linoxide.com
2) sshameer@example.com work.example.com
3) testuser website.com

Choose a command [(S)elect/(f)ilter/(a)dd/(d)elete/(q)uit] 1
Choose a command [(S)elect/(f)ilter/(a)dd/(d)elete/(q)uit] S
Select: 1

Passphrase copied to clipboard!
Clipboard will be erased in 15 seconds.

We can use the filter option to restrict our search to a particular string as below:

# passmgr
 [passmgr] master passphrase for /root/.passmgr_store:

n) User URL
 1) Saheetha linoxide.com
 2) sshameer@example.com work.example.com
 3) testuser website.com
 4) test test.com

Choose a command [(S)elect/(f)ilter/(a)dd/(d)elete/(q)uit] f
 Filter: test

n) User URL
 3) testuser website.com
 4) test test.com

The filter can be reset by leaving it empty.

For deleting an entry from the Password Manager tool, we can use the option d or delete. Please see the example below:

# passmgr
 [passmgr] master passphrase for /root/.passmgr_store:

n) User URL
 1) Saheetha linoxide.com
 2) sshameer@example.com work.example.com
 3) testuser website.com
 4) test test.com

Choose a command [(S)elect/(f)ilter/(a)dd/(d)elete/(q)uit] d
 Delete: 3
 Delete all secrets for 'testuser | website.com? [Y/n] y

n) User URL
 1) Saheetha linoxide.com
 2) sshameer@example.com work.example.com
 3) test test.com

Choose a command [(S)elect/(f)ilter/(a)dd/(d)elete/(q)uit] q

In this example, I've deleted the "testuser" entry from my Password Manager.

2. Titan

Titan is another Commandline Password Manager tool which can be used in any of the Unix types of Operating systems. It uses OpenSSL library to perform the encryption. AES encryption is used with 256 bit keys. In titan password database is also protected from tampering by using a keyed-hash message authentication code (HMAC). Unique, cryptographically random initialization vector is used during the encryption. New initialization vector is generated each time the password database is encrypted.

Titan uses SQlite for storing the passwords. Database schema is simple and easy.

I've followed these steps to install Titan for our CentOS7 server.

# yum install sqlite-devel.x86_64 sqlite-tcl.x86_64
# yum install openssl-devel
# git clone https://github.com/nrosvall/titan.git
# cd titan/
# make
# make install

Titan Usages

Titan also provides some options for managing the passwords via command line. Let's take a look on few of them below:

To begin with, we need to create a database for storing our passwords. We can create our new database by just running this command.

# titan --init /home/passwords/passwd.db

You can provide the password to protect this database while creating. Now you can add all the required entries to this database using the --add or just -a option as below:

# titan --add
Title: Work
Username: sshameer
Url: linoxide.com
Notes: Admin notes
Password (empty to generate new):

Our database should be decrypted for adding the entries. In order to decrypt it you can use the option titan --decrypt [database path]. Here we can use:

# titan --decrypt /home/passwords/passwd.db

For viewing the added entries you can use the option "--list-all".

# titan --list-all
 =====================================================================
 ID: 1
 Title: Work
 User: sshameer
 Url: linoxide.com
 Password: **********
 Notes: Admin notes
 Modified: 2017-07-08 15:11:56
 =====================================================================

After adding all possible entries you should encrypt our password database for security. We can just run this command to encrypt it.

#titan --encrypt /home/passwords/passwd.db

Please see man titan or titan --help for more information.

I have recently found another command line password manager "Passhole" that uses KeePass databases.

Wrapping up

Command-line password managers are simple and great when you remotely login via SSH. Getting all of your existing passwords into the password manager is a good first step. A password manager makes good security as easy as possible. All you need to do is remember one master password (make it a good one!), and the password manager handles the rest, generating and saving a unique password for every account as required. In addition to encrypting these login credentials, it stores them safely. Thanks for reading this article and if you found more tools please feel free to share it here.

 

Saheetha Shameer 2:30 am

Comments

Your email address will not be published. Required fields are marked *

All comments are subject to moderation.