Name your favorite password manager. Now, name your favorite password manager that you can run on your headless Linux servers.
Actually, that’s not entirely true. There is a text-based password manager that does a great job of obscuring the storage of passwords, in a text-only file, with pgp encryption. The tool in question is called Pass, and anyone running Linux, FreeBSD, or Mac should give this a try.
Pass stores all passwords in the ~/.password-store, and provides commands for adding, editing, generating, and retrieving passwords. Pass is also capable of temporarily adding passwords to your clipboard, as well as tracking password changes using git.
Let’s install Pass on Elementary OS Loki and start using this handy tool.
SEE: Password Management Policy (Tech Pro Research)
Since you’ll find Pass in the standard repositories, installation can be completed with a single command:
sudo apt-get install pass
The above command will install Pass and the necessary dependencies: git, git-man, liberror-perl, pwgen, tree, and xclip.
First, you need to initialize the password store. To do this, you must already have your pgp keys stored on the machine (if you haven’t generated pgp keys, do so now). On the machine with Pass installed, open a terminal window (or login, if it’s a headless server) and issue the command (GnuPG ID is the ID of the pgp key you want to associate with the password storage):
pass init GnuPG ID
The above command will create the ~/.password-store directory and initialize it for the associated user.
Let’s say you want to add a password for a webmin instance on your primary server (we’ll call that primary server MONKEYPANTZ). To add this new password to Pass, you issue a command like so:
When you enter that command, you will be asked to type the GnuPG passphrase for the associated pgp key. After you authenticate against your key, you will be asked to type and verify the password you want to add for MONKEYPANTZ/webmin.
Say you want to add a password for webmail on MONKEYPANTZ—you can enter the command:
If you type the command pass without any arguments, you’ll see all the categories and entries for each (Figure A).
Let’s say you want to view the password for MONKEYPANTZ/webmail; for this, you would type the command:
When you hit Enter, you will be prompted for the passphrase for the associated pgp key. Upon successful authentication against that key, your password will be displayed.
You can also automatically copy that password to the clipboard (which has the added bonus of not displaying that password on the screen). Type the command:
pass -c MONKEYPANTZ/webmail
You will see that Pass has copied the password to your clipboard and will make it available for 45 seconds.
Pass can also generate passwords. Say you want to generate a new password for MONKEYPANTZ/Wordpress. To do this, type the command (X is the length of password you want to generate, such as 15 for a 15-character password):
pass generate MONKEYPANTZ/Wordpress X
Passwords can be removed with the command:
pass rm MONKEYPANTZ/Webmin
Passwords can be edited with the command:
pass edit MONKEYPANTZ/Webmin
The above command will open the password in your default editor, where you can change the password as needed.
Security by obfuscation and more
Pass is incredibly simple to use, reliable, secured by pgp, and makes it possible to obfuscate your password manager from prying eyes (most people would be looking for a GUI tool to serve this purpose). I like having Pass available even if only for that last reason…because if someone is going to look for a password manager on my system, the last place they’ll probably look is the command line. Until now. 😉