Shell Script for "Password Management"

Hi all,

Does anyone know of a 'simple' shell script available out there to do with 'password management'?

Age is really quickly catching up, so one of these days I will really need to have a password manager of some sort. Unfortunately, I am not the sysadmin of the servers and I can't install any utilities of that sort; I can only use whatever's available now on the server. I've found some password manager tools, like pass, gopass, titan etc., but as mentioned, I can't install them. There are some Perl and Python scripts available now I presume, but I am sure I don't have many of the modules used in those scripts.

At the moment, am using KeePass on Windows and copying/pasting stuff from Windows to *nix server that I access via RDP and PuTTY/ssh to the server.

I'm just looking for something really 'basic': one where I can 'store' my passwords as an encrypted file. And then, whenever I need one, I just run the same script passing a username, which will then display the password in plaintext. I will have to supply a password or passphrase or something like that when I run the script.

Anyway, hoping for some feedback, suggestions or advice on this. Maybe someone already knows of a script that I can use and modify to suit what I am wanting to do.

Thanks in advance.

I'd have a basic tryout-draft...
Where I 'currently' 'fail' is using LUKS (properly; cryptsetup) to "mount" an encrypted file to a folder.
Currently as in: I haven't looked at the file for five years and gave it one quick shot today before I had to leave.

As it is right now (fallback), it allows you to mount a file that will contain the password file (anything for that matter).

So, not yet encrypted, but at least not as a loose file.

But it will require sudo rights for your account / at least for mount.

So I'm not sure if it would be of help?

Hi,

Thanks for your reply.
Unfortunately, I can't use what you are suggesting. I am more or less looking for something 'simple' actually.
So there are several servers that I ssh to; I can copy the RSA keys to those hosts and then ssh with no password. So that's all well and good.
But there are also a Windows login, an AWS login, a database password login, my bank account login (just kidding), and several other 'clients'/customers that I support where I unfortunately cannot copy the RSA keys to.

So what am thinking is for each client, I create a text file with the login and password information and then I run the following

openssl enc -aes-256-cbc -salt -in list.txt -out list.txt.enc
openssl enc -aes-256-cbc -d -in list.txt.enc | cat

The first one is obviously an encrypt, after which I delete the plain text file, and when I need to access the password information, I run the second command, which is a decrypt, and then copy and paste the output from the decrypt. xclip or any other UNIX clipboard command is not available.

So it is kinda like a shell script for maintaining a text file that I encrypt and delete the text file and decrypt the encrypted file if/when I need to access the password information.

The other 'easier' option/alternative that I am hoping to have maybe is if I have the password text file as below:

mickey mouse
donald duck
bugs bunny

Then if I can encrypt and masked it like below:

mickey ******
donald ******
bugs ******

And then run an unmasked/decrypt that will toggle the ****** to show/hide the password.

At the moment, I can manage with using openssl to encrypt/decrypt. I just need some kind of menu/script to manage it, maybe.

I know there are other password management scripts/tools around for Linux/Unix, but unfortunately, as I am not the SysAdmin and the client possibly won't approve installing such a utility on the server, I'm left with only the 'writing' my own shell script option, using one text file for each username/password. Obviously, I still need to remember the one 'master' password that I used for doing the openssl -enc.

Hi

Thinking about it, I guess what I'm looking for is like an encrypted text database of some sort or an encrypted note-taking app, but one that I can run as a shell script, not one that I need to install or download and run make on, 'coz I'm not the UNIX SysAdmin.

At the moment, I can make do with creating several text files, openssl-encrypting them with a salt and removing the text file, and then openssl-decrypting, entering the required code/password, and there I can see the 'secret' notes.
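As an added example (not the original poster's script, and not taken from any of the replies), here is a small POSIX sh password store that does what the openssl enc/dec commands above do, but with the pieces a practitioner would want around them: PBKDF2 key derivation instead of openssl's legacy key derivation, the passphrase passed to openssl through the environment rather than argv (so it is not visible in ps), plaintext that only ever exists in a pipe, an atomic rewrite of the encrypted file, a cheap wrong-passphrase check (AES-CBC alone has no integrity), and the masked "user ******" listing the poster asked for. It assumes openssl 1.1.1 or newer is on PATH; the function names, the PW_STORE variable and the "#pwstore-v1" header line are this example's own conventions.

```shell
#!/bin/sh
# Added example: a single-file password store built only on openssl(1) and POSIX sh.
# Assumptions: openssl 1.1.1+ (for -pbkdf2) on PATH; PW_STORE is the encrypted file.
# Plaintext layout (inside the ciphertext): one header line, then "user secret" lines.
# Function names, PW_STORE and the header string are this example's own, not a standard.

PW_STORE="${PW_STORE:-$HOME/.pwstore.enc}"
PW_MAGIC='#pwstore-v1'
PW_CIPHER='-aes-256-cbc -pbkdf2 -iter 100000'   # PBKDF2 instead of openssl's legacy EVP_BytesToKey

# Decrypt the store to stdout without the header line; empty output if no store exists yet.
# The passphrase reaches openssl via -pass env:, not argv, so it does not show up in `ps`.
# CBC gives no integrity, so the header check is only a wrong-passphrase/corruption
# detector, not a MAC: a wrong passphrase yields garbage that does not start with the header.
pw_decrypt() {
    [ -f "$PW_STORE" ] || return 0
    plain=$(PW_PASS="$1" openssl enc -d $PW_CIPHER -in "$PW_STORE" -pass env:PW_PASS 2>/dev/null) ||
        { echo "pw: wrong passphrase or corrupt store" >&2; return 1; }
    case "$plain" in
        "$PW_MAGIC"*) printf '%s\n' "$plain" | awk 'NR > 1' ;;
        *) echo "pw: wrong passphrase or corrupt store" >&2; return 1 ;;
    esac
}

# pw_add PASSPHRASE USER SECRET: add or replace one entry. Plaintext exists only in the
# pipe and in shell variables; ciphertext goes to a 0600 temp file renamed over the store,
# and nothing is overwritten unless the existing store decrypted cleanly first.
pw_add() {
    existing=$(pw_decrypt "$1") || return 1
    tmp="$PW_STORE.tmp.$$"
    {
        printf '%s\n' "$PW_MAGIC"
        if [ -n "$existing" ]; then printf '%s\n' "$existing" | awk -v u="$2" '$1 != u'; fi
        printf '%s %s\n' "$2" "$3"
    } | ( umask 077; PW_PASS="$1" openssl enc $PW_CIPHER -salt -pass env:PW_PASS -out "$tmp" ) &&
        mv "$tmp" "$PW_STORE" || { rm -f "$tmp"; return 1; }
}

# pw_get PASSPHRASE USER: print the secret for one user (everything after the first
# field, so secrets may contain spaces); exit 1 if the user is not in the store.
pw_get() {
    pw_decrypt "$1" | awk -v u="$2" '$1 == u { sub(/^[^ ]+ /, ""); print; found = 1 } END { exit !found }'
}

# pw_list PASSPHRASE: the masked view from the thread, user names with secrets hidden.
pw_list() {
    pw_decrypt "$1" | awk '{ print $1, "******" }'
}

# Interactive use: pw.sh add USER | get USER | list. The passphrase (and, for add, the
# secret) are read from the terminal with echo off, so neither lands in argv or history.
pw_read() {
    printf '%s: ' "$1" >&2
    stty -echo 2>/dev/null; read -r PW_INPUT; stty echo 2>/dev/null; echo >&2
}

if [ "$#" -gt 0 ] && [ -t 0 ]; then
    cmd=$1; shift
    pw_read 'Passphrase'; pass=$PW_INPUT
    case "$cmd" in
        add)  pw_read "Secret for $1"; pw_add "$pass" "$1" "$PW_INPUT" ;;
        get)  pw_get  "$pass" "$1" ;;
        list) pw_list "$pass" ;;
        *)    echo "usage: $0 add USER | get USER | list" >&2; exit 2 ;;
    esac
fi
```

Run as `PW_STORE=~/clients/acme.enc sh pw.sh add mickey` and `sh pw.sh get mickey` for a one-file-per-client layout, or `. pw.sh` and call the functions from another script. The store is still only as strong as the master passphrase and the host: anyone who can read your shell's memory or /proc while it runs, or who replaces openssl on PATH, can get the secrets, which is the same exposure the plain `openssl enc -d` commands above already have.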

Hey @newbie_01, I've implemented a solution for this (my company Plyint - https://plyint.com, maintains it) as just a single shell script. It can be sourced into your shell scripts or you can interact with it directly from the CLI. It generates AES 256-bit symmetric keys for each script or user-defined bucket and then encrypts secrets for the script or bucket using that key. The only real requirement is that OpenSSL must be installed on the machine where you want to use it.

The script is usable on POSIX compliant shell environments. (sh, bash, ksh, zsh) The full description is available in the github repo -> https://github.com/plyint/encpass.sh. It stores the keys and secrets in a hidden directory under your user (i.e. ~/.encpass). Note, you can define an environment variable ENCPASS_HOME_DIR if you want to change the directory it uses.

To add a password you simply call the add command to add a secret to a bucket.

$ encpass.sh add personal password
Adding secret "password" to bucket "personal"...
Enter password:
Confirm password:

To show it you just call the show command

$ encpass.sh show personal password
toomanysecrets

If you have shell scripts you'd like to use encpass.sh for, you just need to source encpass.sh and then call the get_secret method. For example:

#!/bin/sh
. encpass.sh
password=$(get_secret)   # no arguments: bucket defaults to this script's name, secret to "password"

Let me know if you have any questions.


Thanks for posting @ahnick

Looks like an interesting repo. Thanks.

KeePassXC, for instance, has a command line utility as well.

So you can copy the KeePass database to the server, install the KeePass software and use it via command line calls to get what you need.
It is multiplatform, so copying password DB files around OSes should work fine.

Just be careful with your input; you do not want your passwords in your shell history!

Other alternatives would be using a local sqlite3 encrypted database with a small program in a language you are comfortable with, to achieve the desired result.

All the approaches here maintain a copy of the DB per server; if you do not copy it every time you update/add in the central location, you will have different databases.

Hope that helps
Regards
Peasant.


One thing that might make synchronization or just initial loading of secrets onto a remote machine easier with encpass.sh is using the import/export capabilities.

You can create an encrypted export of all your keys/secrets with the following command (you'll be prompted to enter a password when exporting keys):

$ encpass.sh export -k \*
Exporting keys requires a password to be set for the export file.

Enter Password for export file:
Confirm Password:

Exporting all keys and secrets for ALL buckets

Successfully created export file encpass-openssl-2020-05-29-1590733750.tgz.enc in /home/<user>/.encpass/exports

Note: you can also just export specific keys and passwords if you don't want to make all of them available on a remote machine.

Now you can copy the encrypted export file to the remote machine using SSH or whatever mechanism you prefer, and then run the import command (Make sure to use the -p option, so you can enter the password to decrypt the export file):

$ encpass.sh import -p encpass-openssl-2020-05-29-1590733750.tgz.enc
Import file: encpass-openssl-2020-05-29-1590733750.tgz.enc
To directory: /home/<user>/.encpass

Enter Password for import file:
Confirm Password:

Are you sure you want to proceed with the import? [y/N]y
Import successful.

Bonus: To make the remote import even more secure you can use the lock command to lock your keys before creating the export file from your local machine, so that when you import the file on the remote machine the keys are in a locked state. Then, whenever you want to use your passwords on the remote machine you can unlock the keys and access your passwords. This way the keys are only readable by your user and the root user on the remote machine for a small window of time when you want to unlock them and use them.
