browserpass addon for FF

Matthias Apitz guru at unixarea.de
Mon Jul 3 19:03:13 UTC 2017


At the end of the day, I now have all the pieces together, and using
GnuPG-encrypted credentials with FF works really fine; the credentials
are stored as a tree in the file system and access requires the 6 digit
PIN to unlock the secret key on the GnuPG-card. There is no way to use the
credentials unless the laptop and GnuPG-card are stolen together
*and* connected, i.e. the card is PIN unlocked.

I'm attaching a small how-to if someone else wants to wade through
password-storage and browserpass.

Thanks for all helping hints.

	matthias

How to use GnuPG-card with Firefox and credentials

We need as root some more ports:

# cd /usr/ports/sysutils/password-store
# make install clean
# cd /usr/ports/lang/go
# make install clean

The 'fdescfs' must be mounted:

# mount -t fdescfs null /dev/fd

and/or inserted into /etc/fstab as:

    fdescfs /dev/fd fdescfs rw 0 0

If 'fdescfs' is not mounted, the command 'pass init ...' will fail with:

$ pass init foo
Password store initialized for foo
/usr/local/bin/pass: línea 84: /dev/fd/62: No such file or directory

I used this to init the ~/.password-store (note 'guru@unixarea.de' is
not an email addr, but something which identifies the GnuPG secret key
stored on the GnuPG-card):

$ pass init guru@unixarea.de

Which gives:

$ ls -la ~/.password-store
total 48
drwx------    3 guru  wheel    512  3 jul.  08:19 .
drwxr-xr-x  248 guru  wheel  33792  3 jul.  08:12 ..
-rw-------    1 guru  wheel     17  3 jul.  08:17 .gpg-id
$ cat ~/.password-store/.gpg-id
guru@unixarea.de

Now we can insert userid/passwords into the tree of the ~/.password-store; note
the syntax Business/cheese-whiz-factory, where 'Business' is some domain and
'cheese-whiz-factory' is the userid:

$ pass insert Business/cheese-whiz-factory
Enter password for Business/cheese-whiz-factory: cheese
Retype password for Business/cheese-whiz-factory: cheese

$ pass
Password Store
└── Business
    └── cheese-whiz-factory.gpg

$ pass Business/cheese-whiz-factory  # this will ask for the PIN to unlock the GnuPG-card
cheese

The file 'Business/cheese-whiz-factory.gpg' contains the password 'cheese'
but GnuPG encrypted:

$ file ~/.password-store/Business/cheese-whiz-factory.gpg 
/home/guru/.password-store/Business/cheese-whiz-factory.gpg: PGP RSA encrypted session key - keyid: B6ECF161 C3A6C925 RSA (Encrypt or Sign) 4096b .



The 2nd part now is a bit tricky: the 'browserpass' Mozilla add-on:

I followed a hint from Boris Samorodov <bsam@passap.ru> on how to install 'browserpass'
directly from github.com:

$ cd
$ go get -u github.com/dannyvankooten/browserpass
$ GOPATH=/home/guru/go export GOPATH
$ cd $GOPATH/src/github.com/dannyvankooten/browserpass/cmd/browserpass
$ go build           [*]
$ ls -l
total 2884
-rwxr-xr-x  1 guru  wheel  2901409  3 jul.  13:02 browserpass
-rw-r--r--  1 guru  wheel      357  3 jul.  13:00 main.go

$ PATH=$PATH:$GOPATH/bin
$ go install
$ ls -l $GOPATH/bin
total 2880
-rwxr-xr-x  1 guru  wheel  2901409  3 jul.  13:03 browserpass

so far so good, but:

Now the installation requires the integration with the browser through
some script 'install.sh'; I looked for it and did:

$ bash src/github.com/dannyvankooten/browserpass/install.sh

Select your browser:
====================
1) Chrome
2) Chromium
3) Firefox
4) Vivaldi
1-4: 3

Installing Firefox host config
cp: /home/guru/go/src/github.com/dannyvankooten/browserpass/firefox-host.json: No such file or directory

Hmmm, where the hell is the *.json file we need?

$ find ~/go -name *.json
./src/github.com/dannyvankooten/browserpass/chrome/host.json
./src/github.com/dannyvankooten/browserpass/chrome/manifest.json
./src/github.com/dannyvankooten/browserpass/chrome/policy.json
./src/github.com/dannyvankooten/browserpass/firefox/host.json
./src/github.com/dannyvankooten/browserpass/firefox/manifest.json
./src/github.com/dannyvankooten/browserpass/package.json
./src/github.com/dannyvankooten/browserpass/vendor/vendor.json

I fixed the above install.sh and copied it over:

$ cp src/github.com/dannyvankooten/browserpass/firefox/host.json /home/guru/.mozilla/native-messaging-hosts/com.dannyvankooten.browserpass.json

and modified the 'path' in it to show:

$ cat /home/guru/.mozilla/native-messaging-hosts/com.dannyvankooten.browserpass.json

{
  "name": "com.dannyvankooten.browserpass",
  "description": "Browserpass binary for the Firefox extension",
  "path": "/home/guru/go/src/github.com/dannyvankooten/browserpass/cmd/browserpass/browserpass",
  "type": "stdio",
  "allowed_extensions": [
     "browserpass@dannyvankooten.com"
   ]
}

XXX:
Maybe the exec /home/guru/go/src/github.com/dannyvankooten/browserpass/cmd/browserpass/browserpass
should be copied to some better place;

Now install the 'browserpass' add-on from:
https://addons.mozilla.org/en-US/firefox/addon/browserpass/
(one must fake the User-agent string to, for example, Ubuntu)

This made the 'browserpass' add-on work in general, but the command chain
needs to know where the GNUPGHOME is, in my case GNUPGHOME=/home/guru/.gnupg-ccid,
because firefox starts /usr/local/bin/pass, which itself starts /usr/local/bin/gpg2,
and this needs the correct GNUPGHOME env value; so I modified the FF icon to launch

    GNUPGHOME=/home/guru/.gnupg-ccid firefox %U

some more hints:

- I have not found a way to enter new user/password from the browser; I always
  do it from cmdline with

  $ pass insert domain.foo/username

- if the 'username' contains blanks (or other shell meta chars), they must be escaped as:

  $ pass insert 'domain.foo/Apitz Matthias'

- if there is no 'username', but only the password, just use

  $ pass insert domain.foo
  or
  $ pass insert 192.168.2.1

- XXX still todo: convert all old FF-credentials to the password-store (which is
  relatively easy: unload them to a file and build 'pass insert ....' commands);
  once this is done, remove the credentials in FF; really! they are unsafe there;


-- 
Matthias Apitz, ✉ guru at unixarea.de, ⌂ http://www.unixarea.de/  ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.
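The preconditions the how-to above stumbles over one by one (fdescfs mounted, a .gpg-id in the store, a native-messaging host manifest whose "path" points at an existing binary and whose allowed_extensions lists the add-on, GNUPGHOME pointing at a real directory) gathered into one preflight script. This is an added example, not code from the original post or from the browserpass project; the function names json_string, check_host_manifest and check_pass_env are my own, and it assumes only POSIX sh, sed and grep (no jq). The extension id is passed in as an argument because the archive shows it with "@" rewritten as " at ".

```shell
#!/bin/sh
# Added example (not from the original post or the browserpass project):
# preflight checks for the pass + browserpass + GnuPG-card chain.
# Assumed (not from the page): the function names below; POSIX sh, sed, grep.

# Extract a string-valued key from a small, flat JSON file such as the
# native-messaging host manifest. Sufficient for that one-level file;
# it is not a general JSON parser.
json_string() {
    # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Check a Firefox native-messaging host manifest ($1) for the add-on id ($2):
#  - "name" must equal the file's base name (Firefox looks up <name>.json)
#  - "type" must be "stdio"
#  - "path" must point at an existing executable
#  - "allowed_extensions" must contain the add-on id
# Prints one diagnostic per failed check; returns 0 only if all pass.
check_host_manifest() {
    manifest=$1; ext_id=$2; rc=0
    base=$(basename "$manifest" .json)
    name=$(json_string "$manifest" name)
    type=$(json_string "$manifest" type)
    path=$(json_string "$manifest" path)
    if [ "$name" != "$base" ]; then
        echo "manifest name '$name' does not match file name '$base'"; rc=1
    fi
    if [ "$type" != "stdio" ]; then
        echo "type is '$type', expected 'stdio'"; rc=1
    fi
    if [ ! -x "$path" ]; then
        echo "path '$path' is not an executable file"; rc=1
    fi
    if ! grep -q "\"$ext_id\"" "$manifest"; then
        echo "allowed_extensions does not contain '$ext_id'"; rc=1
    fi
    return $rc
}

# Check the environment that /usr/local/bin/pass needs when Firefox, not an
# interactive shell, starts it. Returns 0 only if everything is in place.
check_pass_env() {
    rc=0
    # pass uses /dev/fd/N (process substitution); on FreeBSD that needs fdescfs
    [ -e /dev/fd/0 ] || { echo "/dev/fd is not available: mount fdescfs"; rc=1; }
    # GNUPGHOME, if set, must be the keyring directory that knows the card key
    if [ -n "$GNUPGHOME" ] && [ ! -d "$GNUPGHOME" ]; then
        echo "GNUPGHOME '$GNUPGHOME' is not a directory"; rc=1
    fi
    # the password store must carry the .gpg-id written by 'pass init'
    store=${PASSWORD_STORE_DIR:-$HOME/.password-store}
    [ -s "$store/.gpg-id" ] || { echo "no .gpg-id in $store: run 'pass init <keyid>'"; rc=1; }
    return $rc
}

# Usage (paths from the how-to; the add-on id is the archive-mangled value
# with its "@" restored):
#   check_host_manifest ~/.mozilla/native-messaging-hosts/com.dannyvankooten.browserpass.json \
#       browserpass@dannyvankooten.com && check_pass_env
```

Run it with the same GNUPGHOME the Firefox launcher sets; a manifest that passes here but a chain that still fails usually means Firefox was started without that variable.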