browserpass addon for FF
Matthias Apitz
guru at unixarea.de
Mon Jul 3 19:03:13 UTC 2017
At the end of the day, I now have all the pieces together, and using
GnuPG-encrypted credentials with FF works really well; the credentials
are stored as a tree in the file system and access requires the 6 digit
PIN to unlock the secret key on the GnuPG-card. There is no way to use the
credentials as long as the laptop and GnuPG-card are not stolen together
*and* connected, i.e. the card is PIN unlocked.
I'm attaching a small how-to in case someone else wants to wade through
password-storage and browserpass.
Thanks for all the helpful hints.
matthias
How to use GnuPG-card with Firefox and credentials
As root, we need some more ports:
# cd /usr/ports/sysutils/password-store
# make install clean
# cd /usr/ports/lang/go
# make install clean
The 'fdescfs' must be mounted:
# mount -t fdescfs null /dev/fd
and/or inserted into /etc/fstab as:
fdescfs /dev/fd fdescfs rw 0 0
If 'fdescfs' is not mounted, the command 'pass init ...' will fail with:
$ pass init foo
Password store initialized for foo
/usr/local/bin/pass: línea 84: /dev/fd/62: No such file or directory
To init the ~/.password-store I used (note 'guru@unixarea.de' is
not an email addr, but something which identifies the GnuPG secret key
stored on the GnuPG-card):
$ pass init guru@unixarea.de
Which gives:
$ ls -la ~/.password-store
total 48
drwx------ 3 guru wheel 512 3 jul. 08:19 .
drwxr-xr-x 248 guru wheel 33792 3 jul. 08:12 ..
-rw------- 1 guru wheel 17 3 jul. 08:17 .gpg-id
$ cat ~/.password-store/.gpg-id
guru@unixarea.de
Now we can insert userid/passwords into the tree of the ~/.password-store; note
the syntax Business/cheese-whiz-factory where 'Business' is some domain and
'cheese-whiz-factory' the userid in this:
$ pass insert Business/cheese-whiz-factory
Enter password for Business/cheese-whiz-factory: cheese
Retype password for Business/cheese-whiz-factory: cheese
$ pass
Password Store
└── Business
    └── cheese-whiz-factory.gpg
$ pass Business/cheese-whiz-factory # this will ask for the PIN to unlock the GnuPG-card
cheese
The file 'Business/cheese-whiz-factory.gpg' contains the password 'cheese'
but GnuPG encrypted:
$ file ~/.password-store/Business/cheese-whiz-factory.gpg
/home/guru/.password-store/Business/cheese-whiz-factory.gpg: PGP RSA encrypted session key - keyid: B6ECF161 C3A6C925 RSA (Encrypt or Sign) 4096b .
The 2nd part now is a bit tricky: the 'browserpass' mozilla add-on:
I followed a hint from Boris Samorodov <bsam at passap.ru> how to install 'browserpass'
directly from github.com:
$ cd
$ go get -u github.com/dannyvankooten/browserpass
$ GOPATH=/home/guru/go export GOPATH
$ cd $GOPATH/src/github.com/dannyvankooten/browserpass/cmd/browserpass
$ go build [*]
$ ls -l
total 2884
-rwxr-xr-x 1 guru wheel 2901409 3 jul. 13:02 browserpass
-rw-r--r-- 1 guru wheel 357 3 jul. 13:00 main.go
$ PATH=$PATH:$GOPATH/bin
$ go install
$ ls -l $GOPATH/bin
total 2880
-rwxr-xr-x 1 guru wheel 2901409 3 jul. 13:03 browserpass
so far so good, but:
Now the installation requires the integration with the browser through
some script 'install.sh'; I looked for it and did:
$ bash src/github.com/dannyvankooten/browserpass/install.sh
Select your browser:
====================
1) Chrome
2) Chromium
3) Firefox
4) Vivaldi
1-4: 3
Installing Firefox host config
cp: /home/guru/go/src/github.com/dannyvankooten/browserpass/firefox-host.json: No such file or directory
Hmmm, where the hell is the *.json file we need?
$ find ~/go -name *.json
./src/github.com/dannyvankooten/browserpass/chrome/host.json
./src/github.com/dannyvankooten/browserpass/chrome/manifest.json
./src/github.com/dannyvankooten/browserpass/chrome/policy.json
./src/github.com/dannyvankooten/browserpass/firefox/host.json
./src/github.com/dannyvankooten/browserpass/firefox/manifest.json
./src/github.com/dannyvankooten/browserpass/package.json
./src/github.com/dannyvankooten/browserpass/vendor/vendor.json
I fixed the above install.sh and copied over
$ cp src/github.com/dannyvankooten/browserpass/firefox/host.json /home/guru/.mozilla/native-messaging-hosts/com.dannyvankooten.browserpass.json
and modified the 'path' in it to show:
$ cat /home/guru/.mozilla/native-messaging-hosts/com.dannyvankooten.browserpass.json
{
  "name": "com.dannyvankooten.browserpass",
  "description": "Browserpass binary for the Firefox extension",
  "path": "/home/guru/go/src/github.com/dannyvankooten/browserpass/cmd/browserpass/browserpass",
  "type": "stdio",
  "allowed_extensions": [
    "browserpass@dannyvankooten.com"
  ]
}
XXX:
Maybe the exec /home/guru/go/src/github.com/dannyvankooten/browserpass/cmd/browserpass/browserpass
should be copied to some better place;
Now install the 'browserpass' add-on from:
https://addons.mozilla.org/en-US/firefox/addon/browserpass/
(one must fake the User-agent string to, for example, Ubuntu)
this made the 'browserpass' add-on work in general, but the command chain
needs to know where the GNUPGHOME is, in my case GNUPGHOME=/home/guru/.gnupg-ccid,
because firefox starts /usr/local/bin/pass, which itself starts /usr/local/bin/gpg2
and this needs the correct GNUPGHOME env value; so I modified the FF icon to launch
GNUPGHOME=/home/guru/.gnupg-ccid firefox %U
some more hints:
- I have not found a way to enter new user/password from the browser; I always
do it from cmdline with
$ pass insert domain.foo/username
- if the 'username' contains blanks (or other shell meta chars), they must be escaped as:
$ pass insert 'domain.foo/Apitz Matthias'
- if there is no 'username', but only the password, just use
$ pass insert domain.foo
or
$ pass insert 192.168.2.1
- XXX still todo: convert all old FF-credentials to the password-store (which is
relatively easy: unload them to a file and build 'pass insert ....' commands);
once this is done, remove the credentials in FF; really! they are unsafe there;
--
Matthias Apitz, ✉ guru at unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.
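An added example, not part of the original post or of the browserpass project: a check of the native-messaging host manifest from the how-to, prompted by its note that the binary "should be copied to some better place". The function name and the findings wording are hypothetical; the manifest keys are the ones shown in the post.

```python
import json
import os
import stat
import sys


def audit_host_manifest(manifest_path, expected_extension):
    """Return a list of findings; an empty list means nothing was flagged."""
    with open(manifest_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    findings = []
    if manifest.get("type") != "stdio":
        findings.append("type is not 'stdio'")
    # Only the expected add-on should be allowed to start the host binary.
    if manifest.get("allowed_extensions") != [expected_extension]:
        findings.append("allowed_extensions is not exactly the expected add-on")
    binary = manifest.get("path", "")
    if not os.path.isabs(binary):
        findings.append("path is not absolute")
        return findings
    # Whoever can write the manifest, the binary or its directory can change
    # what the browser executes on the add-on's behalf.
    for target in (manifest_path, binary, os.path.dirname(binary)):
        try:
            mode = os.stat(target).st_mode
        except FileNotFoundError:
            findings.append(f"{target} does not exist")
            continue
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{target} is writable by group or others")
    if os.path.isfile(binary) and not os.access(binary, os.X_OK):
        findings.append(f"{binary} is not executable")
    return findings


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: audit.py MANIFEST_PATH EXTENSION_ID
    for finding in audit_host_manifest(sys.argv[1], sys.argv[2]):
        print(finding)
```
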
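An added example, not part of the original post: one way to do the "still todo" conversion of exported browser credentials into the 'domain.foo/username' layout from the hints. The CSV column names (url, username, password) and all function names are assumptions; each password goes to `pass insert --multiline` on stdin, so it never appears in the process list, and names are passed as a list so blanks need no shell escaping.

```python
import csv
import io
import subprocess
from urllib.parse import urlsplit


def entry_name(url, username):
    """Map a login to the 'domain.foo/username' naming used in the how-to."""
    host = urlsplit(url).hostname or url.strip().strip("/")
    # A '/' in the user name would create an extra directory level.
    user = username.strip().replace("/", "_")
    return f"{host}/{user}" if user else host


def plan_entries(csv_text):
    """Return {entry name: password}; refuse to overwrite on a name clash."""
    plan = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = entry_name(row["url"], row["username"])
        if name in plan:
            raise ValueError(f"two logins map to {name!r}")
        plan[name] = row["password"]
    return plan


def insert_all(plan):
    """Feed each password to 'pass insert' on stdin, never on the command line."""
    for name, password in plan.items():
        subprocess.run(["pass", "insert", "--multiline", name],
                       input=password + "\n", text=True, check=True)


# Constructed sample export; the column names are an assumption.
SAMPLE = '''url,username,password
https://domain.foo/login,Apitz Matthias,"che,ese"
http://192.168.2.1:8080/,,router-pw
'''

if __name__ == "__main__":
    # Dry run: show the entry names only, never the passwords.
    for name in plan_entries(SAMPLE):
        print("would run: pass insert --multiline", repr(name))
```

Call `insert_all(plan_entries(text))` only after reviewing the dry-run names, and delete the export file once the entries are in the store.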