This is part 4 of a multi-part article. Part 1 is available here, part 2 is available here, part 3 is available here. Part 1 discusses the importance of complex passwords and also discusses some ways to create them in Linux. Part 2 covers KeepassX, a program with a very nice graphical user interface. Part 3 takes a look at the gpass program, which is a nice graphical user interface for the GNOME desktop (it will work on others too). Part 4 takes a look at the command line program pwsafe.
pwsafe is a unix commandline program that manages encrypted password databases.
PWSAFE
Features:
- Pure command-line operation if desired (good for remote access over ssh)
- or can interact with X11 selection & clipboard.
- Portable, endianness-clean, misaligned-access-free C++. Compiles cleanly on linux, *bsd, macos x, solaris.
- Compatible with CounterPane's PasswordSafe Win32 program versions 2.x and 1.x. (the latest release of PasswordSafe at the time of this article publication was 3.11 which is not compatible with the linux commandline pwsafe application)
- Funny comments included in source code.
INSTALLATION
pwsafe should be available for most distributions in their specific package formats. However, if it is not, I will show you how to compile the application from source code.
First, download the latest release of pwsafe (Sept 30, 2005) from here
Next, extract the archive onto your hard drive using the tar command:
[code] tar xzf pwsafe-0.2.0.tar.gz [/code]
Change directories to the extracted files:
Issue the configure command:
Followed by the make and make install commands (you will need to be the root user to run make install or use sudo):
[code] make && make install [/code]
RUNNING PWSAFE
The pwsafe application is run from a shell, terminal, console, bash, or whatever you call it. It does not have a graphical user interface. To run it, first check the man page for pwsafe:
[code] PWSAFE(1)                                                            PWSAFE(1)

NAME
       pwsafe - commandline password database utility compatible with Counterpane's Passwordsafe

SYNOPSIS
       pwsafe [options] command [arg]

DESCRIPTION
       pwsafe manipulates Counterpane Passwordsafe username/password databases.
       It is compatible with Counterpane Passwordsafe 1.9.x and 2.0 databases.

COMMANDS
       pwsafe accepts the following commands:

       --createdb
              Create a new database.

       --exportdb
              Export database as text.

       --mergedb=DATABASE_FILE
              Merge DATABASE_FILE into database. Common entries are merged interactively.

       --passwd
              Change the database's passphrase.

       --list[=REGEX]
              List all [matching] entries in database. If -u or -p is given then REGEX must match only one entry, and only the requested field(s) are emitted.

       -a, --add[=NAME]
              Add an entry to database.

       -e, --edit=REGEX
              Edit an entry.

       --delete=NAME
              Delete an entry from database.

       If no command is given, an interactive mode is entered.

OPTIONS
       pwsafe accepts the following options:

       -f, --file=DATABASE_FILE
              Specify the database to manipulate. Default is $HOME/.pwsafe.dat

       --dbversion=[1|2]
              Specify the database's version. Default is 2.

       -I, --case
              REGEX is case-sensative. Any uppercase character in REGEX implies --case.

       -l     Show login and notes in list output.

       -u, --username
              Show username of listed account(s).

       -p, --password
              Show password of listed accounts(s).

       -E, --echo
              Force echo'ing of entry to stdout. This is selected by default if $DISPLAY is not set.

       -o, --output=FILE
              Redirect username and password output to FILE. Implies --echo.

       -x, --xclip
              Force copying of username and password to X clipboard. This is selected by default if $DISPLAY is set.

       -d, --display=XDISPLAY
              Override $DISPLAY. Implies --xclip.

       -s, --selection={Primary,Secondary,Clipboard,Both}
              Select the X selection effected. Default is Both primary and clipboard. Implies --xclip.

       -G, --ignore=NAME@HOST
              Add NAME to windows or hosts that do not receive the selection. If just NAME is given it matches any host, and if just @HOST is given it matches any name.

       -v, --verbose
              Print more information.

       -q, --quiet
              Print less information. In fact, print only exactly what was requested.

       -h, --help
              Show summary of options.

       -V, --version
              Show version of program.

ENVIRONMENT
       PWSAFE_DATABASE
              Default database file. If this is a relative path it is assumed to be relative to $HOME. Defaults to ".pwsafe.dat". Overridden by -f.

       PWSAFE_DEFAULT_USER
              Default user. Defaults to $USER or $LOGNAME.

       PWSAFE_IGNORE
              Overrides built-in --ignore list. --ignore overrides. Format is a list of --ignore arguments, seperated by colons (':').

       HOME   Used to locate the default database "~/.pwsafe.dat" and default RANDFILE "~/.rnd".

       RANDFILE
              Used to locate the random number generator entropy pool file. Defaults to "$HOME/.rnd".

FILES
       ~/.pwsafe.dat
              The password database.

       ~/.pwsafe.dat~
              Backup of database.

       ~/.rnd Random number generator's entropy pool.

WARNINGS
       Use a good password for your database.

       Don't use pwsafe over telnet or from untrusted terminals.

       To seed RANDFILE decently, do something like md5sum /var/log/* >~/.rnd

EXAMPLES
       For those who can't read the rest of this file:

       Create $HOME/.pwsafe.dat.
              pwsafe --createdb

       Add an entry named 'test'.
              pwsafe -a test

       Copy username and password of 'test' to console or X clipboard & primary selection.
              pwsafe -up test

       Upgrade a version passwordsafe version 1.7 database to version 2.0 (we do this by merging it with itself, but specifying version 2 output)
              pwsafe --mergedb $HOME/.pwsafe.dat --dbversion 2

AUTHOR
       Nicolas S. Dade
[/code]
Creating the Database
The first thing you need to do is to create a database to hold your passwords. The man page for pwsafe says we use this command to accomplish that:
[code] pwsafe --createdb [/code]
Actually running the command looks like this:
[code] $ pwsafe --createdb
WARNING: pwsafe unable to seed rng from /home/ewiget/.rnd
WARNING: pwsafe unable to use secure ram (need to be setuid root)
Enter passphrase for /home/ewiget/.pwsafe.dat:
Reenter passphrase for /home/ewiget/.pwsafe.dat:
[/code]
The warnings above appear because I don't allow setuid root applications on this system.
Add an entry to the database
Also, straight from the man page, we can add an entry for test. This is done using this command:
[code] pwsafe -a test [/code]
When you actually run the command, it looks like this (I will explain it below the code window):
[code] $ pwsafe -a test
WARNING: pwsafe unable to use secure ram (need to be setuid root)
Enter passphrase for /home/ewiget/.pwsafe.dat:
group []:
username: user
password [return for random]:
Generate random password? [y] y
Use gh8jpgvwvl>zS1k?-MT3rvu=#svU=-JdvQRg type alpha/digit/symbol, length 36, 160 bits of entropy [y/N/ /+/-/q/?] ? y
notes: test password
[/code]
The very first line starts with pwsafe -a test.
There is a warning about being unable to use secure ram. This is because, by choice, I don't have the program setuid root; this is a choice made for security reasons.
Next, I enter the passphrase that I used when I created the database earlier.
I then accept the default value for group which is none by simply pressing enter.
I typed in "user" for the username because this is just a test of the program.
For the password, I let it automatically generate the password. You can either type a password in if you already have one for the account you are creating, or you can leave it blank and accept the password it suggests.
For the notes, I entered test password.
Then the program exited.
Listing Entries from the database
The command we use is below:
[code] $ pwsafe --list [/code]
Actually running the command results in this output:
[code] $ pwsafe --list
WARNING: pwsafe unable to use secure ram (need to be setuid root)
Enter passphrase for /home/ewiget/.pwsafe.dat:
test
[/code]
As you can see, there is our test entry on the last line after running the command and entering the correct password. However, you are probably wondering how to get the username or the password from that entry.
Retrieving the Password from an Entry
According to the command options I obtained from the man page, the option -u is for the username and the option -p is for the password. So, if I want to list the username and password for the test entry, I use this command:
[code] pwsafe -up test [/code]
Actually running the command on my computer gives me this information:
[code] $ pwsafe -up test
Going to copy login and password to X selection
WARNING: pwsafe unable to use secure ram (need to be setuid root)
Enter passphrase for /home/ewiget/.pwsafe.dat:
You are ready to paste the username for test from PRIMARY and CLIPBOARD
Press any key when done
Sending username for test to klipper@urfuct via PRIMARY
You are ready to paste the password for test from PRIMARY and CLIPBOARD
Press any key when done
[/code]
The command above basically sends the username and password from our entry to the clipboard so we can paste them.
Still not what I am looking for, and probably not what you are looking for either. However, the --exportdb option will do exactly what we want, which is to export the username and password in plain text so we can copy and paste them.
The option to actually display the information we need is this:
[code] pwsafe --exportdb [/code]
The above command is not very secure if you have someone shoulder surfing. I will run the command and show you the output and then show you an easier way that is only slightly more secure.
[code] $ pwsafe --exportdb
WARNING: pwsafe unable to use secure ram (need to be setuid root)
Enter passphrase for /home/ewiget/.pwsafe.dat:
# passwordsafe version 2.0 database
uuid group name login passwd notes
"ffffe8ad-30b3-cd79-802c-3dbfda29a68a" "" "test" "user" "gh8jpgvwvl>zS1k?-MT3rvu=#svU=-JdvQRg" "test password"
"22b1978c-8984-7247-036e-f70dd485eed0" "" "test2" "username2" "1C870^&v" "test2 with username username2 and password is 1C870^&v"
[/code]
Basically the stored information follows a tabbed format like this:
uuid group name login passwd notes
To keep from exposing your entire password list on your screen, where someone shoulder surfing could read your passwords, we can grep for just the information we need. In the following example, I used grep to search for just a single known username. The reason I chose this method: if I notice someone shoulder surfing, I now only have to worry about changing the one password I know they have seen, versus changing all the passwords that were displayed on the screen without even knowing for sure which ones they may have seen or remembered.
The command I use to pull out one single group of information is this (I used the test2 entry as the grep pattern):
[code] $ pwsafe --exportdb | grep test2
WARNING: pwsafe unable to use secure ram (need to be setuid root)
Enter passphrase for /home/ewiget/.pwsafe.dat:
"22b1978c-8984-7247-036e-f70dd485eed0" "" "test2" "username2" "1C870^&v" "test2 with username username2 and password is 1C870^&v"
[/code]
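The grep approach works on the whole export line, so a pattern like test also matches test2, and any entry whose notes or password happen to contain the pattern. As an added example (not code from the article or from the pwsafe project), here is a small Python parser for the export layout shown above that returns one field of one entry by exact name, next to a function that reproduces what grep would have matched. The sample export is constructed from the article's two entries, and backslash escaping of quotes inside a field is an assumption about the format.

```python
import re

# Column order printed by `pwsafe --exportdb` (from the article's header line).
COLUMNS = ("uuid", "group", "name", "login", "passwd", "notes")

# Constructed sample mirroring the article's export: a comment line, a header
# line, then one tab-separated line per entry with every field double-quoted.
SAMPLE_EXPORT = (
    "# passwordsafe version 2.0 database\n"
    "uuid\tgroup\tname\tlogin\tpasswd\tnotes\n"
    '"ffffe8ad-30b3-cd79-802c-3dbfda29a68a"\t""\t"test"\t"user"\t'
    '"gh8jpgvwvl>zS1k?-MT3rvu=#svU=-JdvQRg"\t"test password"\n'
    '"22b1978c-8984-7247-036e-f70dd485eed0"\t""\t"test2"\t"username2"\t'
    '"1C870^&v"\t"test2 with username username2 and password is 1C870^&v"\n'
)

# One double-quoted field.  Backslash-escaped quotes/backslashes inside a
# field are an assumption about the format, not something the article shows.
FIELD_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

def data_lines(text):
    """Export lines that carry an entry (skip blanks, '#' comments, header)."""
    return [l for l in text.splitlines() if l and not l.startswith(("#", "uuid\t"))]

def split_fields(line):
    """Return the six fields of one export line with escapes removed."""
    fields = [re.sub(r"\\(.)", r"\1", raw) for raw in FIELD_RE.findall(line)]
    if len(fields) != len(COLUMNS):
        raise ValueError("expected %d fields, got %d" % (len(COLUMNS), len(fields)))
    return fields

def parse_export(text):
    """Turn the export text into a list of {column: value} dicts."""
    return [dict(zip(COLUMNS, split_fields(l))) for l in data_lines(text)]

def grep_like(text, needle):
    """Names of the entries `pwsafe --exportdb | grep NEEDLE` would print:
    a substring match anywhere on the line, notes and passwords included."""
    return [split_fields(l)[2] for l in data_lines(text) if needle in l]

def lookup(text, name, field="passwd"):
    """Return only *field* of the single entry whose name column equals *name*.
    Exact matching keeps every other entry (and the rest of this one) off the screen."""
    hits = [e for e in parse_export(text) if e["name"] == name]
    if len(hits) != 1:
        raise LookupError("%d entries named %r" % (len(hits), name))
    return hits[0][field]
```

Feeding real output to it (for example via `pwsafe --exportdb | python3 script.py`) still decrypts the whole database into memory, so it is a narrower display, not a safer export.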
SUMMARY
pwsafe has not had a new release in more than 3 years. However, it is still a great little shell application for managing passwords. The requirements of pwsafe are minimal, it is very fast, and it makes a pretty good choice for password management, provided you do not plan to use --exportdb. pwsafe is also compatible with older versions of the Windows PasswordSafe application (it must be a pre-version 3 release for compatibility).
Note: Ed Wiget, http://www.edwiget.name, has been a linux/unix system admin since 1995. He has many certifications. He is currently working on a degree in computer engineering, with an emphasis on computer/network security and forensics.