PHPasswordPusher is a PHP port of the PasswordPusher project, which provides a more secure method for sharing sensitive information (like passwords) with others. It operates on the principle that using a soon-to-be-expiring link to retrieve sensitive information is better than having the sensitive information persist in email, chat, etc.
Note: PHPasswordPusher is appropriate for constrained deployment environments that require an older version of PHP (>= 5.3). For modern environments capable of PHP >= 5.5.9, Agrippa is recommended for this purpose instead. Both versions are being actively maintained as of September 2015.
A user will enter the sensitive information (password, etc.) into the link form, set a view and time limit, and receive a link. That link is communicated to the intended recipient, who then can retrieve the sensitive information until the view or time limits are breached.
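The view and time limits described above can be enforced as in the following added example, which is not PHPasswordPusher's own code. The `secrets` table, `push_secret()` and `pull_secret()` are hypothetical names, the pdo_sqlite extension is assumed, and encryption of the stored value is left out to keep the focus on the limits.

```php
<?php
// Added example, not PHPasswordPusher's code: table and function names are hypothetical.
// The secret is stored unencrypted here only to keep the focus on limit enforcement.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE secrets (id TEXT PRIMARY KEY, body TEXT, views_left INTEGER, expires_at INTEGER)');

// Store a secret and return the unguessable token that goes into the link.
function push_secret(PDO $db, $body, $maxViews, $ttlSeconds, $now) {
    $id = bin2hex(openssl_random_pseudo_bytes(16)); // 128-bit random token
    $stmt = $db->prepare('INSERT INTO secrets VALUES (?, ?, ?, ?)');
    $stmt->execute(array($id, $body, $maxViews, $now + $ttlSeconds));
    return $id;
}

// Return the secret, or null once either limit has been reached.
function pull_secret(PDO $db, $id, $now) {
    $db->beginTransaction();
    // Consume one view only if the link is still valid. Checking and decrementing in
    // a single statement stops two simultaneous requests from both using the last view.
    $take = $db->prepare('UPDATE secrets SET views_left = views_left - 1
                          WHERE id = ? AND views_left > 0 AND expires_at > ?');
    $take->execute(array($id, $now));
    $body = null;
    if ($take->rowCount() === 1) {
        $read = $db->prepare('SELECT body FROM secrets WHERE id = ?');
        $read->execute(array($id));
        $body = $read->fetchColumn();
    }
    // Purge anything exhausted or expired so the secret does not outlive its link.
    $purge = $db->prepare('DELETE FROM secrets WHERE views_left <= 0 OR expires_at <= ?');
    $purge->execute(array($now));
    $db->commit();
    return $body;
}

// Constructed sample data: fixed timestamps, a two-view link and a one-hour lifetime.
$t0 = 1000000;
$a = push_secret($db, 'example-secret', 2, 3600, $t0);
var_dump(pull_secret($db, $a, $t0 + 10));   // first view
var_dump(pull_secret($db, $a, $t0 + 20));   // second and last permitted view
var_dump(pull_secret($db, $a, $t0 + 30));   // requested after the view limit
$b = push_secret($db, 'example-secret', 5, 3600, $t0);
var_dump(pull_secret($db, $b, $t0 + 3600)); // requested at the time limit
```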
A demo is available at https://vaindil.pw/pwpushdemo.
- Secure Password/Credential Sharing and Storage
- Emailing Features
- Language Translation
- Deletion Link
- CAS (via phpCAS) and Apache Authentication Support
PHPasswordPusher has so far been tested with the following environment:
- Linux (RHEL 5 and CentOS 5, though other distributions should work.)
- MySQL 5.1.6+
- PHP 5.3+
- Central Authentication Service (CAS) 3.5.1 (optional)
1. Set up the environment. You will need to install these packages: mysql-server, httpd (apache2), php, php-mcrypt, php-mysql, and php-xml.
2. Change configuration options in ./pwpusher_private/config.php
3. Change configuration options in ./install.php. Remember to remove the credentials in this file when you're done with step 4!
4. From the command-line interface, run
5. Copy the pwpusher_private and pwpusher_public directories to the same NON-PUBLIC directory of your choice (for instance, /var/www, but not inside public_html).
6. Configure Apache (customize the sample below as noted). If you care about security enough to use this project, you should definitely be using HTTPS and redirecting users' requests from non-secure ports (for instance 80, in the default configuration) to whatever port is HTTPS-enabled (typically 443). The Apache documentation will help here: http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html
7. Enable the mcrypt extension, either with sudo php5enmod mcrypt (Ubuntu) or by editing your PHP configuration to include extension=mcrypt.so (CentOS). Be sure to reload Apache.
8. Test your installation by navigating to http(s)://yourwebserver/youralias
9. Celebrate victory.
Apache Config Example
```apache
##### PHPasswordPusher #####
### Change "/youralias" and "/your/installation/dir/" to fit your installation:
Alias /youralias /your/installation/dir/pwpusher_public

### Change "/your/installation/dir/" to fit your installation:
<Directory /your/installation/dir/pwpusher_public>
    #If you use the email functionality, you should definitely enable authentication of some sort.
    #PHPassword Pusher supports both Apache auth (below) and CAS authentication (see config.ini for details)
    #AuthName "Your login message."
    #AuthType Basic
    #AuthUserFile /your/.htpasswd
    #require valid-user
    AllowOverride None
    # Include the below when using Apache 2.4+:
    # Require all granted
    Order allow,deny
    Allow from all
    DirectoryIndex pw.php
</Directory>

### Change "/your/installation/dir/" to fit your installation:
<Directory /your/installation/dir/pwpusher_private>
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
```
Fork and create changes against the develop branch, then create a pull request. Thank you!