alpine: suppress master password #2023

Closed
rrthomas opened this Issue Jan 11, 2018 · 9 comments

rrthomas commented Jan 11, 2018

I built the latest alpine package (for some reason, the version in the APT repo is out of date; I can't find any documentation about when the repo is updated…?), and it now supports storing passwords, which is good.

Unfortunately, the latest version of alpine (2.21) introduces a mandatory "master password" for the password file, and there is no explicitly documented way to avoid this. (I am assuming that Termux users will want to avoid it, since typing passwords on phones is fiddly.)

Fortunately, it's quite simple: the master password file consists of a self-signed X509 certificate, so it's merely necessary to generate one without a password. This can be achieved with, for example, the following incantation:

```
openssl req -x509 -newkey rsa:4096 -keyout MasterPassword.key -out MasterPassword.crt -days 10000 -nodes
```

(The -nodes argument is what prevents a password being required by OpenSSL; alpine then happily uses this key without prompting for a password.)

It would be nice if the alpine package worked like this by default, but I'm not sure how this is done. Presumably even Termux packages don't install files in the home directory? Also, there's a question over whether the passwordless key/certificate pair should be generated at package build time, or, for a bit more security, at package installation time (so that merely losing one's .pine-passfile doesn't enable it to be decrypted by anyone with the same alpine package).

I'm a total Termux newbie (I came to it to see if I could put alpine on my phone!) hence I'm not proposing a full solution here, and would appreciate guidance.

Contributor

its-pointless commented Jan 11, 2018

I will make a pull request in a few hours that should do it. If you want to do it yourself it requires cloning this repo and editing alpine's build.sh and making a pull request.
It is scriptable to make masterpassword at install time on the phone but it requires making a preinst script during the package's creation. There are a few examples in the packages directory.

its-pointless commented Jan 11, 2018

Rather, a postinst script would be the proper choice...

rrthomas commented Jan 11, 2018

Thanks very much. I understand a bit about deb packaging (I'm a Debian maintainer), but I didn't know whether it was allowed to touch the user's home directory during package installation: on Debian I suspect it's not (at least, without a prompt), but on (single-user) Termux perhaps this is OK?

its-pointless commented Jan 11, 2018

Single user means changing stuff is very unlikely to break since the home directory is known and static on every install. So it's a policy decision that makes sense on multi-user ... but can be reasonably ignored here.

its-pointless commented Jan 11, 2018

But yeah, you probably want to make sure the script doesn't overwrite anything on install.
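
An added example, not part of the thread and not the code from pull request #2029: a shell sketch of the install-time approach discussed above, generating the passwordless pair once per device, refusing to overwrite an existing pair, and checking the result. The function names, the `-subj` value and the target directory argument are assumptions (the thread does not say where alpine looks for these files); because the key is unencrypted, file permissions are its only protection, so the sketch forces owner-only modes.

```shell
#!/bin/sh
# Hypothetical helpers for a postinst-style script (names are assumptions).

# gen_master_cert DIR [BITS]: create MasterPassword.key/.crt in DIR unless present.
# Returns 0 if a pair exists afterwards, 2 if only one half was found.
gen_master_cert() {
    dir=$1; bits=${2:-4096}
    key="$dir/MasterPassword.key"; crt="$dir/MasterPassword.crt"
    # Never overwrite: an existing pair may be protecting a password file.
    if [ -e "$key" ] && [ -e "$crt" ]; then return 0; fi
    if [ -e "$key" ] || [ -e "$crt" ]; then
        echo "incomplete key/cert pair in $dir, leaving it alone" >&2
        return 2
    fi
    (
        umask 077                      # new files and dirs are owner-only
        mkdir -p "$dir" || exit 1
        tmp=$(mktemp -d "$dir/.gen.XXXXXX") || exit 1
        # -subj (constructed value) avoids the interactive prompts;
        # -nodes leaves the private key unencrypted, as in the thread.
        if openssl req -x509 -newkey "rsa:$bits" -nodes -days 10000 \
               -subj "/CN=alpine password file" \
               -keyout "$tmp/key" -out "$tmp/crt" 2>/dev/null; then
            # Move into place only after both files were written.
            mv "$tmp/key" "$key" && mv "$tmp/crt" "$crt"; rc=$?
        else
            rc=1
        fi
        rm -rf "$tmp"
        exit "$rc"
    )
}

# check_master_cert DIR: succeed only if the key is mode 600, loads without
# a passphrase, and matches the public key in the certificate.
check_master_cert() {
    key="$1/MasterPassword.key"; crt="$1/MasterPassword.crt"
    [ -n "$(find "$key" -perm 600 2>/dev/null)" ] || return 1
    kpub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    [ "$kpub" = "$cpub" ]
}
```

Generating the pair on the device rather than at build time means each install gets its own key, which is the trade-off raised in the first post.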

its-pointless commented Jan 12, 2018

Still demands I create a password?
I'm probably doing something obviously wrong.

rrthomas commented Jan 12, 2018

Probably easiest if you can show me code or tell me exactly what you're doing.

its-pointless commented Jan 13, 2018

Pull request #2029
It's working ... but I guess you would understand how to improve it better than I would.

Contributor

fornwall commented Feb 9, 2018

Fixed by #2029 - nice work!

fornwall closed this Feb 9, 2018