alpine: suppress master password #2023

Closed
rrthomas opened this issue Jan 11, 2018 · 9 comments

@rrthomas rrthomas commented Jan 11, 2018

I built the latest alpine package (for some reason, the version in the APT repo is out of date; I can't find any documentation about when the repo is updated…?), and it now supports storing passwords, which is good.

Unfortunately, the latest version of alpine (2.21) introduces a mandatory "master password" for the password file, and there is no explicitly documented way to avoid this. (I am assuming that Termux users will want to avoid it, since typing passwords on phones is fiddly.)

Fortunately, it's quite simple: the master password file consists of a self-signed X509 certificate, so it's merely necessary to generate one without a password. This can be achieved with, for example, the following incantation:

openssl req -x509 -newkey rsa:4096 -keyout MasterPassword.key -out MasterPassword.crt -days 10000 -nodes

(The -nodes argument is what prevents a password being required by OpenSSL; alpine then happily uses this key without prompting for a password.)

It would be nice if the alpine package worked like this by default, but I'm not sure how this is done. Presumably even Termux packages don't install files in the home directory? Also, there's a question over whether the passwordless key/certificate pair should be generated at package build time, or, for a bit more security, at package installation time (so that merely losing one's .pine-passfile doesn't enable it to be decrypted by anyone with the same alpine package).

I'm a total Termux newbie (I came to it to see if I could put alpine on my phone!) hence I'm not proposing a full solution here, and would appreciate guidance.

@its-pointless its-pointless commented Jan 11, 2018

I will make a pull request in a few hours that should do it. If you want to do it yourself it requires cloning this repo and editing alpine's build.sh and making a pull request.
It is scriptable to make the master password at install time on the phone, but it requires making a preinst script during the package's creation. There are a few examples in the packages directory.

@its-pointless its-pointless commented Jan 11, 2018

Rather, a postinst script would be the proper choice...

@rrthomas rrthomas commented Jan 11, 2018

Thanks very much. I understand a bit about deb packaging (I'm a Debian maintainer), but I didn't know whether it was allowed to touch the user's home directory during package installation: on Debian I suspect it's not (at least, without a prompt), but on (single-user) Termux perhaps this is OK?

@its-pointless its-pointless commented Jan 11, 2018

Single user means changing stuff is very unlikely to break, since the home directory is known and static on every install. So it's a policy decision that makes sense on multi-user ... but can be reasonably ignored here.

@its-pointless its-pointless commented Jan 11, 2018

But yeah, you probably want to make sure the script doesn't overwrite anything on install.

@its-pointless its-pointless commented Jan 12, 2018

Still demands I create a password?
I'm probably doing something obviously wrong.

@rrthomas rrthomas commented Jan 12, 2018

Probably easiest if you can show me code or tell me exactly what you're doing.

@its-pointless its-pointless commented Jan 13, 2018

Pull request #2029
It's working ... but I guess you would understand how to improve it better than I would.

@fornwall fornwall commented Feb 9, 2018

Fixed by #2029 - nice work!

@fornwall fornwall closed this Feb 9, 2018
@termux termux locked as resolved and limited conversation to collaborators Feb 18, 2019
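
The install-time approach discussed in this thread (generate the passwordless pair on the device, never overwrite an existing one), sketched as an added example; this is not the code from pull request #2029. The function name, return codes and certificate subject are hypothetical, and the target directory is a parameter because the thread does not say where alpine looks for the files.

```shell
#!/bin/sh
# Added example: postinst-style helper, not the project's own script.
# gen_master_pair DIR [BITS]
#   returns 0 = pair created, 1 = error, 2 = files already present, untouched
gen_master_pair() {
    dir=$1
    bits=${2:-4096}                 # rsa:4096 as in the command quoted above
    key=$dir/MasterPassword.key
    crt=$dir/MasterPassword.crt

    [ -n "$dir" ] || return 1
    # Never clobber existing material: a password file encrypted to the
    # old pair could no longer be decrypted with a freshly generated one.
    if [ -e "$key" ] || [ -e "$crt" ]; then
        return 2
    fi

    (
        # -nodes stores the key without a passphrase, so file permissions
        # are its only protection: create everything owner-only.
        umask 077
        mkdir -p "$dir" || exit 1
        tmp=$(mktemp -d "$dir/.gen.XXXXXX") || exit 1
        trap 'rm -rf "$tmp"' EXIT
        # -subj answers the subject prompts that a non-interactive
        # install script cannot; the CN value is a constructed sample.
        openssl req -x509 -newkey "rsa:$bits" -nodes -days 10000 \
            -subj "/CN=alpine master password (example)" \
            -keyout "$tmp/key" -out "$tmp/crt" >/dev/null 2>&1 || exit 1
        chmod 600 "$tmp/key" "$tmp/crt" || exit 1
        # Move into place only once both files exist, so a failed run
        # leaves no half-written pair behind.
        mv "$tmp/key" "$key" && mv "$tmp/crt" "$crt"
    )
}
```

Because the pair is generated per device rather than shipped in the package, a copied .pine-passfile is not decryptable with a key that every installation shares; anyone who can read the key file can still decrypt it.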