alpine: suppress master password #2023
Comments
|
i will make a pull request in a few hours that should do it. If you want to do it yourself it requires cloning this repo and editing alpine's build.sh and making pull request. |
|
rather postinst script would be the proper choice... |
|
Thanks very much. I understand a bit about deb packaging (I'm a Debian maintainer), but I didn't know whether it was allowed to touch the user's home directory during package installation: on Debian I suspect it's not (at least, without a prompt), but on (single-user) Termux perhaps this is OK? |
|
single user means changing stuff is very unlikely to break since home directory is known and static on every install. So its a policy decision that makes sense on multi user ... but can be reasonably ignored here. |
|
but yeah you probably want to make sure script doesn't over write anything on install. |
|
still demands i create a password ? |
|
Probably easiest if you can show me code or tell me exactly what you're doing. |
|
Pull request #2029 |
|
Fixed by #2029 - nice work! |
I built the latest alpine package (for some reason, the version in the APT repo is out of date; I can't find any documentation about when the repo is updated…?), and it now supports storing passwords, which is good.
Unfortunately, the latest version of alpine (2.21) introduces a mandatory "master password" for the password file, and there is no explicitly documented way to avoid this. (I am assuming that Termux users will want to avoid it, since typing passwords on phones is fiddly.)
Fortunately, it's quite simple: the master password file consists of a self-signed X509 certificate, so it's merely necessary to generate one without a password. This can be achieved with, for example, the following incantation:
openssl req -x509 -newkey rsa:4096 -keyout MasterPassword.key -out MasterPassword.crt -days 10000 -nodes(The
-nodesargument is what prevents a password being required by OpenSSL; alpine then happily uses this key without prompting for a password.)It would be nice if the alpine package worked like this by default, but I'm not sure how this is done. Presumably even Termux packages don't install files in the home directory? Also, there's a question over whether the passwordless key/certificate pair should be generated at package build time, or, for a bit more security, at package installation time (so that merely losing one's
.pine-passfiledoesn't enable it to be decrypted by anyone with the same alpine package).I'm a total Termux newbie (I came to it to see if I could put alpine on my phone!) hence I'm not proposing a full solution here, and would appreciate guidance.
The text was updated successfully, but these errors were encountered: