p-sherratt / sagecipher
Uses SSH agent to encrypt/decrypt arbitrary data
License: Other
Python 3.6.9
keyring Version: 22.0.1
sagecipher, version 0.7.5
keyring set ansible-vault ${USER} < <(echo "super")
Please select from the following keys...
[1] ssh-rsa ...
[2] ssh-rsa ...
Selection (1..2): Traceback (most recent call last):
File "/home/ubuntu/.local/bin/keyring", line 8, in <module>
sys.exit(main())
File "/home/ubuntu/.local/lib/python3.6/site-packages/keyring/cli.py", line 135, in main
return cli.run(argv)
File "/home/ubuntu/.local/lib/python3.6/site-packages/keyring/cli.py", line 68, in run
return method()
File "/home/ubuntu/.local/lib/python3.6/site-packages/keyring/cli.py", line 85, in do_set
set_password(self.service, self.username, password)
File "/home/ubuntu/.local/lib/python3.6/site-packages/keyring/core.py", line 60, in set_password
get_keyring().set_password(service_name, username, password)
File "/home/ubuntu/.local/lib/python3.6/site-packages/keyring/backends/chainer.py", line 58, in set_password
return keyring.set_password(service, username, password)
File "/home/ubuntu/.local/lib/python3.6/site-packages/keyrings/alt/file_base.py", line 123, in set_password
password_encrypted = self.encrypt(password.encode('utf-8'), assoc)
File "/home/ubuntu/.local/lib/python3.6/site-packages/sagecipher/keyring.py", line 33, in encrypt
fingerprint = self.ssh_key_fingerprint
File "/home/ubuntu/.local/lib/python3.6/site-packages/sagecipher/keyring.py", line 24, in ssh_key_fingerprint
return prompt_for_key()
File "/home/ubuntu/.local/lib/python3.6/site-packages/sagecipher/cipher.py", line 125, in prompt_for_key
i = int(input("Selection (1..%s): " % len(keys)))
EOFError: EOF when reading a line
Looking at keyring.py and debugging at line 22, we see the following:
(Pdb++) pprint(getmembers(self))
[('__abstractmethods__', frozenset()),
('__class__', <class 'sagecipher.keyring.Keyring'>),
('__delattr__',
<method-wrapper '__delattr__' of Keyring object at 0x7fe1163a67b8>),
('__dict__', {}),
('__dir__', <built-in method __dir__ of Keyring object at 0x7fe1163a67b8>),
('__doc__', None),
('__eq__', <method-wrapper '__eq__' of Keyring object at 0x7fe1163a67b8>),
('__format__',
<built-in method __format__ of Keyring object at 0x7fe1163a67b8>),
('__ge__', <method-wrapper '__ge__' of Keyring object at 0x7fe1163a67b8>),
('__getattribute__',
<method-wrapper '__getattribute__' of Keyring object at 0x7fe1163a67b8>),
('__gt__', <method-wrapper '__gt__' of Keyring object at 0x7fe1163a67b8>),
('__hash__', <method-wrapper '__hash__' of Keyring object at 0x7fe1163a67b8>),
('__init__', <method-wrapper '__init__' of Keyring object at 0x7fe1163a67b8>),
('__init_subclass__',
<built-in method __init_subclass__ of KeyringBackendMeta object at 0x25ade38>),
('__le__', <method-wrapper '__le__' of Keyring object at 0x7fe1163a67b8>),
('__lt__', <method-wrapper '__lt__' of Keyring object at 0x7fe1163a67b8>),
('__module__', 'sagecipher.keyring'),
('__ne__', <method-wrapper '__ne__' of Keyring object at 0x7fe1163a67b8>),
('__new__', <built-in method __new__ of type object at 0x9d17a0>),
('__reduce__',
<built-in method __reduce__ of Keyring object at 0x7fe1163a67b8>),
('__reduce_ex__',
<built-in method __reduce_ex__ of Keyring object at 0x7fe1163a67b8>),
('__repr__',
<bound method FileBacked.__repr__ of <Keyring with [PBKDF2] AES256.CBC (sagecipher) v.1.0 at /home/ubuntu/.local/share/python_keyring/sagecipher_pass.cfg>>),
('__setattr__',
<bound method Keyring.__setattr__ of <Keyring with [PBKDF2] AES256.CBC (sagecipher) v.1.0 at /home/ubuntu/.local/share/python_keyring/sagecipher_pass.cfg>>),
('__sizeof__',
<built-in method __sizeof__ of Keyring object at 0x7fe1163a67b8>),
('__str__',
<bound method KeyringBackend.__str__ of <Keyring with [PBKDF2] AES256.CBC (sagecipher) v.1.0 at /home/ubuntu/.local/share/python_keyring/sagecipher_pass.cfg>>),
('__subclasshook__',
<built-in method __subclasshook__ of KeyringBackendMeta object at 0x25ade38>),
('__weakref__', None),
('_abc_cache', <_weakrefset.WeakSet object at 0x7fe1163a6518>),
('_abc_negative_cache', <_weakrefset.WeakSet object at 0x7fe1163a6588>),
('_abc_negative_cache_version', 203),
('_abc_registry', <_weakrefset.WeakSet object at 0x7fe1163a64e0>),
('_classes',
{<class 'keyring.backends.fail.Keyring'>,
<class 'keyrings.alt.Gnome.Keyring'>,
<class 'keyrings.alt.Google.KeyczarDocsKeyring'>,
<class 'keyrings.alt.Google.DocsKeyring'>,
<class 'keyrings.alt.Windows.RegistryKeyring'>,
<class 'keyrings.alt.Windows.EncryptedKeyring'>,
<class 'keyrings.alt.file.PlaintextKeyring'>,
<class 'keyrings.alt.file.EncryptedKeyring'>,
<class 'keyrings.alt.multi.MultipartKeyringWrapper'>,
<class 'keyrings.alt.pyfs.BasicKeyring'>,
<class 'keyrings.alt.pyfs.PlaintextKeyring'>,
<class 'keyrings.alt.pyfs.EncryptedKeyring'>,
<class 'keyrings.alt.pyfs.KeyczarKeyring'>,
<class 'keyring.backends.kwallet.DBusKeyring'>,
<class 'keyring.backends.kwallet.DBusKeyringKWallet4'>,
<class 'keyring.backends.SecretService.Keyring'>,
<class 'keyring.backends.Windows.WinVaultKeyring'>,
<class 'keyring.backends.chainer.ChainerBackend'>,
<class 'keyring.backends.macOS.Keyring'>,
<class 'sagecipher.keyring.Keyring'>}),
('_ensure_file_path',
<bound method Keyring._ensure_file_path of <Keyring with [PBKDF2] AES256.CBC (sagecipher) v.1.0 at /home/ubuntu/.local/share/python_keyring/sagecipher_pass.cfg>>),
('_generate_assoc',
<bound method Keyring._generate_assoc of <Keyring with [PBKDF2] AES256.CBC (sagecipher) v.1.0 at /home/ubuntu/.local/share/python_keyring/sagecipher_pass.cfg>>),
('_write_config_value',
<bound method Keyring._write_config_value of <Keyring with [PBKDF2] AES256.CBC (sagecipher) v.1.0 at /home/ubuntu/.local/share/python_keyring/sagecipher_pass.cfg>>),
('decrypt',
<bound method Keyring.decrypt of <Keyring with [PBKDF2] AES256.CBC (sagecipher) v.1.0 at /home/ubuntu/.local/share/python_keyring/sagecipher_pass.cfg>>),
('delete_password',
<bound method Keyring.delete_password of <Keyring with [PBKDF2] AES256.CBC (sagecipher) v.1.0 at /home/ubuntu/.local/share/python_keyring/sagecipher_pass.cfg>>),
('encrypt',
<bound method Keyring.encrypt of <Keyring with [PBKDF2] AES256.CBC (sagecipher) v.1.0 at /home/ubuntu/.local/share/python_keyring/sagecipher_pass.cfg>>),
('file_path', '/home/ubuntu/.local/share/python_keyring/sagecipher_pass.cfg'),
('file_version', None),
('filename', 'sagecipher_pass.cfg'),
('get_credential',
<bound method KeyringBackend.get_credential of <Keyring with [PBKDF2] AES256.CBC (sagecipher) v.1.0 at /home/ubuntu/.local/share/python_keyring/sagecipher_pass.cfg>>),
('get_password',
<bound method Keyring.get_password of <Keyring with [PBKDF2] AES256.CBC (sagecipher) v.1.0 at /home/ubuntu/.local/share/python_keyring/sagecipher_pass.cfg>>),
('get_viable_backends',
<bound method KeyringBackend.get_viable_backends of <class 'sagecipher.keyring.Keyring'>>),
('name', 'keyring Keyring'),
('priority', 1),
('scheme', '[PBKDF2] AES256.CBC (sagecipher)'),
('set_password',
<bound method Keyring.set_password of <Keyring with [PBKDF2] AES256.CBC (sagecipher) v.1.0 at /home/ubuntu/.local/share/python_keyring/sagecipher_pass.cfg>>),
('set_properties_from_env',
<bound method KeyringBackend.set_properties_from_env of <Keyring with [PBKDF2] AES256.CBC (sagecipher) v.1.0 at /home/ubuntu/.local/share/python_keyring/sagecipher_pass.cfg>>),
('version', '1.0'),
('viable', True)]
Inserting the statement self.set_properties_from_env() on line 22 fixes this issue. We then see the following:
(Pdb++) pprint(getmembers(self))
...
('ssh_key_fingerprint', '...'),
...]
It seems set_properties_from_env was added in keyring 19.3.0 -- https://pypi.org/project/keyring/19.3.0/
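The failure above is two things at once: the fingerprint was only ever read from the environment after set_properties_from_env() ran, and when it was missing the backend fell back to an interactive prompt while stdin was busy carrying the secret, so input() hit EOF. The following is an added illustration (not sagecipher's or keyring's own code) of the pattern a backend should use: consult KEYRING_PROPERTY_* first, and refuse to prompt when stdin is not a terminal. The KEYRING_PROPERTY_ prefix and the lower-casing of names are taken from the keyring API as I understand it and are stated here as an assumption; `prompt` is a hypothetical callable standing in for prompt_for_key().

```python
import os
import sys

# Prefix that keyring's set_properties_from_env() scans the environment for
# (assumed here from the keyring API; the issue above only names the method).
ENV_PREFIX = "KEYRING_PROPERTY_"


class NonInteractiveError(RuntimeError):
    """Raised instead of letting input() hit EOF on a non-tty stdin."""


def properties_from_env(environ) -> dict:
    """Collect KEYRING_PROPERTY_* variables as {lower-cased name: value},
    mirroring what set_properties_from_env() sets as backend attributes."""
    return {
        name[len(ENV_PREFIX):].lower(): value
        for name, value in environ.items()
        if name.startswith(ENV_PREFIX)
    }


def resolve_fingerprint(environ, stdin_isatty: bool, prompt) -> str:
    """Pick the SSH key fingerprint: environment first, interactive prompt
    only when stdin is actually a terminal.  `prompt` is a hypothetical
    callable standing in for sagecipher's prompt_for_key()."""
    props = properties_from_env(environ)
    fingerprint = props.get("ssh_key_fingerprint")
    if fingerprint:
        return fingerprint
    if not stdin_isatty:
        raise NonInteractiveError(
            "KEYRING_PROPERTY_SSH_KEY_FINGERPRINT is unset and stdin is not a "
            "terminal (it is probably carrying the secret); refusing to prompt"
        )
    return prompt()


if __name__ == "__main__":
    try:
        print(resolve_fingerprint(os.environ, sys.stdin.isatty(),
                                  lambda: input("Fingerprint: ")))
    except NonInteractiveError as exc:
        sys.exit(f"error: {exc}")
```

Run with KEYRING_PROPERTY_SSH_KEY_FINGERPRINT set and the value comes straight back; run it as the last stage of a pipe without that variable and it exits with a clear message rather than a traceback ending in EOFError.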
Need an env switch to control the output keyring data path to a custom location.
decrypt_to_file cannot write to a normal file on Python 3; "wb" mode should fix this.
pyinotify is not available on macOS. When writing to a FIFO, we could avoid depending on pyinotify and invoke write_to_fifo directly.
The ssh-agent confirm feature could reduce the attack surface a little when the ssh-agent has to be forwarded. For a one-time password and a dedicated ssh-agent forwarded via a Unix domain socket file (not the -A option), if we can confirm on signing, and a special ssh-askpass helper can delete the private key after a single successful signature, it should be considered as a way of transferring the confidential data via ssh with very little attack surface.
If the .ssh directory is deleted and re-generated, accessing keys generates the following error:
sagecipher keyring.errors.KeyringLocked: Failed to unlock the collection!
It would seem the encrypted keys are stored somewhere on the filesystem - where does sagecipher store these so the application can choose to erase them and start over?
The tip "Reading from STDIN..." is written to stdout, which causes the stdout result to be undecryptable. When the tip is written to stderr, the pipeline result can be decrypted:
echo secret | sagecipher encrypt | sagecipher decrypt
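To make the failure concrete, here is an added simulation of that pipeline (my own example, not sagecipher's code): a tool that reads stdin, writes ciphertext to stdout and prints a notice, once with the notice on stdout and once on stderr. The SHA-256 counter keystream is a deliberately toy stand-in for sagecipher's real cipher; the point being shown is stream separation, so any cipher would do. The notice text is constructed from the issue.

```python
import hashlib
import io
import sys

# Notice text the issue refers to; constructed here as a byte string.
PROMPT = b"Reading from STDIN...\n"


def keystream(key: bytes, length: int) -> bytes:
    """Toy SHA-256 counter keystream. A stand-in for sagecipher's real
    cipher: the example is about stream separation, not the cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same XOR against the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def cipher_cmd(stdin, stdout, stderr, key: bytes, notice_to_stderr: bool) -> None:
    """One 'encrypt' or 'decrypt' invocation.  With notice_to_stderr=False
    the human-readable notice lands in the data stream: the bug above."""
    notice_stream = stderr if notice_to_stderr else stdout
    notice_stream.write(PROMPT)
    stdout.write(xor_cipher(key, stdin.read()))


def run_pipeline(secret: bytes, key: bytes, notice_to_stderr: bool) -> bytes:
    """Simulate `echo secret | encrypt | decrypt` with stderr captured
    separately, and return what the final stdout contains."""
    stderr = io.BytesIO()
    enc_out = io.BytesIO()
    cipher_cmd(io.BytesIO(secret), enc_out, stderr, key, notice_to_stderr)
    dec_out = io.BytesIO()
    # The decrypt stage sees everything the encrypt stage put on stdout.
    cipher_cmd(io.BytesIO(enc_out.getvalue()), dec_out, stderr, key, notice_to_stderr)
    return dec_out.getvalue()


if __name__ == "__main__":
    key = b"constructed-demo-key"
    good = run_pipeline(b"secret\n", key, notice_to_stderr=True)
    bad = run_pipeline(b"secret\n", key, notice_to_stderr=False)
    sys.stdout.write(f"notice on stderr -> {good!r}\n")
    sys.stdout.write(f"notice on stdout -> {bad!r}\n")
```

With the notice on stderr the round trip returns the original secret. With the notice on stdout the decrypt stage receives the notice bytes prepended to the ciphertext, so the keystream is misaligned and the output is the notice followed by garbage; the same thing happens with a real cipher, where the stray bytes either corrupt the header or fail authentication.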