@ronys
Forked from sauravg/pwsafe-cli-enhancements.md
Last active April 7, 2020 10:37

Add more functionality to PasswordSafe CLI

  1. New Actions
  2. Multi-safe operations
  3. Other mechanisms for safe password input

1. New Actions

Create a new safe

pwsafe-cli newsafe.psafe3 --new 

newsafe.psafe3 must not exist.

Search for an entry

pwsafe-cli mysafe.psafe3 --search='Group=Banks,Title=Citibank'

Search is a read-only operation. It would print the Group, Title & User of matching entries on stdout, which are usually enough to distinguish each entry.

Add a new entry

pwsafe-cli newsafe.psafe3 --add title='NewEntry' user='newuser' password='secret'...

// Perhaps it would be better to have a uniform way of specifying parameters, e.g.,
// pwsafe-cli mysafe.psafe3 --add='Group:Forums,Title:AVSForum,email:me@newmail.com,password=secret'
// Password could be autogenerated if unspecified?
// Error if entry exists?

Delete an existing entry

pwsafe-cli newsafe.psafe3 --select='Group:Forums,title:AndroidForum' --delete [--yes]

Would prompt for confirmation if the input is a terminal, unless --yes is specified. If invoked by another process, --yes must be passed or else it would result in a no-op.

// Error if > 1 entries match

Update an existing entry

pwsafe-cli mysafe.psafe3 --select='Group:Forums,Title:AVSForum' --update=email:me@newmail.com

The entry must exist. This doesn't create a new entry.

Print some field(s) of an existing entry

pwsafe-cli mysafe.psafe3 --select='Group:Forums,Title:AVSForum' --print=password

It is an error if the entry is not found; pwsafe-cli would exit with an error code. However, it's not an error if the field is not set or is set to an empty value (in which case pwsafe-cli would print nothing).

More details on entry selection and actions below.

2. Multi-safe operations

Diff

pwsafe-cli mysafe.psafe3 --diff othersafe.psafe3 [-u|-c|-s] [--diffprog=<path>]

Show a unified (default), context or side-by-side diff, or just hand it over to an external program like vimdiff.

Sync

pwsafe-cli mysafe.psafe3 --sync [-n] othersafe.psafe3 [--confirm]

Update entries of mysafe.psafe3 with matching entries from othersafe.psafe3, wherever they differ. Entries in othersafe.psafe3 that don't exist in mysafe.psafe3 are ignored.

--confirm prompts before making each change with yes,no,no-to-all,yes-to-all,quit,abort options.

// --dryrun?
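The sync semantics above (overwrite differing fields of mysafe.psafe3 from the matching entry in othersafe.psafe3, ignore entries that exist only in othersafe.psafe3, -n for a dry run, and --confirm with its yes/no/no-to-all/yes-to-all/quit/abort answers) worked through as an added example. This is not pwsafe-cli code: entries are plain dicts keyed by the field names listed later in this proposal, an entry's identity is assumed to be (Group, Title, User), and the reading that "quit" keeps the changes already applied while "abort" discards all of them is an assumption.

```python
"""Sync one safe from another, with dry-run and per-change confirmation.

Added example, not pwsafe-cli's own code. Entry identity = (Group, Title, User)
is an assumption, as is quit-keeps/abort-discards for --confirm.
"""
import copy

FIELDS = ("Group", "Title", "User", "Password", "URL", "E-Mail", "Notes",
          "Autotype", "Run Command", "DCA", "Shift-DCA")
ANSWERS = ("yes", "no", "yes-to-all", "no-to-all", "quit", "abort")


def entry_key(entry):
    """Assumed identity of an entry: the three fields that usually distinguish it."""
    return tuple(entry.get(f, "") for f in ("Group", "Title", "User"))


def plan_sync(mine, other):
    """Return the (key, field, old, new) changes a sync would apply to `mine`.

    Entries of `other` with no counterpart in `mine` are ignored, as the
    proposal specifies; only fields that actually differ produce a change.
    """
    other_by_key = {entry_key(e): e for e in other}
    changes = []
    for entry in mine:
        counterpart = other_by_key.get(entry_key(entry))
        if counterpart is None:
            continue
        for field in FIELDS:
            old, new = entry.get(field, ""), counterpart.get(field, "")
            if old != new:
                changes.append((entry_key(entry), field, old, new))
    return changes


def sync(mine, other, dry_run=False, confirm=None):
    """Apply a sync to a copy of `mine`; returns (updated_safe, changes).

    dry_run (-n): nothing is modified and `changes` is the plan.
    confirm (--confirm): callable(key, field, old, new) -> one of ANSWERS;
    without it every change is applied. `mine` itself is never mutated.
    """
    planned = plan_sync(mine, other)
    if dry_run:
        return copy.deepcopy(mine), planned
    updated = copy.deepcopy(mine)
    by_key = {entry_key(e): e for e in updated}
    applied = []
    policy = None  # set once the user answers yes-to-all / no-to-all
    for change in planned:
        key, field, _old, new = change
        answer = policy or (confirm(*change) if confirm else "yes")
        if answer not in ANSWERS:
            raise ValueError(f"unexpected answer {answer!r}")
        if answer in ("yes-to-all", "no-to-all"):
            policy = answer
            answer = "yes" if answer == "yes-to-all" else "no"
        if answer == "quit":       # assumption: keep what was applied so far
            break
        if answer == "abort":      # assumption: discard everything
            return copy.deepcopy(mine), []
        if answer == "yes":
            by_key[key][field] = new
            applied.append(change)
    return updated, applied


def scripted(answers):
    """Stand-in for the interactive prompt: replays a fixed list of answers."""
    it = iter(answers)
    return lambda *change: next(it)


# Constructed sample safes.
MINE = [
    {"Group": "Forums", "Title": "AVSForum", "User": "me", "E-Mail": "me@oldmail.com", "Password": "pw1"},
    {"Group": "Banks", "Title": "Citibank", "User": "alice", "Password": "pw2"},
]
OTHER = [
    {"Group": "Forums", "Title": "AVSForum", "User": "me", "E-Mail": "me@newmail.com", "Password": "pw1"},
    {"Group": "Banks", "Title": "Citibank", "User": "alice", "Password": "pw2-rotated", "URL": "https://www.citibank.com"},
    {"Group": "Video", "Title": "Netflix", "User": "me", "Password": "pw3"},  # only in OTHER: ignored
]

if __name__ == "__main__":
    for key, field, old, new in plan_sync(MINE, OTHER):
        print(f"{key}: {field}: {old!r} -> {new!r}")
    safe, applied = sync(MINE, OTHER, confirm=scripted(["no", "yes-to-all"]))
    print(f"applied {len(applied)} of {len(plan_sync(MINE, OTHER))} changes")
```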

Merge

pwsafe-cli mysafe.psafe3 --merge [-n] othersafe.psafe3 --mine|--other|--confirm

(-n for dry-run, to print out the changes without modifying mysafe.psafe3)

--confirm prompts before making each change for which value to prefer (--mine=mysafe, --other=othersafe), along with all-mine,all-other,quit,abort options.

3. Other mechanisms for safe password input

From an environment variable

// I really don't think we should do this. It's a security hole waiting to be exploited...

export PASSWORDSAFE_PASSWORD=mysecret

pwsafe-cli mysafe.psafe3 --combination-env=PASSWORDSAFE_PASSWORD --select='Title:ebay' --view

This idea is from ipmitool, which works somewhat like that.

From a keyring (if possible, like on OSX)

The keyring manager should prompt the user to allow/disallow specific apps from accessing the password.

pwsafe-cli mysafe.psafe3 --combination-keyring --select='Group:Forums,Title:AVSForum' --print=notes

From a file descriptor

An application having access to a safe's combination might want to launch pwsafe-cli and pass the combination to it securely. Passing the safe combination as a command-line parameter has the security issue that the combination could be visible in the output of the ps command. Instead, the parent application could create an fd and fork pwsafe-cli such that it inherits the fd. The combination can then be securely written to and read from the fd by the parent application and pwsafe-cli respectively.

pwsafe-cli mysafe.psafe3 --combination-fd=5 --select='Title:SomeTitle' --autotype
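The inherited-fd handoff described above, as an added example that is not part of the proposal or of pwsafe-cli: the parent creates a pipe, spawns the child with only the read end inherited, writes the combination into the write end and closes it. The combination never appears in argv, so it is not visible to ps. Since pwsafe-cli does not yet have a --combination-fd option, the child here is a small Python stand-in that reads the combination from the fd named in that (hypothetical) flag and reports only its byte length on stdout.

```python
"""Deliver a safe combination to a child process over an inherited pipe fd.

Added example, not pwsafe-cli code. The child is a stand-in for pwsafe-cli.
"""
import os
import subprocess
import sys

# Stand-in for pwsafe-cli: find --combination-fd=<n> in argv, read the
# combination from that fd until EOF, never echo it, report only its length.
CHILD_PROGRAM = r"""
import os, sys
flag = [a for a in sys.argv[1:] if a.startswith("--combination-fd=")][0]
fd = int(flag.split("=", 1)[1])
chunks = []
while True:
    chunk = os.read(fd, 4096)
    if not chunk:          # EOF: parent closed the write end
        break
    chunks.append(chunk)
os.close(fd)
combination = b"".join(chunks).rstrip(b"\n")
sys.stdout.write(str(len(combination)))
"""


def run_with_combination_fd(combination: bytes, extra_args=()) -> str:
    """Spawn the child with the combination delivered over a pipe.

    Returns the child's stdout (the byte count it read), so the caller can
    confirm the whole secret arrived without it ever being printed.
    """
    read_end, write_end = os.pipe()  # both non-inheritable by default (PEP 446)
    argv = [sys.executable, "-c", CHILD_PROGRAM,
            f"--combination-fd={read_end}", *extra_args]
    # pass_fds makes read_end inheritable in the child only; the write end
    # stays private to the parent, so only the parent can produce EOF.
    child = subprocess.Popen(argv, pass_fds=(read_end,),
                             stdout=subprocess.PIPE, text=True)
    os.close(read_end)  # the parent no longer needs its copy of the read end
    with os.fdopen(write_end, "wb") as pipe_in:
        pipe_in.write(combination + b"\n")
    # leaving the with-block closes write_end and delivers EOF to the child
    out, _ = child.communicate()
    if child.returncode != 0:
        raise RuntimeError(f"child exited with status {child.returncode}")
    return out


if __name__ == "__main__":
    # Constructed sample combination; a real caller obtains it from its own
    # prompt or keyring, never from its command line.
    print(run_with_combination_fd(
        b"correct horse battery staple",
        extra_args=("--select=Title:SomeTitle", "--autotype")))
```

The same pattern works for any child that accepts an fd number: the parent keeps the write end to itself, so the secret is reachable only through the one inherited descriptor and never through /proc/<pid>/cmdline or ps.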

Selecting safe entries

The "select" argument essentially specifies the EXACT value of any field in the database. The field must be one of the known valid field types, which are:

  1. Group
  2. Title
  3. User
  4. Password
  5. URL
  6. E-Mail
  7. Notes
  8. Autotype
  9. Run Command
  10. DCA & Shift-DCA

Multiple fields can be specified, but typically it would be Title, sometimes in combination with User. Selecting entries by partial matching is not supported, to prevent accidental overwriting/deletion of the wrong entry. However, entries can be searched for by supplying a partial value for one of their fields, which is a read-only operation. All matching entries would be printed, and the desired entry can be selected exactly in the next command for any modifications.

Any operation whose '--select=' clause results in multiple matches would fail.

Actions on selected entries

Possible actions are as follows. Depending on the semantics of the action, it may take a valid field name and/or a valid value for that field.

Both field name and a valid value are required

1. Update

pwsafe-cli mysafe.psafe3 --select='Title:Amazon' --update='email:me@newmail.com'

Only the fieldname is required

2. Copy to clipboard (only if X is running)

pwsafe-cli mysafe.psafe3 --select='Title:Github' --to-clipboard='password'

// Would be nice to be able to do this without linking in any X windows library.

3. Delete

pwsafe-cli mysafe.psafe3 --select='Title:SourceForge' --delete='URL'

No field name or field value is required for these

4. Generate new password

pwsafe-cli mysafe.psafe3 --select='Title:Hotmail' --generate-new-password

5. Autotype

pwsafe-cli mysafe.psafe3 --select='Title:Gmail' --autotype

// How would this work on a CLI version??

6. Run Command

pwsafe-cli mysafe.psafe3 --select='Title:HomeNAS' --run-command

7. View (dump all fields. May be in some parseable format like JSON, YAML?)

// I'd call this 'export', and specify format from text and XML - trivial. JSON/YAML should be simple to add.

pwsafe-cli mysafe.psafe3 --select='Title:Netflix' --view

8. Clear Password History

pwsafe-cli mysafe.psafe3 --select='Title:Atlassian' --clear-pw-history