|
Tag: Redirect target changed |
| (9 intermediate revisions by 4 users not shown) |
| Line 1: |
Line 1: |
| [[Category:Password managers (简体中文)]]
| | #REDIRECT [[zh-hans:Pass]] |
| [[Category:Console applications (简体中文)]]
| |
| [[en:Pass]]
| |
| [[ja:Pass]]
| |
| {{TranslationStatus (简体中文)|Pass|2020-05-14|612679}}
| |
| [https://www.passwordstore.org/ 官网]提到:
| |
| :密码管理应该要简易且遵照Unix哲学。Pass将你的密码保存在由gpg加密的文件中,并以相关的网站和资源的名称来命名文件。这些加密文件会被组织成合理的文件体系,你可以从一台装置复制到另一台装置,并用命令行程序来管理和操作它们。
| |
| Pass是一款简易的命令行密码管理器,本质上,它其实是利用[[GnuPG_(简体中文)|GnuPG]]、{{Pkg|tree}}、和[[Git_(简体中文)|Git]]的脚本。
| |
| | |
| == 安装 ==
| |
| | |
| [[Install|安装]] {{Pkg|pass}} 软件包.
| |
| | |
| 另外还有图形[[Qt_(简体中文)|Qt]]界面软件包可供安装:{{Pkg|qtpass}}
| |
| | |
| == 基本用法 ==
| |
| {{Note|在使用Pass前,请先配置好[[GnuPG_(简体中文)|GnuPG]]。Pass所使用的密钥信任程度(trust level)必须为"ultimate"。}}
| |
| | |
| 初始化:
| |
| | |
| $ pass init ''<gpg-id or email>''
| |
| | |
| 若要创建一组新密码,提供一个文件名,注意文件名需要能体现出文件层次,如:''archlinux.org/wiki/username''。
| |
| | |
| $ pass insert archlinux.org/wiki/username
| |
| | |
| 以文件组织的方式查看储存的密码:
| |
| | |
| {{hc|$ pass|
| |
| Password Store
| |
| └── archlinux.org
| |
| └── wiki
| |
| └── username
| |
| }}
| |
| | |
| 生成一组随机的新密码,执行如下命令,其中,正整数{{ic|''n''}}代表想要的密码长度。
| |
| | |
| $ pass generate archlinux.org/wiki/username ''n''
| |
| | |
| 若要取得一组密码,执行如下命令,并在弹出窗口输入你的gpg密码短语(passphrase),如使用以上范例:
| |
| | |
| $ pass archlinux.org/wiki/username
| |
| | |
| 若您是Xorg用户并安装了{{Pkg|xclip}},您可以直接将取得的密码暂时的复制到剪贴板(clipboard)上;若您是Wayland用户,{{aur|pass-git}} 则会使用 {{Pkg|wl-clipboard}},如使用以上范例:
| |
| | |
| $ pass -c archlinux.org/wiki/username
| |
| | |
| {{Note|如果您喜欢以点击鼠标滚轮的方式来贴上密码,您可以在自己的 {{ic|~/.shellrc}} 中添加:{{ic|1=export PASSWORD_STORE_X_SELECTION=primary}}}}
| |
| | |
| pass 也有附加的功能可与{{Pkg|dmenu}}相结合,让用户可以轻松的搜索和复制粘贴。若要使用它,安装如下可选依赖{{Pkg|dmenu}}后,执行:
| |
| | |
| $ passmenu
| |
| | |
| 当您选择一组密码时,dmenu将会复制密码到剪贴版上。{{man|1|dmenu}} 有更多相关的自定义选项。为了更快的取得密码,您可以把这个命令绑定在一组系统快捷键上。
| |
| | |
| {{Note|如果使用passmenu让您[[Dmenu#Current window loses focus|无法定位在当前窗口]],请将dmenu降级为4.8}}
| |
| | |
| == 信息格式 ==
| |
| | |
| 由{{ic|pass insert}}新建的信息文件预设只会包含您的密码,有时这仍旧不太足够,因为一些应用可能会要求取得您的其他信息如:用户名、网站地址等。这时,您可以用以下命令,编辑一个已存在的信息文件:
| |
| | |
| $ pass edit ''password_name''
| |
| | |
| 如下是由[https://www.passwordstore.org 官网]推荐的信息排版格式。使用这种格式时,选项{{ic|-c}}或{{ic|--clip}}仅会复制第一行的密码。
| |
| | |
| {{bc|
| |
| YwrZSNH35z164ym9pI
| |
| URL: *.amazon.com/*
| |
| Username: AmazonianChicken@example.com
| |
| Secret Question 1: What is your childhood best friend's most bizarre superhero fantasy? Oh god, Amazon, it's too awful to say...
| |
| Phone Support PIN #: 84719
| |
| }}
| |
| | |
| == 迁移到pass ==
| |
| | |
| 在[http://www.zx2c4.com/projects/password-store/ 这里]可以找到相当多脚本可将其他应用的密码导入pass。
| |
| | |
| == 扩充 ==
| |
| | |
| 自版本1.7起,pass开始支援由社区开发的扩充,这些扩充包含一些新的命令,用以延伸pass的功能。
| |
| | |
| * [https://github.com/roddhjav/pass-tomb pass-tomb] ({{aur|pass-tomb}})
| |
| | |
| 可将信息文件以[[tomb]]加密
| |
| | |
| * [https://github.com/tadfisher/pass-otp pass-otp] ({{Pkg|pass-otp}})
| |
| | |
| 一次性密码(OTP)支援
| |
| | |
| * [https://github.com/roddhjav/pass-import pass-import] ({{aur|pass-import}})
| |
| | |
| 从其他管理器导入密码的综合工具
| |
| | |
| * [https://github.com/roddhjav/pass-update pass-update] ({{aur|pass-update}})
| |
| | |
| 一种更新密码的快捷方式
| |
| | |
| * [https://github.com/roddhjav/pass-audit pass-audit] ({{aur|pass-audit}})
| |
| | |
| 一款用以审查密码安全性的扩充
| |
| | |
| == 进阶用法 ==
| |
| | |
| 可使用[[Environment_variables_(简体中文)|环境变量]]修改pass设定中执行存取和git命令的地方:
| |
| | |
| PASSWORD_STORE_DIR=/path/to/store
| |
| | |
| 若想进一步了解怎么修改变量使pass支持存取多个密码仓库,参阅[https://lists.zx2c4.com/pipermail/password-store/2016-November/002463.html 此处]
| |
| | |
| 以下的{{ic|pw()}}别名范例将信息文件中第一行复制到剪贴板上,五秒后再复制第二行,再五秒后复制一组一次性密码(OTP)。如果信息文件中的第一行为密码(password),第二行为用户名(username),并包含一组[https://github.com/google/google-authenticator/wiki/Key-Uri-Format 一次性密码(OTP)URI],此范例可按照''username > password > otp code''的顺序将三者贴入空白栏位中(如浏览器的登入注册表)。
| |
| | |
| pw() {
| |
| export PASSWORD_STORE_CLIP_TIME=8
| |
| export PASSWORD_STORE_X_SELECTION=primary
| |
| pass -c2 $1; sleep 5; pass -c $1; sleep 5; pass otp -c $1; exit
| |
| }
| |
| | |
| == Multiple pass Contexts (e.g. Teaming) ==
| |
| | |
| One can use aliases to set up different pass contexts, which helps when collaborating with different teams. We have gotten this working in bash as follows:
| |
| | |
| Add aliases to your {{ic|''~/.bashrc''}}:
| |
| | |
| alias passred="PASSWORD_STORE_DIR=~/.pass/red pass"
| |
| alias passblue="PASSWORD_STORE_DIR=~/.pass/blue pass"
| |
| | |
| Add these for bash-completion to your {{ic|''~/.bash_completion''}} and make sure {{Pkg|bash-completion}} is installed:
| |
| | |
| source /usr/share/bash-completion/completions/pass
| |
| _passred(){
| |
| PASSWORD_STORE_DIR=~/.pass/red/ _pass
| |
| }
| |
| complete -o filenames -o nospace -F _passred passred
| |
| _passblue(){
| |
| PASSWORD_STORE_DIR=~/.pass/blue/ _pass
| |
| }
| |
| complete -o filenames -o nospace -F _passblue passblue
| |
| | |
| Now you can initialize into {{ic|''~/.pass/red''}} and {{ic|''~/.pass/blue''}} and have two pass contexts with the {{ic|''passred''}} and {{ic|''passblue''}} aliases. You can generalize this further into as many contexts as you like.
| |
| | |
| == Git integration ==
| |
| | |
| === Git helper usage ===
| |
| | |
| You can use {{ic|pass}} as a credentials helper for {{ic|git}}. [[Install]] the {{Aur|pass-git-helper}} or {{Aur|pass-git-helper-git}} package.
| |
| Detail are described in the [https://github.com/languitar/pass-git-helper github README file].
| |
| | |
| ==== {{ic|git}} Configuration ====
| |
| | |
| Install {{ic|pass-git-helper}} as a git credentials helper by calling:
| |
| git config --global credential.helper /usr/bin/pass-git-helper
| |
| | |
| ==== Mapping File ====
| |
| | |
| Create the file {{ic|~/.config/pass-git-helper/git-pass-mapping.ini}}. It is used to map git remote hosts to your {{ic|pass}} database. The format is something like this:
| |
| | |
| {{bc|code=[github.com]
| |
| target=dev/github
| |
| | |
| [*.fooo-bar.*]
| |
| target=dev/fooo-bar
| |
| }}
| |
| | |
| You can use wildcards in the host part, as shown in the example.
| |
| | |
| ==== Password Store Layout ====
| |
| | |
| As usual with pass, the helper assumes that the password is contained in the first line of the passwordstore entry.
| |
| Additionally, if a second line is present, this line is interpreted as the username.
| |
| | |
| For this to work, you have to use {{ic|pass insert --multiline}} to create a multi line password store entry.
| |
| | |
| === Central Git server for pass in combination with GnuPG (SSH example) ===
| |
| | |
| You are able to setup a password management system by setting up a central Git server for Pass. This allows you to synchronize your central password repository through multiple client environments.
| |
| | |
| ==== Install a bare Git repository for Pass on the server ====
| |
| On the server run {{ic|git init --bare ~/.password-store}} to create a bare repository you can push to.
| |
| | |
| ==== Import authorized public SSH keys ====
| |
| See [[SSH keys#Copying the public key to the remote server]]
| |
| | |
| ==== On the client ====
| |
| This section assumes you have configured GnuPG and have a key pair to encrypt passwords.
| |
| On your local client ensure you have a local password store on the client, then enable management of local changes through Git, add your remote Git repository, and push your local Pass history.
| |
| {{bc|code=# Create local password store
| |
| pass init <gpg key id>
| |
| # Enable management of local changes through Git
| |
| pass git init
| |
| # Add the the remote git repository as 'origin'
| |
| pass git remote add origin user@server:~/.password-store
| |
| # Push your local Pass history
| |
| pass git push -u --all
| |
| }}
| |
| | |
| Now you can use the standard Git commands, prefixed by {{ic|pass}}. For example: {{ic|pass git push}}, or {{ic|pass git pull}}. Pass will automatically create commits when you use it to modify your password store.
| |
| | |
| == Troubleshooting ==
| |
| === Encryption failed: Unusable public key ===
| |
| The following error can occur when attempting to insert a new entry:
| |
| | |
| {{bc|
| |
| $ pass insert archlinux.org/wiki/username
| |
| Enter password for archlinux.org/wiki/username:
| |
| Retype password for archlinux.org/wiki/username:
| |
| gpg: XXXXXXXXX: There is no assurance this key belongs to the named user
| |
| gpg: [stdin]: encryption failed: Unusable public key
| |
| Password encryption aborted.
| |
| }}
| |
| | |
| This occurs if the trust level of the GnuPG key is set to anything other than "ultimate." Edit the key used for {{ic|pass}} to set its trust level to "ultimate."
| |
| | |
| == See also ==
| |
| * [http://blog.sanctum.geek.nz/linux-crypto-passwords/ A more comprehensive pass tutorial]
| |
| * [https://www.passwordstore.org/ Pass home page]
| |
| * [https://www.passwordstore.org/#other List of Compatible clients and possibilities for migration to Pass]
| |