ttyprompt

command module
v1.0.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 13, 2018 License: MIT Imports: 15 Imported by: 0

README

ttyprompt

Ask for passwords on separate TTY to combat X11 keyloggers.

Yes, you may use Wayland but some people have reasons to stay with X.Org. If you have no idea what Wayland is - check it out and consider switching to it because this program is actually a dirty hack.

Installation

Install Golang toolchain (https://golang.org/dl).

Included Makefile will take care of everything else:

$ make
# make install

As an additional security measure you may want to run ttyprompt as a separate user which will be only one member of ttyprompt:

# useradd -lMNr -s /sbin/nologin -g ttyprompt ttyprompt

To always run ttyprompt using this user account:

# chown ttyprompt /usr/local/bin/ttyprompt
# chmod u+s /usr/local/bin/ttyprompt
Build tags
Tag Meaning
nomlock Don't lock entire memory of process.
nopinentry Disable pinentry mode support.

Usage

Simple Mode

Just run ttyprompt, entered password will be written to stdout.

There are some options you may want to use to customize dialog, see ttyprompt --help.

Polkit Agent Mode

Not implemeneted yet.

ssh-askpass

Set SSH_ASKPASS environment variable to /usr/local/bin/ttyprompt-ssh.

Note: Check out https://unix.stackexchange.com/a/83991 if you want to always use ttyprompt for SSH.

Note 2: setsid trick breaks group-only execution mode set on ttyprompt binary and scripts. To use it you should run the following command first:

chmod o+x /usr/local/bin/*ttyprompt*
sudo

ttyprompt-ssh works for sudo too:

export SSH_ASKPASS=/usr/local/bin/ttyprompt-ssh

Then use sudo -A instead of just sudo.

Pinentry Emulation Mode (GnuPG passphrase prompt)

Add pinentry-program /usr/local/bin/pinentry-ttyprompt to .gnupg/gpg-agent.conf. Make sure to restart gpg-agent: gpgconf --kill gpg-agent.

Room for improvement

  • Make prompt customizable in simple mode
  • Allow to select prompt TTY
  • Implement pinentry emulation mode
    • Implement Assuan protocol wrappers
    • Fix video driver permission error.
  • Use advisory locking on TTY to prevent race conditions.
  • ssh-askpass
  • Show "execution context" (parent process info, real UID/GID and similar)
  • Polkit agent emulation mode
    • Polkit Authority interface wrapper
    • PAM wrapper
  • Modularize build (disable/enable polkit/pinentry mode using build tags)
  • All remaining // TODO: in code
  • Clean up code

Security issues

Contact me privately via email (fox.cpp at disroot dot org). Use PGP encryption if possible.

License

As usual: ttyprompt is published under the terms of the MIT license. You can do anything as long as you keep copyright notice.

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.