How many times have you worked on a Linux server (without a GUI) and wished you had a way to store passwords securely? Having such a feature available for your headless servers would be such a time saver.
TO SEE: Password Breach: Why Pop Culture and Passwords Don’t Mix (Free PDF) (TechRepublic)
If you’ve worked with Linux long enough, you probably already know that it’s actually quite simple. Using the GnuPG application, you can create password stores protected by a GPG key for security purposes (so that only those who have the key can access them).
I will show you how to use GnuPG and the pass order specifically for this purpose.
What you will need
To use GnuPG for this you will need a running instance of Linux and a user with sudo privileges. With these things at hand, let’s get creative.
How to install GnuPG and pass
The first thing we are going to do is install the GnuPG application. If you are on an Ubuntu server, the install command would be:
sudo apt-get install gnupg2 pass -y
On an RHEL-based machine, this would be:
sudo dnf install gnupg2 pass -y
If SUSE is your distribution of choice:
sudo zypper install gpg2 pass -y
Arch Linux your jam? Then:
sudo pacman -S pass gnupg pass
How to create a GPG key for your store
We will create a specific GPG key to use with our store. To create the GPG key, run the command:
gpg2 --full-generate-key
Select the default key type (RSA), the default key size (3072), an expiration of 0 (meaning it never expires) and answer Y that everything is correct. You will then add your name to the key, an email address, a comment (whatever you want), and finally, give the key a passphrase (Figure A).
Figure A
Now is the time to launch the new GPG store. Access your home directory with:
cd ~/
Start the store with:
pass init EMAIL
Where EMAIL is the email address associated with the GPG you generated. You should see the following two lines of output:
mkdir: created directory '/home/USER/.password-store/'
Password store initialized for EMAIL
Where USER is your username and EMAIL is the email address associated with your GPG key.
How to add a password to your store
With our store ready, we can add a password. By using the pass command, we can create directories to house the associated passwords. Let’s say you first want to create a directory to house website passwords and the first entry will be for TechRepublic. This command might look like this:
pass generate websites/techrepublic.com 12
The above command will generate a random (12 character) password and associate it with the TechRepublic entry in the directory website. You should see output similar to:
mkdir: created directory '/home/jack/.password-store/websites'
The generated password for websites/techrepublic.com is:
@Kh^B##
If you already know the password you want to store, the command would be:
pass insert websites/techrepublic.com
You can change a password with the command:
pass edit websites/techrepublic.com
Once registered, you can then view the password by entering the command:
pass websites/techrepublic.com
The caveat to using pass to store passwords
This is where one of the biggest usability issues pass as storage for your password. If you’re using a distro with a GUI, you’re fine. when you run pass websites/techrepublic.com, you will be prompted to enter the password you created for your key. However, on a server without a GUI, it will just print the password, since the GTK input dialog cannot be displayed in an SSH session.
To work around this, install another application with the command:
sudo apt install pinentry-tty -y
Once installed, set it with:
sudo update-alternatives --config pinentry
Be sure to select pinentry-tty.
After taking care of this, when running the pass command, you will be prompted to enter the password associated with your GPG key. After successful authentication, you will see the password displayed.
One thing to keep in mind is that pass will cache the GPG key password for a period of time. So the next time you issue the pass command, it will not ask you for your password. To work around this, you can immediately clear the stored password with the command:
gpg-connect-agent reloadagent /bye
The caveat is that you always have to remember to run the gpg-connect-agent command before logging out of your SSH session, otherwise the password will be cached for a while, and then someone could log into your server with your credentials and steal your password. Prevention is better than cure.
And that’s all there is to securely storing passwords on a headless Linux server with GnuPG and the pass ordered.
Subscribe to TechRepublic How to make technology work on YouTube for all the latest tech tips for professionals from Jack Wallen.
