bjk's blog

October 28, 2014

Pwmd version 3.0.12 released

Filed under: projects, pwmd — bjk @ 9:24 pm

This version fixes the LIST command appending an unneeded “T” flag to root elements without a target attribute. It also fixes a potential DoS in the OPEN command and updates the Debian package information.

Download it here.

October 5, 2014

Pwmd version 3.0.11 released

Filed under: projects, pwmd — bjk @ 9:43 am

This version is updated to work with gpg-agent 2.1 which, although not yet officially released, has recently removed the GPG_AGENT_INFO environment variable. This adds a new configuration parameter gpg_agent_socket and removes the agent_env_file parameter.

Download it here.

September 29, 2014

Pwmd and OpenPGP

Filed under: projects, pwmd — bjk @ 9:50 pm

Starting work on implementing OpenPGP support in pwmd via libgpgme. It looks like it’s going to be easier than I thought.

September 27, 2014

QPwmc version 0.3.0 released

Filed under: projects, qpwmc — bjk @ 10:13 pm

This version parses the LIST permission flag introduced in pwmd 3.0.10, adds background color configuration for the element tree items, reconnects to the remote host after any socket arguments have been changed and fixes a few bugs.

Download it here.

Libpwmd version 7.2.0 released

Filed under: libpwmd, projects — bjk @ 10:07 pm

This version requires that TLS fingerprint hashes be in SHA-256 format rather than SHA-1. It also adds pwmd_tls_error() to get the error code of a failed gnutls function and fixes a few bugs.

Download it here.

Pwmd version 3.0.10 released

Filed under: projects, pwmd — bjk @ 10:04 pm

This version fixes a few (important) usability bugs and adds the “GETINFO USER” command.

Download it here.

September 21, 2014

Pwmd version 3.0.9 released

Filed under: projects, pwmd — bjk @ 1:01 pm

This version fixes a couple of bugs with ACLs and requires that a permission check be done before modifying a “target” attribute. It also fixes a SAVE bug when inquiring key parameters for new files.

Download it here.

September 20, 2014

Pwmd version 3.0.8 released

Filed under: projects, pwmd — bjk @ 4:23 pm

This version adds support for per-element ACLs, which means you can now limit which clients have access to which elements. This feature also adds a couple of configuration parameters and requires that TLS fingerprint hashes are prefixed with a #. A recursion loop in the LIST command was fixed along with a few other changes and bug fixes.

Please read the NEWS file for more information about this release. It is also recommended to read the pwmd manual for details about the Access Control feature.

Download it here.

August 31, 2014

Pwmd work

Filed under: projects, pwmd — bjk @ 6:49 pm

I think I’m going to rewrite pwmd to work with a filesystem rather than an XML document. This would allow for better access control by using filesystem ACLs and permissions and would be easier to use and less bug-prone. The idea is borrowed from the pass(1) shell script, but that method uses gpg(1) for decryption of an encrypted file and doesn’t support passphrase caching as well as pwmd does.

This would also allow for caching of a single file path rather than an entire XML document containing passphrases. It would also handle symbolic links (target attributes), NFS, SSHFS (fuse), among other things, better.

As an example, the libpwmd ‘pwmc’ client would basically be the same:

echo 'GET /some/file/path' | pwmc --cache-timeout 300 --rootdir ~/.store
echo 'GET /http:\/\/host.com/username' | pwmc

Pwmc would connect to a (default) pwmd socket. Pwmd then determines whether the file path is cached or not. If not, it calls gpg/2 to decrypt the file, using gpg-agent to prompt for the passphrase if needed, then returns the decrypted data back to pwmc while optionally caching the data.

A better GUI client could be written to behave more like a file manager. A hidden file could replace what is an XML element attribute now.

The only real drawback I can tell is performance. Pwmd would use GPGME for encryption and decryption and that requires forking a new gpg/2 process for each file path. May not be too bad, though. We’ll see how it goes…

UPDATE (Sat Sep 6 12:26): I’m going to stick with the way it’s done now rather than using the filesystem. Caching multiple files (and even secret keys) is just too cumbersome. I will add per-element ACL support obtained via SO_PEERCRED or a TLS fingerprint hash, though. I may also add OpenPGP support, but that would be a major version bump and would remove the native pwmd file format.
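A model of the cache-and-decrypt flow described in this post, as an added example rather than pwmd’s own code: the rootdir value, the decrypt callback standing in for the gpg/2 call, and the injectable clock are all assumptions, and the GET path is taken literally (the backslash-escaped form above is not modelled). Beyond what the post describes, it also confines every resolved path to rootdir, the check a daemon that maps request paths onto the filesystem needs before it decrypts anything.

```python
import os
import time
from typing import Callable, Dict, Tuple


class PathCache:
    """Per-path cache for the proposed filesystem-backed pwmd: each entry
    holds decrypted data plus an expiry derived from --cache-timeout."""

    def __init__(self, rootdir: str, decrypt: Callable[[str], bytes],
                 now: Callable[[], float] = time.monotonic):
        self.rootdir = os.path.realpath(rootdir)   # assumed store location
        self.decrypt = decrypt                      # stand-in for the gpg/2 call
        self.now = now                              # injectable clock for testing
        self._entries: Dict[str, Tuple[bytes, float]] = {}

    def resolve(self, path: str) -> str:
        """Map a request path onto rootdir and refuse anything that
        escapes it (e.g. 'GET /../../etc/passwd')."""
        full = os.path.realpath(os.path.join(self.rootdir, path.lstrip("/")))
        if os.path.commonpath([full, self.rootdir]) != self.rootdir:
            raise PermissionError(f"path escapes rootdir: {path}")
        return full

    def get(self, path: str, timeout: int) -> Tuple[bytes, bool]:
        """Return (data, served_from_cache). A timeout of 0 disables caching."""
        full = self.resolve(path)
        entry = self._entries.get(full)
        if entry is not None and entry[1] > self.now():
            return entry[0], True
        data = self.decrypt(full)       # cache miss or expired: decrypt again
        if timeout > 0:
            self._entries[full] = (data, self.now() + timeout)
        else:
            self._entries.pop(full, None)
        return data, False


def handle_command(cache: PathCache, line: str, timeout: int = 300) -> str:
    """Handle one 'GET <path>' request line as pwmc would send it."""
    verb, _, arg = line.strip().partition(" ")
    if verb != "GET" or not arg:
        return "ERR unknown command"
    try:
        data, hit = cache.get(arg, timeout)
    except PermissionError:
        return "ERR permission denied"
    return f"OK {'cached' if hit else 'decrypted'} {data.decode()}"
```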

May 15, 2014

Pwmd version 3.0.7 released

Filed under: projects, pwmd — bjk @ 9:15 pm

This version lets element (attribute) name requirements be less strict. It pretty much reverts the changes made in version 3.0.5 that required them to conform to the XML standard which made pwmd less useful. Download it here.

There was a reason why I made that change but I don’t remember why. If you get a parsing error when trying to re-open the data file then an invalid character is probably the reason. I have tested it and can’t find a problem with the way it is now. Bug reports are appreciated. And I’ll make a test case or a more verbose commit message next time.

