File: README.md

package info (click to toggle)
rust-pwtool 0.12.0-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 196 kB
  • sloc: makefile: 24
file content (223 lines) | stat: -rw-r--r-- 8,301 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
 
# pwtool

Generate passwords from random characters or words and optionally show their cryptographic hash.

The default generated password set is copy/paste friendly without extended characters that would break the default copy selection you get when double-clicking a word. They also are don't break quotation strings (quote marks, double quotes or backticks).

# installing

From cargo, ensuring that the install path (normally ~/.cargo/bin) is in your `PATH` environment.

```
cargo install pwtool
```


source code

```
git clone https://gitlab.com/edneville/pwtool.git
cd pwtool
cargo build --release
```

please or sudo

```
please install -m0755 -o0 -g0 target/release/pwtool /usr/local/bin/
```

snap

```
please snap install pwtool
```

# modifiers

`lowercase`, `uppercase`, `numeric` and `extended` will set requirements on the passwords.

# word lists

If you want a password generated from words rather than a mixture of letters and numbers, use the `words` option, which by default uses the file `/usr/share/dict/words`. Use `wordsfile` to specify a different list.

# cryptographic hash

The `--md5`, `--bcrypt`, `--des`, `--sha1`, `--sha256` and `--sha512` options will print the cryptographic hash which can be used instead of storing the password in some systems.

The hash output can be used with `useradd`/`usermod` or `.htaccess`:

```
LINE=`pwtool --number 1 --sha256`
PW="${LINE% *}"
HASH="${LINE##* }"
USR=newuser
useradd -m -p "$HASH" -s /bin/bash $USR
echo "Password for $USR  is $PW"
```

Or issue a new password to an existing user with `usermod`:

```
LINE=`pwtool --number 1 --sha256`
PW=`echo "$LINE" | sed -e 's/ .*//g'`
HASH=`echo "$LINE" | sed -e 's/.* //g'`
USR=newuser
usermod -p "$HASH" $USR
echo "Password for $USR is now $PW"
```

# options

`--userfmt`, `--mysqlfmt`, `--pgfmt`, `--htauthfmt`, `--usermodfmt`, `--totpfmt` are convenience options for format variables below, with the exception that they will also print the password in a comment:

    pwtool --username thingy --userfmt

This then outputs like this:

    useradd -m -s /bin/bash -p '$5$YLtTnPhYiQ891nAz$SHzSCc5vMIARxd4PYtxIOZ7mGICNsLGEGimMyFpRjE7' thingy # 8OtQUoUjV9

`--createdatabase` when combined with one of the database options will prefix with a `create database %{database};` string.

The `--totp`, `--totpstep` options are for the key (base32), length of digits and step.

KeePass DBs can be updated using `--keepassdb` and `--keepassphrase`/`KEEPASSPHRASE`. If the file does not exist, and the passphrase is not supplied the file will be created and new password written to output.

# format strings

With `--format` the variables can be used to output a custom string.

The variables (below) can be used within a `--format` string to output in a convenient way:

    pwtool --username thingy --format "useradd -m -s /bin/bash -p '%{sha256}' %{username} # %{password}\n"

This then outputs like this:

    useradd -m -s /bin/bash -p '$5$YLtTnPhYiQ891nAz$SHzSCc5vMIARxd4PYtxIOZ7mGICNsLGEGimMyFpRjE7' thingy # 8OtQUoUjV9

You can then copy/paste that around different systems where people need the same account.

Another common way is to use it for mysql setup at the same time:

    pwtool --username thingy --database thing --createdatabase --mysqlfmt --number 1
    create database thing; grant all privileges on thing.* to thingy@'%' identified with mysql_native_password as '*5d9d5f3aaf18e16ba7014f339697d841a736b133'; -- # epoEPMbATs

| variable | output |
|----------|--------|
| %{des}       | traditional crypt |
| %{base32}    | base32 of password |
| %{bcrypt}    | BSD standard hash |
| %{md5}       | MD5 hash |
| %{sha1}      | HMAC SHA1 |
| %{sha256}    | SHA256 |
| %{sha512}    | SHA512 |
| %{mysql}     | password in mysql_native format |
| %{password}  | cleartext password |
| %{username}  | placeholder for --username |
| %{database}  | placeholder for --database |
| %{postgres}  | postgres SCRAM-SHA-256 password |
| %{userfmt}   | expands to `useradd -m -s /bin/bash -p '%{sha256}' %{username}` |
| %{usermodfmt}   | expands to `usermod -p '%{sha256}' %{username}` |
| %{mysqlfmt}  | expands to `grant all privileges on %{database}.* to %{username}@'%' identified with mysql_native_password as '%{mysql}';` |
| %{mysqluserfmt} | expands to `create user %{username}@'%'; alter user %{username}@'%' identified with 'caching_sha2_password' as %{mysql_caching_sha2}; grant all privileges on %{database}.* to %{username}@'%';` |
| %{pgfmt}     | expands to `create user %{username} password '%{postgres}';` |
| %{htauthfmt} | expands to `%{username}:%{sha256}` |
| %{wpinstfmt} | expands to `wp core install --url=https://%{{servername}}/ --title=%{{servername}} --admin_email=%{{username}}@%{{servername}} --admin_user=%{{username}} --admin_password=%{{password}} --skip-email` |
| %{wpuserfmt} | expands to `update wp_users set user_pass = '%{bcrypt}' where user_login = '%{username}'` |
| %{totp} | displays the current TOTP SHA1 | 
| %{totpfmt} | an alias for the TOTP number and remaining time progress | 
| %{totpsecs} | displays the remaining seconds | 
| %{totpsecsmax} | displays the max sec step | 
| %{totpprogress} | displays a progress bar for remaining secs | 
| %{totpalgo} | displays the TOTP algorithm used | 

# executing output

Should you want to execute the output, `tee` is quite handy as it will print to stdout and an elevated file descriptor:

    pwtool --username moo --format "useradd -m -s /bin/bash -p '%{sha256}' %{username} # %{password}\n" --number 1 | tee >( please /bin/bash )
    useradd -m -s /bin/bash -p '$5$pZxFddWqXpBuozZF$l1Eyw2HqsGP0E9pdQctqeCPTOL3eJOPq4pNiI6MoZG5' moo # 6nIFhAKJSC

This will both add the user and print the password in the shell.

# http basic authentication

You can populate entries in basic authentication files too:

    pwtool --username moo --format '%{htauthfmt}'

Not the output has the password in a comment prior to the auth line as data after the `:` is normally treated as the hashed password. You can store this in `/etc/apache2/restricted`:

    AuthType Basic
    AuthName "Keep out!"
    AuthUserFile "/etc/apache2/restricted"
    Require valid-user

or with nginx, in `/etc/nginx/restricted`:

    auth_basic "Keep out!";
    auth_basic_user_file /etc/nginx/restricted;

# as a totp authenticator program

If you want to leave a TOTP authentication display in your terminal, it can run like this:

    TOTP=metalisbest pwtool --totpfmt

It will then run and leave a display like this:

    202924 [#########################     ]

If you have multiple accounts, they can be displayed like this:

    TOTP="metalisbest;grungeisbest" pwtool --totpfmt

    617989 [##################            ]
    826783 [##################            ]

This can be customised, to show a name aside each:

    TOTP="key=metalisbest,name=metal;key=grungeisbest,name=grunge" pwtool --totpfmt

    488833 [#################             ] metal
    967495 [#################             ] grunge

The following key=value pairs are supported:

| key | definition |
|----------|--------|
| key / totp | the totp string | 
| name / username | a meaningful name for this key | 
| step | number of step seconds | 
| digits | the length of the output | 
| algo | which hmac to use (sha1, sha256, sha512) | 
| seconds | a user-defined time |

# wp setup

In some cases you might want to create a user, a DB and a WP and store the user account details in a DB called `$USR.kdbx`:

    #!/bin/sh

    PW=`pwtool --number 1 --createdatabase --database "$DB" --keepassdb "${USR}.kdbx" --username "$USR" --servername "$DOM" --userfmt --mysqlfmt --wpconfigfmt`

    echo "$PW" | grep ^useradd | sh
    echo "$PW" | grep ^create  | mysql

    CONF=`echo "$PW" | grep '^wp config'`

    WPINST=`pwtool --number 1 --username "$USR" --keepassdb "${USR}.kdbx" --servername "$DOM" --wpinstfmt`
    INST=`echo "$WPINST" | grep '^wp core'`

    echo "mkdir public_html && cd public_html && wp core download && $CONF && $INST" | su - "$USR"

    echo "$PW" | grep ^useradd 
    echo "$PW" | grep ^create
    echo "$WPINST"

In a script, that can be called like so:

    USR=fish DB=chips DOM=bigcookie.com KEEPASSPHRASE=wibble ./setup.sh

I've used a fixed passphrase, but there's nothing stopping that from being scripted too.