Command line client for KeePass via the KeePassHttp plugin
Copying and pasting secrets to the command line sucks. How about we just pull them out of KeePass and save ourselves the trouble? As a bonus, we still get a useful entry in our shell's history, without leaking the secret.
Before:
justinf@wyvern:/home/justinf/src/cmdipass
master ✔ > vault auth -method=github token=redacted1234
Successfully authenticated! You are now logged in.
justinf@wyvern:/home/justinf/src/cmdipass
master ✔ > history | grep github | tail -n 1
10037 vault auth -method=github token=redacted1234
After:
justinf@wyvern:/home/justinf/src/cmdipass
master ✔ > vault auth -method=github token=$(cmdipass get-one github-token --index=0 --password-only)
Successfully authenticated! You are now logged in.
justinf@wyvern:/home/justinf/src/cmdipass
master ✔ > history | grep github | tail -n 1
10043 vault auth -method=github token=$(cmdipass get-one github-token --index=0 --password-only)
cmdipass uses KeePassHttp to securely fetch secrets from KeePass. The first time you execute cmdipass, it will attempt to register with KeePassHttp. It also works with MacPass and MacPassHTTP, although with some caveats.
From then on, you'll get a notification whenever cmdipass is used to look up a value.
cmdipass get <search-string>
cmdipass get-one <search-string> (--index=<index> | --uuid=<uuid>) [--password-only | --username-only]
cmdipass --version
cmdipass (-h | --help)
Options:
-h --help Show this screen.
--version Show version.
--index=<index> Select the entry at this 0-indexed location.
--uuid=<uuid> Select the entry with this uuid.
--password-only Print only the password.
--username-only Print only the username.
By default, cmdipass will write the configuration to ~/.cmdipass after first use. You can change the path of the config file by setting the CMDIPASS_CONFIG environment variable to a path of your choosing.
Binary releases are available at https://github.com/Fitzsimmons/cmdipass/releases/.
You'll need Rust. I recommend using rustup to get it, although you may want to use an alternative installation method to avoid the curl | bash anti-pattern.
Then, just clone the repo and run cargo build from the root of the repo. Your executable will be available at target/debug/cmdipass. A debug build is recommended since performance is not a significant factor and it'll help you submit a useful bug report when something goes wrong. 😄
MacPassHTTP currently expects there to be a scheme present in the string that is used to search the database (MacPassHTTP#31). There is also a defect that will cause the entire database to be returned when there is no match with the search string (MacPassHTTP#30). You can work around these issues by adding a bogus scheme to your cmdipass query, e.g. cmdipass get-one http://github-token. You do not need to alter the entry in MacPass.
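In the "After" one-liner, the shell still runs the command with an empty token when the lookup fails, and with the MacPassHTTP no-match defect --index=0 can select an unrelated entry. The following is an added example, not part of cmdipass: two shell functions that select the entry by --uuid, refuse to continue on a failed or empty lookup, and hand the secret to the command through its environment. The names keepass_password and with_keepass_env are hypothetical, and the code assumes cmdipass exits non-zero or prints nothing when the lookup fails.

```shell
# Added example, not part of cmdipass. Assumption: cmdipass exits non-zero
# (or prints nothing) when the lookup fails.

# keepass_password <search-string> <uuid>
# Prints the entry's password, or returns non-zero without printing anything.
keepass_password() {
    local secret
    if [ "$#" -ne 2 ] || [ -z "$1" ] || [ -z "$2" ]; then
        echo "usage: keepass_password <search-string> <uuid>" >&2
        return 2
    fi
    # --uuid pins one specific entry; --index=0 accepts whatever is listed first.
    secret=$(cmdipass get-one "$1" --uuid="$2" --password-only) || {
        echo "keepass_password: lookup failed for '$1'" >&2
        return 1
    }
    if [ -z "$secret" ]; then
        echo "keepass_password: empty result for '$1'" >&2
        return 1
    fi
    printf '%s\n' "$secret"
}

# with_keepass_env <VAR> <search-string> <uuid> <command> [args...]
# Runs <command> with VAR holding the password, and only if the lookup worked.
# The secret travels in the child's environment, so it is in neither the shell
# history nor the command's argument list.
with_keepass_env() {
    local var search uuid secret
    if [ "$#" -lt 4 ]; then
        echo "usage: with_keepass_env <VAR> <search-string> <uuid> <command> [args...]" >&2
        return 2
    fi
    var=$1 search=$2 uuid=$3
    shift 3
    case $var in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
            echo "with_keepass_env: invalid variable name" >&2
            return 2 ;;
    esac
    secret=$(keepass_password "$search" "$uuid") || return 1
    # Subshell keeps the variable out of the calling shell; export is a builtin.
    ( export "$var=$secret"; exec "$@" )
}
```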
Happy to accept issues and pull requests.
Chat with me on keybase or one of the other accounts I've verified: https://keybase.io/jsfitzsimmons/