Command line client for KeePass via the KeePassHttp plugin

Fitzsimmons/cmdipass

cmdipass

Intro

Copying and pasting secrets to the command line sucks. How about we just pull them out of KeePass and save ourselves the trouble? As a bonus, we still get a useful entry in our shell's history, without leaking the secret.

Before:

justinf@wyvern:/home/justinf/src/cmdipass
master ✔ > vault auth -method=github token=redacted1234
Successfully authenticated! You are now logged in.

justinf@wyvern:/home/justinf/src/cmdipass
master ✔ > history | grep github | tail -n 1
10037  vault auth -method=github token=redacted1234

After:

justinf@wyvern:/home/justinf/src/cmdipass
master ✔ > vault auth -method=github token=$(cmdipass get-one github-token --index=0 --password-only)
Successfully authenticated! You are now logged in.

justinf@wyvern:/home/justinf/src/cmdipass
master ✔ > history | grep github | tail -n 1
10043  vault auth -method=github token=$(cmdipass get-one github-token --index=0 --password-only)
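
As an added example (not part of cmdipass or the original README), the following shell function audits existing history for the "Before" pattern: it reports lines where a secret-looking key=value argument carries a literal value, with the value redacted, and skips lines where the value comes from command substitution as in "After". The key list, the names find_literal_secrets and sample_history, and history entries 10044 and 10045 are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit shell history for secrets typed as literal arguments.
# SECRET_KEYS is an assumed list of argument names; extend it for your tools.
SECRET_KEYS='token|password|passwd|secret|api[_-]?key'

# Reads `history`-style lines on stdin. Prints each line in which a
# secret-looking key=value argument has a literal value, with that value
# replaced by <redacted> so the audit output does not leak it again.
# Values that begin with $ or a backtick (bare or inside double quotes) are
# expanded at run time, so the secret is not in history; those are skipped.
find_literal_secrets() {
  awk -v keys="$SECRET_KEYS" '
    BEGIN {
      dq  = "\"[^$`\"][^\"]*\""        # "literal ..." not starting with $ or `
      sq  = "\047[^\047]+\047"         # single-quoted text is always literal
      raw = "[^ \t$`\"\047][^ \t]*"    # unquoted literal up to whitespace
      re  = "(" keys ")=(" dq "|" sq "|" raw ")"
    }
    {
      rest = $0; out = ""; hit = 0
      # Match on a lower-cased copy so key names are case-insensitive,
      # but cut the original text so the rest of the line is unchanged.
      while (match(tolower(rest), re)) {
        eq   = index(substr(rest, RSTART, RLENGTH), "=")
        out  = out substr(rest, 1, RSTART + eq - 1) "<redacted>"
        rest = substr(rest, RSTART + RLENGTH)
        hit  = 1
      }
      if (hit) print out rest
    }'
}

# Constructed sample: 10037 and 10043 are the entries shown above,
# 10044 and 10045 are made up (deploytool is a hypothetical command).
sample_history() {
  cat <<'EOF'
10037  vault auth -method=github token=redacted1234
10043  vault auth -method=github token=$(cmdipass get-one github-token --index=0 --password-only)
10044  deploytool --password='hunter2 example' --user=app
10045  deploytool --api-key="$(cmdipass get-one deploy-key --index=0 --password-only)"
EOF
}

sample_history | find_literal_secrets
```

In an interactive shell, run it as history | find_literal_secrets. Entries it reports still hold the secret in the history file, so remove them there and rotate the exposed value.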

cmdipass uses KeePassHttp to securely fetch secrets from KeePass. The first time you execute cmdipass, it will attempt to register with KeePassHttp. It also works with MacPass and MacPassHTTP, although with some caveats.

Screenshot of the trust dialog

From then on, you'll get a notification whenever cmdipass is used to look up a value.

Usage

cmdipass get <search-string>
cmdipass get-one <search-string> (--index=<index> | --uuid=<uuid>) [--password-only | --username-only]
cmdipass --version
cmdipass (-h | --help)

Options:
  -h --help         Show this screen.
  --version         Show version.
  --index=<index>   Select the entry at this 0-indexed location.
  --uuid=<uuid>     Select the entry with this uuid.
  --password-only   Print only the password.
  --username-only   Print only the username.

Config file

By default, cmdipass will write the configuration to ~/.cmdipass after first use. You can change the path of the config file by setting the CMDIPASS_CONFIG environment variable to a path of your choosing.

Downloads

Binary releases are available at https://github.com/Fitzsimmons/cmdipass/releases/.

Compiling from source

You'll need Rust. I recommend using rustup to get it, although you may want to use an alternative installation method to avoid the curl | bash anti-pattern.

Then, just clone the repo and run cargo build from the root of the repo. Your executable will be available at target/debug/cmdipass. A debug build is recommended, since performance is not a significant factor and it'll help you submit a useful bug report when something goes wrong. 😄

MacPass caveats

MacPassHTTP currently expects a scheme to be present in the string that is used to search the database (MacPassHTTP#31). There is also a defect that causes the entire database to be returned when nothing matches the search string (MacPassHTTP#30). You can work around both issues by adding a bogus scheme to your cmdipass query, e.g. cmdipass get-one http://github-token. You do not need to alter the entry in MacPass.

Contributing

Happy to accept issues and pull requests.

Contact

Chat with me on Keybase or one of the other accounts I've verified: https://keybase.io/jsfitzsimmons/