mirror of
https://github.com/LCTT/TranslateProject.git
synced 2025-01-25 23:11:02 +08:00
commit
bc17ecc8ee
@ -1,158 +0,0 @@
|
||||
[#]: subject: (Enter invisible passwords using this Python module)
|
||||
[#]: via: (https://opensource.com/article/21/7/invisible-passwords-python)
|
||||
[#]: author: (Seth Kenlon https://opensource.com/users/seth)
|
||||
[#]: collector: (lujun9972)
|
||||
[#]: translator: (geekpi)
|
||||
[#]: reviewer: ( )
|
||||
[#]: publisher: ( )
|
||||
[#]: url: ( )
|
||||
|
||||
Enter invisible passwords using this Python module
|
||||
======
|
||||
Give your password an extra layer of security with GPG and the Python
|
||||
getpass module.
|
||||
![Password lock][1]
|
||||
|
||||
Passwords are particularly problematic for programmers. You're not supposed to store them without encrypting them, and you're not supposed to reveal what's been typed when your user enters one. This became particularly important to me when I decided I wanted to boost security on my laptop. I encrypt my home directory—but once I log in, any password stored as plain text in a configuration file is potentially exposed to prying eyes.
|
||||
|
||||
Specifically, I use an application called [Mutt][2] as my email client. It lets me read and compose emails in my Linux terminal, but normally it expects a password in its configuration file. I restricted permissions on my Mutt config file so that only I can see it, but I'm the only user of my laptop, so I'm not really concerned about authenticated users inadvertently looking at my configs. Instead, I wanted to protect myself from absent-mindedly posting my config online, either for bragging rights or version control, with my password exposed. In addition, although I have no expectations of unwelcome guests on my system, I did want to ensure that an intruder couldn't obtain my password just by running `cat` on my config.
|
||||
|
||||
### Python GnuPG
|
||||
|
||||
The Python module `python-gnupg` is a Python wrapper for the `gpg` application. The module's name is `python-gnupg`, which you must not confuse with a module called `gnupg`.
|
||||
|
||||
[GnuPG][3] (GPG) is the default encryption system for Linux, and I've been using it since 2009 or so. I feel comfortable with it and have a high level of trust in its security.
|
||||
|
||||
I decided that the best way to get my password into Mutt was to store my password inside an encrypted GPG file, create a prompt for my GPG password to unlock the encrypted file, and hand the password over to Mutt (actually to the `offlineimap` command, which I use to synchronize my laptop with the email server).
|
||||
|
||||
[Getting user input with Python][4] is pretty easy. You make a call to `input`, and whatever the user types is stored as a variable:
|
||||
|
||||
|
||||
```
|
||||
print("Enter password: ")
|
||||
myinput = input()
|
||||
|
||||
print("You entered: ", myinput)
|
||||
```
|
||||
|
||||
My problem was when I typed a password into the terminal in response to my password prompt, everything I typed was visible to anyone looking over my shoulder or scrolling through my terminal history:
|
||||
|
||||
|
||||
```
|
||||
$ ./test.py
|
||||
Enter password: my-Complex-Passphrase
|
||||
```
|
||||
|
||||
### Invisible password entry with getpass
|
||||
|
||||
As is often the case, there's a Python module that's already solved my problem. The module is `getpass4`, and from the user's perspective, it behaves exactly like `input` except without displaying what the user is typing.
|
||||
|
||||
You can install both modules with [pip][5]:
|
||||
|
||||
|
||||
```
|
||||
$ python -m pip install --user \
|
||||
python-gnupg getpass4
|
||||
```
|
||||
|
||||
Here's my Python script to create a password prompt:
|
||||
|
||||
|
||||
```
|
||||
#!/usr/bin/env python
|
||||
# by Seth Kenlon
|
||||
# GPLv3
|
||||
|
||||
# install deps:
|
||||
# python3 -m pip install --user python-gnupg getpass4
|
||||
|
||||
import gnupg
|
||||
import getpass
|
||||
from pathlib import Path
|
||||
|
||||
def get_api_pass():
|
||||
homedir = str(Path.home())
|
||||
gpg = gnupg.GPG(gnupghome=os.path.join(homedir,".gnupg"), use_agent=True)
|
||||
passwd = getpass.getpass(prompt="Enter your GnuPG password: ", stream=None)
|
||||
|
||||
with open(os.path.join(homedir,'.mutt','pass.gpg'), 'rb') as f:
|
||||
apipass = (gpg.decrypt_file(f, passphrase=passwd))
|
||||
|
||||
f.close()
|
||||
|
||||
return str(apipass)
|
||||
|
||||
if __name__ == "__main__":
|
||||
apipass = get_api_pass()
|
||||
print(apipass)
|
||||
```
|
||||
|
||||
Save the file as `password_prompt.py` if you want to try it out. If you're using `offlineimap` and want to use this solution for your own password entry, then save it to some location you can point `offlineimap` to in your `.offlineimaprc` file (I use `~/.mutt/password_prompt.py`).
|
||||
|
||||
### Testing the password prompt
|
||||
|
||||
To see the script in action, you first must create an encrypted file (I'll assume that you already have GPG set up):
|
||||
|
||||
|
||||
```
|
||||
$ echo "hello world" > pass
|
||||
$ gpg --encrypt pass
|
||||
$ mv pass.gpg ~/.mutt/pass.gpg
|
||||
$ rm pass
|
||||
```
|
||||
|
||||
Now run the Python script:
|
||||
|
||||
|
||||
```
|
||||
$ python ~/.mutt/password_prompt.py
|
||||
Enter your GPG password:
|
||||
hello world
|
||||
```
|
||||
|
||||
Nothing displays as you type, but as long as you enter your GPG passphrase correctly, you will see the test message.
|
||||
|
||||
### Integrating the password prompt with offlineimap
|
||||
|
||||
I needed to integrate my new prompt with the `offlineimap` command. I chose Python for this script because I knew that `offlineimap` can make calls to Python applications. If you're an `offlineimap` user, you'll appreciate that the only "integration" required is changing two lines in your `.offlineimaprc` file.
|
||||
|
||||
First, add a line referencing the Python file:
|
||||
|
||||
|
||||
```
|
||||
`pythonfile = ~/.mutt/password_prompt.py`
|
||||
```
|
||||
|
||||
And then replace the `remotepasseval` line in `.offlineimaprc` with a call to the `get_api_pass()` function in `password_prompt.py`:
|
||||
|
||||
|
||||
```
|
||||
`remotepasseval = get_api_pass()`
|
||||
```
|
||||
|
||||
No more passwords in your config file!
|
||||
|
||||
### Security matters
|
||||
|
||||
It sometimes feels almost paranoid to think about security minutiae on your personal computer. Does your SSH config really need to be restricted to 600? Does it really matter that your email password is in an inconsequential config file buried within a hidden folder called, of all things, `.mutt`? Probably not.
|
||||
|
||||
And yet knowing that I don't have sensitive data quietly hidden away in my config files makes it a lot easier for me to commit files to public Git repositories, to copy and paste snippets into support forums, and to share my knowledge in the form of actual, known-good configuration files. For that alone, improved security has made my life easier. And with so many great Python modules available to help, it's easy to implement.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://opensource.com/article/21/7/invisible-passwords-python
|
||||
|
||||
作者:[Seth Kenlon][a]
|
||||
选题:[lujun9972][b]
|
||||
译者:[译者ID](https://github.com/译者ID)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]: https://opensource.com/users/seth
|
||||
[b]: https://github.com/lujun9972
|
||||
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/password.jpg?itok=ec6z6YgZ (Password lock)
|
||||
[2]: http://www.mutt.org/
|
||||
[3]: https://gnupg.org/
|
||||
[4]: https://opensource.com/article/20/12/learn-python
|
||||
[5]: https://opensource.com/article/19/11/python-pip-cheat-sheet
|
@ -0,0 +1,156 @@
|
||||
[#]: subject: (Enter invisible passwords using this Python module)
|
||||
[#]: via: (https://opensource.com/article/21/7/invisible-passwords-python)
|
||||
[#]: author: (Seth Kenlon https://opensource.com/users/seth)
|
||||
[#]: collector: (lujun9972)
|
||||
[#]: translator: (geekpi)
|
||||
[#]: reviewer: ( )
|
||||
[#]: publisher: ( )
|
||||
[#]: url: ( )
|
||||
|
||||
使用这个 Python 模块输入不可见的密码
|
||||
======
|
||||
用 GPG 和 Python 的 getpass 模块给你的密码多一层安全保障。
|
||||
![Password lock][1]
|
||||
|
||||
密码对程序员来说尤其成问题。你不应该在不加密的情况下存储它们,而且你也不应该在用户输入密码的时候透露出输入的内容。当我决定要提高我的笔记本电脑的安全性时,这对我来说变得特别重要。我对我的家目录进行了加密,但当我登录后,任何以纯文本形式存储在配置文件中的密码都有可能暴露在偷窥者面前。
|
||||
|
||||
具体来说,我使用一个名为 [Mutt][2] 的应用作为我的电子邮件客户端。它可以让我在我的 Linux 终端中阅读和撰写电子邮件,但通常它希望在其配置文件中有一个密码。我限制了我的 Mutt 配置文件的权限,以便只有我可以看到它,但我是我的笔记本电脑的唯一用户,所以我并不真的担心经过认证的用户会无意中看到我的配置文件。相反,我想保护自己不至于心不在焉地把我的配置发布到网上,无论是为了吹嘘还是为了版本控制,我的密码都暴露了。此外,虽然我不希望我的系统上有不受欢迎的客人,但我确实想确保入侵者不能通过对我的配置上运行 `cat` 就获得我的密码。
|
||||
|
||||
### Python GnuPG
|
||||
|
||||
Python 模块 `python-gnupg` 是 `gpg` 应用的一个 Python 封装。该模块的名字是 `python-gnupg`,你不要把它和一个叫做 `gnupg` 的模块混淆。
|
||||
|
||||
[GnuPG][3](GPG) 是 Linux 的默认加密系统,我从 2009 年左右开始使用它。我对它感到很舒服,对它的安全性有很高的信任。
|
||||
|
||||
我决定将我的密码输入 Mutt 的最好方法是将我的密码存储在一个加密的 GPG 文件中,创建一个提示我的 GPG 密码来解锁这个加密文件,然后将密码交给 Mutt(实际上是交给 `offlineimap` 命令,我用它来同步我的笔记本和电子邮件服务器)。
|
||||
|
||||
[用 Python 获取用户输入][4]是非常容易的。对 `input` 进行调用,无论用户输入什么,都会被存储为一个变量:
|
||||
|
||||
|
||||
```
|
||||
print("Enter password: ")
|
||||
myinput = input()
|
||||
|
||||
print("You entered: ", myinput)
|
||||
```
|
||||
|
||||
我的问题是,当我根据密码提示在终端上输入密码时,我所输入的所有内容对任何从我肩膀上看过去或滚动我的终端历史的人来说都是可见的:
|
||||
|
||||
|
||||
```
|
||||
$ ./test.py
|
||||
Enter password: my-Complex-Passphrase
|
||||
```
|
||||
|
||||
### 用 getpass 输入不可见密码
|
||||
|
||||
正如通常的情况一样,有一个 Python 模块已经解决了我的问题。这个模块是 `getpass4`,从用户的角度来看,它的行为和 `input` 完全一样,只是不显示用户输入的内容。
|
||||
|
||||
你可以用 [pip][5] 安装这两个模块:
|
||||
|
||||
|
||||
```
|
||||
$ python -m pip install --user \
|
||||
python-gnupg getpass4
|
||||
```
|
||||
|
||||
下面是我的 Python 脚本,用于创建密码提示:
|
||||
|
||||
|
||||
```
|
||||
#!/usr/bin/env python
|
||||
# by Seth Kenlon
|
||||
# GPLv3
|
||||
|
||||
# install deps:
|
||||
# python3 -m pip install --user python-gnupg getpass4
|
||||
|
||||
import gnupg
|
||||
import getpass
|
||||
from pathlib import Path
|
||||
|
||||
def get_api_pass():
|
||||
homedir = str(Path.home())
|
||||
gpg = gnupg.GPG(gnupghome=os.path.join(homedir,".gnupg"), use_agent=True)
|
||||
passwd = getpass.getpass(prompt="Enter your GnuPG password: ", stream=None)
|
||||
|
||||
with open(os.path.join(homedir,'.mutt','pass.gpg'), 'rb') as f:
|
||||
apipass = (gpg.decrypt_file(f, passphrase=passwd))
|
||||
|
||||
f.close()
|
||||
|
||||
return str(apipass)
|
||||
|
||||
if __name__ == "__main__":
|
||||
apipass = get_api_pass()
|
||||
print(apipass)
|
||||
```
|
||||
|
||||
如果你想试试,把文件保存为 `password_prompt.py`。如果你使用 `offlineimap` 并想在你自己的密码输入中使用这个方案,那么把它保存到某个你可以在 `.offlineimaprc` 文件中指向 `offlineimap` 的位置(我使用 `~/.mutt/password_prompt.py`)。
|
||||
|
||||
### 测试密码提示
|
||||
|
||||
要查看脚本的运行情况,你首先必须创建一个加密文件(我假设你已经设置了 GPG):
|
||||
|
||||
|
||||
```
|
||||
$ echo "hello world" > pass
|
||||
$ gpg --encrypt pass
|
||||
$ mv pass.gpg ~/.mutt/pass.gpg
|
||||
$ rm pass
|
||||
```
|
||||
|
||||
现在运行 Python 脚本:
|
||||
|
||||
|
||||
```
|
||||
$ python ~/.mutt/password_prompt.py
|
||||
Enter your GPG password:
|
||||
hello world
|
||||
```
|
||||
|
||||
当你输入时没有任何显示,但只要你正确输入 GPG 口令,你就会看到测试信息。
|
||||
|
||||
### 将密码提示符与 offlineimap 整合起来
|
||||
|
||||
我需要将我的新提示与 `offlineimap` 命令结合起来。我为这个脚本选择了 Python,因为我知道 `offlineimap` 可以对 Python 程序进行调用。如果你是一个 `offlineimap` 用户,你会明白唯一需要的“整合”是在你的 `.offlineimaprc` 文件中改变两行。
|
||||
|
||||
首先,添加一行引用 Python 文件的内容:
|
||||
|
||||
|
||||
```
|
||||
`pythonfile = ~/.mutt/password_prompt.py`
|
||||
```
|
||||
|
||||
然后将 `.offlineimaprc`中的 `remotepasseval` 行改为调用 `password_prompt.py`中的 `get_api_pass()` 函数:
|
||||
|
||||
```
|
||||
`remotepasseval = get_api_pass()`
|
||||
```
|
||||
|
||||
配置文件中不再有密码!
|
||||
|
||||
### 安全问题
|
||||
|
||||
在你的个人电脑上考虑安全问题有时会让人觉得很偏执。你的 SSH 配置是否真的需要限制为 600?隐藏在名为 `.mutt` 的无关紧要的电子邮件密码真的重要吗?也许不重要。
|
||||
|
||||
然而,知道我没有把敏感数据悄悄地藏在我的配置文件里,使我更容易把文件提交到公共 Git 仓库,把片段复制和粘贴到支持论坛,并以实际的、已知的好的配置文件的形式分享我的知识。仅就这一点而言,安全性的提高使我的生活更加轻松。而且有这么多好的 Python 模块可以提供帮助,这很容易实现。
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://opensource.com/article/21/7/invisible-passwords-python
|
||||
|
||||
作者:[Seth Kenlon][a]
|
||||
选题:[lujun9972][b]
|
||||
译者:[geekpi](https://github.com/geekpi)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]: https://opensource.com/users/seth
|
||||
[b]: https://github.com/lujun9972
|
||||
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/password.jpg?itok=ec6z6YgZ (Password lock)
|
||||
[2]: http://www.mutt.org/
|
||||
[3]: https://gnupg.org/
|
||||
[4]: https://opensource.com/article/20/12/learn-python
|
||||
[5]: https://opensource.com/article/19/11/python-pip-cheat-sheet
|
Loading…
Reference in New Issue
Block a user