Like many I use pass for storing usernames and passwords. This gives me easy access to credentials in a secure manner.
I don't like the way that the metadata (i.e. filenames) are public, but that aside it is a robust tool I've been using for several years.
The last time I talked about pass was when I talked about showing the age of my credentials, via the integrated git support.
That then became a pass-plugin:
frodo ~ $ pass age
6 years ago GPG/[email protected]
6 years ago GPG/[email protected]
..
4 years, 8 months ago Domains/Domain.fi.gpg
4 years, 7 months ago Mobile/dna.fi.gpg
..
1 year, 3 months ago Websites/netlify.com.gpg
1 year ago Financial/ukko.fi.gpg
1 year ago Mobile/KiK.gpg
4 days ago Enfuce/sre.tst.gpg
..
Anyway today's work involved writing another plugin, named env. I store my data in pass in a consistent form, each entry looks like this:
username: steve
password: secrit
site: http://example.com/login/blah/
# Extra data
The keys vary, sometimes I use "login", sometimes "username", other times "email", but I always label the fields in some way.
Recently I was working with some CLI tooling that wants to have a username/password specified and I patched it to read from the environment instead. Now I can run this:
$ pass env internal/cli/tool-name
export username="steve"
export password="secrit"
That's ideal, because now I can source that from within a shell:
$ source <(pass env internal/cli/tool-name)
$ echo $username
steve
Or I could directly execute the tool I want:
$ pass env --exec=$HOME/ldap/ldap.py internal/cli/tool-name
you are steve
..
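An added example, not the plugin's own code: one way to turn "key: value" lines into exports that stay inert when passed to source, even if a value contains quotes or $(...). The names entry_to_exports and demo_entry, and the sample entry, are constructed for illustration.

```shell
# Constructed sample entry; the password deliberately contains shell
# metacharacters to show that they survive as literal text.
demo_entry() {
    cat <<'EOF'
username: steve
password: s'ec"r$(echo injected)it
site: http://example.com/login/blah/
# Extra data
bad key: ignored
EOF
}

# Read "key: value" lines on stdin, write one "export key='value'" per field.
entry_to_exports() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;   # blank lines and comments
            *:*) ;;                # looks like a field
            *) continue ;;         # anything else is ignored
        esac
        key=${line%%:*}            # text before the first colon
        value=${line#*:}           # text after it (URLs keep their colons)
        value=${value#"${value%%[! ]*}"}   # drop leading spaces
        # Only accept keys that are valid shell variable names.
        case "$key" in
            ''|[0-9]*|*[!A-Za-z0-9_]*) continue ;;
        esac
        # Single-quote the value; each embedded ' becomes '\''.
        escaped=$(printf '%s' "$value" | sed "s/'/'\\\\''/g")
        printf "export %s='%s'\n" "$key" "$escaped"
    done
}

demo_entry | entry_to_exports
```

Inside single quotes the shell expands nothing, so the only character that needs escaping is the single quote itself.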
TLDR: If you store your password entries in "key: value" form you can process them to export $KEY=$value, and that allows them to be used without copying and pasting into command-line arguments (e.g. "~/ldap/ldap.py --username=steve --password=secrit")
Tags: git, pass, passwordstore, shell