• ✯ "Computer Science"

• ✮ Infosec

• ✫ Corp. consultant

• ✰ Open? Free!

• ✭ Hackeriet

• ✬ AMA

• Keep track of passwords

• Avoid losing passwords.

• Secure storage

• Share with trusted people.

apt-get install cpm
create-cpmdb
cpm

https://github.com/comotion/cpm/wiki

• The whys

• The hows

• Getting it

• Setting it up

• Using it

• Advanced topics

• postits are dumb

• random textfiles: terrible!

• Xwallet and friends: too gooey!

• what is remote console friendly?

• for sysadmins!

• flexible, open, extendible

• xml blob in gpg/git

• infoleaks

• paranoid delusions

• jkeyring is less than perfect

• shared passwords? Trust!

• Did you say Web of Trust? GPG!

• CPM: sucking less

• History lesson: Harry Brueckner

• orphaned, adopted

• fixed, improved

• packaged and friendly

• because someone asked me

• pick up orphaned tool

• give it some love

• fix bugs

• document issues

• package it

• keep giving love

• covered elsewhere

• getting stuff into Debian is NP-complete

• I can haz EPEL?

• C

• CDK/ncurses

• xml

• zlib

• gpgme

• PARANOIA

• gzipped encrypted

• never swapped

• no core

• ptrace safety

• runtime environ checked

• signed by last modifier

• cracklib

• XML is DTD validated

• done right!

gpg --decrypt ~/.cpmdb | gunzip | xmlindent

• customizable hierarchy

• comment nodes

• one password visible at a time

• import scripts

• multiuser!

• older versions have poor error messages

• ubuntu kernel problem (fixed in 0.29)

• RHEL build problem (fix: mv cpm.h cpm/)

http://github.com/comotion/cpm/downloads

• Tested on Debian, Ubuntu, FC, ARCH

• Contrib packaging accepted!

apt-get install cpm
create-cpmdb
cpm

• must have a keypair:

  gpg --gen-key

• Defaults are OK.

• If paranoid => use 4096 keybits

• DSA/ElGamal is fine, or whatever

• initialize an empty database

• add keys to it

• sign and crypt it

me@mine:~$ create-cpmdb

me@mine:~$ cpm

• Cursor keys + enter navigates

• Ctrl-A Adds

• Ctrl-E Edits

• Ctrl-P Password generator

• Ctrl-K View/edit keys

• search for a password by key

me@mine:~$ cpm minid

• gpg-agent

• conf file

• data import

• multiuser

• distributed CPM

• roll your own

• stores your gpg passord

• may work with a smart card

• setup automagically in Ubuntu

• .xsession:

  eval $(gpg-agent --daemon)

Arguments arent all: cpmrc

• global file

• per-user config

• ships with detailed example

PasswordLength 10
PasswordAlphabet "abc.."
TemplateName "category"
SearchPattern

• create cpmdb with own data

• pms, passwordsafe or general

• general is tabulated 8 fields

echo "host comment service c2 user c3 passwd c4;" |
/usr/share/cpm/import.sh

• import keys

• trust keys:

  gpg --search-keys Wysocki
  gpg --recv-key 674A506F
  gpg --sign-key 674A506F  # maybe

• add keys to cpmdb

• careful of permissions.

• cpm users in one group

• setgid on data dir

• wrapper script

• lock on cpmdb

• create repo

• import cpmdb and cpmrc

• view/add passwords via wrapper

mkdir garbage_file
cd garbage_file
git init
cpm -f cpmdb
git add cpmdb
git commit -m 'initial'
git remote add garbage me@mine:garbage -m master -t master
git push

cat > garbage << EOF
 #!/bin/sh
 cd ~/docs/passwords
 git pull
 /usr/bin/cpm -f cpmdb -c cpmrc $@
 if [ -z "`git diff --name-only`" ]
 then
    echo "No change"
 else
    git commit -am 'moar'
    git push
 fi
EOF

http://github.com/comotion/cpm/wiki/multiuser-CPM

• rip out CDK

• simple trust management

• feature requests

• bugs and usability problems

• need: packaging!

• contributions welcome!

=> http://github.com/comotion/cpm/issues

Thanks!

https://github.com/comotion

• PRADS gigabit asset sniffer

• VSF web app firewall

• pussydns distributed dns

• gone configuration management