While I cannot wait to fire my last PGP into the Sun, my GnuPG and Yubikey combined with gopass is a pretty useful combination. The important parts here are gopass itself, as a way of managing passwords in a git repository while keeping them encrypted, and the use of Yubikey to be the thing which actually holds the key material to decrypt those passwords. I can have my password repository living off in my AFS homedirs on machines, keep them encrypted, and require a physical object (the Yubikey) and a PIN to decrypt things, a process which works because I can perform all crypto operations back to a local agent via a socket forwarded over ssh.
One of the things I've wanted to do for a while is to keep sudo requiring a password, but have that password be something stored in my gopass repository.

My initial attempts focused on the -S option to sudo, which reads the password from stdin. I couldn't get that to work no matter what I tried, but then I came across the -A option to sudo.

The -A option triggers the use of "askpass", where sudo executes a program which is expected to read or otherwise obtain the user's password and then print it to stdout. With this you can tie together a little function which asks for a path in your pass repository (or defaults to the one set in a specific environment variable) and then writes the password to stdout. Normally you don't want a password going to stdout, but since sudo runs this helper as a subprocess, it captures that output and uses the password to attempt authentication.

See it in my one-offs repository.
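As an added illustration of the askpass flow described above (this is example code written for this page, not the script in the author's one-offs repository), the following POSIX shell helper does what sudo -A expects: it resolves which gopass entry to use, fetches the password, and writes only that password to stdout, keeping every prompt on /dev/tty so nothing else leaks into the captured output. The filename gopass-askpass, the environment variable GOPASS_SUDO_ENTRY and the install location are assumptions for the example; sudo itself finds the helper through the SUDO_ASKPASS environment variable.

```shell
#!/bin/sh
# gopass-askpass: example askpass helper for `sudo -A` (added for this page).
# Assumed setup, not from the original post:
#   install as ~/bin/gopass-askpass, chmod 700
#   export SUDO_ASKPASS="$HOME/bin/gopass-askpass"
#   export GOPASS_SUDO_ENTRY="sudo/$(hostname)"   # entry holding the password
# sudo then runs: gopass-askpass "[sudo] password for user: " and reads stdout.

set -eu

# Decide which gopass entry holds the sudo password: the environment variable
# wins; otherwise ask on /dev/tty so the question never mixes with the stdout
# that sudo is capturing. Returns 1 if no entry name could be obtained.
askpass_entry() {
    if [ -n "${GOPASS_SUDO_ENTRY:-}" ]; then
        printf '%s\n' "$GOPASS_SUDO_ENTRY"
        return 0
    fi
    printf 'gopass entry for sudo: ' > /dev/tty
    read -r entry < /dev/tty
    [ -n "$entry" ] || return 1
    printf '%s\n' "$entry"
}

# Fetch only the password line of the entry. `gopass show -o` prints the
# password alone, without the metadata body, which is all sudo should see.
# Decryption happens through the gpg agent, so the Yubikey PIN prompt still
# appears as usual.
askpass_fetch() {
    gopass show -o "$1"
}

# Entry point sudo calls: $1 is sudo's own prompt text. Show it on the
# terminal (silently skipped when there is no tty), then emit the password.
gopass_askpass_main() {
    prompt=${1:-"[sudo] password: "}
    printf '%s\n' "$prompt" 2>/dev/null > /dev/tty || true
    entry=$(askpass_entry) || { echo "gopass-askpass: no entry given" >&2; exit 1; }
    askpass_fetch "$entry"
}

# Only run the helper when invoked under its installed name, so the functions
# can be sourced and exercised without touching gopass.
case "${0##*/}" in
    gopass-askpass) gopass_askpass_main "$@" ;;
esac
```

One design note: the helper writes the password to stdout exactly once and nothing else, because sudo treats the whole of stdout as the password; any banner or debug line printed there would become part of the credential and the authentication would fail.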