While I cannot wait to fire my last PGP into the Sun, my GnuPG and Yubikey combined with gopass is a pretty useful combination. The important parts here are gopass itself, as a way of managing passwords in a git repository while keeping them encrypted, and the use of the Yubikey as the thing which actually holds the key material to decrypt those passwords. I can have my password repository living in my AFS homedirs on various machines, keep it encrypted, and require a physical object (the Yubikey) and a PIN to decrypt anything, a setup which works because all the crypto operations are performed by a local agent, reached over a socket forwarded via ssh.

One of the things I’ve wanted to do for a while is continue to have sudo require a password, but have that password be something in my gopass repository. My initial attempts focused on the -S option to sudo, reading the password from stdin. I couldn’t get that to work no matter what I tried, but then I came across the -A option to sudo.

The -A option triggers the use of “askpass”, where sudo executes a program which is expected to obtain the user’s password and then print it to stdout. With this you can tie together a little function which asks for a path in your pass repository (or defaults to the one set in a specific environment variable) and then spits the secret to stdout. Normally you don’t want to print a password to stdout, but since sudo runs the askpass program as a subprocess, the output is captured by sudo and used as the password for the authentication attempt.
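Here is a sketch of such an askpass helper, written as an added example rather than taken from the author’s one-offs repository; the variable names SUDO_GOPASS_PATH and GOPASS_CMD and the function name ask_pass are assumptions, and the gopass invocation uses the real `gopass show -o` flag (password only).

```sh
#!/bin/sh
# Added example (not the post's own code): a sudo askpass helper backed by gopass.
# sudo -A runs the program named in $SUDO_ASKPASS, passes its prompt text as $1,
# and reads the password from the program's stdout. Everything else we print
# must therefore go to the terminal, never to stdout.
#
# Install (assumed path):  chmod +x ~/bin/gopass-askpass.sh
#                          export SUDO_ASKPASS=~/bin/gopass-askpass.sh
#                          export SUDO_GOPASS_PATH=sudo/$(uname -n)
# Use:                     sudo -A whoami

# Entry in the gopass store to use (assumed variable name). Empty means "ask".
: "${SUDO_GOPASS_PATH:=}"
# Command used to fetch the secret (assumed variable name); overridable so the
# logic can be exercised with a stub instead of a real store and Yubikey.
: "${GOPASS_CMD:=gopass}"

ask_pass() {
    # sudo passes its prompt text, e.g. "[sudo] password for alice:", as $1.
    prompt=${1:-Password:}
    entry=$SUDO_GOPASS_PATH
    # No default entry configured: ask for the store path on the tty, so the
    # question does not end up in the password sudo captures.
    if [ -z "$entry" ]; then
        printf '%s gopass entry: ' "$prompt" >/dev/tty
        read -r entry </dev/tty
    fi
    # -o prints only the password line, without any metadata stored beside it.
    # gopass/gpg will raise the Yubikey PIN prompt via pinentry at this point.
    "$GOPASS_CMD" show -o "$entry"
}

# When executed directly (as SUDO_ASKPASS), answer sudo's request and exit
# with gopass's status so a failed decryption fails the sudo attempt too.
if [ "${0##*/}" = "gopass-askpass.sh" ]; then
    ask_pass "$@"
    exit $?
fi
```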

See it in my one-offs repository