Dependency on pwqgen not mentioned in readme #147

Closed
opened 2021-04-16 16:35:00 +00:00 by roxxers · 11 comments
Owner

Is required for secret generation.

Author
Owner

Are there native solutions we can have as a fallback like /dev/urandom? Might be good to make pwqgen an optional dependency
Author
Owner

I think passwdqc-utils is unmaintained

Author
Owner

Can't seem to give my own command either. Aliasing pwqgen doesn't work
Author
Owner

Makes using abra on Arch-based systems impossible as you cannot download the binary and I cannot find the source
decentral1se added the bug label 2021-04-16 21:12:43 +00:00
decentral1se added this to the Beta release milestone 2021-04-16 21:12:50 +00:00
Owner

@roxxers do you have `pwgen` (without the Q) installed? We could use that as a fallback if `pwqgen` isn't available. If not, yeah let's use /dev/urandom or some excitement.

Did you at least get an error message `"ERROR: 'pwqgen' program is not installed"` or is that also not working?

Lastly you can manually hack around this using the `<cmd>` option to `abra .. secret generate`, e.g.

```
abra app foo_bar secret generate --all "pwgen"
```
Author
Owner

pwgen is installed. Still get the same error, which is the `"ERROR: 'pwqgen' program is not installed"` one, and providing my own command like you showed still shows the same error, so I think the logic might be bugged a lil from what I saw of the code. Didn't deep dive the bash but I did see how it might just ignore everything if pwqgen isn't installed
Owner

> I think the logic might be bugged a lil from what I saw of the code.

Yep, seems so. Looking at it now
Author
Owner

I'll provide screenshots in a bit

Owner

It now seems to work with the `<cmd>` option, at least:

```
➜ abra app traefik_demo secret generate foobar v1 pwgen
SUCCESS: Password: di3Avohl
^C
➜ abra app traefik_demo secret generate foobar v1 
ERROR: 'pwqgen' program is not installed
```

(I tested by renaming my `pwqgen` binary)

Suggest keeping this ticket open until we have the default fallback -- @roxxers do you think `pwgen` is a safe option here or should we do some exciting pure-bash generation?
Author
Owner

@3wordchant I think just moving to a more native solution as a fallback would help portability. As for security, I think the default length when using pwgen is too small. Using something like `pwgen 1 32` for a 32 char length is safer. The ones generated for me after the fix were 8 chars long. I'd have to research which method is best but from what I recall, urandom should be fine. Esp when secrets don't need memorisation or ease of typing like passphrases do.
decentral1se added the secrets label 2021-04-17 22:45:05 +00:00
Owner

> I think just moving to a more native solution as a fallback would help portability.

Yeah sounds legit, patch welcome! Otherwise I'll get to it ASAP.

> As for security, I think the default length when using pwgen is too small.

See #153; I think this was my mistake providing the above workaround. Normally, `abra` already generates passwords of the length specified in an app's `.env.sample` file – a quick `rg --hidden length` in my `~/.abra/apps` dir suggests that the shortest length we'll generate will be 43 (for Gitea's `SECRET_JWT_SECRET_VERSION`).

> Esp when secrets don't need memorisation or ease of typing like passphrases do.

Depends which; it seems possible that someone at some point is gonna need to read a MySQL root password over the phone, in which case `pwqgen`-generated passwords are going to be many many times easier.
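The native fallback and length concern discussed in this thread, as an added example that is not part of the issue or of abra's code: a `/dev/urandom` generator of an exact length, plus a length check on whatever a `<cmd>`-style custom generator returns. The names `generate_secret`, `urandom_secret` and `MIN_SECRET_LENGTH` are hypothetical, and the 32-character floor is an assumption taken from the suggestion above.

```sh
#!/bin/sh
# Added example; names are hypothetical and not taken from abra.
MIN_SECRET_LENGTH="${MIN_SECRET_LENGTH:-32}"  # assumption: floor suggested in the thread

# Print LENGTH characters of [A-Za-z0-9] drawn from the kernel CSPRNG.
urandom_secret() (
  # tr drops every byte outside the set, so each kept character is uniform.
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
)

# generate_secret LENGTH [CMD [ARGS...]]
# With CMD: run it and accept its output only if it is long enough.
# Without CMD: use /dev/urandom, so no external generator is required.
generate_secret() (
  length="$1"
  case "$length" in
    ''|*[!0-9]*) echo "ERROR: length must be a number" >&2; exit 2 ;;
  esac
  if [ "$length" -lt "$MIN_SECRET_LENGTH" ]; then
    echo "ERROR: length $length is below $MIN_SECRET_LENGTH" >&2; exit 2
  fi
  shift
  if [ "$#" -gt 0 ]; then
    # Report the command that was actually requested, not a hard-coded one.
    if ! command -v "$1" >/dev/null 2>&1; then
      echo "ERROR: '$1' program is not installed" >&2; exit 3
    fi
    secret="$("$@")" || exit 4
  else
    secret="$(urandom_secret "$length")"
  fi
  # Catches generators left at a short default, e.g. 8 characters.
  if [ "${#secret}" -lt "$length" ]; then
    echo "ERROR: generator returned ${#secret} characters, need $length" >&2
    exit 5
  fi
  printf '%s\n' "$secret"
)
```

Calling `generate_secret 43` uses the urandom path; passing a command after the length runs that command instead and rejects its output if it is shorter than requested.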
3wordchant changed title from Dependancy on pwqgen not mentioned in readme to Dependency on pwqgen not mentioned in readme 2021-04-20 09:06:20 +00:00
Reference: coop-cloud/abra#147