Console Password Manager (cpm)

This program is a ncurses based console tool to manage passwords and store them public key encrypted in a file - even for more than one person. The encryption is handled via GnuPG so the programs data can be accessed via gpg as well, in case you want to have a look inside. The data is stored as as zlib compressed XML so it's even possible to reuse the data for some other purpose.

The software uses CDK (ncurses) to handle the user interface, libxml2 to store the information, the zlib library to compress the data and the library GpgMe to encrypt and decrypt the data securely.

The next release 0.25beta will work with the latest CDK5 version 20090215 and I will publish it as soon as this CDK release makes it into the distributions.

Moreover I am currently looking for a volunteer for Debian and/or Ubuntu package maintenance. I am not familiar with packaging for the official distributions but would like to see cpm into these distributions as well.

A mailinglist is available at SourceForge and you can subscribe here.

Screenshots of cpm in action are here.

The features of CPM are listed below. A detailed description of the features is available here.

• datafiles can be encrypted for more than one person (public key encryption)
• data files are always signed by the last person who saved it so forging data files is not possible
• encryption is handled by the GPGME library so it's supposed to be very secure
• data inside the encryption is a gzipped XML file so almost nothing is known about the encrypted data
• the application memory is protected from paging; sensitive data does not get written to the swap space
• no core dumps are created in case the program crashes; no sensitive data ends up in the core file
• the application is protected from ptrace attacks so even the local root user can't look into the process data
• the runtime environment is carefully checked
• datafiles are en- and decryptable directly by gpg and gzip
• data is stored XML formatted
• data is validated with an internal DTD to detect invalid or broken XML code
• backup files are created if possible
• it is possible to store several passwords per account
• it's possible to handle several datafiles, each encrypted for different people
• check of password strength and warnings about weak passwords (via cracklib)
• user definable hierarchy with unlimited depth
• long comments for any node in the hierarchy
• password generator
• there is only one password visible at a time
• searchable database from the commandline
• regex patterns can be used for the search
• user definable searchpatterns (e.g. user@hostname)
• several hits can be displayed at once (e.g. several accounts per host)
• conversion scripts for Password Management System (pms), Password Safe and CSV files

This is my current todo list for this project:

• Add an auto-quit function so the program can terminate automatically after a configurable timespan.

• Provide a statically linked binary.
• When adding an item, place the cursor right there.

• Fix the missing status line after a terminal was resized.
• Add support for FreeBSD.

• Add <CTRL><Q> to quit the program at once.

• 2495575 will be fixed in release 0.25beta.
• 2495570 will be fixed in release 0.25beta.
• 2495565 will be fixed in release 0.25beta.
• 1881523 will be fixed in release 0.25beta.
• 1708078 will be fixed in release 0.25beta.
• 1458208 is fixed in release 0.22beta.
• 1457707 is fixed in release 0.22beta.
• 1437432 is fixed in release 0.21beta.
• 1370607 I can't fix this without access to a FreeBSD machine.
• 1370314 is fixed in release 0.20beta.
• 1296188 is fixed in release 0.19beta.
• 1283983 is a CDK bug and checked for in release 0.18beta; it's not possible to fix this though.
• 1282944 is a libxml2 bug which was fixed in version 2.6.16.
• 1282940 is fixed in release 0.18beta.
• 1235987 is fixed in release 0.15beta.
• 1235984 is fixed in release 0.15beta.
• 1205894 is invalid.
• 1205873 is fixed in release 0.9beta.
• 1203336 is fixed in release 0.8beta.
• 1199825 is fixed in release 0.7beta.
• 1190234 is fixed in release 0.6beta.

• tar.gz (signature)
• tar.bz2 (signature)

All the files can be viewed here and a sample configuration file is there.

The package is also available as a Debian package. The package is available at http://debian.harry-b.de/unstable/.

To add this package to your APT-repository, just add the line

deb http://debian.harry-b.de/ unstable/

or

deb http://debian.harry-b.de/ sarge/

to your sources list in /etc/apt/sources.list.

To get the the Debian package's signature validated with SecureApt, please download my public key and save it into a file e.g. named cpm-key.txt and then, as user root the following command:

$ apt-key add cpm-key.txt

After you have issued this command, the public key is added to the apt-get keyring and when you now run apt-get, the package's signature gets validated to make sure you got the original, unmodified package.

For Gentoo Linux a ebuild file is available here.

First add PORTDIR_OVERLAY=/usr/local/portage to /etc/make.conf.

To use this, you have to perform the following steps:

$ mkdir -p /usr/local/portage/app-admin/cpm
$ cp cpm-0.8_beta.ebuild /usr/local/portage/app-admin/cpm
$ ebuild /usr/local/portage/app-admin/cpm/cpm-0.8_beta.ebuild digest
$ emerge /usr/local/portage/app-admin/cpm/cpm-0.8_beta.ebuild

where you have to replace the version number with the current version.

The ebuild file was created by Marc Jauvin. Thanks alot for the support!

The key used for the signature is

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.1 (GNU/Linux)

mQGiBEKtgVQRBACnQkjlPR7qmpnhmtpVnxH2L7vaa5ZWUbk7JFIU053j3oXyiJdG
KkyQ21DcK2w3YzB/960ONN+nPvGJOc57U0cuTaBiFK5ofzZ0MOkblTXFpSi1ylIy
dpwGgqlESH8ZgSaGLZeswAFuvu6KbRVpyVFhl7nOYRXaf+c3iCBSwk2UiwCg5VR/
qX/H1CMnuRvT3b6iCGtTnfkEAJIezX3RYjS2e/+2Z21+pCbFPFXPtYbWR4/iMr9F
t6DEaWa6r6f3/3zTMBHfHbzQNdiWYoom/nVj5M49WvJ+Wd+90jPxaFWn/IEYYVlt
wVB7MoY0DserdnuAJXiDAE48A4qHE57/lyVmrvpAdQTF4v41MBGJVyMC/6z7rDWz
QwecA/wImyYjAYJYHuok66MSrUv+HIhokSRuXpTpxBCEtUDvsKdQvhIncbQvMmmh
xOOLhm/+sYxOUC/i9A4a/FwlXD4bsoqPYe1fwbBwjHuj4g2yXfpQIt7y4W2WreAO
u+BILFMlNQiZOFBtCgBK/22omZLi/3VdHuep1a1A8b8M5e1rnLQ6Q29uc29sZSBQ
YXNzd29yZCBNYW5hZ2VyIFZlcmlmaWNhdGlvbiBLZXkgPGNwbUBoYXJyeS1iLmRl
PoheBBMRAgAeBQJCrYFUAhsDBgsJCAcDAgMVAgMDFgIBAh4BAheAAAoJEF9/lP5R
z3V71+EAn0M8JKcqI7f89QvbBb5tVngMND2DAKCYPKXomzsYbuhBPuRDoBg7bG2B
x4hGBBARAgAGBQJCrYF7AAoJEMCsVvu3qFs+or8AnRxANV5o2zbtceAZEaCH2x12
4VEwAJ9dZpxp2pG6p+zbHjb+rmTAMXXR1LkCDQRCrYFqEAgAuXOLmt2aJ3818Ynk
6NxgiTdRJIZZN3+Hybb7VaMLc027bfVXL0iU/B+yNrxREkmFKSS4czIm+6j439mX
dBDGsHqV6MIyIYbg3chJJgPP11bFJ6/R1+vWURI7LYYvKhg4Dis1UdDRhRWXpfan
0k42RT7xsD2PeM0J8d8mH2RkZAYRx7eu33fgtPzmSjZnyCbOzGf0qP7+qeWWNRGH
BfF7Ob6iD20nRSPq0R6fd1nr16DfQsVKCxZ2CerT9sp48zVg/Jsd91/IS6jCM8TI
XYjQFbfyaB7+q7Bk0wqea1co+Tc3nFwXXAtVVUcqDozHcIxZm1T3nd83lrP7qsns
c2DqcwADBQf/Zp4oZ//y+zfRGdmZ4YQJAWbpFYXHLIO5tZ0kSrZe36rkveP4VLJ9
pxZbl4XH4YXsHHPgbnkuCClakHPCJKSck07EkMNDUmYwXdLV0r+mdFVPRGKXFTG7
ZxDtm7EBMCCxx5J9lVvvwMaQq2pJoHasNFPm+CyOugvfeZn81DDBAHo2mIBR5BWB
9VcWxLY93jmBR8mc7Cg7TeLO9TKam+5xLVZxFHs+V0z1lugQ2pMTfH/wzgwgF5qW
smD8vdt4uEVCEWE5uIKSUIecPh4hC1GQUXzLfpAbVzmVFGE6UekO8m+ZwS4Rnd6t
ko9Sb6l69VJiISKa+UyvePITwlqNSHVN+ohJBBgRAgAJBQJCrYFqAhsMAAoJEF9/
lP5Rz3V7JwQAoIRHaS4A4AZUGzy0R1xdNjxLuvSJAKCz7yaaYl2GCzmyQCiiv0rY
Qd7EfQ==
=v4bV
-----END PGP PUBLIC KEY BLOCK-----

and can be downloaded as well.

There are packages available for Fedora and Red Hat Enterprise Linux 5 and compatible. Details can be found here. Thanks to Marek Mahut for the packaging.

CPM has been tested on the following platforms:

• Ubuntu 8.04 LTS, 8.10
• RedHat Enterprise Linux 5
• Fedora Linux
• Debian Sarge, Sid, Woody (i386)
• Gentoo Linux (i386)
• Fedora Core 3 (AMD64 Opteron)
• Solaris 10

If you encounter memory problems, e.g. on Gentoo Linux, please read the section Memory issues in the security section of this document.

In case you use CPM on another platform it would be nice if you could send me a short email reporting success (or failure which I will try to fix as soon as possible).

To install this program, the following libraries are required:

• cdk4 (>= 4.9.9) or cdk5 (>=5.0.20090215)
• crack (>= 2.7)
• dotconf (>= 1.0.13)
• gpgme (>= 1.0.2, >= 1.1 recommended)
• ncurses or ncursesw (>= 5.4)
• xml2 (>= 2.6.16)
• zlib (>= 1.2.2)

On Ubuntu systems, the package names are:

• cracklib-runtime
• libcdk5
• libcdk5-dev
• libcrack2
• libcrack2-dev
• libdotconf1.0
• libdotconf-dev
• libgpg-error-dev
• libgpgme11
• libgpgme11-dev
• libncursesw5
• libncursesw5-dev
• libxml2
• libxml2-dev
• zlib1g
• zlib1g-dev

Installation should be quite simple if all requirements are met:

1. ./configure
2. make
3. make check (this only works if it's compiled with -DTEST_OPTION)
4. make install

In case the constant CRACKLIB_DICTPATH is not defined in your crack.h file, you might have to tell configure where the dictionary files of libcrack are. This can be done by passing e.g. –with-crack-dict=/var/cache/cracklib/cracklib_dict to configure. Please note, that the file extension must not be specified.

If you don't have cracklib installed, you can turn off it's use by passing –without-crack-lib to the configure command.

To handle memory problems, the option –without-memlock might help you. Please read the section about Memory Issues in the security section very carefully.

A detailed GPG setup procedure for GPG rookies is here.

For debugging, testing and configuration these labels can be defined:

1. -DFORCE_CDK_V4 to force the correct calls for CDK version 4, even if it looks like version 5.
2. -DKEY_DEBUG can be used to get information about the used keys during the signing process.
3. -DMEMDEBUG can be used to find memory leaks and such nasty stuff all memory operations show what they do and how much memory they allocate or free.
4. -DMEMLOCK_LIMIT is used to define the memory limit to be defined for the max. locked memory check. See –with-memlock configure argument.
5. -DNO_CRACKLIB can be used to not use the crack library - this reduces the security level of the application though (this gets automatically added if configure is started with –without-crack-lib).
6. -DTEST_OPTION can be used to run some tests for the final program it enables the commandline option –testrun thus 'make check' can be used.
7. -DTRACE_DEBUG enable can be used to enable the TRACE() function for debugging.

The program tries to find it's configuration file at the following locations in the given order:

1. ${HOME}/.cpmrc
2. /etc/cpm/cpmrc
3. /etc/cpmrc

As soon as one of these files is found, it's used and the others (in case they exist) are ignored. You can find a default configuration in the file cpmrc-default.

The binary should be suid root (mode 4755) to enable memory locking and protection from ptrace attacks.

The applications runs a check on each startup on the following things:

• if core dumps are disabled
• if memory is locked from paging (so memory does not get written to swap space) WARNING: some computers (mostly notebooks) can create memory images for 'hibernation'. It's not possible to protect the sensitive data from being written to those partitions!
• if the application is protected from ptrace spying
• if the application has environment checks enabled
• if it's running without root privileges (right after program startup and memory locking, root privilges are dropped)

If one of these tests fail, a warning is displayed and a key must be pressed to continue or abort the application. The current security level can be displayed using the '–security' commandline argument.

On some systems, the locked memory for an application is limited. This is the case e.g. on Gentoo and SuSE systems.

In this case the limit is set to something like 32k which you can see using the command ulimit -l. The interesting part of it's output is the line max locked memory - it should be at least 5120k.

I have no idea why this limit is used at all (except for some special purpose machines) and especially at this low limit. If anyone has an idea why it is used and set to such a small value please send me an email.

cpm locks it's memory because it is the only way to prevent the memory from being swapped to disk, in case the operating system decides that it needs memory.

If you want to disable memory locking (and take the risk that your passwords land in clear text on your harddisk) you can use the option –without-memlock to the configure command.

!!! WARNING !!! It is NOT recommended to use this option - it opens a well known security leak!!! !!! WARNING !!!

Unfortunately it is not possible to predict the exact amount of memory which is necessary to run cpm. It depends on the size of the XML structure and many other things which are not known at program startup.

Hence, the default security procedure checks for at least 5120k of memory to lock. If you expect to handle alot of data with cpm, you can set this limit somewhat higher by using the –with-memlock option which specifies the amount of memory in kByte.

Many thanks go to Daniel Schröder mail@dschroeder.info and Holger Dinkel holger.dinkel@med.uni-erlangen.de for helping me to track this problem down and the explanation how to get around it.

To test if cpm fails because of the ulimit problem, run this procedure:

$ su -
Password:
$ ulimit -l 5120
$ su - your_user
$ cpm -s

After these steps, the program should run correctly without any memory hassles.

In case you are running a Debian like system, you might want to change the file /etc/security/limits.conf.

Add the following entry into that file (as root) to set a proper limit for a specific user:

my_user           -       memlock         6144

where my_user is the username you want to use CPM with.

To get a detailed help during runtime, press <CTRL><H>.

Right now there are three interfaces available for importing data. All these are handled by the import.sh script which can be found in /usr/share/cpm. The basic procedure always converts the 'foreign' format to cpm's own CSV format and then this data gets imported.

The general interface imports a properly formatted CSV file.

The passwordsafe interface can read CSV export files from Password Safe (by Bruce Schneier)

The PMS interface can read CSV files created by pms_export

<?xml version="1.0" encoding="ISO-8859-1"?>
<root version="0.2alpha">
  <template>
    <title level="1">host</title>
    <title level="2">service</title>
    <title level="3">user</title>
    <title level="4">password</title>
  </template>
  <editor>
    <user uid="1">unknown</user>
    <user uid="2">Harry Brueckner</user>
  </editor>
  <node label="label 1" >
    <node label="label 1.1" />
      <comment>here goes the comment</comment>
    <node label="label 1.2" />
    <node label="label 1.3" />
  </node>
  <node label="label 2" >
    <node label="label 2.1" />
    <node label="label 2.2" />
      <comment>here goes anothe comment</comment>
    <node label="label 2.3" />
  </node>
</root>

Here are some backlinks to my project in alphabetical order:

• All-Internet-Security
• .bootstrap Blog
• debian-administration.org
• English Wikipedia
• Jerris Blog
• Kevin Rosenberg's Blog
• Lars Strand Blog
• Linux Links
• net-security.org
• Softpedia

• Linux Journal 01/2005 (PMS)
• slashdot.org (PMS)