cloudflare / gokey

A simple vaultless password manager in Go

License: BSD 3-Clause "New" or "Revised" License

Go 100.00%
password-manager password-generator password-store keychain key-generator seed password-vault ecc stateless rsa-key

gokey's People

Contributors

anthonyfok, awnumar, bdrung, danielledeleo, dncohen, frebib, gliptak, ignatk, kbdharun, levidurfee, ntuckerxx, sandro, testwill, wardn, zhsj


gokey's Issues

Migrate from Travis CI to GitHub Actions or another alternative?

Looking at https://travis-ci.org/github/cloudflare/gokey, we see the following banner at the top of the page:

Since June 15th, 2021, the building on travis-ci.org is ceased. Please use travis-ci.com from now on.

Also, looks like the last time Travis CI ran on this repo was a year ago per the same page. Given the Travis CI change of support for open-source projects, it may make sense to either upgrade to a paid Travis CI offering or migrate to an alternative, such as GitHub Actions or any other service provider.

FWIW, I'm not affiliated with any of these, just thought I'd give you a heads up.

Question: In multi server environments do you need the same master seed on all servers?

Hi, @secumod

I watched your presentation here:

https://www.usenix.org/conference/srecon17asia/program/presentation/korgachin

I have a question in regards to managing setups which consist of many servers. Do I need to store the same master seed in UEFI on every server? Is there a way to use different master seeds on different servers and still have secure trusted communication between the servers?

If the same master seed is stored on every server then it is easy, but can this be done with separate unique master seeds stored in the UEFI and based on a random number generator, for example?

I am trying to figure out if gokey can be used for something similar to this:

Each server machine in the data center has its own specific identity that can be tied to the hardware root of trust and the software with which the machine booted. This identity is used to authenticate API calls to and from low-level management services on the machine.

Broken design and Implementation

Does this implement a password-based encryption from a master password which is passed as a command line argument?
Not Recommended.

It seems that the master key is being used as entropy, and humans are super lazy, so this means a human picks something relatively short which has a very small key space. Not good for encryption. It seems then that the master password is used as a limited key space to derive subsequent passwords through master-password-entropy + identifier string.
Not Recommended.

The PBKDF and HKDF algos are being used as derivation functions, for which they were not designed.
Not Recommended.

At the end of this little ditty, the standard algos are utilized, but it's not going to help because the design is broken from the start.

"This way you need to remember only your master password and you can always recreate passwords for your services/resources."
LOL, no.

Error compiling

% m1-terraform-provider-helper install hashicorp/template -v 2.2.0
Getting provider data from terraform registry
2023/11/28 10:46:34 Getting provider data from https://registry.terraform.io/v1/providers/hashicorp/template
2023/11/28 10:46:35 Provider data: {https://github.com/hashicorp/terraform-provider-template terraform-provider-template}
Getting source code...
2023/11/28 10:46:35 Extracted repo https://github.com/hashicorp/terraform-provider-template to terraform-provider-template
2023/11/28 10:46:35 Resetting /Users/loka/.m1-terraform-provider-helper/terraform-provider-template and pulling latest changes
Compiling...
FATA[0005] Bash execution did not run successfully: exit status 2.
Output:
go: github.com/hashicorp/[email protected] requires
labix.org/v2/[email protected]: unrecognized import path "labix.org/v2/mgo": GOVCS disallows using bzr for public labix.org/v2/mgo; see 'go help vcs'
make: *** [build] Error 1

Build on Windows

Go getting and building gokey on Windows OS

go get github.com/cloudflare/gokey/cmd/gokey

gives these errors:

# github.com/cloudflare/gokey/cmd/gokey
...\src\github.com\cloudflare\gokey\cmd\gokey\main.go:121:43: cannot use syscall.Stdin (type syscall.Handle) as type int in argument to terminal.ReadPassword
...\src\github.com\cloudflare\gokey\cmd\gokey\main.go:133:47: cannot use syscall.Stdin (type syscall.Handle) as type int in argument to terminal.ReadPassword

The build is successful after replacing in main.go:

terminal.ReadPassword(syscall.Stdin)

with:

terminal.ReadPassword(int(syscall.Stdin))

Tests fail with go1.19

Several tests fail with go1.19, but pass with go1.18:

$ go version
go version go1.19 linux/amd64
$ go test ./...
--- FAIL: TestGetKey (2.99s)
    gokey_test.go:161: keys with same invocation options do not match
FAIL
FAIL	github.com/cloudflare/gokey	3.153s
?   	github.com/cloudflare/gokey/cmd/gokey	[no test files]
--- FAIL: TestKnownKey (0.20s)
    keygen_test.go:129: generated RSA 2048 does not match the expected result
--- FAIL: TestStdKey (0.25s)
    keygen_test.go:149: mitigating crypto/internal/randutil.MaybeReadByte...
    keygen_test.go:149: mitigating crypto/internal/randutil.MaybeReadByte...
    keygen_test.go:194: RSA key generation algorithm from stdlib deviates from the one in gokey
FAIL
FAIL	github.com/cloudflare/gokey/rsa	0.454s
FAIL

See the Debian FTBFS (fail-to-build-from-source) bug at https://bugs.debian.org/1017300 where @lnussbaum routinely rebuilds packages with the latest tools and libraries, and in this case, go1.19. It probably has to do with changes made to go1.19 built-in crypto libraries, see https://go.dev/doc/go1.19#minor_library_changes

Many thanks!

Password prompt should be printed to stderr

Would be nice if the master password prompt went to stderr so the output can be piped to a clipboard-grabber, e.g. on a Mac:

gokey -s myseed -r some/password | pbcopy

... resulting in the password being placed in the clipboard, rather than making the user select and copy it manually. In addition to being less manual, it also means the password doesn't actually ever need to be seen.

Note that this requires the newline after the password to not go to stdout either.

Question: How would you deal with being forced to change a single password?

I really like the idea of this, but I'm struggling to understand how you'd deal with a situation where you might have generated passwords for a hundred sites/services, and one of them contacts you to say they've had a compromise and you need to change your password for that site.

Is this a scenario that gokey can cope with?

Generated passwords look very similar

Guys,
Just downloaded the Linux x64 binary from the release page and while playing with the app I've noticed a strange thing:

seba@sebapc Pobrane]$ ./gokey-v0.1.2-linux-amd64 -p example-p@ss -r github.com -l 10
sPYL`0_9rj
[seba@sebapc Pobrane]$ ./gokey-v0.1.2-linux-amd64 -p example-p@ss -r github.com -l 11
D5`0Nm*nuY;
[seba@sebapc Pobrane]$ ./gokey-v0.1.2-linux-amd64 -p example-p@ss -r github.com -l 12
z/Beul!Q1,.V
[seba@sebapc Pobrane]$ ./gokey-v0.1.2-linux-amd64 -p example-p@ss -r github.com -l 13
/Beul!Q1,.V>]
[seba@sebapc Pobrane]$ ./gokey-v0.1.2-linux-amd64 -p example-p@ss -r github.com -l 14
Beul!Q1,.V>]<@
[seba@sebapc Pobrane]$ ./gokey-v0.1.2-linux-amd64 -p example-p@ss -r github.com -l 15
w+m6j-vJH{"bz/B
[seba@sebapc Pobrane]$ ./gokey-v0.1.2-linux-amd64 -p example-p@ss -r github.com -l 16
w+m6j-vJH{"bz/Be
[seba@sebapc Pobrane]$ ./gokey-v0.1.2-linux-amd64 -p example-p@ss -r github.com -l 17
w+m6j-vJH{"bz/Beu
[seba@sebapc Pobrane]$ ./gokey-v0.1.2-linux-amd64 -p example-p@ss -r github.com -l 18
w+m6j-vJH{"bz/Beul
[seba@sebapc Pobrane]$ ./gokey-v0.1.2-linux-amd64 -p example-p@ss -r github.com -l 19
w+m6j-vJH{"bz/Beul!
[seba@sebapc Pobrane]$ ./gokey-v0.1.2-linux-amd64 -p example-p@ss -r github.com -l 20
w+m6j-vJH{"bz/Beul!Q
[seba@sebapc Pobrane]$ ./gokey-v0.1.2-linux-amd64 -p example-p@ss -r github.com -l 50
w+m6j-vJH{"bz/Beul!Q1,.V>]<@0psPYL`0_9rjP[b,d~^`:%
seba@sebapc Pobrane]$ ./gokey-v0.1.2-linux-amd64 -p example-p@ss -r github.com -l 51
w+m6j-vJH{"bz/Beul!Q1,.V>]<@0psPYL`0_9rjP[b,d~^`:%3

As you may see, the resulting password with an additional character is very similar to the previous password.
The same holds for a different master password and different websites.

Is it the expected behaviour or not?
Thanks,
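
An added example (not part of the issue and not gokey's code) that checks the outputs quoted in the post above: it locates each shorter output inside the `-l 50` output and measures the longest run two outputs share. The sample strings are copied from the post; the function names are made up for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Outputs copied from the issue above (gokey v0.1.2, same master password
// and realm, only -l varies), keyed by the requested length.
var samples = map[int]string{
	10: "sPYL`0_9rj",
	11: "D5`0Nm*nuY;",
	12: "z/Beul!Q1,.V",
	13: "/Beul!Q1,.V>]",
	14: "Beul!Q1,.V>]<@",
	15: "w+m6j-vJH{\"bz/B",
	20: "w+m6j-vJH{\"bz/Beul!Q",
	50: "w+m6j-vJH{\"bz/Beul!Q1,.V>]<@0psPYL`0_9rjP[b,d~^`:%",
}

// windowOffset returns the byte offset at which short occurs inside long,
// or -1 if short is not a contiguous window of long.
func windowOffset(long, short string) int {
	return strings.Index(long, short)
}

// longestCommonSubstring returns the longest contiguous run of bytes shared
// by a and b (O(len(a)*len(b)) dynamic programme with two rolling rows).
func longestCommonSubstring(a, b string) string {
	prev := make([]int, len(b)+1)
	best, end := 0, 0
	for i := 1; i <= len(a); i++ {
		cur := make([]int, len(b)+1)
		for j := 1; j <= len(b); j++ {
			if a[i-1] == b[j-1] {
				cur[j] = prev[j-1] + 1
				if cur[j] > best {
					best, end = cur[j], i
				}
			}
		}
		prev = cur
	}
	return a[end-best : end]
}

func main() {
	ref := samples[50]
	for _, l := range []int{10, 11, 12, 13, 14, 15, 20} {
		s := samples[l]
		// An offset >= 0 means the whole shorter password is already
		// contained in the longer one generated from the same inputs.
		fmt.Printf("-l %2d  offset in -l 50: %3d  longest shared run: %2d of %d\n",
			l, windowOffset(ref, s), len(longestCommonSubstring(ref, s)), l)
	}
}
```

Of the quoted outputs, only the `-l 11` one is not a contiguous window of the `-l 50` output.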

master password on cmd line

These days, monitoring the commands is becoming common. You have another option which does not see the secret password on the command line. Any chance of a Python direct interface?

Same output is not generated on all OS

Used gokey on ClearLinux and Win10 to generate output (text/password) with/without seedfile.
Observed that the output from it is always the same on the respective OS.
The expectation was that the output is the same on both ClearLinux and Win10 so that gokey is reusable.
If it is an incorrect expectation, then close this issue; else consider enhancing gokey.

Go1.20 TestGetKey: keys with same invocation options do not match

With the upcoming Go1.20, the tests fail

$ go version
go version go1.20rc2 linux/amd64
$ go test -count=1 ./...
?       github.com/cloudflare/gokey/cmd/gokey   [no test files]
--- FAIL: TestGetKey (0.02s)
    gokey_test.go:161: keys with same invocation options do not match
FAIL
FAIL    github.com/cloudflare/gokey     0.135s
ok      github.com/cloudflare/gokey/rsa 2.279s
FAIL

It looks like a real issue that the key generation is changed in Go1.20, but I haven't found a related changelog in Go.

New Master Password for the same seed file

Hi,
On YouTube, in one of the talks from 2017, @ignatk, you mentioned that it's possible to re-encrypt the seed file with a new master password, so you can still generate the same passwords for all the realms as before.

Could you please share the example command?
Every seed file generation needs a master password, and when I use the seed file I already have, it simply overwrites it.

Thank you

Package not installing on Mac

When I run go install github.com/cloudflare/gokey/cmd/gokey@latest I am getting the following error

../go/pkg/mod/golang.org/x/[email protected]/unix/zsyscall_darwin_amd64.go:28:3: //go:linkname must refer to declared function or variable
../go/pkg/mod/golang.org/x/[email protected]/unix/zsyscall_darwin_amd64.go:43:3: //go:linkname must refer to declared function or variable
../go/pkg/mod/golang.org/x/[email protected]/unix/zsyscall_darwin_amd64.go:59:3: //go:linkname must refer to declared function or variable
../go/pkg/mod/golang.org/x/[email protected]/unix/zsyscall_darwin_amd64.go:75:3: //go:linkname must refer to declared function or variable
../go/pkg/mod/golang.org/x/[email protected]/unix/zsyscall_darwin_amd64.go:90:3: //go:linkname must refer to declared function or variable
../go/pkg/mod/golang.org/x/[email protected]/unix/zsyscall_darwin_amd64.go:105:3: //go:linkname must refer to declared function or variable
../go/pkg/mod/golang.org/x/[email protected]/unix/zsyscall_darwin_amd64.go:121:3: //go:linkname must refer to declared function or variable
../go/pkg/mod/golang.org/x/[email protected]/unix/zsyscall_darwin_amd64.go:136:3: //go:linkname must refer to declared function or variable
../go/pkg/mod/golang.org/x/[email protected]/unix/zsyscall_darwin_amd64.go:151:3: //go:linkname must refer to declared function or variable
../go/pkg/mod/golang.org/x/[email protected]/unix/zsyscall_darwin_amd64.go:166:3: //go:linkname must refer to declared function or variable
../go/pkg/mod/golang.org/x/[email protected]/unix/zsyscall_darwin_amd64.go:166:3: too many errors

When I am on a Linux machine, it works like a charm. But when I do this on a Mac (OS version 11.2) I run into this issue. go version go1.18.3 darwin/amd64

A few issues for reference: golang/go#49219, golang/go#51706

Error while install gokey command-line utility

After installing go (go version go1.18.3 darwin/amd64), when I run go install github.com/cloudflare/gokey/cmd/gokey@latest I get the following error response:

# golang.org/x/sys/unix
../../../go/pkg/mod/golang.org/x/[email protected]/unix/zsyscall_darwin_amd64.go:28:3: //go:linkname must refer to declared function or variable
../../../go/pkg/mod/golang.org/x/[email protected]/unix/zsyscall_darwin_amd64.go:43:3: //go:linkname must refer to declared function or variable
../../../go/pkg/mod/golang.org/x/[email protected]/unix/zsyscall_darwin_amd64.go:59:3: //go:linkname must refer to declared function or variable
../../../go/pkg/mod/golang.org/x/[email protected]/unix/zsyscall_darwin_amd64.go:75:3: //go:linkname must refer to declared function or variable
../../../go/pkg/mod/golang.org/x/[email protected]/unix/zsyscall_darwin_amd64.go:90:3: //go:linkname must refer to declared function or variable
../../../go/pkg/mod/golang.org/x/[email protected]/unix/zsyscall_darwin_amd64.go:105:3: //go:linkname must refer to declared function or variable
../../../go/pkg/mod/golang.org/x/[email protected]/unix/zsyscall_darwin_amd64.go:121:3: //go:linkname must refer to declared function or variable
../../../go/pkg/mod/golang.org/x/[email protected]/unix/zsyscall_darwin_amd64.go:136:3: //go:linkname must refer to declared function or variable
../../../go/pkg/mod/golang.org/x/[email protected]/unix/zsyscall_darwin_amd64.go:151:3: //go:linkname must refer to declared function or variable
../../../go/pkg/mod/golang.org/x/[email protected]/unix/zsyscall_darwin_amd64.go:166:3: //go:linkname must refer to declared function or variable
../../../go/pkg/mod/golang.org/x/[email protected]/unix/zsyscall_darwin_amd64.go:166:3: too many errors

TestGetKey fails with Go >= 1.11

As seen on https://travis-ci.org/cloudflare/gokey, with https://travis-ci.org/cloudflare/gokey/builds/474000487 from PR #16 in particular, the test TestGetKey fails on Go 1.11.4 as well as master (Go 1.12 in beta), while it passes on Go 1.10.7:

--- FAIL: TestGetKey (26.58s)
    gokey_test.go:161: keys with same invocation options do not match

This was first detected by "autopkgtest" on Debian CI when we migrated the default Go version from 1.10 to 1.11, as reported at https://tracker.debian.org/pkg/golang-defaults:

Thanks in advance! Have a Happy New Year!

Anthony

Please create gokey releases

It would be nice to have proper releases. Otherwise I have to take git snapshots for the Debian package which leads to long versions like 0.0~git20190103.40eba7e+really0.0~git20181023.b4e2780-2.

Unable to `go get` it

Just wanted to try this tool but unable to go get ... it...

$ go get -v github.com/cloudflare/gokey/cmd/gokey
github.com/cloudflare/gokey
# github.com/cloudflare/gokey
dev/go/src/github.com/cloudflare/gokey/gokey.go:103:39: key.(*ed25519.PrivateKey).Seed undefined (type *ed25519.PrivateKey has no field or method Seed)

$ go version
go version go1.13 linux/amd64

Any idea, please? Also tried go get -u ... without any success...

Proposal: Willing to add autorelease support to GitHub actions

Hey @ignatk,

Based on your comment I understand that you want to add auto-release via GitHub actions, I am willing to help with this.

Here is how I am envisioning the workflow:

  1. We use this action.
  2. We add a CHANGELOG.md file to this repo.
  3. Whenever a new version # is added to the CHANGELOG.md file in the master/main branch, a release is triggered.

If you have a different vision for the auto-release, please do share it with me.

Before we start doing this, we could also change the primary branch to main (If I recall correctly, you wanted to change master to main).

Let me know your thoughts.......

gokey test suite takes hours on mips

The Debian package gokey 0.1.0-1 executes the test suite on build and takes normally a few minutes, but it takes hours on mips (running into a timeout for mipsel):

arch       gokey / s   gokey/rsa / s   total / s   total / min
amd64      62,699      9,48            72          1,2
arm64      55,506      14,007          70          1,2
armel      794,092     232,153         1026        17,1
armhf      209,169     55,441          265         4,4
i386       137,309     35,016          172         2,9
mips       6315,264    1370,946        7686        128,1
mips64el   4239,958    991,576         5232        87,2
mipsel     timeout     timeout
ppc64      138,461     36,532          175         2,9
ppc64el    40,098      10,276          50          0,8
s390x      68,397      14,412          83          1,4
sparc64    324,662     71,095          396         6,6

Source: https://buildd.debian.org/status/package.php?p=gokey

Can the test suite be made faster for mips?

Update doc: use `go install` instead

Go no longer uses go get to install a binary from a project:

go get github.com/cloudflare/gokey/cmd/gokey
go: go.mod file not found in current directory or any parent directory.
  'go get' is no longer supported outside a module.
  To build and install a command, use 'go install' with a version,
  like 'go install example.com/cmd@latest'
  For more information, see https://golang.org/doc/go-get-install-deprecation
  or run 'go help get' or 'go help install'.

Instead, use go install with a version or @latest:

$ go install github.com/cloudflare/gokey/cmd/gokey@latest
go: downloading github.com/cloudflare/gokey v0.1.0
go: downloading golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4
go: downloading golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb
$ which gokey
/home/user/go/bin/gokey

Bug: Length flag `-l` doesn't work

Trying to use -l as shown in the documentation doesn't work:

$ gokey -s seedfile -r domain.com -t pass -l 30
flag provided but not defined: -l

It's defined in the init() function in gokey/main.go, but the function doesn't seem to be called.
