@hellekin
Created May 4, 2013 13:15
Using Awk and GPG to protect authinfo network credentials with .netrc
#! /bin/zsh
#
## Get password from an encrypted .netrc file
#
# Copyright 2013 hellekin <hellekin@cepheide.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
set -e
# Pass the account as first (and unique) argument
ACCOUNT="$1"
# Passwords are stored in .netrc format
# See: info inetutils 'ftp invocation' 'The .netrc File'
PASSWORD_FILE="$HOME/.netrc.gpg"
# Fixed search path; /bin is included for cat on systems where it is not in /usr/bin
PATH="/usr/bin:/bin"
AWK="/usr/bin/awk"
GPG="/usr/bin/gpg"
[[ -x $GPG && -x $AWK ]] || {
cat >&2 <<EXECUTABLES
ERROR: missing executable!
We need $GPG and $AWK.
Please install them first!
EXECUTABLES
exit 1
}
[[ $# -ne 1 || "$1" = "-h" || "$1" = "--help" ]] && {
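$AWK '
  # Fill in the script name and the password file, then print the usage
  # text: everything from "## USAGE" on (EOF is an unset awk variable, so
  # the range never closes), minus the leading "##" marker.
  /{{X}}/ { sub(/{{X}}/, "'"${0##*/}"'"); }
  /{{P}}/ { sub(/{{P}}/, "'"$PASSWORD_FILE"'"); }
  /^## USAGE/,EOF { sub(/^## ?/, ""); print }
' "$0" >&2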
exit 64
}
[[ -f "$PASSWORD_FILE" ]] || {
cat >&2 <<NETRC_INFO
ERROR: Missing password file '$PASSWORD_FILE'!
Did you create it? You can do it by issuing, e.g.:
\$ gpg -e ~/.netrc
To learn about the '.netrc' file format, consult the manual:
\$ info inetutils 'ftp invocation' 'The .netrc File'
NETRC_INFO
exit 1
}
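# Return the password
# We want to match a line like '#@ $ACCOUNT'
# and get the password from the next line starting with 'password'.
# The account is handed to awk through the environment and compared as a
# literal string, so it is never parsed as a regex or as awk source.
$GPG --batch -q -d "$PASSWORD_FILE" | \
ACCOUNT="$ACCOUNT" $AWK '$0 == ("#@ " ENVIRON["ACCOUNT"]),/^pass/ { if ($1 == "password") print $NF; }'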
exit $?
##
## USAGE: {{X}} account
##
## Retrieve password for `account' from an encrypted .netrc
## file. Passwords are stored in "{{P}}".
##
## The .netrc file must contain a marker preceding the
## relevant password entry, i.e.: #@ account
##
## Example usage
##
## In order to get the password for `foo' from the following
## sample file, you would run:
##
## $ {{X}} X
## It_Works!
##
## Sample file
##
## #
## # Sample ~/.netrc.gpg (obviously, deciphered)
## #
##
## #@ X
## machine foo.example.org
## login foo
## password It_Works!
##
## #@ Y
## # You can put some comments
## machine bar.example.net
## login user
## password WhydopeoplekeepusingWEAKpasswordswhentheycanuseGnuPG?
##
## #@ Z
## # You should now stop using weak passwords,
## # and start using keyring, gpg-agent, and ssh-agent...
## machine fubar.example.com
## login ping
## password pong
##
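An added example, not part of hellekin's gist: two ways of matching the `#@ account` marker with awk, one splicing the account into the program text as a regex and one comparing it literally through `ENVIRON`. The function names `sample_netrc`, `lookup_regex` and `lookup_literal`, the `mail.example` entry and the second and third passwords are assumptions made for illustration; the constructed sample stands in for the output of `gpg -d ~/.netrc.gpg`.

```shell
#!/bin/sh
# Added example: literal vs. regex matching of the '#@ account' marker.
# The sample below is constructed; it stands in for decrypted .netrc.gpg content.

sample_netrc() {
cat <<'EOF'
#@ X
machine foo.example.org
login foo
password It_Works!

#@ Y
# You can put some comments
machine bar.example.net
login user
password second-secret

#@ mail.example
machine mail.example.org
login me
password third-secret
EOF
}

# Account spliced into the awk program: it is parsed as a regular expression
# (and as awk source), so metacharacters change which markers match.
lookup_regex() {
    sample_netrc | awk '/^#@ '"$1"'$/,/^pass/ { if ($1 == "password") print $NF }'
}

# Account passed through the environment and compared as a plain string:
# only the exact marker line opens the range.
lookup_literal() {
    sample_netrc | ACCOUNT="$1" awk '
        $0 == ("#@ " ENVIRON["ACCOUNT"]), /^pass/ { if ($1 == "password") print $NF }'
}
```

With the account `.`, the regex form matches every single-character marker and returns two passwords, while the literal form returns nothing because no entry is marked `#@ .`.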