
@vorstrelok
Created February 2, 2021 15:20
KeePassXC PAM login manager integration
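#!/usr/bin/fish --private
# PAM helper invoked through pam_exec.so.
#   PAM_TYPE=auth          read the login password from stdin and store it as
#                          the user-type key "keepassxc:password" (120 s timeout)
#   PAM_TYPE=open_session  move that key from uid 0's user keyring into the
#                          logging-in user's user keyring
#   anything else          exit 1
#
# !!!Security note!!!
# This will give any process running as your user access to your password while
# key has not expired (2 minutes or revocation by service, whatever comes first)
# Proper solution would probably be writing PAM module and transferring key
# straight to KeePassXC's own keyring
#
# NOTE(review): nothing in this script checks that authentication succeeded;
# whether it also runs after a rejected password depends on the included
# system-login stack - TODO confirm. The timeout is the only bound in that case.

set userid (/usr/bin/id -u "$PAM_USER")

# id prints nothing for an unknown or empty PAM_USER. Stop here instead of
# falling through and parking the typed secret in the caller's own keyring.
if test -z "$userid"
    exit 1
end

if test "$PAM_TYPE" = 'auth'
    # Absolute path like every other call in this script; only the exit status
    # (does the user's keyring already exist?) is of interest.
    if /usr/bin/keyctl show %:_uid.$userid >/dev/null 2>&1
        # reap just in case something went wrong and key expired by timeout
        /usr/bin/keyctl reap
        # padd takes the key payload from stdin, i.e. the exposed password
        /usr/bin/keyctl padd user keepassxc:password %:_uid.$userid | read keynumber
    else
        # No user keyring for the target yet: hold the key in the caller's
        # user keyring (@u) until open_session moves it.
        /usr/bin/keyctl padd user keepassxc:password @u | read keynumber
        # give root permission to access key
        # 0x3f190000 = possessor: all; owner: view|search|link (no read);
        # group and other: nothing.
        /usr/bin/keyctl setperm $keynumber 0x3f190000
    end

    # padd failed, so there is no key to put an expiry on.
    if test -z "$keynumber"
        exit 1
    end

    # Never leave the secret without an expiry: revoke it if the timeout
    # cannot be set.
    /usr/bin/keyctl timeout $keynumber 120; or /usr/bin/keyctl revoke $keynumber
else if test "$PAM_TYPE" = 'open_session'
    /usr/bin/keyctl move -f %user:keepassxc:password %keyring:_uid.0 %keyring:_uid.$userid
else
    exit 1
end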
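#!/usr/bin/env fish
# Watches the user keyring (@u). When an event names the "keepassxc:password"
# key, asks the running KeePassXC over D-Bus to open Documents/Passwords.kdbx
# with the key's payload, retrying once a second for up to 30 attempts, and
# revokes the key as soon as a call succeeds.
#
# NOTE(review): the password is handed to dbus-send as a command-line argument,
# so it is readable in /proc/<pid>/cmdline while each dbus-send process lives.
# dbus-send has no way to take an argument from stdin; treat this as an
# accepted exposure of the approach, on top of the keyring exposure.
# NOTE(review): keyctl print emits a ":hex:" dump instead of the text when the
# payload is not entirely printable - confirm the stored password never
# triggers that form.
keyctl watch @u | while read from type key
    # Not every watch event carries a third field, and the password key may
    # not exist yet; skip those lines instead of feeding empty operands to test.
    set wanted (keyctl id %user:keepassxc:password 2>/dev/null)
    if test -n "$key"; and test -n "$wanted"; and test "$key" -eq "$wanted"
        for i in (seq 30)
            if dbus-send --print-reply --dest=org.keepassxc.KeePassXC.MainWindow /keepassxc org.keepassxc.MainWindow.openDatabase string:Documents/Passwords.kdbx string:(keyctl print $key)
                # Database opened: drop the secret right away rather than
                # waiting for the key to expire.
                keyctl revoke $key
                break
            end
            sleep 1
        end
        # If all 30 attempts fail the key is left in place and only goes away
        # when its own timeout expires.
    end
end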
# systemd unit that keeps the keyring watcher script running.
# NOTE(review): presumably installed as a user unit (systemctl --user), since
# the script it starts works on the user keyring (@u) - confirm.
[Unit]
Description=KeePassXC password input
[Service]
# This script reads the login password out of the keyring; keep the file and
# its directory writable by the owning user only.
ExecStart=/home/vorstrel/keepassxc_sendpass.fish
[Install]
# Started as part of the default target.
WantedBy=default.target
#%PAM-1.0
# PAM service file: the regular system-login stacks plus two optional pam_exec
# hooks that run keepassxc_pam.fish in the auth and session phases.
auth include system-login
# expose_authtok makes pam_exec write the typed password to the script's stdin.
# NOTE(review): the script lives under /home/vorstrel. pam_exec runs it with
# the privileges of the calling service (typically root for a login manager),
# so anything able to modify that file or rename one of its parent directories
# gets code execution in that context and sees every password entered through
# this service. Install it in a root-owned, non-user-writable location, or
# verify ownership and mode of the file and of each directory above it.
auth optional pam_exec.so expose_authtok /home/vorstrel/keepassxc_pam.fish
account include system-login
password include system-login
session include system-login
# No expose_authtok here: the script gets no password on stdin in this phase.
# The same path caveat as on the auth line applies.
session optional pam_exec.so /home/vorstrel/keepassxc_pam.fish