cp -f doc/govpn.info $(INFODIR)
chmod 644 $(INFODIR)/govpn.info
mkdir -p $(SHAREDIR)
- cp -f utils/newclient.sh utils/storekey.sh $(SHAREDIR)
- chmod 755 $(SHAREDIR)/newclient.sh $(SHAREDIR)/storekey.sh
+ cp -f utils/newclient.sh $(SHAREDIR)
+ chmod 755 $(SHAREDIR)/newclient.sh
mkdir -p $(DOCDIR)
cp -f -L AUTHORS INSTALL NEWS README README.RU THANKS $(DOCDIR)
chmod 644 $(DOCDIR)/*
Our client's @ref{Verifier}.
@item -key
-Path to the file with the passphrase. See @ref{Verifier} for
-how to enter passphrase from stdin silently and store it in the file.
+Path to the file with the passphrase. If omitted, then you will be asked
+to enter it in the terminal.
@item -timeout
@ref{Timeout} setting in seconds.
@verbatim
client% ./utils/newclient.sh Alice
-Enter passphrase:
+Passphrase:
Your client verifier is: $argon2d$m=4096,t=128,p=1$bwR5VjeCYIQaa8SeaI3rqg
Place the following YAML configuration entry on the server's side:
up: /path/to/up.sh
iface: or TAP interface name
verifier: $argon2d$m=4096,t=128,p=1$bwR5VjeCYIQaa8SeaI3rqg$KCNIqfS4DGsBTtVytamAzcISgrlEWvNxan1UfBrFu10
-
-Verifier was generated with:
-
- ./utils/storekey.sh /tmp/passphrase
- govpn-verifier -key /tmp/passphrase
@end verbatim
@strong{Prepare the server}. Add this entry to @code{peers.yaml}
@strong{Prepare network on GNU/Linux IPv4 server}:
@example
-server% umask 077
server% ip addr add 192.168.0.1/24 dev wlan0
server% tunctl -t tap10
server% ip addr add 172.16.0.1/24 dev tap10
@strong{Prepare network on GNU/Linux IPv4 client}:
@example
-client% umask 066
-client% utils/storekey.sh key.txt
client% ip addr add 192.168.0.2/24 dev wlan0
client% tunctl -t tap10
client% ip addr add 172.16.0.2/24 dev tap10
@strong{Run client daemon itself}:
@example
client% govpn-client \
- -key key.txt \
-verifier '$argon2d$m=4096,t=128,p=1$bwR5VjeCYIQaa8SeaI3rqg' \
-iface tap10 \
-remote 192.168.0.1:1194
client% ifconfig tap10 inet6 fc00::2/96 up
client% route -6 add default fc00::1
client% govpn-client \
- -key key.txt \
-verifier '$argon2d$m=4096,t=128,p=1$bwR5VjeCYIQaa8SeaI3rqg' \
-iface tap10 \
-remote "[fe80::1%me0]":1194
@table @strong
+@item Release 5.2
+@cindex Release 5.2
+@itemize
+@item Ability to read passphrases directly from the terminal (user's
+input) without using of keyfiles. @code{storekey.sh} utility removed.
+@end itemize
+
@item Release 5.1
@cindex Release 5.1
@itemize
@node Verifier
@cindex Verifier
-@cindex storekey.sh
@cindex govpn-verifier
@subsection Verifier
-Verifier is created using @code{govpn-verifier} utility. But currently
-Go does not provide native instruments to read passwords without echoing
-them to stdout. You can use @code{utils/storekey.sh} script to read them
-silently.
+Verifier is created using @code{govpn-verifier} utility.
@example
-% utils/storekey.sh mypass.txt
-Enter passphrase:[hello world]
-% govpn-verifier -key mypass.txt
+% govpn-verifier
+Passphrase:[hello world]
$argon2d$m=4096,t=128,p=1$bwR5VjeCYIQaa8SeaI3rqg$KCNIqfS4DGsBTtVytamAzcISgrlEWvNxan1UfBrFu10
$argon2d$m=4096,t=128,p=1$bwR5VjeCYIQaa8SeaI3rqg
@end example
option with the path to verifier file:
@example
-% govpn-verifier -key mypass.txt -verifier '$argon2d...'
+% govpn-verifier -verifier '$argon2d...'
+Passphrase:[hello world]
true
@end example
-Plaintext passphrases @strong{must} be stored on volatile memory, for
-example either in memory disk, or on encrypted filesystem with
-restrictive permissions to the file.
+Optionally you can store plaintext passphrases on volatile memory
+(memory disk, encrypted filesystem with restrictive permissions to the
+file) and provide @code{-key} option.
if err != nil {
log.Fatalln(err)
}
- priv := verifier.PasswordApply(govpn.StringFromFile(*keyPath))
+ key, err := govpn.KeyRead(*keyPath)
+ if err != nil {
+ log.Fatalln("Unable to read the key", err)
+ }
+ priv := verifier.PasswordApply(key)
if *encless {
if *proto != "tcp" {
log.Fatalln("Currently encryptionless mode works only with TCP")
if *egdPath != "" {
govpn.EGDInit(*egdPath)
}
+ key, err := govpn.KeyRead(*keyPath)
+ if err != nil {
+ log.Fatalln("Unable to read the key", err)
+ }
if *verifier == "" {
id := new([govpn.IDSize]byte)
if _, err := govpn.Rand.Read(id[:]); err != nil {
}
pid := govpn.PeerId(*id)
v := govpn.VerifierNew(*mOpt, *tOpt, *pOpt, &pid)
- v.PasswordApply(govpn.StringFromFile(*keyPath))
+ v.PasswordApply(key)
fmt.Println(v.LongForm())
fmt.Println(v.ShortForm())
return
log.Fatalln("Verifier does not contain public key")
}
pub := *v.Pub
- v.PasswordApply(govpn.StringFromFile(*keyPath))
+ v.PasswordApply(key)
fmt.Println(bytes.Equal(v.Pub[:], pub[:]))
}
"github.com/agl/ed25519"
"github.com/magical/argon2"
+ "golang.org/x/crypto/ssh/terminal"
)
const (
)
}
-// Read string from the file, trimming newline.
-func StringFromFile(path string) string {
- s, err := ioutil.ReadFile(path)
+// Read the key either from text file (if path is specified), or
+// from the terminal.
+func KeyRead(path string) (string, error) {
+ var p []byte
+ var err error
+ var pass string
+ if path == "" {
+ fmt.Print("Passphrase:")
+ p, err = terminal.ReadPassword(0)
+ fmt.Print("\n")
+ pass = string(p)
+ } else {
+ p, err = ioutil.ReadFile(path)
+ pass = strings.TrimRight(string(p), "\n")
+ }
if err != nil {
- log.Fatalln("Can not read string from", path, err)
+ return "", err
+ }
+ if len(pass) == 0 {
+ return "", errors.New("Empty passphrase submitted")
}
- return strings.TrimRight(string(s), "\n")
+ return pass, err
}
golang.org/x/crypto/curve25519
golang.org/x/crypto/poly1305
golang.org/x/crypto/salsa20
+golang.org/x/crypto/ssh/terminal
golang.org/x/crypto/xtea
EOF
tar cfCI - src $tmp/includes | tar xfC - $tmp
}
username=$1
-umask 077
-passphrase=$(mktemp)
-$(dirname $0)/storekey.sh $passphrase
-verifier=$(govpn-verifier -key $passphrase)
-rm -f $passphrase
+verifier=$(govpn-verifier)
verifierS=$(echo $verifier | sed 's/^\(.*\) .*$/\1/')
verifierC=$(echo $verifier | sed 's/^.* \(.*\)$/\1/')
echo
up: /path/to/up.sh
iface: or TAP interface name
verifier: $verifierS
-
-Verifier was generated with:
-
- $(dirname $0)/storekey.sh /tmp/passphrase
- govpn-verifier -key /tmp/passphrase
EOF
+++ /dev/null
-#!/bin/sh -e
-
-[ -n "$1" ] || {
- cat <<EOF
-Read passphrase from stdin and store it in file.
-
-Usage: $0 <keyfilename>
-EOF
- exit 1
-}
-
-echo -n Enter passphrase:
-stty -echo
-read passphrase
-stty echo
-umask 077
-cat > $1 <<EOF
-$passphrase
-EOF