svn commit: r452741 - in head/security: . pwned-check pwned-check/files
Stefan Esser
se at FreeBSD.org
Mon Oct 23 20:46:10 UTC 2017
Author: se
Date: Mon Oct 23 20:46:08 2017
New Revision: 452741
URL: https://svnweb.freebsd.org/changeset/ports/452741
Log:
This script uses a downloaded copy of the pwned password hashes available
from https://haveibeenpwned.com/Passwords/ to allow passwords to be locally
checked, whether they are known to have been obtained in a data breach and
therefore should not be used.
Approved by: Antoine (mentor)
Added:
head/security/pwned-check/
head/security/pwned-check/Makefile (contents, props changed)
head/security/pwned-check/files/
head/security/pwned-check/files/pkg-message.in (contents, props changed)
head/security/pwned-check/files/pwned-check.1.in (contents, props changed)
head/security/pwned-check/files/pwned-check.conf.sample (contents, props changed)
head/security/pwned-check/files/pwned-check.sh.in (contents, props changed)
head/security/pwned-check/pkg-deinstall (contents, props changed)
head/security/pwned-check/pkg-descr (contents, props changed)
head/security/pwned-check/pkg-plist (contents, props changed)
Modified:
head/security/Makefile
Modified: head/security/Makefile
==============================================================================
--- head/security/Makefile Mon Oct 23 20:35:19 2017 (r452740)
+++ head/security/Makefile Mon Oct 23 20:46:08 2017 (r452741)
@@ -855,6 +855,7 @@
SUBDIR += pwauth
SUBDIR += pwman
SUBDIR += pwman3
+ SUBDIR += pwned-check
SUBDIR += pxytest
SUBDIR += py-AccessControl
SUBDIR += py-PF
Added: head/security/pwned-check/Makefile
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/pwned-check/Makefile Mon Oct 23 20:46:08 2017 (r452741)
@@ -0,0 +1,29 @@
+# Created by: Charlie Root <se at FreeBSD.org>
+# $FreeBSD$
+
+PORTNAME= pwned-check
+PORTVERSION= 1.0
+CATEGORIES= security
+MASTER_SITES= #
+DISTFILES= #
+
+MAINTAINER= se at FreeBSD.org
+COMMENT= Check whether password is known to have been exposed in data breaches
+
+LICENSE= BSD2CLAUSE
+
+NO_ARCH= yes
+NO_BUILD= yes
+WRKSRC= ${WRKDIR}/src
+
+SRC= ${.CURDIR}/src
+
+SUB_FILES= ${PORTNAME}.sh ${PORTNAME}.1 pkg-message
+
+do-install:
+ ${INSTALL_SCRIPT} ${WRKDIR}/${PORTNAME}.sh ${STAGEDIR}${PREFIX}/bin/${PORTNAME}
+ ${INSTALL_DATA} ${FILESDIR}/${PORTNAME}.conf.sample ${STAGEDIR}${PREFIX}/etc
+ ${INSTALL_MAN} ${WRKDIR}/${PORTNAME}.1 ${STAGEDIR}${MAN1PREFIX}/man/man1
+ ${MKDIR} ${STAGEDIR}/var/db/${PORTNAME}
+
+.include <bsd.port.mk>
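Review bot: the `# Created by:` line still carries the template placeholder `Charlie Root` (FreeBSD's default root account name) instead of the port author's name; replace it with the maintainer's name, matching the `Copyright` line in pwned-check.sh.in. The `WRKSRC= ${WRKDIR}/src` and `SRC= ${.CURDIR}/src` definitions are also dead: the port has no distfile (`MASTER_SITES= #`, `DISTFILES= #`), no `src` directory is added in this commit, and `do-install` reads only from `${WRKDIR}` (the SUB_FILES output) and `${FILESDIR}`, so both lines can be dropped.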
Added: head/security/pwned-check/files/pkg-message.in
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/pwned-check/files/pkg-message.in Mon Oct 23 20:46:08 2017 (r452741)
@@ -0,0 +1,13 @@
+-------------------------------------------------------------------------
+This port needs a password hash database that is to be downloaded with
+the following command:
+
+ pwned-check -u
+
+The database files will be installed into /var/db/pwned-check by default.
+This directory can be changed in %%PREFIX%%/etc/pwned-check.conf.
+
+The installation procedure will fetch 6 GB of compressed data and will
+temporarily need 18 GB of free space in that directory and 13 GB when
+the installation is complete.
+-------------------------------------------------------------------------
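Review bot: the message should state that `pwned-check -u` has to be run by a user with write access to the database directory, which for the default `/var/db/pwned-check` (created root-owned by the `@dir` entry in pkg-plist) means root; otherwise the script aborts with "No write permission on data directory." before downloading anything. The quoted sizes are consistent with the file table in pwned-check.sh.in (about 5.97 GB of .7z archives; 12.86 GB for the largest .txt plus its 5.7 GB archive while it is being unpacked, about 13.45 GB of text when finished).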
Added: head/security/pwned-check/files/pwned-check.1.in
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/pwned-check/files/pwned-check.1.in Mon Oct 23 20:46:08 2017 (r452741)
@@ -0,0 +1,66 @@
+.Dd October 23, 2017
+.Dt PWNED-CHECK 1
+.Os
+.Sh NAME
+.Nm pwned-check
+.Nd Check word against list of known stolen passwords.
+.Sh SYNOPSIS
+.Nm
+.Op Fl u
+.Sh DESCRIPTION
+The
+.Nm
+utility checks the passwords piped in via standard input (one per line)
+against a huge database of passwords that are known to have been stolen
+in data breaches.
+.Pp
+SHA1 hashes of these passwords have been published at
+.Lk https://haveibeenpwned.com/
+.Pp
+If any of the checked passwords is found in the database, it is printed
+on standard output and the exit status of
+.Nm
+is set to 1.
+No output is generated for passwords not found in the database.
+.Pp
+Instead of plain passwords, SHA1 hashes of passwords may be supplied.
+Matches will be reported, but there is no provision to report the
+plain text password corresponding to a given SHA1 hash.
+.Pp
+If the option
+.Fl u
+is used, the password hash database is downloaded and initialized.
+This process will temporarily require some 18 GB of free space in the
+database directory, which is
+.Pa /var/db/pwned-check
+by default.
+This location can be changed in the configuration file, prior to starting
+the download.
+.Sh FILES
+.Bl -tag -width %%PREFIX%%/etc/pwned-check.conf
+.It Pa %%PREFIX%%/etc/pwned-check.conf
+Optional configuration file.
+.It Pa /var/db/pwned-check
+Default location of pwned password hash database.
+Needs 18 GB of free space during download, 13 GB when finished.
+.El
+.Sh EXIT STATUS
+.Nm
+returns 0 if none of the passwords to check have been found in the
+pwned password database, else 1.
+.Pp
+If the
+.Fl u
+option is used to download the pwned password hashes, an exit code of 0
+indicates success, 1 failure to fetch and initialize the database.
+.Sh EXAMPLES
+Download the pwned password hash files:
+.Bd -literal -offset indent
+pwned-check -u
+.Ed
+.Pp
+Check passwords passed on standard input against pwned password database:
+.Bd -literal -offset indent
+echo badpasswd | pwned-check
+.Ed
+.\" .Sh AUTHORS
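Review bot: the EXIT STATUS section does not match the script: pwned-check.sh.in exits 2 on a usage error and 1 via `errexit` when the database directory cannot be entered, so "returns 0 if none of the passwords ... have been found ..., else 1" is incomplete and should list both cases. Style: mdoc convention is for `.Nd` to be a lowercase phrase without a trailing period, so `.Nd Check word against list of known stolen passwords.` should become `.Nd check a word against the list of known stolen passwords`. The DESCRIPTION should also say that the supplied SHA1 hash has to be in uppercase, since that is the only form the current lookup matches (see the note on the script).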
Added: head/security/pwned-check/files/pwned-check.conf.sample
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/pwned-check/files/pwned-check.conf.sample Mon Oct 23 20:46:08 2017 (r452741)
@@ -0,0 +1,2 @@
+DBDIR= /var/db/pwned-check
+URLBASE=i https://downloads.pwnedpasswords.com/passwords
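Review bot: neither line of this sample is a valid shell assignment, and the script sources the installed copy with `. $CFGFILE`. `DBDIR= /var/db/pwned-check` has whitespace after the `=`, so the shell parses it as the empty assignment `DBDIR=` prefixed to the command `/var/db/pwned-check`; `URLBASE=i https://downloads.pwnedpasswords.com/passwords` (note the stray `i`) is likewise parsed as `URLBASE=i` prefixed to a command named by the URL. In both cases the command fails with an error message on every run and, per POSIX, the assignment does not affect the sourcing shell, so the defaults built into pwned-check.sh.in are used and editing this file has no effect. The lines should read `DBDIR=/var/db/pwned-check` and `URLBASE=https://downloads.pwnedpasswords.com/passwords`.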
Added: head/security/pwned-check/files/pwned-check.sh.in
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/pwned-check/files/pwned-check.sh.in Mon Oct 23 20:46:08 2017 (r452741)
@@ -0,0 +1,111 @@
+#!/bin/sh
+#
+# Copyright (c) 2017 by Stefan Esser <se at freebsd.org>
+# All rights reserved.
+#
+# Distributed under the BSD 2-clause Simplified License.
+#
+
+CFGFILE="%%PREFIX%%/etc/pwned-check.conf"
+
+[ -r "$CFGFILE" ] && . $CFGFILE
+: ${DBDIR:=/var/db/pwned-check}
+: ${URLBASE:=https://downloads.pwnedpasswords.com/passwords}
+
+# Helper functions
+progname ()
+{
+ basename "$0"
+}
+
+errexit ()
+{
+ echo $(progname)": $@"
+ exit 1
+}
+
+usage ()
+{
+ echo "usage: "$(progname)" [-u]"
+ exit 2
+}
+
+# Fetch files with pwned password hashes
+fetchpwfiles ()
+{
+ umask 022
+ mkdir -p $DBDIR || errexit "No write permission on data directory."
+ local f s_txt s_txt_7z hash
+ while read f s_txt s_txt_7z hash
+ do
+ local f7z="$f.7z"
+ echo "Checking '$DBDIR/$f' ..."
+ local s_txt_is=$(stat -f %z $f 2>/dev/null)
+ if [ "$s_txt_is" != "$s_txt" ]; then
+ echo "Fetching '$DBDIR/$f' ..."
+ fetch -S $s_txt_7z "$URLBASE/$f7z" || errexit "Could not fetch '$URLBASE/$f7z'"
+ local hash_is=$(sha1 -q "$f7z")
+ if [ "$hash_is" != "$hash" ]; then
+ rm -f "$f7z"
+ errexit "File '$f7z' fails SHA1 check: '$hash_is' should be '$hash'."
+ fi
+ tar xf $f7z
+ local s_txt_is=$(stat -f %z $f)
+ if [ "$s_txt_is" != "$s_txt" ]; then
+ rm -f "$f"
+ errexit "File '$f' has size $s_txt_is after decompression, should be $s_txt."
+ fi
+ fi
+ rm -f "$f7z"
+ done <<EOF
+pwned-passwords-1.0.txt 12862899504 5702869528 90d57d16a2dfe00de6cc58d0fa7882229ace4a53
+pwned-passwords-update-1.txt 574389228 262300582 00fc585efad08a4b6323f8e4196aae9207f8b09f
+pwned-passwords-update-2.txt 16791180 8000810 20318090278bbd196945025bc7bf93e99f261f9a
+EOF
+ echo "All data files have been successfully downloaded and extracted."
+}
+
+# Password lookup
+exitcode=0
+
+lookup ()
+{
+ local hash="$1"
+ look "$hash" pwned-passwords*.txt > /dev/null
+}
+
+checkpw ()
+{
+ local pwd="$1"
+ local hash=$(echo -n "$pwd" | sha1 | tr 'a-z' 'A-Z')
+ if lookup "$hash"; then
+ echo "$pwd"
+ exitcode=1
+ elif expr "$pwd" : '[A-Fa-f0-9]\{40\}$' > /dev/null; then
+ if lookup "$pwd"; then
+ echo "$pwd"
+ exitcode=1
+ fi
+ fi
+}
+
+# Main program
+cd "$DBDIR" || errexit "Database directory '$DBDIR' not found."
+export LC_COLLATE=C
+
+if [ "$#" -gt 0 ]; then
+ if [ "$1" = "-u" ]; then
+ fetchpwfiles
+ exit 0
+ else
+ echo "usage: "$(progname)" [-u]"
+ exit 2
+ fi
+fi
+
+while read pwd
+do
+ checkpw "$pwd"
+done
+
+exit $exitcode
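Review bot: `cd "$DBDIR"` in the main program runs before the `-u` option is handled, so when DBDIR is changed in the configuration file, as pkg-message suggests, `pwned-check -u` fails with "Database directory '...' not found." and never reaches the `mkdir -p $DBDIR` in `fetchpwfiles`; do the `mkdir -p` before the `cd` in the `-u` branch, or move the `cd` after argument handling. Two lookup problems in `checkpw`: the hashes in the data files are uppercase (which is why computed hashes go through `tr 'a-z' 'A-Z'`) and `look` is case-sensitive under `LC_COLLATE=C`, so a hash supplied in lowercase, which the `expr` pattern `[A-Fa-f0-9]\{40\}` accepts, is never found; apply the same `tr` to `$pwd` before `lookup "$pwd"`. Also, the main loop uses plain `read pwd`, which strips leading and trailing whitespace and interprets backslashes, so such passwords are hashed in altered form; use `IFS= read -r pwd`. Minor: `errexit` writes its message to stdout, where a consumer of the output expects only matched passwords; send it to stderr with `echo ... >&2`.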
Added: head/security/pwned-check/pkg-deinstall
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/pwned-check/pkg-deinstall Mon Oct 23 20:46:08 2017 (r452741)
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+PORTNAME=${1%-*}
+
+[ "$2" = DEINSTALL ] && cat <<***EOM
+------------------------------------------------------------------------------
+
+If you are no longer using the $PORTNAME port, then manually delete
+the following directory and all its contents:
+
+ /var/db/$PORTNAME
+
+------------------------------------------------------------------------------
+***EOM
+exit 0
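Review bot: the message hard-codes `/var/db/$PORTNAME`, but the database location is configurable via DBDIR in pwned-check.conf, and a user who relocated the 13 GB database is exactly the one who needs the right path here; either read DBDIR from the installed configuration file or word the message as "the database directory (/var/db/$PORTNAME by default, or DBDIR as set in pwned-check.conf)".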
Added: head/security/pwned-check/pkg-descr
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/pwned-check/pkg-descr Mon Oct 23 20:46:08 2017 (r452741)
@@ -0,0 +1,10 @@
+Pwned Passwords are hundreds of millions of real world passwords exposed in
+data breaches. This exposure makes them unsuitable for ongoing use as they
+are at much greater risk of being used to take over other accounts.
+
+This script uses a downloaded copy of the pwned passwort hashes available
+from https://haveibeenpwned.com/Passwords/ to allow passwords to be locally
+checked, whether they are known to have been obtained in a data breach and
+therefore should not be used.
+
+WWW: https://haveibeenpwned.com/
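Review bot: typo in the second paragraph: `passwort` should be `password` (the commit log carries the same sentence).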
Added: head/security/pwned-check/pkg-plist
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/pwned-check/pkg-plist Mon Oct 23 20:46:08 2017 (r452741)
@@ -0,0 +1,4 @@
+bin/pwned-check
+ at sample etc/pwned-check.conf.sample
+man/man1/pwned-check.1.gz
+ at dir /var/db/pwned-check