SherPass is a program to manage passwords, both for web sites and SSH access.
It uses the GNU Privacy Guard to PGP-encrypt login/password entries. By encrypting an entry with possibly multiple persons' public keys, several people will be able to obtain access to the password entry, each using his own private key. This allows password information for hosts or websites to be shared among several people, without needing a single master key.
To manage passwords, download the standalone program for your operating system. To be able to use passwords in web pages more easily, you can use
The manual explains how both the standalone program and the bookmarklet/extension can be used.
Installable packages for various platforms:
Debian/Ubuntu: SherPass-1.2.0.deb
OS X: SherPass-1.2.0.dmg
You'll need to install PySide and Qt separately for this to work.
This package includes QTerminal as a terminal to run SSH in, sshpass to pass a password to the SSH session, and GnuPG for the encryption and decryption of passwords.
MS-Windows: SherPass-1.2.0-installer.exe This version was created with PyInstaller and includes Gpg4Win, as well as PuTTY.
The standalone program was written in Python, using several extra software packages listed below. The source code of the Python application, as well as this web site can be found here:
Everything is licensed under the GPLv3, the short version of which is:
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
The full version can be found at http://www.gnu.org/licenses/gpl-3.0.txt
The main SherPass program works with two directories:
Using shared directories for this (e.g. a shared filesystem like NFS, or something like Dropbox) makes a shared password system possible. In this system each person can still have his own private key and passphrase; no globally known password or key is necessary.
This first movie demonstrates how you can configure SherPass. In this video, SherPass has already been installed. Once started, the following steps are performed:
The public key directory and the directory to use for the login/password entries are created and selected in the configuration dialog.
The necessary information is entered to generate a private/public key pair. Depending on the complexity, generating a keypair can take a while, much longer than is shown in the video here.
The 'TCP server' is enabled, and an access URL and AES encryption key are generated. This allows the bookmarklet/extension to connect directly to the running SherPass application. The first random string is needed for a correct URL, which should help to prevent other web pages from connecting to the main application. The data sent is also encrypted using the second random string as an extra safety measure.
A prefix for the filenames which will contain the public/private keys is entered. In this case, the SherPass configuration directory will store the private key in jori.privkey, while the public key jori.pubkey is automatically stored in the directory for the public keys.
In this movie you can see two login/password entries being added. One is for SSH access while the other contains information which can be used on a website. Each of these entries will correspond to a file that is stored in the 'password info directory' from the configuration phase above.
For an entry of type 'SSH', the specified host/IP will be used when launching an SSH session. For a type of 'HTTP' or 'HTTPS', that host/IP line is actually interpreted as a regular expression and is used to filter the entries so that only relevant entries are shown in the bookmarklet or Chrome extension.
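Because the Host/IP line of an HTTP/HTTPS entry is a regular expression, how the pattern is written decides which pages an entry is offered on. The following is an added example, not SherPass's own code: the entry field names, the use of re.search and matching against only the page's hostname are assumptions, and the entries are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample entries; field names are hypothetical, not SherPass's file format.
ENTRIES = [
    {"type": "HTTPS", "host": "intranet.example.org", "login": "loose"},
    {"type": "HTTPS", "host": r"^intranet\.example\.org$", "login": "anchored"},
    {"type": "SSH", "host": "my.hostname.com:8022", "login": "root"},
    {"type": "HTTP", "host": "wiki(", "login": "broken-pattern"},
]

def entries_for_page(entries, page_url):
    """Return the logins of HTTP/HTTPS entries whose Host/IP regex matches the page host."""
    host = urlsplit(page_url).hostname or ""  # urlsplit already lower-cases the host
    shown = []
    for entry in entries:
        if entry["type"] not in ("HTTP", "HTTPS"):
            continue  # SSH entries use the line as host:port, not as a pattern
        try:
            if re.search(entry["host"], host):
                shown.append(entry["login"])
        except re.error:
            continue  # an invalid pattern hides the entry instead of breaking the filter
    return shown
```

An unanchored pattern with unescaped dots also matches hosts that merely contain the name, so anchoring with ^ and $ and escaping the dots keeps an entry from being offered on an unrelated site.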
To be able to SSH to a specific entry, you just need to make sure that the entry is of type 'SSH'. Pressing the SSH button in the user interface will then launch the command specified in the configuration dialog.
On GNU/Linux, the sshpass program is used to specify the SSH password using an environment variable, while on MS-Windows this is done on the command line using putty.exe. Needless to say, passing a password as a plain text argument or as an environment variable is not the most secure solution, so use with care!
In the 'SSH command' specified in the configuration dialog, a number of substitutions will be made:
The hostname (%h) and port number (%P) will be derived from the 'Host/IP' line in a password entry. For example, if this line says my.hostname.com:8022, then the host will be my.hostname.com and the port number will be 8022.
%u will be replaced by the contents of the 'Login' line in the password entry.
%p will be replaced by the contents of the 'Password' line in the password entry. Note that you may not need this if you're passing the password as an environment variable.
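The substitutions above can be expanded into an argument list rather than a shell string, so that a login or password containing spaces or shell metacharacters cannot change the command. This is an added example, not SherPass's own code: the entry field names, the default port of 22 and the function names are assumptions, and the sample entry is constructed.

```python
import os
import re
import shlex

# Constructed sample entry; the field names are hypothetical, not SherPass's file format.
SAMPLE_ENTRY = {"host": "my.hostname.com:8022", "login": "jori",
                "password": "s3cret; with spaces"}

def split_host_port(host_line, default_port=22):
    """Split a 'Host/IP' line into (host, port). Port 22 as default is an assumption."""
    host, sep, port = host_line.strip().rpartition(":")
    if not sep:  # no ':' in the line, so all of it is the host
        return host_line.strip(), default_port
    if ":" in host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("unsupported Host/IP line: %r" % host_line)  # e.g. IPv6 literal
    return host, int(port)

def build_ssh_command(template, entry):
    """Expand %h, %P, %u and %p; return (argv, env) for a launch without a shell."""
    host, port = split_host_port(entry["host"])
    for value in (host, entry["login"]):
        if not value or value.startswith("-"):
            raise ValueError("empty or option-like value: %r" % value)
    subst = {"%h": host, "%P": str(port), "%u": entry["login"], "%p": entry["password"]}
    # Tokenise the template first, then substitute in a single pass per token:
    # a value can neither split into extra arguments nor be expanded a second time.
    argv = [re.sub(r"%[hPup]", lambda m: subst[m.group(0)], token)
            for token in shlex.split(template)]
    env = dict(os.environ)
    if "%p" not in template:
        # sshpass -e reads the password from SSHPASS, keeping it out of the argument list.
        env["SSHPASS"] = entry["password"]
    return argv, env
```

The result is meant for subprocess.Popen(argv, env=env) without shell=True.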
You can get an overview of your password entries using the SherPass web site. The login/password entries can be obtained in two ways:
The first way is by putting your password entries in a Dropbox directory and getting the 'share' link to this directory using the Dropbox web site. You'll also have to store your private key on Dropbox and obtain a link to it in a similar way. Making your private key available on the internet in this way is probably not the most secure practice, but in some cases it may be useful to access your password entries without having to run the standalone SherPass program.
The second approach is the one which is shown in the movie, and instructs the code from the web site to connect to the SherPass program running on your computer. To allow the web site to access the password entries that are currently loaded in the SherPass program, we need to copy-paste the access URL and the AES encryption key specified in the configuration dialog.
The main web site also contains a bookmarklet called 'SherPassLet'. You can install it in your browser by just dragging it to the bookmarks bar. This is a small utility that lets you access data stored in the login/password entries and use these data in another web page.
In the movie, we just surf to google.com and click on the SherPassLet. You'll see that suddenly an input field becomes greenish. When double clicking (or swiping) this input field, an overlay appears with matching password entries for this site. The password entries are retrieved using one of the two methods described in the previous step, in this case by connecting to the running SherPass program.
The simple example does not have a matching site, so no entries are displayed. When the 'filter' option is disabled however, you'll see that our two login/password entries are shown. When you double click (or swipe) one of the fields, the text from that field is entered in the (now greenish) input field that was double clicked earlier.
As you can see in this video, if you're using the Chrome browser you can also install a Chrome extension with the same functionality as the bookmarklet. Because everything is locally installed on your computer it should be slightly faster. You will need to enter your Dropbox URLs or access codes again if you're using the extension, but these settings will also be remembered.
You can find contact information on my Google+ page.