authorStefan Eßer <se@FreeBSD.org>2018-07-29 06:53:06 +0000
committerStefan Eßer <se@FreeBSD.org>2018-07-29 06:53:06 +0000
commitb0df33bf3876b852d4c83c9398e2cb96664d2f96 (patch)
treef71d39ee667d67eeb08adeb9b24347c11ca24f64 /security/pwned-check
parent3ef93fc84e7600c8acf0df98fe2882519dca7277 (diff)
downloadports-b0df33bf3876b852d4c83c9398e2cb96664d2f96.tar.gz
ports-b0df33bf3876b852d4c83c9398e2cb96664d2f96.zip
Diffstat (limited to 'security/pwned-check')
-rw-r--r--security/pwned-check/files/pwned-check.1.in11
-rw-r--r--security/pwned-check/files/pwned-check.sh.in16
2 files changed, 22 insertions, 5 deletions
diff --git a/security/pwned-check/files/pwned-check.1.in b/security/pwned-check/files/pwned-check.1.in
index 9c0a51a49608..7606b694845a 100644
--- a/security/pwned-check/files/pwned-check.1.in
+++ b/security/pwned-check/files/pwned-check.1.in
@@ -10,7 +10,7 @@
.Sh DESCRIPTION
The
.Nm
-utility checks the passwords piped in via standard input (one per line)
+utility checks the passwords piped in via standard input (one per line)
against a huge database of passwords that are known to have been stolen
in data breaches.
.Pp
@@ -23,6 +23,15 @@ on standard output and the exit status of
is set to 1.
No output is generated for passwords not found in the database.
.Pp
+The database can be downloaded to a local directory or it can be queried
+by a method that does not make the hash queried known to the remote
+server.
+The remote query is performed if the pawned password database has not
+been fetched and stored on the local system.
+While the remote accesses are not as fast as a local lookup, they will
+query an always up-to-date database and allow to avoid the download and
+storage of this huge database.
+.Pp
Instead of plain passwords, SHA1 hashes of passwords may be supplied.
Matches will be reported, but there is no provision to report the
plain text password corresponding to a given SHA1 hash.
diff --git a/security/pwned-check/files/pwned-check.sh.in b/security/pwned-check/files/pwned-check.sh.in
index d7cbe61dfcb5..bf4886f97833 100644
--- a/security/pwned-check/files/pwned-check.sh.in
+++ b/security/pwned-check/files/pwned-check.sh.in
@@ -82,14 +82,20 @@ exitcode=0
lookup ()
{
- local hash="$1"
- look "$hash" pwned-passwords*.txt > /dev/null
+ local hash=$(echo "$1" | tr 'a-z' 'A-Z')
+ if [ "$USEFILES" = yes ]; then
+ look "$hash" pwned-passwords*.txt > /dev/null
+ else
+ expected=${hash#?????}
+ prefix=${hash%$expected}
+ fetch -q -o - https://api.pwnedpasswords.com/range/$prefix 2>/dev/null | grep -i "^$expected:" >/dev/null
+ fi
}
checkpw ()
{
local pwd="$1"
- local hash=$(echo -n "$pwd" | sha1 | tr 'a-z' 'A-Z')
+ local hash=$(echo -n "$pwd" | sha1)
if lookup "$hash"; then
echo "$pwd"
exitcode=1
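Review bot: A failed remote lookup is indistinguishable from "not in the database", because on the `fetch -q -o - … 2>/dev/null | grep -i "^$expected:"` line the pipeline's status is grep's, fetch's own exit status and stderr are discarded, and in plain sh there is no pipefail; a network, TLS or HTTP error therefore leaves exitcode at 0, a fail-open result for a tool whose only signal is the breach match. Capture the response first and treat a non-zero fetch as an error (the script already has an errexit helper, used for the cd failure in the next hunk), so that an unreachable API and a genuine miss are reported differently. `expected` and `prefix` are also assigned without `local` and leak out of lookup, and the suffix is used unquoted as a pattern; `local prefix suffix response` plus `prefix=${hash%"$suffix"}` keeps the function self-contained. If lookup can be handed a caller-supplied SHA1 string directly (the manual page describes that mode, but that path is outside this hunk), it is worth rejecting anything that is not 40 hex characters before it is spliced into the URL and the grep pattern, e.g. with a `case "$hash" in *[!0-9A-F]*) …` guard.
```shell
lookup ()
{
	local hash=$(echo "$1" | tr 'a-z' 'A-Z')
	local prefix suffix response
	if [ "$USEFILES" = yes ]; then
		look "$hash" pwned-passwords*.txt > /dev/null
	else
		suffix=${hash#?????}
		prefix=${hash%"$suffix"}
		# Fail closed: a failed fetch must not be reported as "not found".
		response=$(fetch -q -o - "https://api.pwnedpasswords.com/range/$prefix" 2>/dev/null) ||
			errexit "Remote lookup for hash prefix '$prefix' failed."
		printf '%s\n' "$response" | grep -i "^$suffix:" >/dev/null
	fi
}
```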
@@ -102,8 +108,10 @@ checkpw ()
}
# Main program
-cd "$DBDIR" || errexit "Database directory '$DBDIR' not found."
export LC_COLLATE=C
+if cd "$DBDIR" && ls pwned-passwords*.txt; then
+ USEFILES=yes
+fi >/dev/null 2>&1
if [ "$#" -gt 0 ]; then
if [ "$1" = "-u" ]; then