
securing muttrc on the mac

Hello,

A week or two ago there was a thread about how to secure one's .muttrc
file if it has passwords sitting there in plaintext.  A bit of tooling
around has resulted in the following tip for those mutters working on
OSX.

The goal is not to encrypt the .muttrc, but rather to cleanse it of
vulnerable info.  So we want to remove passwords from the muttrc file,
but still not have to enter them in mutt when prompted.  The solution
is to let the OSX Keychain hold on to the passwords securely and give
them to mutt when needed.  The problem is how to make mutt interact
with Keychain Access.app.

The solution is to (1) make sure Keychain Access.app ("KA") has your
password, (2) invoke a middleman that's already on your computer, and
(3) create another one that isn't.

The already-there middleman is a cli utility called "security" that's
part of OSX.  security will ask KA for the relevant password, and give
it to mutt.  Once mutt has the password(s) it will have them until you
quit mutt.

The middleman you have to create is simply to get mutt to be able to
ask security to ask KA for the password.  This middleman is a shell
script, which I called "vomit.sh".  The script tells security to grab
some info from KA, but KA gives security more than just the password.
Hence there's a ruby command to pluck the password out from the
rest.  Here are the contents of vomit.sh:

#!/bin/bash
security 2>&1 >/dev/null find-internet-password -ga username | tee | ruby -e 'print $1 if STDIN.gets =~ /^password: "(.*)"$/'

NOTE 0: Everything after the #! line should be one line.  The single
backslashes are just for email line break purposes.  End note 0.

NOTE 1: I made this script using a tip from this webpage:
http://blog.macromates.com/2006/keychain-access-from-shell/.  You
should look at it for yourself, especially if you're not sure how to
make sure that KA has your password to begin with.  I don't know
anything about bash *or* ruby, so have at it.  I think this would be
better if we didn't have to rely on ruby.  End note 1.

NOTE 2: I had to modify it a bit (note the tee in between the username
and the ruby; without the tee I could not get security to properly
pass the string it retrieved from KA to ruby).  End note 2.

You can test the script by simply running it in the terminal and
observing your password spit back out.  Once this is working properly,
you can do in your .muttrc:

set imap_pass = `~/vomit.sh` # (or wherever you want to put vomit.sh)

Note the backticks rather than apostrophes.  This also worked for me
for smtp_pass, so I assume it will work with POP, etc.

NOTE 3: I tried for a while to get the command housed in vomit.sh to
work properly when placed directly into my .muttrc between the
backticks.  I couldn't get it to work, so I resorted to the script.
I'd bet I just don't know how to properly escape special characters.
If someone knows, great.  End note 3.

I'm no expert, so if someone spies a hole here, let the list know.
The 2>&1 >/dev/null part of the script, taken from the web page, is
supposed to make it so the string from KA is not just left hanging
around, if I understand correctly.

This setup does *not* mean you won't have to type any passwords at all
when using mutt.  It only means you won't have to type any of your
*email* passwords.  You will be prompted (by OSX) for your *keychain*
pw when you hit "mutt", unless of course you have your keychain pw the
same as your OSX login pw *and* have it set to autounlock.  (But
presumably if you're worried about plaintext pw's sitting out there in
.muttrc for all to see, you won't have such lax keychain preferences).
-gmn
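A ruby-free variant of the same idea, added here as an example and not part of the post above: it keeps the post's security invocation and stderr/stdout trick, parses the password line with sed instead of ruby, and prints nothing (with a non-zero exit) when no password line comes back, so mutt falls back to prompting instead of being handed an empty string. The function names extract_password and keychain_pass and the optional server argument are my own choices; "username" and the sample output lines are constructed.

```shell
#!/bin/sh
# extract_password: read the output of `security find-internet-password -g`
# on stdin and print only the value of the line  password: "..."  (no
# trailing newline, as mutt's backtick expansion expects).  Exits 1 and
# prints nothing if no such line is present, e.g. when security reports
# "The specified item could not be found in the keychain."
extract_password() {
    _pw=$(sed -n 's/^password: "\(.*\)"$/\1/p')
    [ -n "$_pw" ] || return 1
    printf '%s' "$_pw"
}

# keychain_pass ACCOUNT [SERVER]
# Asks the login keychain for the internet password stored under ACCOUNT
# (and SERVER, if given, to disambiguate several accounts with one name).
# `2>&1 >/dev/null` is order-sensitive: stderr, where -g prints the
# password line, is sent down the pipe; stdout, carrying the remaining
# item attributes, is discarded so nothing but the password leaves.
# ${2:+-s "$2"} expands to `-s SERVER` only when a second argument exists.
keychain_pass() {
    security 2>&1 >/dev/null find-internet-password -g -a "$1" ${2:+-s "$2"} \
        | extract_password
}

# Usage from a script referenced in .muttrc, e.g.
#   set imap_pass = `~/keychain_pass.sh`
# where keychain_pass.sh ends with:  keychain_pass username imap.example.com
```

The sample lines below mimic what security writes for a found and for a missing item; on a real Mac the first run of keychain_pass triggers the keychain unlock and access prompt the post describes.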