Index: head/security/pwned-check/files/pwned-check.1.in =================================================================== --- head/security/pwned-check/files/pwned-check.1.in (revision 475627) +++ head/security/pwned-check/files/pwned-check.1.in (revision 475628) @@ -1,66 +1,75 @@ .Dd October 23, 2017 .Dt PWNED-CHECK 1 .Os .Sh NAME .Nm pwned-check .Nd Check word against list of known stolen passwords. .Sh SYNOPSIS .Nm .Op Fl u .Sh DESCRIPTION The .Nm -utility checks the passwords piped in via standard input (one per line) +utility checks the passwords piped in via standard input (one per line) against a huge database of passwords that are known to have been stolen in data breaches. .Pp SHA1 hashes of these passwords have been published at .Lk https://haveibeenpwned.com/ .Pp If any of the checked passwords is found in the database, it is printed on standard output and the exit status of .Nm is set to 1. No output is generated for passwords not found in the database. +.Pp +The database can be downloaded to a local directory or it can be queried +by a method that does not make the hash queried known to the remote +server. +The remote query is performed if the pawned password database has not +been fetched and stored on the local system. +While the remote accesses are not as fast as a local lookup, they will +query an always up-to-date database and allow to avoid the download and +storage of this huge database. .Pp Instead of plain passwords, SHA1 hashes of passwords may be supplied. Matches will be reported, but there is no provision to report the plain text password corresponding to a given SHA1 hash. .Pp If the option .Fl u is used, the password hash database is downloaded and initialized. This process will temporarily require some 18 GB of free space in the database directory, which is .Pa /var/db/pwned-check by default. This location can be changed in the configuration file, prior to starting the download. .Sh FILES .Bl -tag -width %%PREFIX%%/etc/pwned-check.conf .It Pa %%PREFIX%%/etc/pwned-check.conf Optional configuration file. .It Pa /var/db/pwned-check Default location of pwned password hash database. Needs 18 GB of free space during download, 13 GB when finished. .El .Sh EXIT STATUS .Nm returns 0 if none of the passwords to check have been found in the pwned password database, else 1. .Pp If the .Fl u option is used to download the pwned password hashes, an exit code of 0 indicates success, 1 failure to fetch and initialize the database. .Sh EXAMPLES Download the pwned password hash files: .Bd -literal -offset indent pwned-check -u .Ed .Pp Check passwords passed on standard input against pwned password database: .Bd -literal -offset indent echo badpasswd | pwned-check .Ed .\" .Sh AUTHORS Index: head/security/pwned-check/files/pwned-check.sh.in =================================================================== --- head/security/pwned-check/files/pwned-check.sh.in (revision 475627) +++ head/security/pwned-check/files/pwned-check.sh.in (revision 475628) @@ -1,123 +1,131 @@ #!/bin/sh # # Copyright (c) 2017 by Stefan Esser # All rights reserved. # # Distributed under the BSD 2-clause Simplified License. # CFGFILE="%%PREFIX%%/etc/pwned-check.conf" [ -r "$CFGFILE" ] && . $CFGFILE : ${DBDIR:=/var/db/pwned-check} : ${URLBASE:=https://downloads.pwnedpasswords.com/passwords} # Helper functions progname () { basename "$0" } errexit () { echo $(progname)": $@" exit 1 } usage () { echo "usage: "$(progname)" [-u]" exit 2 } # Fetch files with pwned password hashes fetchpwfiles () { umask 022 mkdir -p $DBDIR || errexit "No write permission on data directory." local f s_txt s_txt_7z hash while read f s_txt s_txt_7z hash do local f7z="$f.7z" echo "Checking '$DBDIR/$f' ..." local s_txt_is=$(stat -f %z $f 2>/dev/null) if [ "$s_txt_is" != "$s_txt" ]; then local s_txt_7z_is=$(stat -f %z $f7z 2>/dev/null) if [ "$s_txt_7z_is" != "$s_txt_7z" ]; then echo "Fetching '$DBDIR/$f7z' ..." fetch -S $s_txt_7z "$URLBASE/$f7z" || errexit "Could not fetch '$URLBASE/$f7z'." fi echo "Checking '$DBDIR/$f7z' ..." local hash_is=$(sha1 -q "$f7z") if [ "$hash_is" != "$hash" ]; then rm -f "$f7z" errexit "File '$f7z' fails SHA1 check: '$hash_is' should be '$hash'." fi echo "Extracting '$DBDIR/$f' ..." tar xOf "$f7z" | cut -d ":" -f 1 > "$f" || errexit "Decompression of file '$f7z' failed." local s_txt_is=$(stat -f %z "$f") if [ "$s_txt_is" != "$s_txt" ]; then rm -f "$f" errexit "File '$f' has size $s_txt_is after decompression, should be $s_txt." fi fi rm -f "$f7z" done < /dev/null + local hash=$(echo "$1" | tr 'a-z' 'A-Z') + if [ "$USEFILES" = yes ]; then + look "$hash" pwned-passwords*.txt > /dev/null + else + expected=${hash#?????} + prefix=${hash%$expected} + fetch -q -o - https://api.pwnedpasswords.com/range/$prefix 2>/dev/null | grep -i "^$expected:" >/dev/null + fi } checkpw () { local pwd="$1" - local hash=$(echo -n "$pwd" | sha1 | tr 'a-z' 'A-Z') + local hash=$(echo -n "$pwd" | sha1) if lookup "$hash"; then echo "$pwd" exitcode=1 elif expr "$pwd" : '[A-Fa-f0-9]\{40\}$' > /dev/null; then if lookup "$pwd"; then echo "$pwd" exitcode=1 fi fi } # Main program -cd "$DBDIR" || errexit "Database directory '$DBDIR' not found." export LC_COLLATE=C +if cd "$DBDIR" && ls pwned-passwords*.txt; then + USEFILES=yes +fi >/dev/null 2>&1 if [ "$#" -gt 0 ]; then if [ "$1" = "-u" ]; then fetchpwfiles exit 0 else echo "usage: "$(progname)" [-u]" exit 2 fi fi while read pwd do checkpw "$pwd" done exit $exitcode