Abraxas Collaborative Password Utility

Be aware that Abraxas is being deprecated in favor of Advendesora. The only new functionality that has been added to Abraxas recently is the ability to export your accounts to Avendesora (abraxas –export). See the bottom of this file for instructions on how to use this new feature.

Introduction

Abraxas is powerful password utility that can store or generate your passwords and produce them from the command line. It can also be configured to autotype your username and password into the current window so that you can log in with a simple keystroke.

Abraxas is an alternative to the traditional password vault. The intent is not to store passwords, but rather to regenerate them as needed. This is done with the aid of two files. The first is an accounts file that contains useful information about each account along with the parameters that control how the password is generated for that account (which style of password to generate, how many characters or words to include, what alphabet to use, etc.) The second is the master password file. When you go to use the password generator, you will first need to unlock the master password file. You do so by providing its pass phrase, which only you should know. Thus, only you will be capable of generating the passwords associated with your accounts. Once generated, you can specify that they be displayed on the standard output, you can specify that they be copied to the clipboard, or you can specify that they be typed into some other program.

In your master password file you can store more than one master password (the password used to generate the passwords for your accounts). In this way this password generator makes it easy to collaborate with friends and colleagues. Simply start by sharing a master password that you only use for shared accounts. A password generated for a particular account is computed from the name of the account and the master password. Since your partner and you are sharing the master password, you will both generate the same password for an account as long as you both use the same name for the account. In other words, if Alice and Bob share a master password, and if Alice wants to create a Google Docs account for sharing documents with Bob, she need only create the account using the password generated by Abraxas using the shared master password, and then simply tells Bob that she has created a Google Docs account with the name “abdocs” and uploaded several documents. Without actually sharing the password, Bob uses the shared master password and the account name to regenerate the account’s password himself and downloads the documents.

Installing Prerequisites in Fedora with Yum

Abraxas is compatible with both python 2.6 and beyond or python 3.3 and beyond. It requires the following packages to fully function (run these commands as root):

yum install python
yum install python-setuptools
yum install libyaml-devel
yum install PyYAML
yum install pygobject3 (if using python2)
yum install python3-gobject (if using python3)
yum install python-docutils
yum install xdotool
yum install xsel
easy_install python-gnupg

On Centos you will also need:

yum install python-argparse

On Redhat-based systems you can get these dependencies by running ./yum.sh.

If you would like to run the tests, you will also need the inform package from my github account (https://github.com/KenKundert/inform.git).

Installing Prerequisites in Arch Linux with Pacman

Abraxas requires the following Arch Linux packages to fully function (run these commands as root):

pacman -S git
pacman -S python
pacman -S python-setuptools
pacman -S python-docutils
pacman -S python-gobject
pacman -S libyaml
pacman -S xdotool
pacman -S xsel
easy_install python-gnupg
easy_install PyYAML

You can install these prerequisites by running ./pacman.sh.

Installing Prerequisites in Ubuntu with Apt-Get

Abraxas requires the following Ubuntu packages to fully function (run these commands as root):

apt-get install git
apt-get install libyaml-dev
apt-get install python3
apt-get install python3-setuptools
apt-get install python3-docutils
apt-get install python3-gi
apt-get install python3-yaml
apt-get install xdotool
apt-get install xsel
easy_install3 python-gnupg

You can install these prerequisites by running ./ubuntu.sh. Ubuntu does not provide gpg2, so you will need to change GPG_BINARY in abraxas/prefs.py to gpg.

Installing Prerequisites from Source

Or, you can install Python from source. First get and install Python using:

$ cd ~/packages/python
$ wget http://www.python.org/download/releases/3.3.2/Python-3.3.2.tgz
$ tar zxf Python-3.3.2.tgz
$ cd Python-3.3.2
$ ./configure --prefix=$HOME/.local
$ make
$ make install

Now get easy_install:

$ wget -O http://python-distribute.org/distribute_setup.py
$ python3.3 distribute_setup.py

Then you can use easy_install to install python-gnupg, argparse, docutils, and PyYAML as above.

Configuring GPG Agent

If you do not yet have a GPG key, you can get one using:

$ gpg --gen-key

You should probably choose 4096 RSA keys. Now, edit ~/.gnupg/gpg-conf and add the line:

use-agent

That way, if you have an agent running (and most login environments such as Gnome or KDE will start an agent for you; if you do not have an agent running you can generally have one started for you when you login by configuring your Session settings) then you can just give your GPG key pass phrase once per login session.

The ultimate in convenience is to use Gnome Keyring to act as the GPG agent because it allows you to unlock the agent simply by logging in. To do so, make sure Keyring is installed:

yum install gnome-keyring gnome-keyring-pam

If you are using Gnome, it will start Keyring for you. Otherwise, you should modify your .xinitrc or .xsession file to add the following:

# Start the message bus if it is not already running
if test -z "$DBUS_SESSION_BUS_ADDRESS"; then
   eval $(dbus-launch --sh-syntax --exit-with-session)
fi

# Set ssh and gpg agent environment variables
export $(gnome-keyring-daemon --start)

GnuPG Issues

If abraxas crashes with the message:

ValueError: Unknown status message: u'PROGRESS'

you have encountered a bug in python-gnupg. I can be resolved by adding “PROGRESS” to line 219 of gnupg.py in the python-gnupg install (the path varies based on the version and where you install it, but you might try something like: /usr/lib/python3.3/site-packages/python_gnupg-0.3.6-py3.3.egg/gnupg.py).

If you use Gnome Keyring, you should be aware the Werner Koch is very annoyed at it and the latest versions of gnupg will emit a warning that Gnome Keyring has hijacked the GnuPG agent if you try to use Gnome Keyring as the GnuPG agent. You can safely ignore this message. The only way to use Gnome Keyring and avoid the message is to download the GnuPG source, delete the message, and compile it by hand.

Installing

To test the program, run:

$ ./test

or:

$ ./test3

if you plan to use python3 and have both python2 and python3 installed.

Once you are comfortable that everything is in order, you should install the program. To do so, first open the install file and make sure your version of python is given in the set python line. Then run:

$ ./install

The program along with the man pages should end up in ~/.local.

Once installed, you should be able to get information as follows:

$ man abraxas     (information on how to use abraxas from the command line)
$ man 3 abraxas   (information on how to use the abraxas API)
$ man 5 abraxas   (information about the configuration files)

Configuring Vim

To be able to easily edit encrypted files (such as the Abraxas master password file), download the gnupg vim plugin from:

http://www.vim.org/scripts/script.php?script_id=3645

Then copy it into:

cp gnupg.vim ~/.vim/plugin

Configuring Abraxas

To start using Abraxas you need to do a one-time setup to create your account directory (~/.config/abraxas):

$ abraxas -I <GPG-Key>

where <GPG-Key> would be replaced by the email you provided to GPG when you created your key.

You will need to edit ~/.config/abraxas to add your accounts (see man 5 abraxas for the details). For example, to add a gmail accounts, add the following to accounts:

"gmail-derrickAsh": {
     'aliases': ['gmail', 'google'],
     'template': "=words",
     'username': "derrickAsh",
     'url': 'https://accounts.google.com',
     'window': [
         'Gmail*',
         '*Google Accounts*',
     ],
     'autotype': "{username}{tab}{password}{return}",
},

You can now test this account using:

$ abraxas gmail
PASSWORD: fallacy derby twinge clone

You would then change your gmail password to the generated pass phrase. Alternatively, you can simply enter your existing password into password_overrides in ~/.config/abraxas/master.gpg until the next time you get around to changing your password.

Configuring the Window Manager for Abraxas Autotype

If you use Firefox or Thunderbird, I recommend you install the ‘Hostname in Titlebar’ add-on to both so that Abraxas can recognize the account to use purely from the URL.

Finally, you will want to chose a keystroke sequence and configure the window manager to run the password generator when you trigger it with that keystroke. How you do that depends on your window manager. With Gnome, it requires that you open your Keyboard Shortcuts preferences and create a new shortcut. I recommend Alt-p as a reasonable keystroke sequence. Enter:

$HOME/.local/bin/abraxas --autotype

as the command to run. Then, when you create your accounts, you should add the appropriate window titles to the account entry so that the appropriate account can be determined automatically from the window title. For example, with the gmail account entered above, you can go to gmail.com, select the username field and then type Alt p to login.

Exporting to Avendesora

Abraxas is no longer being developed and is being replaced by Avendesora. To facilitate the transition to Avendesora the –export option has been added to Abraxas. To use it, run:

abraxas --export

This will result in ~/.config/abraxas/avendesora being created in your Abraxas configuration directory. It contains all of your accounts converted to a form that can be read by Avendesora. During the export process the passwords are generated and saved in the Avendesora files. The intent is to give you access these accounts from Avendesora, but exported versions are somewhat limited. The expectation is that when you use these accounts and notice these limitation you would manually move the accounts to Avendesora. After this has occurred, you should add the names of the migrated accounts to ~/.config/abraxas/do-not-export and re-export your accounts. In this way, those accounts will not show up twice in Avendesora.

Exporting your accounts does not actually link them to Avendesora. The best way to do that is to go into your Avendesora configuration directory and create symbolic links from this directory to each of the exported Abraxas accounts files. Then add these files to your .accounts_files file. For example, if you export a single accounts file from Abraxas called accounts.gpg, then do the following:

cd ~/.config/avendesora
ln -s ../abraxas/avendesora/accounts.gpg abraxas_accounts.gpg

Then edit .accounts_files and add ‘abraxas_accounts.gpg’ to the accounts_files list.

Other than re-exporting your Abraxas accounts after migrating some of your accounts to Avendesora (and so adding them to do-not-export) this process should not need to be repeated. The symbolic links will point to the newly updated files and so Avendesora will see the latest exports. Only creating new account files in Abraxas, which of course is discouraged, would require you to add additional symbolic links.

Enjoy,
-Ken