Jump to content
bachya

LP Vault Manager: A Workflow for LastPass

Recommended Posts

Yes, that would help a bit.

The thing is that I don't want my passwords to be available straight away. And the "special" passwords which normally require an extra password/security input should require the entering of the master password again. I'll check the lastpass cli to see if I can add some extra security measures (i.e. small activation code for every password like the lastpass android app does).

I'm just a tad paranoid :)

 

I definitely hear your concern! It's good to be paranoid with this stuff. :)

 

As it stands right now, if you don't set LPASS_AGENT_TIMEOUT to 0, you'll see this every so often:

relogin-screenshot.png

...which is helpful, maybe?

 

What you're suggesting ("special" vault items that would force a master password re-entry) would definitely require a bit more than what the lpass command offers. If you fork the project and add your suggested fixes, I'd be happy to take a look at utilizing it.

Share this post


Link to post

Because, when you're snowed in, there's no better time to code away. :) 3.1 published and it has some cool features:

  • Entirely new settings/configuration management via `lpsettings`.
  • Added ability to login to LastPass.
  • Added ability to logout from LastPass.
  • Added ability to configure filepath to `lpass`.
  • Added new (and slimmer) icons.
  • Environment-proofed Python path in all scripts and Script Filters.

Share this post


Link to post

I am so stoked you have created this.  I am on Mac, I have logged into Last Pass from the CLI...I am able to retrieve a password from the CLI..but for the life of me I cannot find a version that has lpass export...

 

$ lpass --version  yields

LastPass CLI v0.3.0

 

I tried installing from "Brew" and from GitHub/Make/Make Install...

 

Any clues on a good URL to get the CLI needed.


Thanks,


T
 

Share this post


Link to post

I am so stoked you have created this.  I am on Mac, I have logged into Last Pass from the CLI...I am able to retrieve a password from the CLI..but for the life of me I cannot find a version that has lpass export...

 

$ lpass --version  yields

LastPass CLI v0.3.0

 

I tried installing from "Brew" and from GitHub/Make/Make Install...

 

Any clues on a good URL to get the CLI needed.

Thanks,

T

That's so bizarre. According to their issues page, they added that command about a month ago (https://github.com/lastpass/lastpass-cli/issues/4). When you run `lpass` by itself, what gets output?

 

FYI, I have the same version as you:

 

abach@xxxxx ~ $ lpass --version
LastPass CLI v0.3.0
Edited by Aaron B.

Share this post


Link to post

 

That's so bizarre. According to their issues page, they added that command about a month ago (https://github.com/lastpass/lastpass-cli/issues/4). When you run `lpass` by itself, what gets output?

 

FYI, I have the same version as you:

 

abach@xxxxx ~ $ lpass --version
LastPass CLI v0.3.0

 

I am a bit perplexed as well.

 

lpass

Usage:

  lpass {--help|--version}

  lpass login [--trust] [--plaintext-key [--force, -f]] USERNAME

  lpass logout [--force, -f]

  lpass show [--sync=auto|now|no] [--clip, -c] [--all|--username|--password|--url|--notes|--field=FIELD|--id|--name] {UNIQUENAME|UNIQUEID}

  lpass ls [--sync=auto|now|no] [GROUP]

  lpass edit [--sync=auto|now|no] [--non-interactive] {--name|--username|--password|--url|--notes|--field=FIELD} {NAME|UNIQUEID}

  lpass generate [--sync=auto|now|no] [--clip, -c] [--username=USERNAME] [--url=URL] [--no-symbols] {NAME|UNIQUEID} LENGTH

  lpass duplicate [--sync=auto|now|no] {UNIQUENAME|UNIQUEID}

  lpass rm [--sync=auto|now|no] {UNIQUENAME|UNIQUEID}

  lpass sync [--background, -b]

Share this post


Link to post

 

I am a bit perplexed as well.

 

lpass

Usage:

  lpass {--help|--version}

  lpass login [--trust] [--plaintext-key [--force, -f]] USERNAME

  lpass logout [--force, -f]

  lpass show [--sync=auto|now|no] [--clip, -c] [--all|--username|--password|--url|--notes|--field=FIELD|--id|--name] {UNIQUENAME|UNIQUEID}

  lpass ls [--sync=auto|now|no] [GROUP]

  lpass edit [--sync=auto|now|no] [--non-interactive] {--name|--username|--password|--url|--notes|--field=FIELD} {NAME|UNIQUEID}

  lpass generate [--sync=auto|now|no] [--clip, -c] [--username=USERNAME] [--url=URL] [--no-symbols] {NAME|UNIQUEID} LENGTH

  lpass duplicate [--sync=auto|now|no] {UNIQUENAME|UNIQUEID}

  lpass rm [--sync=auto|now|no] {UNIQUENAME|UNIQUEID}

  lpass sync [--background, -b]

 

 

Tommy, I recommend you go to the lastpass-cli Issues Page and report this; something's not right. See what they can do to help?

Share this post


Link to post

I'm getting an issue searching & I think it might be to do with my locale (which is en_IE.UTF-8).

 

I can login okay:

/usr/local/bin/lpass login *****@***.*** && exit
pinentry-curses: no LC_CTYPE known - assuming UTF-8
Success: Logged in as *****@***.***.

[Process completed]

However I get this when I search (sorry for size):

 

aLNZ4UW.png

 

& when I run it from command line I get:

	➜  user.workflow.*************  /usr/bin/env python lpvm.py search-vault "gmail"            
pinentry-curses: no LC_CTYPE known - assuming UTF-8
01:22:14 workflow.py:1634 DEBUG    Cached data saved at : /Users/xxxxxx/Library/Caches/com.runningwithcrayons.Alfred-2/Workflow Data/org.koffel.alfred.terminal-control/vault_items.cpickle
01:22:14 workflow.py:1951 ERROR    'ascii' codec can't decode byte 0xc3 in position 11: ordinal not in range(128)
Traceback (most recent call last):
  File "/Users/xxxxxx/Library/Application Support/Alfred 2/Alfred.alfredpreferences/workflows/user.workflow.*************/workflow/workflow.py", line 1946, in run
    func(self)
  File "lpvm.py", line 246, in main
    search_vault(wf, vault, args.query)
  File "lpvm.py", line 141, in search_vault
    results = _search_vault(wf, vault, query)
  File "lpvm.py", line 40, in _search_vault
    match_on=MATCH_ALL ^ MATCH_ALLCHARS
  File "/Users/xxxxxx/Library/Application Support/Alfred 2/Alfred.alfredpreferences/workflows/user.workflow.*************/workflow/workflow.py", line 1780, in filter
    value = key(item).strip()
  File "lpvm.py", line 88, in search_item_fields
    return ' '.join(elements)
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 11: ordinal not in range(128)
01:22:14 workflow.py:1969 DEBUG    Workflow finished in 5.407 seconds.

Share this post


Link to post

 

I'm getting an issue searching & I think it might be to do with my locale (which is en_IE.UTF-8).

 

I can login okay:

/usr/local/bin/lpass login *****@***.*** && exit
pinentry-curses: no LC_CTYPE known - assuming UTF-8
Success: Logged in as *****@***.***.

[Process completed]

However I get this when I search (sorry for size):

 

aLNZ4UW.png

 

& when I run it from command line I get:

	➜  user.workflow.*************  /usr/bin/env python lpvm.py search-vault "gmail"            
pinentry-curses: no LC_CTYPE known - assuming UTF-8
01:22:14 workflow.py:1634 DEBUG    Cached data saved at : /Users/xxxxxx/Library/Caches/com.runningwithcrayons.Alfred-2/Workflow Data/org.koffel.alfred.terminal-control/vault_items.cpickle
01:22:14 workflow.py:1951 ERROR    'ascii' codec can't decode byte 0xc3 in position 11: ordinal not in range(128)
Traceback (most recent call last):
  File "/Users/xxxxxx/Library/Application Support/Alfred 2/Alfred.alfredpreferences/workflows/user.workflow.*************/workflow/workflow.py", line 1946, in run
    func(self)
  File "lpvm.py", line 246, in main
    search_vault(wf, vault, args.query)
  File "lpvm.py", line 141, in search_vault
    results = _search_vault(wf, vault, query)
  File "lpvm.py", line 40, in _search_vault
    match_on=MATCH_ALL ^ MATCH_ALLCHARS
  File "/Users/xxxxxx/Library/Application Support/Alfred 2/Alfred.alfredpreferences/workflows/user.workflow.*************/workflow/workflow.py", line 1780, in filter
    value = key(item).strip()
  File "lpvm.py", line 88, in search_item_fields
    return ' '.join(elements)
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 11: ordinal not in range(128)
01:22:14 workflow.py:1969 DEBUG    Workflow finished in 5.407 seconds.

 

Try the 4.0 pre-release and let me know if it helps? https://github.com/bachya/lp-vault-manager/releases/tag/pre-v4.0

Share this post


Link to post

Thanks for the quick update!

 

I'm getting closer :)

 

When I run lpbrowser I'm having success:

 

nIVRi8z.png

 

however lpvs still doesn't work for some reason?

 

tcNG17V.png

 

The funny thing is I'm not sure that I'm able to login properly from the Alfred screen.  (edit: i.e. when the text in Alfred changes to lastpass-login and I press enter, nothing happens).  I think it only worked when I went to terminal and typed lpass login username@site.com

 

Then when I went back to try lastpass-login it told me I was already logged in.  I was then able to confirm I could list sites from the command line, and when I went back to alfred the lpvs display had changed from this:

 

LnZ6quG.png

 

to this:

 

3Gl1ZxN.pngIncidentally, should the 'lpdd' command output anything in the console?  It would be helpful if maybe this posted a notification to confirm the metadata downloads. 

Edited by rozling

Share this post


Link to post

The funny thing is I'm not sure that I'm able to login properly from the Alfred screen.  (edit: i.e. when the text in Alfred changes to lastpass-login and I press enter, nothing happens).  I think it only worked when I went to terminal and typed lpass login username@site.com

 

What is the exact value of Alfred when it comes up after you select "Login To LastPass" (it should be something like >/usr/local/bin/lpass login username@site.com)? Does the prefix character match what you have selected in "Terminal/Shell" in Alfred Preferences.

 

Incidentally, should the 'lpdd' command output anything in the console?  It would be helpful if maybe this posted a notification to confirm the metadata downloads.

Try highlighting the "Run Script" action connected to the "lpdd" keyword and running `lppd`. Assuming the download happens correctly, you most certainly should see something like this:

Starting debug for 'LastPass Vault Manager'

[ERROR: alfred.workflow.action.script] Code 0: 13:14:45 workflow.py:1386 DEBUG    Reading settings from `/Users/abach/Library/Application Support/Alfred 2/Workflow Data/com.bachya.lpvm/settings.json` ...
13:14:45 lpdd_exec.py:22 DEBUG    Exec arguments: [u'download-data']
13:14:45 lpdd_exec.py:34 DEBUG    Parsed command: download-data
13:14:45 lpdd_exec.py:35 DEBUG    Parsed argument: None
13:14:45 lpdd_exec.py:36 DEBUG    Parsed delimiter: >
13:14:45 lpdd_exec.py:43 DEBUG    Executing command: download-data
13:14:50 utilities.py:66 DEBUG    Downloaded data: [{'url': 'http://lifehacker.com/people/bachya/', 'hostname': 'Personal/Lifehacker'}, {'url': 'https://www.elevationscu.com/', 'hostname': 'Personal/Elevations Credit Union'}, {'url': 'https://www.facebook.com/', 'hostname': 'Personal/Facebook'}, {'url': 'http://www.geico.com/', 'hostname': 'Personal/Geico'}, {'url': 'https://www.linkedin.com/secure/login?trk=hb_signin', 'hostname': 'Personal/LinkedIn'}, {'url': 'http://espn.go.com/', 'hostname': 'Personal/ESPN'}, {'url': 'https://www.last.fm/login', 'hostname': 'Personal/Last.FM'}, {'url': 'https://secure.newegg.com/NewMyAccount/AccountLogin.aspx', 'hostname': 'Personal/Newegg'}, {'url': 'https://addons.mozilla.org/en-US/firefox/users/login?to=en-US%2Ffirefox%2F', 'hostname': 'Personal/Mozilla'}, {'url': 'https://www.amazon.com/gp/sign-in.html?ie=UTF8&email=&disableCorpSignUp=&path=%2Fgp%2Fyourstore&redirectProtocol=&mode=&useRedirectOnSuccess=1&query=signIn%3D1%26ref%5F%3Dpd%5Firl%5Fgw&pageAction=%2Fgp%2Fyourstore', 'hostname': 'Personal/Amazon'}, {'url': 'https://manage.slicehost.com/login', 'hostname': 'Personal/Slicehost'}, {'url': 'http://www.starwars.com/webapps/registration/sign-in.action?message=You+have+successfully+signed+off.%0A', 'hostname': 'Personal/starwars.com'}, {'url': 'http://wordpress.com', 'hostname': 'Personal/Wordpress'}, {'url': 'http://getsatisfaction.com/session/new', 'hostname': 'Personal/Get Satisfaction'}, {'url': 'https://www.shutterfly.com/signin/signin.sfly', 'hostname': 'Personal/Shutterfly'}, {'url': 'http://www.dyndns.com/', 'hostname': 'Personal/DynDNS'}, {'url': 'https://cart2.barnesandnoble.com/account/op.asp?x=01151712', 'hostname': 'Personal/Barnes & Noble'}, {'url': 'https://www.yelp.com/login?return_url=%2Fdenver', 'hostname': 'Personal/Yelp'}, {'url': 'http://www.macheist.com/loot', 'hostname': 'Personal/MacHeist'}, {'url': 'http://skitch.com/login/', 'hostname': 'Personal/Skitch'}, {'url': 'https://twitter.com/', 'hostname': 'Personal/Twitter'}, {'url': 'http://www.proactiv.com/#sign-in', 'hostname': 'Personal/Proactiv'}, {'url': 'http://musicbrainz.org', 'hostname': 'Personal/MusicBrainz'}, {'url': 'http://www.deviantart.com/users/lost-password/update', 'hostname': 'Personal/deviantART'}, {'url': 'https://reg.sun.com', 'hostname': 'Personal/Sun Microsystems'}, {'url': 'https://www.tiffany.com/Customer/Account/SignIn.aspx', 'hostname': 'Personal/Tiffany'}, {'url': 'https://github.com/login', 'hostname': 'Personal/Github'}, {'url': 'https://my.screenname.aol.com/_cqr/login/login.psp?sitedomain=startpage.aol.com&siteState=OrigUrl%3dhttp%3a%2f%2fwww.aol.com%2f&authLev=0〈=en&locale=us', 'hostname': 'Personal/AOL'}, {'url': 'https://www.redbox.com/Account/Login.aspx', 'hostname': 'Personal/Redbox'}, {'url': 'https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1k96igf4806cy&scc=1&ltmpl=default&ltmplcache=2', 'hostname': 'Personal/Google (bachya1208)'}, {'url': 'http://bit.ly/', 'hostname': 'Personal/bitly'}, {'url': 'http://consumerist.com', 'hostname': 'Personal/Consumerist'}, {'url': 'http://freeimages.com', 'hostname': 'Personal/Free Images'}, {'url': 'https://secure.www.denverpost.com/registration/?rPage=login&url=http%3A%2F%2Fwww.denverpost.com%2Fpremium%2Fbroncos%2Fci_13483974&eRightsSessionExpired=true&forced=true', 'hostname': 'Personal/Denver Post'}, {'url': 'https://www.discover.com/', 'hostname': 'Personal/Discover'}, {'url': 'http://du.edu', 'hostname': 'Personal/University of Denver'}, ...
[INFO: alfred.workflow.action.script] Processing output 'alfred.workflow.output.notification' with arg 'LastPass metadata successfully downloaded.'

Barring that, what happens if, in Terminal, you run:

ls ~/Library/Caches/com.runningwithcrayons.Alfred-2/Workflow\ Data/com.bachya.lpvm/vault_items.cpickle

?

Edited by Aaron B.

Share this post


Link to post

 

What is the exact value of Alfred when it comes up after you select "Login To LastPass" (it should be something like >/usr/local/bin/lpass login username@site.com)? Does the prefix character match what you have selected in "Terminal/Shell" in Alfred Preferences.

 

It just stays as 'lpsettings lastpass-login', even if I press return.  On the previous version when I hit return on that it would display the terminal command (ending in '&&exit'), but as far as I remember it never actually opened the terminal.  On that version my prefix character was set to '$' - I did then set it to '>' but I can't remember if it worked then or I had to enter it in Terminal manually.

 

When I run `python lpsettings_exec.py login user@email.com` in Terminal, the Alfred window pops up with 

/usr/local/bin/lpass login user@email.com && exit

When I hit enter that runs and I get prompted for my password and can login successfully.

 

 

 

 

Try highlighting the "Run Script" action connected to the "lpdd" keyword and running `lppd`. Assuming the download happens correctly, you most certainly should see something like this:

 

All I get, even with 'Log All Information' on is:

Starting debug for 'LastPass Vault Manager'

[INFO: alfred.workflow.input.keyword] Processing output 'alfred.workflow.action.script' with arg ''

 

Barring that, what happens if, in Terminal, you run:

ls ~/Library/Caches/com.runningwithcrayons.Alfred-2/Workflow\ Data/com.bachya.lpvm/vault_items.cpickle

?

 

 

This outputs:

/Users/xxxx/Library/Caches/com.runningwithcrayons.Alfred-2/Workflow Data/com.bachya.lpvm/vault_items.cpickle

Share this post


Link to post

When I run `python lpsettings_exec.py login user@email.com` in Terminal, the Alfred window pops up with 

/usr/local/bin/lpass login user@email.com && exit
When I hit enter that runs and I get prompted for my password and can login successfully.

 

That's the most concerning part: if it works via Terminal, it should work via Alfred. I simply cannot reproduce it. :( Because of that, I'm going to see if the Alfred community can help us out: http://www.alfredforum.com/topic/5356-script-filters-via-python-seem-to-sporadically-not-work/

Incidentally, what version of Alfred are you running?

Edited by Aaron B.

Share this post


Link to post

Version 4.1 released:

  • Implemented auto-updating.
  • Fixed a few small path bugs.
For those who are having issues with the Script Filters sometimes not working: I've implemented all the advice from this thread, but no visible change to me thus far. Check this version and see if your situation improves at all.

Share this post


Link to post

Version 4.2 released:

  • Fixed a bug where the full path to /usr/bin/python was not specified.
  • Fixed a settings selection bug.
  • Streamlined some verbiage within notifications.
Edited by Aaron B.

Share this post


Link to post

LOVE this workflow. If any of you have special characters in your master password for lastpass, you might run into an issue where it's hard to login via the lastpass CLI tool that the workflow launches when you try to login. To get around this, don't allow the CLI tool to prompt for your password with pinentry. When you install lastpass-cli via Homebrew don't include the "--with-pinentry" flag and it won't be installed. If you already installed it, either run "brew uninstall pinentry" or temporarily disable the pinentry prompt by running "LPASS_DISABLE_PINENTRY=1 lpass login <username>". Hopefully that helps anyone having issues like I was. I was able to pretty quickly figure out the issue, but others might not.

Edited by Chevex

Share this post


Link to post

When you see Alfred's fallback results (which is what your screenshot shows), that either means the keyword is wrong or the workflow has failed/crashed.

 

Open Alfred Preferences, select the workflow and open the debugger. Run the workflow and post what you see in the debugger.

Edited by deanishe

Share this post


Link to post

Alright.. I think I might be going crazy.. It's almost 1 am and I've been at this for 4 hours now. And I simply cannot get this to work..

This same error keeps coming up:

Error 13 Permission Denied.

Please help.

Share this post


Link to post

That error usually means you don't have permission to read/write a file you're trying to access.

Logging in and out almost certainly won't help.

This workflow is based on Alfred-Workflow, so you can try deleting all the cached data and settings by entering lpvs workflow:reset in Alfred. This should completely reset the workflow.

Share this post


Link to post

Hi guys, I'm getting this error when trying to log into LastPass form this workflow:

 

Error.jpg

 

 

Funny thing is, I can't find this command:

 

/usr/local/bin/lpass

 

anywhere, so I can't attempt the login from the command line.  I'm not tech expert, but I can find my way around terminal.  Perhaps a bad install?  I tried removing and adding many times.  It seems others are having the same issue here:

 

https://github.com/bachya/lp-vault-manager/issues/12

 

I must be missing something easy.  Any fixes?

Share this post


Link to post

This appears to be a workflow with huge potential.. The one thing that comes to mind...

 

How safe/secure is this workflow?

 

How safe/secure is this compared to other integrations, other tools, browsers integrated with lastpass, etc.

In theory, this workflow has full access to all your passwords, right?

 

Please, convince me to use this! :)

 

DJ

Share this post


Link to post

i am not a technical person and don't know anything about capture:tiny, homebrew etc. But I have installed everything and i am on the stage of logging in pinentry  :)  


 /usr/local/bin/lpass login [--trust] [--plaintext-key [--force, -f]] USERNAME


 


i am hesitant to ask, and you can laugh or beat me to death but I have gathered strength to ask this :


 


is there a risk of my master password or site passwords getting compromised this way? There is a lot going on in CLI and i don't know what all code my MasterPassword would go through and which host/domain these scripts might connect from background. I appreciate this fantastic workflow and don't doubt you at all. its just that i want to know the background work these scripts would do. 


Apologies if i offended you or anybody.


 


Regards,


Jay


Share this post


Link to post

Well first off, the workflow doesn't do anything stupid like store your passwords.

 

Fundamentally, to use any encrypted data, it first needs to be decrypted.

 

With any password manager, when your encrypted store is unlocked, either the master password/decryption key or the decrypted passwords are now in memory.

 

I don't know exactly how the LastPass CLI program works, or how it differs from the browser-based applications, but your data is fundamentally at risk whenever the password store is accessible (i.e. unlocked). Personally, I'd be more inclined to trust software that isn't directly connected to the browser I'm entering the password in: it insulates your sensitive data better from bugs in the browser or extension.

 

To maximise security, you want the password store to be automatically locked after use. The shorter the time it remains unlocked, the better.

 

In that regard, disabling the agent timeout is not a great idea, but it's no worse than setting the browser extension to never time out.

 

Ultimately, it's always a compromise between security and convenience. If you're happy to enter your master password every time you need a site password, then that will minimise the possibility of your passwords being pilfered from your machine by malware. On the other hand, if you leave your password store unlocked whenever the app is running, that makes it more tolerable to use a longer, stronger master password, which makes the encrypted data stored in the cloud more secure.

Share this post


Link to post

Well first off, the workflow doesn't do anything stupid like store your passwords.

 

Fundamentally, to use any encrypted data, it first needs to be decrypted.

 

With any password manager, when your encrypted store is unlocked, either the master password/decryption key or the decrypted passwords are now in memory.

 

I don't know exactly how the LastPass CLI program works, or how it differs from the browser-based applications, but your data is fundamentally at risk whenever the password store is accessible (i.e. unlocked). Personally, I'd be more inclined to trust software that isn't directly connected to the browser I'm entering the password in: it insulates your sensitive data better from bugs in the browser or extension.

 

To maximise security, you want the password store to be automatically locked after use. The shorter the time it remains unlocked, the better.

 

In that regard, disabling the agent timeout is not a great idea, but it's no worse than setting the browser extension to never time out.

 

Ultimately, it's always a compromise between security and convenience. If you're happy to enter your master password every time you need a site password, then that will minimise the possibility of your passwords being pilfered from your machine by malware. On the other hand, if you leave your password store unlocked whenever the app is running, that makes it more tolerable to use a longer, stronger master password, which makes the encrypted data stored in the cloud more secure.

Thank you for giving insights. This helped me in understanding it little more.  :)

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...