Configuration
Configuration can be either in YAML or sqlite format. The default paths searched for configuration files are, in order:
~/.config/passacre/passacre.sqlite
~/.config/passacre/passacre.yaml
~/.passacre.sqlite
~/.passacre.yaml
sqlite is the recommended configuration format.
A new sqlite config will be initialized by default at ~/.passacre.sqlite with the passacre init command.
Where sqlite uses dotted names, YAML uses nested mappings. For example, to specify z for the x.y key in YAML:
x:
  y: z
Global options
All of these options are set either as root keys in the YAML document or with the passacre config command for sqlite.
always-confirm-passwords
Either true or false (the default). If set to true, any time the user is prompted to enter their password, a confirmation prompt will ask for the password a second time. This helps ensure the correct password was entered.
method
Either keccak (the default) or skein. Controls which hash algorithm is used to generate passwords. This is just a matter of personal preference and neither one is better. It can safely be ignored if you don’t understand or don’t care. Both methods are available by default in passacre on either Python 2 or Python 3.
Any sites which don’t specify their own method in the configuration file will use the global method. The global method is also used for hashing site names.
iterations
The base number of iterations to use for password generation. It is safe to leave this alone if you don’t know what to do with it. One iteration corresponds to adding another 1024 null bytes to the input to be hashed. The default is 1000, though it can comfortably be set higher. As Skein/Threefish is a bit faster than Keccak as a pseudo-random number generator, this value should probably be set higher if skein is selected as the default method.
words-file
A path to a file containing words, with one word per line. This is used for generating passwords using the special word name in the schema. By default, there is no words-file and generating passwords containing words will fail.
site-hashing.enabled
Either true, false, or 'always'. When looking up a site’s configuration information, this controls whether passacre should try to find an entry for the site name or instead hash the site name and find an entry for the resultant hash.
- true means that passacre will first try looking for configuration information on the unhashed site name, then try on the hashed site name. If no entry is found for either, passacre will use the default configuration.
- false means that passacre will never try to use the hashed site name.
- 'always' means that passacre will only try to use the hashed site name and never try looking up an unhashed site name. Additionally, 'always' is respected by passacre site and passacre config when adding, removing, or modifying site configurations; passacre will act as if the --hashed flag is always passed.
site-hashing.method
The method to use for hashing site names. Defaults to the same value as method and has the same semantics. Safe to disregard if you either don’t understand or don’t care.
site-hashing.iterations
The number of iterations to use when hashing the site name. Defaults to the same value as iterations and has the same semantics.
Site options
All of these options are set under keys corresponding to the site name in the root sites mapping in the YAML config or with passacre config for sqlite.
method
The method to use for hashing passwords for this site. Defaults to the same value as the global method and has the same semantics.
iterations
The number of iterations to use when hashing passwords for this site. Defaults to the same value as the global iterations and has the same semantics.
increment
A value which will be added to iterations in order to find the number of iterations used for hashing the password for a site. Defaults to 0. This can be incremented to generate new passwords for the same site and master passphrase combination without modifying the global iterations.
schema
The schema used to generate passwords for this site. Required; there is no default. This is set with passacre schema for sqlite. See the section on password schemata for details of its format.
yubikey-slot
The configuration slot used for YubiKey two-factor password generation. The specified slot must be configured for HMAC challenge/response. Generating a password for a site will then issue a challenge of the UUID dd34b62f-9ed5-597e-85a2-c15d48ed6832 and prepend the response to the input password being used for generation.
JSON-mini
Passacre uses a small superset of JSON for specifying configuration on the command line. Syntax is mostly the same, but with the following changes:
- Strings composed of just alphanumeric characters, hyphens, and underscores don’t require quotes. This works for both object keys and string values. For example, {foo-bar: baz} is the same as {"foo-bar": "baz"}.
- The braces are optional for a top-level object. For example, spam: eggs, eggs: spam is the same as {"spam": "eggs", "eggs": "spam"}. Objects beyond the top level still require braces.
- null can also be written as %.
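The three JSON-mini rules above, as an added example rather than passacre's own parser: a small Python recursive-descent reader that accepts unquoted strings, a brace-less top-level object, and % for null. The name parse_json_mini, the handling of bare numbers and true/false/null, and the error behaviour are assumptions, since the page documents only the three differences from JSON.

```python
import json
import re

# Illustrative parser, not passacre's own; undocumented details are assumed.
_TOKEN = re.compile(r'\s*(?:([{}\[\]:,%])|("(?:[^"\\]|\\.)*")|([A-Za-z0-9_.+-]+))')
_ATOM = re.compile(r'%|true|false|null|-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?')
_BARE = re.compile(r'[A-Za-z0-9_-]+')  # the documented unquoted-string alphabet

def _tokens(text):
    found = list(_TOKEN.finditer(text.rstrip()))
    if sum(len(m.group()) for m in found) != len(text.rstrip()):
        raise ValueError("invalid character or unterminated string")
    return [m.group(m.lastindex) for m in found]

def _scalar(tok, as_key=False):
    if tok.startswith('"') or (not as_key and _ATOM.fullmatch(tok)):
        return None if tok == "%" else json.loads(tok)
    if _BARE.fullmatch(tok):
        return tok  # unquoted string
    raise ValueError("unexpected token %r" % tok)

def _items(toks, closer, item):
    out = []
    while toks and toks[0] != closer:
        out.append(item(toks))
        if toks and toks[0] != closer and toks.pop(0) != ",":
            raise ValueError("expected ',' between items")
    if closer and (not toks or toks.pop(0) != closer):
        raise ValueError("missing %r" % closer)
    return out

def _pair(toks):
    key = _scalar(toks.pop(0), as_key=True)  # keys are always strings
    if not toks or toks.pop(0) != ":":
        raise ValueError("expected ':' after key %r" % key)
    return key, _value(toks)

def _value(toks):
    tok = toks.pop(0) if toks else ""
    if tok == "{":
        return dict(_items(toks, "}", _pair))
    return _items(toks, "]", _value) if tok == "[" else _scalar(tok)

def parse_json_mini(text):
    toks = _tokens(text)
    bare = len(toks) > 1 and toks[1] == ":"  # top-level braces are optional
    value = dict(_items(toks, None, _pair)) if bare else _value(toks)
    if toks:
        raise ValueError("trailing input %r" % toks[0])
    return value
```

Because only the top level may omit braces, an input such as a: b: c raises ValueError here instead of being read as a nested object.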