Marco Ricci committed on 2024-10-18 13:26:04
Showing 1 changed file with 50 additions and 6 deletions.
Includes the "master password" or "spectre" derivation scheme and some tool functionality I've originally implemented as wrapper scripts around `vault` (load SSH key, decrypt notes, generate TOTPs from config in notes, and auto-run/wait for runit services). Also includes the two how-tos (supported/unsupported special characters, passphrase rotation) from the basic setup (passphrase) tutorial, FAQs for the misnamed `--repeat` option and the SSH agent on Windows, and new helper subcommands for making the previous two how-tos less painful. On that note, this TODO list no longer deals solely with future documentation, and so needs to be retitled and to recategorize its contents.
                      @@ -1,26 +1,70 @@  | 
                  
| 1 | 
                        -# Some ideas for documentation that might be missing, or nice to have  | 
                    |
| 1 | 
                        +# Some ideas for future work  | 
                    |
| 2 | 
                        +  | 
                    |
| 3 | 
                        +## Subcommands  | 
                    |
| 4 | 
                        +  | 
                    |
| 5 | 
                        +(In no particular order.)  | 
                    |
| 6 | 
                        +  | 
                    |
| 7 | 
                        +### Derivation schemes  | 
                    |
| 8 | 
                        +  | 
                    |
| 9 | 
                        +* `spectre` (`master-password`): derive passphrases according to the "Master Password" scheme as used by the Spectre app. ([#2])  | 
                    |
| 10 | 
                        +  | 
                    |
| 11 | 
                        +### Other functionality  | 
                    |
| 12 | 
                        +  | 
                    |
| 13 | 
                        +* `explore-permitted-special-characters`: generate new configurations starting from a base configuration until one of them passes the "special characters" constraints.  | 
                    |
| 14 | 
                        +* `rotate`: generate a new configuration suitable for passphrase rotation, compatible with the base configuration's constraints.  | 
                    |
| 15 | 
                        +* `service-plugins`: manage plugins that automate certain tasks, as outlined in the notes of the queried service.  | 
                    |
| 16 | 
                        +  | 
                    |
| 17 | 
                        + * `load-ssh-key`: if the service uses an SSH key, autoload the key from a well-known location into the SSH agent if it isn't already loaded.  | 
                    |
| 18 | 
                        +  | 
                    |
| 19 | 
                        + `vault`-specific.  | 
                    |
| 20 | 
                        +  | 
                    |
| 21 | 
                        + * `decrypt-notes`: decrypt OpenPGP-encrypted notes with GnuPG or Sequoia `sq`.  | 
                    |
| 22 | 
                        +  | 
                    |
| 23 | 
                        + Open questions:  | 
                    |
| 24 | 
                        +  | 
                    |
| 25 | 
                        + - Use an automatic, symmetric encryption key, or rely on the standard OpenPGP key store? (Do *not* use the derived service passphrase for this: the quality may be arbitrarily bad due to the passphrase constaints, and the service itself could compromise that passphrase.)  | 
                    |
| 26 | 
                        +  | 
                    |
| 27 | 
                        + * `generate-otp`: if the service uses two-factor authentication and the configuration contains one-time password settings, call `oathtool` to obtain one or more OTPs.  | 
                    |
| 28 | 
                        +  | 
                    |
| 29 | 
                        + May require the `decrypt-notes` plugin first.  | 
                    |
| 30 | 
                        +  | 
                    |
| 31 | 
                        + * `manage-runit-services`: if the service contains `runit` service configuration, ensure the specified `runit` services are running concurrently, and stopped after signalling.  | 
                    |
| 32 | 
                        +  | 
                    |
| 33 | 
                        + Typical use case is a service only accessible via VPN or SSH proxy, where the VPN/proxy would run as a `runit` service.  | 
                    |
| 34 | 
                        +  | 
                    |
| 35 | 
                        + Open questions:  | 
                    |
| 36 | 
                        +  | 
                    |
| 37 | 
                        + - Interface with `inotifywait` to wait for SSH control socket?  | 
                    |
| 38 | 
                        +  | 
                    |
| 39 | 
                        +[#2]: https://github.com/the-13th-letter/derivepassphrase/issues/2  | 
                    |
| 40 | 
                        +  | 
                    |
| 41 | 
                        +## Documentation  | 
                    |
| 2 | 42 | 
                         | 
                    
| 3 | 43 | 
                        (Categorized as per [the diataxis framework][DIATAXIS], but otherwise in no particular order.)  | 
                    
| 4 | 44 | 
                         | 
                    
| 5 | 45 | 
                         | 
                    
| 6 | 46 | 
                        [DIATAXIS]: https://diataxis.fr  | 
                    
| 7 | 47 | 
                         | 
                    
| 8 | 
                        -## Tutorials  | 
                    |
| 48 | 
                        +### Tutorials  | 
                    |
| 9 | 49 | 
                         | 
                    
| 10 | 50 | 
                        * [Setting up `derivepassphrase` from scratch for three existing accounts, with a master passphrase](tutorials/basic-setup-password.md)  | 
                    
| 11 | 51 | 
                        * Setting up `derivepassphrase` from scratch for three existing accounts, with a new SSH key  | 
                    
| 12 | 52 | 
                         | 
                    
| 13 | 
                        -## How-tos  | 
                    |
| 53 | 
                        +### How-tos  | 
                    |
| 14 | 54 | 
                         | 
                    
| 15 | 55 | 
                        * How to set up `derivepassphrase` with an SSH key  | 
                    
| 16 | 56 | 
                        * How to choose a good service name  | 
                    
| 17 | 57 | 
                        * How to edit a saved `derivepassphrase vault` configuration correctly  | 
                    
| 58 | 
                        +* How to deal with "supported" and "unsupported" special characters  | 
                    |
| 59 | 
                        +* How to deal with regular passphrase rotation/rollover  | 
                    |
| 18 | 60 | 
                         | 
                    
| 19 | 
                        -## Reference  | 
                    |
| 61 | 
                        +### Reference  | 
                    |
| 20 | 62 | 
                         | 
                    
| 21 | 
                        -* `derivepassphrase-vault.conf`(<b>5</b>)  | 
                    |
| 63 | 
                        +* `derivepassphrase-vault.json`(<b>5</b>)  | 
                    |
| 22 | 64 | 
                         | 
                    
| 23 | 
                        -## Explanation  | 
                    |
| 65 | 
                        +### Explanation  | 
                    |
| 24 | 66 | 
                         | 
                    
| 25 | 67 | 
                        * Security aspects and other tradeoffs when using deterministic password generators  | 
                    
| 26 | 68 | 
                        * Tradeoffs between a master passphrase and a master SSH key  | 
                    
| 69 | 
                        +* Why is `vault`'s `--repeat` option named this way if it counts occurrences, not repetitions?  | 
                    |
| 70 | 
                        +* Why are master SSH keys not supported under Windows?  | 
                    |
| 27 | 71 |
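Review bot: the nested bullets under `service-plugins` (`load-ssh-key`, `decrypt-notes`, `generate-otp`, `manage-runit-services`), their explanatory lines (` `vault`-specific.`, ` May require the `decrypt-notes` plugin first.`, ` Typical use case is ...`) and the two `Open questions:` sub-lists are indented by a single space, which Markdown does not treat as nesting; they will render as top-level list items and paragraphs instead of as children of the `service-plugins` item. Indent the `*` items by four spaces and the `-` items under `Open questions:` by eight so the hierarchy renders as intended. Two smaller points in the same block: "constaints" in the `decrypt-notes` open question should read "constraints", and since that question only rules out the derived service passphrase as an encryption key (for the two good reasons given), it would be worth recording next to it where an "automatic, symmetric encryption key" would itself be stored and protected, as that is the deciding factor between the two options.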