Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Is lastpass-cli secure/safe?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Budoka
l33t
l33t


Joined: 03 Jun 2012
Posts: 667
Location: Tokyo, Japan

PostPosted: Thu Oct 13, 2016 3:34 am    Post subject: Is lastpass-cli secure/safe? Reply with quote

I just saw that a cli interface to Lastpass was added to portage.

I've installed it but noticed that use is
Code:
-libressl


Code:
# eix lastpass-cli
[I] app-admin/lastpass-cli
     Available versions:  1.0.0 {X libressl +pinentry}
     Installed versions:  1.0.0(10:51:59 AM 10/13/2016)(X pinentry -libressl)
     Homepage:            https://github.com/lastpass/lastpass-cli
     Description:         Interfaces with LastPass.com from the command line.


I am a big fan of CLI tools when available but for obvious reasons have some general security concerns/questions about using this.

I am not sure why it pulled in as -libressl as I don't have that flag set globally or specifically when I emerged it. When I specify that the package can have the use libressl in package.use it is not being picked up even after re-emerging with new use flag.

Of course with a tool like this, I want it to talk to Lastpass over an encrypted channel and I am assuming that I want communication to go over libressl right? Or does the package use the existing OpenSSL on my system?

Also any general feedback on the security of this tool? I would hate to expose myself to a potential security problem. As it is LastPass only has one point of failure in it and that is all it would take.

I wasn't sure whether this should go in the portage subforum or security. If the Admins think it she be moved please do so.

Thanks.
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7051
Location: almost Mile High in the USA

PostPosted: Thu Oct 13, 2016 6:21 am    Post subject: Reply with quote

Yes if you do not have USE=libressl explicitly, it will default to using openssl, which you likely have installed already.

However after a quick look at the ebuilds it looks like that it is possible to build lastpass-cli wrong. I'm not sure what the behavior of lastpass-cli is if you somehow have both libressl and openssl installed (however, it does look like Portage will prevent LibreSSL from installing if you already have OpenSSL installed). You could try forcing a rebuild instead of a conditional rebuild as since the SSLs are a runtime dependency (currently) it shouldn't force a rebuild...

IMHO without reading lastpass-cli code, it should be a regular dependency, not just runtime, but that's not up to me to decide (package maintainer decision.) Don't know - I'm using OpenSSL at the moment.

If you don't care which ssl is used as long as one is, you're good to go - it will use one of them and can't be disabled.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 13509

PostPosted: Fri Oct 14, 2016 2:07 am    Post subject: Reply with quote

As I read the ebuild, everything in $RDEPEND is included in $DEPEND, so it does have both a runtime and a build-time dependency on whichever TLS implementation the user picked.
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7051
Location: almost Mile High in the USA

PostPosted: Fri Oct 14, 2016 6:21 am    Post subject: Reply with quote

Ah... missed that clause, looks good then.

Still not sure why setting USE=libressl and emerge --newuse just ignored the new USE for lastpass-cli ... though I'd expect it to bomb horribly (will we expect someday that there will be a virtual/libssl that depends on libressl or openssl so people can bomb their system at will because of how much libressl stripped out?)
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
Budoka
l33t
l33t


Joined: 03 Jun 2012
Posts: 667
Location: Tokyo, Japan

PostPosted: Fri Oct 14, 2016 12:41 pm    Post subject: Reply with quote

Thank you for the explanations everyone. I think I understand but just to be clear I can use it as it is without explicitly indicating anything right? It will pick up my OpenSSl config and use that?
Back to top
View user's profile Send private message
Budoka
l33t
l33t


Joined: 03 Jun 2012
Posts: 667
Location: Tokyo, Japan

PostPosted: Fri Oct 14, 2016 12:42 pm    Post subject: Reply with quote

eccerr0r wrote:
Ah... missed that clause, looks good then.

Still not sure why setting USE=libressl and emerge --newuse just ignored the new USE for lastpass-cli ... though I'd expect it to bomb horribly (will we expect someday that there will be a virtual/libssl that depends on libressl or openssl so people can bomb their system at will because of how much libressl stripped out?)


This is what confused/concerned me as well.
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7051
Location: almost Mile High in the USA

PostPosted: Fri Oct 14, 2016 1:26 pm    Post subject: Reply with quote

Seems like portage is completely throwing away USE=libressl -- and I think I know why now.
USE=libressl is in the use.stable.mask for the base configuration because libressl itself is unstable. You'll have to explicitly unmask this use flag to use it...

So you're good to go, it will be using openssl without the libressl flag.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
Budoka
l33t
l33t


Joined: 03 Jun 2012
Posts: 667
Location: Tokyo, Japan

PostPosted: Fri Oct 14, 2016 1:59 pm    Post subject: Reply with quote

eccerr0r wrote:
Seems like portage is completely throwing away USE=libressl -- and I think I know why now.
USE=libressl is in the use.stable.mask for the base configuration because libressl itself is unstable. You'll have to explicitly unmask this use flag to use it...

So you're good to go, it will be using openssl without the libressl flag.


Thanks. And thanks for the detailed explanation as well. I like to try to "understand" as much as I can when dealing with this stuff.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum