Budoka (l33t)
Joined: 03 Jun 2012, Posts: 777, Location: Tokyo, Japan
Posted: Thu Oct 13, 2016 3:34 am, Post subject: Is lastpass-cli secure/safe?
I just saw that a CLI interface to Lastpass was added to portage.
I've installed it but noticed that the USE flags are:
Code:
# eix lastpass-cli
[I] app-admin/lastpass-cli
     Available versions:  1.0.0 {X libressl +pinentry}
     Installed versions:  1.0.0(10:51:59 AM 10/13/2016)(X pinentry -libressl)
     Homepage:            https://github.com/lastpass/lastpass-cli
     Description:         Interfaces with LastPass.com from the command line.
I am a big fan of CLI tools when available, but for obvious reasons I have some general security concerns/questions about using this.
I am not sure why it pulled in as -libressl, as I don't have that flag set globally or specifically when I emerged it. When I specify the libressl USE flag for the package in package.use, it is not picked up even after re-emerging with the new USE flag.
Of course with a tool like this, I want it to talk to Lastpass over an encrypted channel, and I am assuming that I want communication to go over libressl, right? Or does the package use the existing OpenSSL on my system?
Also, any general feedback on the security of this tool? I would hate to expose myself to a potential security problem. As it is, LastPass only has one point of failure in it, and that is all it would take.
I wasn't sure whether this should go in the portage subforum or security. If the Admins think it should be moved, please do so.
Thanks.
eccerr0r (Watchman)
Joined: 01 Jul 2004, Posts: 9679, Location: almost Mile High in the USA
Posted: Thu Oct 13, 2016 6:21 am
Yes, if you do not have USE=libressl explicitly, it will default to using openssl, which you likely have installed already.
However, after a quick look at the ebuilds it looks like it is possible to build lastpass-cli wrong. I'm not sure what the behavior of lastpass-cli is if you somehow have both libressl and openssl installed (however, it does look like Portage will prevent LibreSSL from installing if you already have OpenSSL installed). You could try forcing a rebuild instead of a conditional rebuild, since the SSLs are a runtime dependency (currently) and it shouldn't force a rebuild...
IMHO, without reading lastpass-cli code, it should be a regular dependency, not just runtime, but that's not up to me to decide (package maintainer decision). Don't know - I'm using OpenSSL at the moment.
If you don't care which ssl is used as long as one is, you're good to go - it will use one of them and can't be disabled.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
Hu (Moderator)
Joined: 06 Mar 2007, Posts: 21624
Posted: Fri Oct 14, 2016 2:07 am
As I read the ebuild, everything in $RDEPEND is included in $DEPEND, so it does have both a runtime and a build-time dependency on whichever TLS implementation the user picked.
eccerr0r (Watchman)
Joined: 01 Jul 2004, Posts: 9679, Location: almost Mile High in the USA
Posted: Fri Oct 14, 2016 6:21 am
Ah... missed that clause, looks good then.
Still not sure why setting USE=libressl and emerge --newuse just ignored the new USE for lastpass-cli ... though I'd expect it to bomb horribly (will we expect someday that there will be a virtual/libssl that depends on libressl or openssl so people can bomb their system at will because of how much libressl stripped out?)
Budoka (l33t)
Joined: 03 Jun 2012, Posts: 777, Location: Tokyo, Japan
Posted: Fri Oct 14, 2016 12:41 pm
Thank you for the explanations, everyone. I think I understand, but just to be clear: I can use it as it is without explicitly indicating anything, right? It will pick up my OpenSSL config and use that?
Budoka (l33t)
Joined: 03 Jun 2012, Posts: 777, Location: Tokyo, Japan
Posted: Fri Oct 14, 2016 12:42 pm
eccerr0r wrote:
> Ah... missed that clause, looks good then.
> Still not sure why setting USE=libressl and emerge --newuse just ignored the new USE for lastpass-cli ... though I'd expect it to bomb horribly (will we expect someday that there will be a virtual/libssl that depends on libressl or openssl so people can bomb their system at will because of how much libressl stripped out?)

This is what confused/concerned me as well.
eccerr0r (Watchman)
Joined: 01 Jul 2004, Posts: 9679, Location: almost Mile High in the USA
Posted: Fri Oct 14, 2016 1:26 pm
Seems like portage is completely throwing away USE=libressl -- and I think I know why now.
USE=libressl is in the use.stable.mask for the base configuration because libressl itself is unstable. You'll have to explicitly unmask this use flag to use it...
So you're good to go, it will be using openssl without the libressl flag.
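A way to verify the two things discussed in this thread on your own box: which USE flags the installed lastpass-cli build actually got (from the eix "Installed versions" line), and whether a flag such as libressl is stable-masked by the profile, which is why USE=libressl was silently ignored. This is an added example, not code from the thread or from the lastpass-cli project; the eix output is a constructed sample in the shape quoted above, and the profiles directory path is an assumption you pass in.

```shell
#!/bin/sh
# Added example (not from the thread or the lastpass-cli project).

# Constructed sample, in the shape of the eix output quoted in the first post.
EIX_SAMPLE='[I] app-admin/lastpass-cli
     Available versions:  1.0.0 {X libressl +pinentry}
     Installed versions:  1.0.0(10:51:59 AM 10/13/2016)(X pinentry -libressl)
     Homepage:            https://github.com/lastpass/lastpass-cli
     Description:         Interfaces with LastPass.com from the command line.'

# Print the USE flags of the installed version, one per line: "+flag" for
# enabled, "-flag" for disabled.  $1 = eix output for a single package.
# The flags live in the last parenthesised group of the "Installed versions" line.
installed_use() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Installed versions:[[:space:]]*//p' |
        sed 's/.*(\([^()]*\))[[:space:]]*$/\1/' |
        tr ' ' '\n' |
        sed '/^$/d; /^[-+]/!s/^/+/'
}

# Exit 0 if flag $2 was enabled in the installed build described by $1.
flag_enabled() {
    installed_use "$1" | grep -qxF "+$2"
}

# Exit 0 if flag $1 is listed in any use.stable.mask below profiles dir $2
# (on a real system: /var/db/repos/gentoo/profiles or /usr/portage/profiles).
# A stable-masked flag is ignored on stable keywords unless it is unmasked
# again, e.g. with a "-libressl" line in /etc/portage/profile/use.stable.mask.
stable_masked() {
    find "$2" -name use.stable.mask -type f -exec cat {} + 2>/dev/null |
        grep -qxF "$1"
}

# Stand-alone run on the constructed sample.
installed_use "$EIX_SAMPLE"
if flag_enabled "$EIX_SAMPLE" libressl; then
    echo "lastpass-cli was built with USE=libressl"
else
    echo "lastpass-cli was built without libressl, so it links against OpenSSL"
fi
```

On a real system, feed `eix app-admin/lastpass-cli` to installed_use and your repository's profiles directory to stable_masked.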
Budoka (l33t)
Joined: 03 Jun 2012, Posts: 777, Location: Tokyo, Japan
Posted: Fri Oct 14, 2016 1:59 pm
eccerr0r wrote:
> Seems like portage is completely throwing away USE=libressl -- and I think I know why now.
> USE=libressl is in the use.stable.mask for the base configuration because libressl itself is unstable. You'll have to explicitly unmask this use flag to use it...
> So you're good to go, it will be using openssl without the libressl flag.

Thanks. And thanks for the detailed explanation as well. I like to try to "understand" as much as I can when dealing with this stuff.