passwd-sso-cli 0.4.3

package/dist/lib/ssh-agent-socket.js

@@ -0,0 +1,187 @@
+/**
+ * SSH agent Unix domain socket server.
+ *
+ * Creates a Unix socket that implements the SSH agent protocol,
+ * serving keys from the passwd-sso vault.
+ */
+import { createServer } from "node:net";
+import { mkdirSync, lstatSync, chmodSync, unlinkSync } from "node:fs";
+import { join } from "node:path";
+import { readUint32, readString, SSH2_AGENTC_REQUEST_IDENTITIES, SSH2_AGENTC_SIGN_REQUEST, buildFailure, buildIdentitiesAnswer, buildSignResponse, } from "./ssh-agent-protocol.js";
+import { getLoadedKeys, findKeyByBlob, signData } from "./ssh-key-agent.js";
+let server = null;
+let socketPath = null;
+/**
+ * Get the socket directory path.
+ * Prefers $XDG_RUNTIME_DIR/passwd-sso/, falls back to /tmp/passwd-sso-<uid>/
+ */
+function getSocketDir() {
+    const xdg = process.env.XDG_RUNTIME_DIR;
+    if (xdg)
+        return join(xdg, "passwd-sso");
+    const uid = process.getuid?.();
+    if (uid === undefined) {
+        throw new Error("Cannot determine user ID for socket directory");
+    }
+    return join("/tmp", `passwd-sso-${uid}`);
+}
+/**
+ * Create the socket directory with proper permissions.
+ * Validates ownership and mode to prevent symlink attacks.
+ */
+function ensureSocketDir(dir) {
+    mkdirSync(dir, { recursive: true, mode: 0o700 });
+    // Verify ownership and permissions (TOCTOU mitigation — lstatSync to avoid following symlinks)
+    const stat = lstatSync(dir);
+    if (!stat.isDirectory()) {
+        throw new Error(`Socket path ${dir} is not a directory (possible symlink attack)`);
+    }
+    const uid = process.getuid?.();
+    if (uid !== undefined && stat.uid !== uid) {
+        throw new Error(`Socket directory ${dir} is owned by uid ${stat.uid}, expected ${uid}`);
+    }
+    const mode = stat.mode & 0o7777;
+    if (mode !== 0o700) {
+        throw new Error(`Socket directory ${dir} has mode ${mode.toString(8)}, expected 700`);
+    }
+}
+/**
+ * Handle a single SSH agent protocol message.
+ */
+function handleMessage(msgBuf) {
+    if (msgBuf.length < 1)
+        return buildFailure();
+    const msgType = msgBuf[0];
+    switch (msgType) {
+        case SSH2_AGENTC_REQUEST_IDENTITIES: {
+            const keys = getLoadedKeys();
+            return buildIdentitiesAnswer(keys.map((k) => ({
+                publicKeyBlob: k.publicKeyBlob,
+                comment: k.comment,
+            })));
+        }
+        case SSH2_AGENTC_SIGN_REQUEST: {
+            try {
+                let offset = 1;
+                // Read key blob
+                const { data: keyBlob, nextOffset: afterKey } = readString(msgBuf, offset);
+                offset = afterKey;
+                // Read data to sign
+                const { data, nextOffset: afterData } = readString(msgBuf, offset);
+                offset = afterData;
+                // Read flags
+                const flags = offset + 4 <= msgBuf.length
+                    ? readUint32(msgBuf, offset)
+                    : 0;
+                // Find the key
+                const key = findKeyByBlob(keyBlob);
+                if (!key)
+                    return buildFailure();
+                // Perform signing
+                const signature = signData(key, data, flags);
+                return buildSignResponse(signature);
+            }
+            catch {
+                return buildFailure();
+            }
+        }
+        default:
+            return buildFailure();
+    }
+}
+/**
+ * Handle data from a connected client.
+ * SSH agent protocol uses length-prefixed messages.
+ */
+function handleConnection(socket) {
+    let buffer = Buffer.alloc(0);
+    socket.on("data", (chunk) => {
+        buffer = Buffer.concat([buffer, chunk]);
+        // Process complete messages
+        while (buffer.length >= 4) {
+            const msgLen = readUint32(buffer, 0);
+            // Reject absurdly large messages (DoS protection)
+            if (msgLen > 256 * 1024) {
+                socket.destroy();
+                return;
+            }
+            if (buffer.length < 4 + msgLen)
+                break; // Need more data
+            const msgBuf = buffer.subarray(4, 4 + msgLen);
+            buffer = buffer.subarray(4 + msgLen);
+            const response = handleMessage(msgBuf);
+            socket.write(response);
+        }
+    });
+    socket.on("error", () => {
+        // Silently handle client disconnects
+    });
+}
+/**
+ * Start the SSH agent socket server.
+ *
+ * @returns The socket path for SSH_AUTH_SOCK
+ */
+export function startAgent() {
+    if (process.platform === "win32") {
+        throw new Error("SSH agent is not supported on Windows. Unix domain sockets are required.");
+    }
+    if (server) {
+        throw new Error("SSH agent is already running");
+    }
+    const dir = getSocketDir();
+    ensureSocketDir(dir);
+    const path = join(dir, `agent.${process.pid}.sock`);
+    // Clean up stale socket file
+    try {
+        unlinkSync(path);
+    }
+    catch {
+        // File doesn't exist, that's fine
+    }
+    server = createServer(handleConnection);
+    server.listen(path, () => {
+        // Set socket file permissions to owner-only
+        chmodSync(path, 0o600);
+    });
+    socketPath = path;
+    // Clean up on process exit
+    const cleanup = () => {
+        stopAgent();
+    };
+    process.on("exit", cleanup);
+    process.on("SIGINT", () => {
+        cleanup();
+        process.exit(0);
+    });
+    process.on("SIGTERM", () => {
+        cleanup();
+        process.exit(0);
+    });
+    return path;
+}
+/**
+ * Stop the SSH agent socket server.
+ */
+export function stopAgent() {
+    if (server) {
+        server.close();
+        server = null;
+    }
+    if (socketPath) {
+        try {
+            unlinkSync(socketPath);
+        }
+        catch {
+            // Already cleaned up
+        }
+        socketPath = null;
+    }
+}
+/**
+ * Get the current socket path, or null if not running.
+ */
+export function getSocketPath() {
+    return socketPath;
+}
+//# sourceMappingURL=ssh-agent-socket.js.map

package/dist/lib/ssh-key-agent.d.ts

@@ -0,0 +1,54 @@
+/**
+ * SSH key agent — PEM parsing + signing using Node.js crypto.
+ *
+ * Manages loaded SSH keys and performs signing operations for the
+ * SSH agent protocol.
+ */
+import type { KeyObject } from "node:crypto";
+export interface LoadedSshKey {
+    /** Entry ID from the vault */
+    entryId: string;
+    /** PEM-encoded private key */
+    pem: string;
+    /** Optional passphrase for encrypted keys */
+    passphrase?: string;
+    /** SSH public key blob (for identity listing) */
+    publicKeyBlob: Buffer;
+    /** Key comment (usually user@host) */
+    comment: string;
+    /** Node.js KeyObject (parsed from PEM) */
+    keyObject: KeyObject;
+    /** Key type identifier */
+    keyType: "ed25519" | "rsa" | "ecdsa-sha2-nistp256" | "ecdsa-sha2-nistp384" | "ecdsa-sha2-nistp521";
+}
+/**
+ * Load a PEM private key into memory.
+ *
+ * @returns The public key blob for identity listing
+ */
+export declare function loadKey(entryId: string, pem: string, publicKeyBlob: Buffer, comment: string, passphrase?: string): Promise<LoadedSshKey>;
+/**
+ * Get all loaded keys for identity listing.
+ */
+export declare function getLoadedKeys(): LoadedSshKey[];
+/**
+ * Find a loaded key by its public key blob.
+ */
+export declare function findKeyByBlob(publicKeyBlob: Buffer): LoadedSshKey | undefined;
+/**
+ * Clear all loaded keys and release references.
+ *
+ * Note: JavaScript strings are immutable — we cannot zero key.pem in-place.
+ * We clear object references so GC can collect them sooner, but the original
+ * string data may persist in V8 heap until garbage collected.
+ */
+export declare function clearKeys(): void;
+/**
+ * Sign data with a loaded key using the SSH agent protocol conventions.
+ *
+ * @param key The loaded key to sign with
+ * @param data The data to sign
+ * @param flags SSH agent flags (for RSA algorithm selection)
+ * @returns The SSH-formatted signature blob
+ */
+export declare function signData(key: LoadedSshKey, data: Buffer, flags: number): Buffer;

package/dist/lib/ssh-key-agent.js

@@ -0,0 +1,197 @@
+/**
+ * SSH key agent — PEM parsing + signing using Node.js crypto.
+ *
+ * Manages loaded SSH keys and performs signing operations for the
+ * SSH agent protocol.
+ */
+import { createPrivateKey, createSign, sign as cryptoSign } from "node:crypto";
+import { encodeString, SSH_AGENT_RSA_SHA2_256, SSH_AGENT_RSA_SHA2_512, } from "./ssh-agent-protocol.js";
+import { parseOpenSshPrivateKey } from "./openssh-key-parser.js";
+const loadedKeys = new Map();
+/**
+ * Load a PEM private key into memory.
+ *
+ * @returns The public key blob for identity listing
+ */
+export async function loadKey(entryId, pem, publicKeyBlob, comment, passphrase) {
+    let keyObject;
+    try {
+        keyObject = createPrivateKey({
+            key: pem,
+            ...(passphrase ? { passphrase } : {}),
+        });
+    }
+    catch {
+        // Fallback: manually parse OpenSSH format keys (handles encrypted keys)
+        keyObject = await parseOpenSshPrivateKey(pem, passphrase);
+    }
+    const keyType = detectKeyType(keyObject);
+    const loaded = {
+        entryId,
+        pem,
+        passphrase,
+        publicKeyBlob,
+        comment,
+        keyObject,
+        keyType,
+    };
+    loadedKeys.set(entryId, loaded);
+    return loaded;
+}
+/**
+ * Get all loaded keys for identity listing.
+ */
+export function getLoadedKeys() {
+    return Array.from(loadedKeys.values());
+}
+/**
+ * Find a loaded key by its public key blob.
+ */
+export function findKeyByBlob(publicKeyBlob) {
+    for (const key of loadedKeys.values()) {
+        if (key.publicKeyBlob.equals(publicKeyBlob)) {
+            return key;
+        }
+    }
+    return undefined;
+}
+/**
+ * Clear all loaded keys and release references.
+ *
+ * Note: JavaScript strings are immutable — we cannot zero key.pem in-place.
+ * We clear object references so GC can collect them sooner, but the original
+ * string data may persist in V8 heap until garbage collected.
+ */
+export function clearKeys() {
+    for (const key of loadedKeys.values()) {
+        // Drop references to sensitive data (JS strings are immutable, cannot zero)
+        key.keyObject = undefined;
+        key.pem = "";
+        key.passphrase = undefined;
+    }
+    loadedKeys.clear();
+}
+/**
+ * Sign data with a loaded key using the SSH agent protocol conventions.
+ *
+ * @param key The loaded key to sign with
+ * @param data The data to sign
+ * @param flags SSH agent flags (for RSA algorithm selection)
+ * @returns The SSH-formatted signature blob
+ */
+export function signData(key, data, flags) {
+    switch (key.keyType) {
+        case "ed25519": {
+            const sig = cryptoSign(null, data, key.keyObject);
+            return Buffer.concat([
+                encodeString("ssh-ed25519"),
+                encodeString(sig),
+            ]);
+        }
+        case "rsa": {
+            const algo = flags & SSH_AGENT_RSA_SHA2_512
+                ? "sha512"
+                : flags & SSH_AGENT_RSA_SHA2_256
+                    ? "sha256"
+                    : "sha256"; // Default to SHA-256 for modern SSH
+            const algoName = algo === "sha512"
+                ? "rsa-sha2-512"
+                : "rsa-sha2-256";
+            const signer = createSign(algo);
+            signer.update(data);
+            const sig = signer.sign(key.keyObject);
+            return Buffer.concat([
+                encodeString(algoName),
+                encodeString(sig),
+            ]);
+        }
+        case "ecdsa-sha2-nistp256":
+        case "ecdsa-sha2-nistp384":
+        case "ecdsa-sha2-nistp521": {
+            const hashMap = {
+                "ecdsa-sha2-nistp256": "sha256",
+                "ecdsa-sha2-nistp384": "sha384",
+                "ecdsa-sha2-nistp521": "sha512",
+            };
+            const hash = hashMap[key.keyType];
+            const signer = createSign(hash);
+            signer.update(data);
+            // ECDSA sign returns DER-encoded signature by default
+            const derSig = signer.sign(key.keyObject);
+            const sshSig = derToSshEcdsa(derSig);
+            return Buffer.concat([
+                encodeString(key.keyType),
+                encodeString(sshSig),
+            ]);
+        }
+        default:
+            throw new Error(`Unsupported key type: ${key.keyType}`);
+    }
+}
+/**
+ * Detect the SSH key type from a Node.js KeyObject.
+ */
+function detectKeyType(keyObject) {
+    const info = keyObject.asymmetricKeyType;
+    if (info === "ed25519")
+        return "ed25519";
+    if (info === "rsa")
+        return "rsa";
+    if (info === "ec") {
+        // Determine curve from key details
+        const details = keyObject.asymmetricKeyDetails;
+        switch (details?.namedCurve) {
+            case "prime256v1":
+            case "P-256":
+                return "ecdsa-sha2-nistp256";
+            case "secp384r1":
+            case "P-384":
+                return "ecdsa-sha2-nistp384";
+            case "secp521r1":
+            case "P-521":
+                return "ecdsa-sha2-nistp521";
+            default:
+                throw new Error(`Unsupported EC curve: ${details?.namedCurve}`);
+        }
+    }
+    throw new Error(`Unsupported key type: ${info}`);
+}
+/**
+ * Convert DER-encoded ECDSA signature to SSH mpint format.
+ * DER: SEQUENCE { INTEGER r, INTEGER s }
+ * SSH: string(r) || string(s)
+ */
+function derToSshEcdsa(derSig) {
+    // Parse DER SEQUENCE
+    let offset = 0;
+    if (derSig[offset++] !== 0x30)
+        throw new Error("Invalid DER sequence");
+    // Skip length byte(s)
+    const seqLen = derSig[offset++];
+    if (seqLen & 0x80) {
+        const lenBytes = seqLen & 0x7f;
+        offset += lenBytes;
+    }
+    // Read r INTEGER
+    if (derSig[offset++] !== 0x02)
+        throw new Error("Expected INTEGER for r");
+    const rLen = derSig[offset++];
+    let r = derSig.subarray(offset, offset + rLen);
+    offset += rLen;
+    // Read s INTEGER
+    if (derSig[offset++] !== 0x02)
+        throw new Error("Expected INTEGER for s");
+    const sLen = derSig[offset++];
+    let s = derSig.subarray(offset, offset + sLen);
+    // Strip leading zero bytes (DER uses them for positive sign)
+    while (r.length > 1 && r[0] === 0)
+        r = r.subarray(1);
+    while (s.length > 1 && s[0] === 0)
+        s = s.subarray(1);
+    return Buffer.concat([encodeString(r), encodeString(s)]);
+}
+// Cleanup on process exit
+process.on("exit", () => {
+    clearKeys();
+});
+//# sourceMappingURL=ssh-key-agent.js.map

package/dist/lib/totp.d.ts

@@ -0,0 +1,10 @@
+/**
+ * TOTP code generation — ported from extension/src/lib/totp.ts.
+ */
+export interface TOTPParams {
+    secret: string;
+    algorithm?: string;
+    digits?: number;
+    period?: number;
+}
+export declare function generateTOTPCode(params: TOTPParams): string;

package/dist/lib/totp.js

@@ -0,0 +1,31 @@
+/**
+ * TOTP code generation — ported from extension/src/lib/totp.ts.
+ */
+import { TOTP, Secret } from "otpauth";
+const ALLOWED_ALGORITHMS = ["SHA1", "SHA256", "SHA512"];
+function validateParams(params) {
+    const algo = (params.algorithm ?? "SHA1").toUpperCase();
+    if (!ALLOWED_ALGORITHMS.includes(algo)) {
+        throw new Error("INVALID_TOTP");
+    }
+    const digits = params.digits ?? 6;
+    if (!Number.isInteger(digits) || digits < 6 || digits > 8) {
+        throw new Error("INVALID_TOTP");
+    }
+    const period = params.period ?? 30;
+    if (!Number.isInteger(period) || period < 15 || period > 60) {
+        throw new Error("INVALID_TOTP");
+    }
+}
+export function generateTOTPCode(params) {
+    validateParams(params);
+    const algorithm = (params.algorithm ?? "SHA1").toUpperCase();
+    const otp = new TOTP({
+        secret: Secret.fromBase32(params.secret),
+        algorithm,
+        digits: params.digits ?? 6,
+        period: params.period ?? 30,
+    });
+    return otp.generate();
+}
+//# sourceMappingURL=totp.js.map

package/dist/lib/vault-state.d.ts

@@ -0,0 +1,15 @@
+/**
+ * In-memory vault state.
+ *
+ * Holds the encryption key while the vault is unlocked.
+ * The key exists only in process memory — never persisted to disk.
+ */
+export declare function setEncryptionKey(key: CryptoKey, userId?: string): void;
+/** Store the raw secret key bytes for IPC transfer (--eval daemon fork). */
+export declare function setSecretKeyBytes(bytes: Uint8Array): void;
+/** Get raw secret key bytes for IPC transfer. Returns null if not stored. */
+export declare function getSecretKeyBytes(): Uint8Array | null;
+export declare function getUserId(): string | null;
+export declare function getEncryptionKey(): CryptoKey | null;
+export declare function isUnlocked(): boolean;
+export declare function lockVault(): void;

package/dist/lib/vault-state.js

@@ -0,0 +1,37 @@
+/**
+ * In-memory vault state.
+ *
+ * Holds the encryption key while the vault is unlocked.
+ * The key exists only in process memory — never persisted to disk.
+ */
+let encryptionKey = null;
+let vaultUserId = null;
+let secretKeyBytes = null;
+export function setEncryptionKey(key, userId) {
+    encryptionKey = key;
+    if (userId)
+        vaultUserId = userId;
+}
+/** Store the raw secret key bytes for IPC transfer (--eval daemon fork). */
+export function setSecretKeyBytes(bytes) {
+    secretKeyBytes = bytes;
+}
+/** Get raw secret key bytes for IPC transfer. Returns null if not stored. */
+export function getSecretKeyBytes() {
+    return secretKeyBytes;
+}
+export function getUserId() {
+    return vaultUserId;
+}
+export function getEncryptionKey() {
+    return encryptionKey;
+}
+export function isUnlocked() {
+    return encryptionKey !== null;
+}
+export function lockVault() {
+    encryptionKey = null;
+    vaultUserId = null;
+    secretKeyBytes = null;
+}
+//# sourceMappingURL=vault-state.js.map

package/package.json

@@ -0,0 +1,56 @@
+{
+  "name": "passwd-sso-cli",
+  "version": "0.4.3",
+  "description": "CLI for passwd-sso password manager",
+  "type": "module",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/ngc-shj/passwd-sso.git",
+    "directory": "cli"
+  },
+  "homepage": "https://github.com/ngc-shj/passwd-sso/tree/main/cli",
+  "keywords": [
+    "password-manager",
+    "cli",
+    "sso",
+    "vault",
+    "ssh-agent"
+  ],
+  "engines": {
+    "node": ">=20"
+  },
+  "bin": {
+    "passwd-sso": "./dist/index.js"
+  },
+  "files": [
+    "dist/**/*.js",
+    "dist/**/*.d.ts"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsx src/index.ts",
+    "prepublishOnly": "tsc",
+    "test": "vitest run",
+    "test:watch": "vitest"
+  },
+  "dependencies": {
+    "bcrypt-pbkdf": "^1.0.2",
+    "chalk": "^5.4.1",
+    "cli-table3": "^0.6.5",
+    "clipboardy": "^4.0.0",
+    "commander": "^13.1.0",
+    "inquirer": "^12.6.0",
+    "otpauth": "^9.4.0",
+    "zod": "^4.3.6"
+  },
+  "optionalDependencies": {
+    "keytar": "^7.9.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.15.3",
+    "tsx": "^4.19.4",
+    "typescript": "^5.9.0-beta",
+    "vitest": "^4.0.18"
+  }
+}