In the past year you have probably seen ads for password managers such as LastPass, 1Password or Dashlane. A password manager removes the burden of remembering a separate password for every website. You no longer need to reuse passwords or pick ones that are easy to remember; instead you remember a single master password that unlocks all the others.
This makes you more secure: one strong password instead of many weak ones. A cloud-based password manager (such as LastPass, 1Password or Dashlane) also syncs your passwords across devices. Unfortunately, none of these products is open source. Fortunately, there are open source alternatives.
Open source password manager
Alternatives include Bitwarden, LessPass and KeePass. Bitwarden is an open source password manager that stores all passwords encrypted on a server and works the same way as LastPass, 1Password or Dashlane. LessPass is a little different in that it is a stateless password manager: rather than storing encrypted passwords, it derives each password from the master password, the site name and the user name. KeePass, on the other hand, is a file-based password manager with a great deal of flexibility in plug-ins and client applications.
Each of the three has its own drawbacks. Bitwarden keeps everything in one place and exposes it to the web through its API and web interface. LessPass, being stateless, cannot store custom passwords, so you must use the ones it generates. KeePass is file-based and therefore cannot easily be synchronized between devices; you can work around this with cloud storage or WebDAV, but many clients do not support it, and you may run into file conflicts if devices are not synchronized properly.
This article focuses on Bitwarden.
Run an unofficial Bitwarden implementation
There is a community implementation of the Bitwarden server and its API called bitwarden_rs. It is fully open source, since it can use SQLite or MariaDB/MySQL instead of the proprietary Microsoft SQL Server that the official server requires.
Be aware that there are some differences between the official and the unofficial server. The official server has been audited by a third party; the unofficial one has not. On the implementation side, the unofficial server lacks e-mail confirmation and two-factor authentication via Duo or e-mail codes.
Let's run the server on a system with SELinux enabled (the Fedora default). Following the bitwarden_rs documentation, you can build a Podman command like this:
$ podman run -d \
--userns=keep-id \
--name bitwarden \
-e SIGNUPS_ALLOWED=false \
-e ROCKET_PORT=8080 \
-v /home/egustavs/Bitwarden/bw-data/:/data/:Z \
-p 8080:8080 \
bitwardenrs/server:latest
This downloads the bitwarden_rs image and runs it as a rootless container inside your user namespace; --userns=keep-id maps your host UID to the same UID inside the container, so the files it writes under bw-data/ stay owned by you. The container publishes a port above 1024 so that a non-root user can bind it. The :Z suffix relabels the volume with a private SELinux context so that the container can read and write /data. Note that SIGNUPS_ALLOWED=false disables open registration, so register your own account first (for example by creating the container once with SIGNUPS_ALLOWED=true, then removing and recreating it with the variable set to false); otherwise nobody will be able to sign up.
If you host it under a domain, put the server behind an Apache or Nginx reverse proxy. The proxy listens on ports 80 and 443 and forwards to the container's port 8080, so the container never needs to run as root. In that setup, publish the port on loopback only (-p 127.0.0.1:8080:8080 instead of -p 8080:8080) so that the container's unencrypted HTTP port is not reachable from the network.
Run under Systemd
Bitwarden is now running, and you will want to keep it that way. Create a unit file that keeps the container running, restarts it automatically if it exits, and starts it at boot. Create the file /etc/systemd/system/bitwarden.service:
[Unit]
Description=Bitwarden Podman container
Wants=syslog.service

[Service]
User=egustavs
Group=egustavs
TimeoutStartSec=0
# The container was already created by the "podman run --name bitwarden" command above,
# so start that existing container and stay attached so systemd can track it.
ExecStart=/usr/bin/podman start -a 'bitwarden'
ExecStop=-/usr/bin/podman stop -t 10 'bitwarden'
Restart=always
RestartSec=30s
KillMode=none

[Install]
WantedBy=multi-user.target
Now enable and start the service with sudo, then check its status:
$ sudo systemctl enable bitwarden.service && sudo systemctl start bitwarden.service
$ systemctl status bitwarden.service
● bitwarden.service - Bitwarden Podman container
   Loaded: loaded (/etc/systemd/system/bitwarden.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-07-09 20:23:16 UTC; 1 day 14h ago
 Main PID: 14861 (podman)
    Tasks: 44 (limit: 4696)
   Memory: 463.4M
Success! Bitwarden is up and running and will continue to be.
Add LetsEncrypt
If you have a domain name, it is strongly recommended to serve your Bitwarden instance over HTTPS with a certificate from a CA such as Let's Encrypt. Certbot is the tool that obtains and renews Let's Encrypt certificates, and there is a guide to setting it up on Fedora.
Once the certificate has been issued, follow the bitwarden_rs guide on HTTPS. Just remember to append :Z to the volume that mounts the Let's Encrypt certificates, so that SELinux lets the container read them, and leave the port unchanged.
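The reverse proxy recommended above and the HTTPS setup described in this section, as an added example that is not part of the original article or of the bitwarden_rs project: an Nginx server block that terminates TLS with the certbot-issued Let's Encrypt certificate and forwards plain HTTP to the rootless container on port 8080. The domain name vault.example.com, the certificate path under /etc/letsencrypt/live/, and the loopback-only port mapping of the container are assumptions.

```nginx
# Added example, not from the original article or from bitwarden_rs.
# Assumptions: the site is vault.example.com, certbot placed the certificate
# under /etc/letsencrypt/live/vault.example.com/, and the container was
# created with -p 127.0.0.1:8080:8080 so only this proxy can reach it.

server {
    listen 80;
    listen [::]:80;
    server_name vault.example.com;
    # Never serve the vault over plain HTTP; send every request to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name vault.example.com;

    ssl_certificate     /etc/letsencrypt/live/vault.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vault.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Tell browsers to use HTTPS only for this host for the next year.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Vault attachments can be larger than Nginx's default 1 MiB body limit.
    client_max_body_size 128M;

    location / {
        # The container listens on loopback only (ROCKET_PORT=8080).
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Lets the application know the client connection was HTTPS.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

On Fedora, SELinux blocks Nginx from opening outbound network connections by default, so allow the proxy with sudo setsebool -P httpd_can_network_connect 1, then validate the file with sudo nginx -t and reload Nginx. With TLS terminated at the proxy, the container itself keeps speaking plain HTTP on 127.0.0.1:8080; the :Z certificate mount from the bitwarden_rs HTTPS guide is only needed if you let the container terminate TLS itself instead.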
Photo by CMDR Shane, published on Unsplash.
Via: fedoramagazine.org/manage-your…
By Eric Gustavsson (topic selection: lujun9972)
This article was translated by LCTT and published by Linux China.