FreeBSD Manual Pages
KC(1) BSD General Commands Manual KC(1) NAME kc -- console based username and password management application SYNOPSIS kc [-k database file] [-c keychain name/idx] [-C keychain name] [-r] [-p password file] [-P kdf] [-e cipher] [-m mode] [-b] [-B] [-v] [-h] DESCRIPTION The kc utility is a console based username and password management appli- cation using an encrypted XML document as its database. The database file is protected by a password that the user supplies during the creation of a new database. This password can be at most 256 characters long, and is converted to a key with a KDF (key derivation function). If the supplied password (either by user input or in a password file) is longer than the allowed maximum, kc silently discards the rest of it. A database file can contain multiple keychains, and keychains in turn can contain multiple keys (usernames if you like) and values (passwords if you like). After starting kc the help command shows the available commands, and us- age information for them. If you're in a hurry, for starters, you create a new entry with the new command, then entering only a number in the com- mand line will display the entry with the given index. You quit from the display with 'q' or EOT (usually CTRL+d). The CLI supports tab-completion for commands and keychains. There is a utility in the source package (it is also available from the project website) that converts an exported pwsafe database to a kc com- patible XML database, which can be imported using the importxml command. When saving the database (write command) kc will create a temporary file (under the same directory as the opened database file), and will first try to save the whole database to that temporary database file. When this succeeds, only then will kc replace the old database with the new one, so you will always have a usable and intact (but potentially older) version of your database file. NOTE: It is considered a good practice, to periodically manually backup the database file(s) you use with kc. This could just mean a simple: $ cp ~/.kc/default ~/.kc/default-bkp kc doesn't try excessively hard to recover from hard and/or non-recover- able errors (OS, memory, disk etc...), and in some cases this could mean that it will simply exit with an appropriate error message. No need to worry, but keep this in mind like you would with a common word processor or text editor and save (write) periodically, for example when you edit many keys at once. See also the CAVEATS section regarding this. NOTE: Currently there is no character set conversion taking place in the program. In this case this means you must be ready to display anything you type in. If somehow you still end up with texts you can not display properly, and for whatever reason you can not edit them in kc, you can "repair" such database by dumping its content to a kc XML file (see the dump command below), converting the plain text XML file to a working character set, then importing back that XML file (see the importxml command below). PARAMETERS -k file Use file as database. The default is ~/.kc/default.kcd. -c keychain Change to the specified keychain after opening the database. -C keychain Same as -c, but force keychain to be the keychain's name, instead of its index number. More on this is in the c and cc commands' de- scription. -r Open the database in read-only mode. kc will not try to lock the database file, and commands which could modify the database will not be available. -p file Read password from file. The last new line gets stripped. -P kdf KDF to use with the password. Valid parameters are: sha1 OpenSSL's PKCS5 PBKDF2 with SHA-1. kc uses 5000 rounds. sha512 OpenSSL's PKCS5 PBKDF2 with SHA-512. This is the default. kc uses 5000 rounds. bcrypt Bcrypt PBKDF based on Blowfish. kc uses 16 rounds, and this is slightly slower than the SHA-* variants. On Linux, a bun- dled bcrypt implementation from OpenBSD is used, and its ver- sion is the one that was available at the time of this kc re- lease. scrypt If compiled with libscrypt, kc can use the scrypt KDF. Note that this can be slow on older machines, but therein lies the algorithm's strength. More information is in the KDF section. -e cipher Encryption cipher for database encryption. Valid parameters are: aes256 This is the default blowfish -m mode Cipher mode for database encryption. Different encryption ciphers can have different modes. The valid parameters are: aes256 cbc This is the default cfb128 ofb blowfish cbc ecb cfb64 ofb More information is in the CIPHERS section. -b Batch mode. Enable reading commands and the password from standard input. In this case, the password must be on the first line (like it would be in interactive mode). -B Batch mode. Enable reading commands from standard input, but prompt for the password. -v Display version. -h Display help. COMMANDS These commands are available in the CLI: new [name] Create a new key in the current keychain. Both key and value will be prompted for, except when name is specified; then it will be used as the key's name. Character sequences can be used in values: "\n" - create a new line, and make the result a multiline value. "\r", "\R" - these will be replaced with 2 and 4 (respectively) random printable characters. "\a", "\A" - these will be replaced with 2 and 4 (respectively) random alpha-numeric characters. Character sequences are to be used in values, regardless of their order or count, and can be escaped using double backslashes (eg.: "\\a"). list [pager [offset]] List pager number of keys per page from the current keychain, skip- ping offset indices if specified. Every key gets prefixed by its index number. If pager is not specified, the default value of 20 is used. The special value 0 means to not use the pager. If offset is not specified, it is not used. ls [pager [offset]] Alias of list. edit index Edit a key. index is the key's index number in the current key- chain. Character sequence rules in values apply to this command also. See command new for more information about this. swap index index Swap two keys, exchanging their index numbers. The two index param- eters are the keys' index numbers in the current keychain. insert index index Move the key at the first index parameter to the index at the sec- ond index parameter in the current keychain. Surrounding indices will be shifted backwards or forwards. search string Search for string in key names in the current keychain. Optional modifiers: `!' suffix (eg.: search!): show non-matching keys. `*' suffix (eg.: search*): search in every keychain. `i' suffix (eg.: searchi): case of characters doesn't matter. You can combine the modifiers. / pattern Search for pattern regular expression in key names in the current keychain. Optional modifiers: `!' suffix (eg.: /!): show non-matching keys. `*' suffix (eg.: /*): search in every keychain. `i' suffix (eg.: /i): case of characters doesn't matter. You can combine the modifiers. near index [context] Display the keyname of key at index position, and also print the surrounding keys' name in at most context vicinity. Only the keys' names and index numbers get displayed. csearch string Search for string in keychain names. Optional modifiers: `!' suffix (eg.: csearch!): show non-matching keychains. `i' suffix (eg.: csearchi): case of characters doesn't matter. You can combine the modifiers. c/ pattern Search for pattern regular expression in keychain names. Optional modifiers: `!' suffix (eg.: c/!): show non-matching keychains. `i' suffix (eg.: c/i): case of characters doesn't matter. You can combine the modifiers. c keychain Change the current keychain. keychain can be the keychain's index number or name. Index number takes priority when addressing a key- chain. (see command cc) cc keychain_name Works like c, but the keychain's name takes priority over its index number. (see command c) cdel keychain Delete a keychain. keychain can be the keychain's index number or name. Index number takes priority when addressing a keychain. (see command ccdel) ccdel keychain_name Works like cdel, but the keychain's name takes priority over its index number. (see command cdel) clear [count] Emulate a screen clearing. Scrolls a 100 lines by default, which can be multiplied by count times if specified. clist List all keychain names and their descriptions. Every keychain gets prefixed by its index number. cls Alias of clist. cnew [name] Create a new keychain. If name is not given then prompt for one. cedit Edit the current keychain's name and description. copy index keychain Copy a key from the current keychain to another keychain. index is the key's index number to copy and keychain is the destination key- chain's index number or name. Index number takes priority when ad- dressing a keychain. cp index keychain Alias of copy. move index keychain Move a key from the current keychain to another keychain. index is the key's index number to move and keychain is the destination key- chain's index number or name. Index number takes priority when ad- dressing a keychain. mv index keychain Alias of move. del index Delete a key. index is the key's index number in the current key- chain. rm index Alias of del. passwd [-P kdf] Change the database password and optionally the KDF. All changes will be written immediately. More information about the kdf optional argument is in the -P pa- rameter description and the KDF section of this manual. help [command] Print application help or describe a command. status Display information about the database. export -k filename [-P kdf [-e cipher [-m cipher_mode [-c keychain]]]] Export the database to a kc compatible encrypted database file named filename (if no extension specified, ".kcd" will be ap- pended). Optional arguments kdf, cipher and cipher_mode can be used to spec- ify a different KDF, encryption cipher and cipher mode to be used while exporting the database. This doesn't change the current data- base's parameters, but when importing this exported database, the parameters in use must be the same (or specified explicitly when using the import command). When specifying keychain, export only that keychain. keychain can be the keychain's index number or name. Index number takes priority when addressing a keychain. (see commands dump, import, append) dump -k filename [-c keychain] Dump the database to a kc compatible XML file named filename (if no extension specified, ".xml" will be appended). When specifying a keychain, dump only that keychain to the XML file. keychain can be the keychain's index number or name. Index number takes priority when addressing a keychain. (see command export) NOTE: the created XML file will be plain text. import -k filename [-P kdf [-e cipher [-m cipher_mode]]] Import and overwrite the current database with the one from a kc compatible encrypted database file named filename. filename must be a proper kc database. The kdf cipher and cipher_mode optional arguments can be used to specify these parameters if they differ from the current data- base's. (see commands importxml, export, append) importxml -k filename Import and overwrite the current database with the one from a kc compatible XML file named filename. filename must contain a prop- erly formatted kc XML document. (see commands import, export, append) append -k filename [-P kdf [-m cipher_mode]] Append new and merge existing keychains to the database from a kc compatible encrypted database file named filename. filename must be a proper kc database. The kdf and cipher_mode optional arguments can be used to specify these parameters if they differ from the current database's. See the LIMITS section for information about how kc deals with limits reached while appending. (see commands appendxml, export, import) appendxml -k filename Append new and merge existing keychains to the database from a kc compatible XML file named filename. filename must contain a prop- erly formatted kc XML document. See the LIMITS section for informa- tion about how kc deals with limits reached while appending. (see commands append, export, import) info [index] Print information about a key in the current keychain or the key- chain itself. If index is specified, it is the key's index number in the current keychain. If omitted, information is about the cur- rent keychain. quit Quit the program. If the database has been modified, then ask if it should be saved. exit Alias of quit. tmux index [line] Copy the value of index to tmux's paste buffer. index is the key's index number in the current keychain. line can be used to specify the line number to copy, if index is a multiline value (defaults to 1). This will try to execute the tmux(1) binary with the set-buffer command passing the value as its parameter. Check the CAVEATS section about the clipboard commands. Xclip index [line] xclip index [line] Copy the value of index to the CLIPBOARD (aka.: CTRL+c - CTRL+v) or PRIMARY X11 selection (ie.: middle mouse button), depending on the first `x' character's case, respectively. index is the key's index number in the current keychain. line can be used to specify the line number to copy, if index is a multiline value (defaults to 1). These will try to execute the xclip(1) binary, piping the value to its standard input. Check the CAVEATS section about the clipboard commands. version Display the program version. write Save the database. save Alias of write. any number To display a key's value, you enter the key's index (ie.: only a number) into the command line, then it will display the entry with the given index. You quit from the display with 'q' or EOT (usually CTRL+d). By specifying another number after the index (eg.: '12 2' -- here 12 is the index, and 2 is the extra number (spice) after it), that many random characters will be displayed between the value's characters. You can navigate up/down through a multiline value's lines with keys j/k, n/p, f/b, +/-, [/], {/}, </>, <SPACE>, <ENTER>, <BACKSPACE>. Typing a number between 1-9 will jump di- rectly to that line. It is possible to copy the displayed value to a clipboard (or such) with these hotkeys: t Copy the value to the tmux paste buffer like the tmux com- mand. x Copy the value to the PRIMARY X selection. like the xclip command. X Copy the value to the CLIPBOARD X selection, like the Xclip command. Check the CAVEATS section about the clipboard commands. Perhaps the extra number (spice) after a key's index and its use- fulness can use some further explanation. Let's say you want to display a password to use it on a website's form, but you don't want the people walking by or around you to recognize words, num- bers or parts of it. You can use this nifty "trick" to tell kc to display that many random characters between the value's original characters when showing it to you. Granted, it will look like a mess (although, that is what we wanted), but you can copy-paste it to the password entry in the website form in question. Then you can start to "blindly" delete the given number of characters from it by moving you cursor to the beginning (eg. HOME key), pressing 'spice' numbers of DEL, then jump over one character to the right (with the right arrow key), then delete the random characters again, then re- peating this until you reach the end of you original password (those who played Mortal Kombat will feel a bit nostalgic). You can catch on to this, because the random character padding is of fixed length, so the pattern remains the same for the whole password. You don't even have to pay attention to the original length of the password, because after you've completed the pattern (DELs-move- DELs-move...) and removed the spice (ie.: every padding random character), you end up with you original password, and you'll just be deleting nothing after the end of the string. This of course only makes sense if the form is a password input field, so you (and everybody else) just see stars or dots in place of the password. CIPHERS Databases are encrypted with the AES-256 cipher in CBC mode, if another cipher and mode was not specified explicitly. (see the -e and -m options). Ciphers use a 128 byte key generated with a KDF (key derivation function) from the supplied password (see the KDF section), and an IV (initialization vector) that is read from the host's specific random device (/dev/urandom on Linux and /dev/random on everything else) as characters. See also the CAVEATS section. To change the encryption ci- pher and/or its mode, you can use the export command. KDF The KDF converts the user supplied password with a generated salt to a strong key that can be used safely during encryption. Every SHA-* based PBKDF2 KDF uses 5000 rounds in kc. On changing the KDF in use, see the -P option and the passwd command. Of course, changing the KDF with which the database was created/opened means that the new KDF must be used from then on. This is because changing the KDF changes the key the database was encrypted with. LIMITS kc has limits when it deals with keychains and keys in keychains. The maximum number of elements for both is the upper limit an unsigned long integer can store on the running platform, minus one. These limits are enforced every time a new keychain or key is being created (or moved, copied, etc...). Appending is done in a non-atomic fashion. This means that kc will not create a keychain if it would not fit in the limit, and it will not append keys to an existing keychain if they would not fit in the limit. However, for example, if a database that is being appended contains a keychain whose keys could not fit in the existing keychain, and also contains a keychain whose keys could fit in the existing key- chain, then the one that could fit will be appended, and the one that could not will not be appended. This means that appending is atomic on the keychain level (or keys level, if you like), and not atomic on the database level. EXAMPLES pwsafe_to_kc.pl: # Export the pwsafe database to a cleartext file: $ pwsafe --exportdb > pwsafe_export Enter passphrase for .pwsafe.dat: # Convert the cleartext pwsafe database to a kc XML database file: $ pwsafe_to_kc.pl pwsafe_export kc_db.xml opening pwsafe_export for reading. opening kc_db.xml for writing. Converting... Done. After the above commands, you should end up with a kc compatible XML database. You can import it to kc using the importxml command. Adding new entries: Simple: <default% > new testuser <default% NEW value> testpass Prompt for both key and value: <default% > new <default% NEW key> testuser2 <default% NEW value> test_\r_pass_with_random_characters:\A Using the 'key' only as an indication: <default% > new www.mysecuresite.com <default% NEW value> user_name\npass-word Using the random and newline character sequences: <default% > new testuser3 <default% NEW value> \r\R\n\a\A\nthis is a multiline value! Creating new keychains: <default% > cnew email_accounts <default% > cnew <default% NEW keychain name> WebSite Accounts <default% NEW keychain description> description <default% > cnew 2 <default% NEW keychain description> Two Created keychain: 3. 2 Results: Listing the keys in the current keychain: <default% > list 0. testuser 1. testuser2 2. www.mysecuresite.com 3. testuser3 Displaying values in the current keychain: <default% > 0 [testuser] testpass <default% > 1 [testuser2] test_,x_pass_with_random_characters:6nzm <default% > 2 [www.mysecuresite.com] [1/2] user_name [www.mysecuresite.com] [2/2] pass-word <default% > 3 [testuser3] [1/3] v#)z!9 [testuser3] [2/3] HwRz7i [testuser3] [3/3] this is a multiline value! Listing keychains: <default% > clist 0. default 1. email_accounts 2. WebSite Accounts 3. 2 Switch to another keychains: <default% > c email_accounts <email_accounts% > c 2 <WebSite Accounts% > c 3 <2% > c 2 <WebSite Accounts% > cc 2 <2% > Editing existing entries: <default% > list 0. testuser 1. testuser2 2. www.mysecuresite.com 3. testuser3 Edit an entry in the current keychain: <default% > edit 1 <default% EDIT key> testuser2 <default% EDIT value> test_pass_with_random_characters:6nzm <default% > 1 [testuser2] test_pass_with_random_characters:6nzm Rename a keychain: <default% > cedit <default% EDIT keychain name> my_own keychain <default% EDIT keychain description> description my_own keychain% > CAVEATS If you use cfb128 or ofb as the cipher mode, there is no specific sign if you enter a wrong password during the opening of a database; in this case the database would seem to be corrupt after decrypting, and kc will not be able to open it. There is no character conversion taking place for the input fields. kc will exit without saving the database (with a corresponding error mes- sage) when an out-of-memory condition arises. Fair warnings before using the clipboard features: 1. If you don't trust the system where you're running kc then don't use these features, as you can not be sure that the binaries in your PATH are not tampered with and would record the passwords. 2. Removal of the values from the clipboards are not being dealt with. This should be the user's responsibility. AUTHOR kc was written by LEVAI Daniel <leva@ecentrum.hu> Source, information, bugs: https://github.com/levaidaniel/kc BSD August 27, 2014 BSD
NAME | SYNOPSIS | DESCRIPTION | EXAMPLES | CAVEATS | AUTHOR
Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=kc&sektion=1&manpath=FreeBSD+13.0-RELEASE+and+Ports>