SPHINX Password Storage – X11 Integration


1. Scripting X11 integration

SPHINX is not your average legacy consumer-grade password manager. SPHINX's CLI is powerful, but its X11 integration is what makes it truly efficient for daily use on Linux desktops and laptops. If you’re a power user working with X11, you’ll appreciate these features. One day, there might be support for Wayland, and even for other proprietary prison-ware OSes.

SPHINX provides a simple domain-specific language (DSL) for scripting X11 interactions. This DSL relies on xdotool and xinput to automate keyboard and mouse actions, making password entry and multi-factor authentication seamless. Under the hood, the scripts use some sphinx commands as defined in the usage documentation.

1.1. Vocabulary

  • type "text...": Types the given text into the currently focused X11 window
  • wait-for-click: Waits until the user clicks anywhere
  • user: Types the username (usually given as the first parameter to the script) into the focused X11 window
  • host: Types the hostname (usually given as the second parameter to the script) into the focused X11 window
  • pwd: Retrieves a password using getpwd(1) and sphinx(1), then types it into the focused X11 window
  • otp: Retrieves a Time-based One-Time Password (TOTP) secret from sphinx(1) using getpwd(1), generates a TOTP pin with oathtool(1), and types it into the focused X11 window
  • tab: Types a tab character into the current X11 window, advancing between form fields
  • enter: Sends an Enter key press into the focused X11 window, usually submitting a form
  • gethost: Waits for a left mouse click on a browser window, copies the URL from the address bar, extracts the hostname, and sets it as the internal $host variable for use with host or pwd defined above.
  • getuser: Runs sphinx list $host, as described in the usage documentation. If multiple users are found, it presents them in a dmenu widget. Once a single user is found or selected, it is stored in the internal $user variable, which can then be used with user or pwd defined above.

Any lines not consisting of these tokens are simply ignored.

1.2. Default Scripts

SPHINX comes with 5 default scripts: pass, user-pass, user-pass-otp, otp and getacc-user-pass. The first four can be run as follows:

  • pass.sphinx <user> <host>
  • otp.sphinx <user> <host>
  • user-pass.sphinx <user> <host>
  • user-pass-otp.sphinx <user> <host>

As an example, the user-pass-otp script is defined and explained below:

#!sphinx-x11

wait-for-click
user
tab
pwd
tab
enter
wait-for-click
otp
enter

Here's how the script works:

  • The first line specifies sphinx-x11(1) as the interpreter.
  • The script waits for a click (line 3), then sends X11 key press events with the value of the user parameter, which is given as the first parameter to this script.
  • Line 5 injects a Tab key press event, which selects the next field in the form.
  • In lines 6 and 7, it tabs to the password field and types the password obtained from getpwd (included in the contrib directory and dependent on pinentry), which is used to get the password for user and host. Then, it tabs again.
  • An Enter key press is injected in line 8 to submit this form.
  • Since this is a new form, the script waits (line 9) for the user to click in the field where the TOTP value needs to be inserted.
  • In line 10, the TOTP value is queried using getpwd.
  • Finally, in the last line, the TOTP pin is sent as key press events and submitted by injecting Enter into the application.

The 5th script getacc-user-pass is special because it acts upon a browser window, unlike the other scripts:

#!sphinx-x11

gethost
getuser
wait-for-click
user
tab
pwd
tab
enter

This script works as follows:

  • It waits for a click on a browser window, extracts the host and uses sphinx list to get the users associated with this host (lines 1-3).
  • If one is selected, it waits for another click in the user input field of a login form (line 4).
  • Then, it gets a password using sphinx(1), types the user, then the password, and submits the form by injecting an Enter key press event (lines 5-8).

The script is convenient, but be aware of potential phishing risks if a malicious site manipulates the clipboard. Therefore, use this script very carefully. Currently, this security issue remains unresolved since there is no simple way to securely get the current tab's URL from a browser via a web extension.

1.3. Customization and Security Notes

Using this DSL, you can create your own scripts for different sites and workflows, and bind them to keyboard shortcuts for even faster access. This approach keeps your passwords out of the clipboard and leverages X11 automation for secure, efficient logins. Try it out and see how much more efficient your daily logins can become!
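Because lines outside the vocabulary in section 1.1 are silently ignored, a typo in a custom script drops a step without any error. The linter below is an added example, not part of SPHINX: it flags such lines, and it flags pwd or otp steps that have no wait-for-click since the last enter. It assumes tokens are matched exactly after trimming whitespace and treats '#' lines as intentional comments; the second check is a policy chosen for this example, modelled on the default scripts.

```python
import re

# Bare tokens from the Vocabulary section; `type` takes a quoted argument.
TOKENS = {"wait-for-click", "user", "host", "pwd", "otp", "tab", "enter",
          "gethost", "getuser"}
TYPE_RE = re.compile(r'type\s+".*"')
SECRETS = {"pwd", "otp"}

def lint(script):
    """Return (line_no, message) findings for a sphinx-x11 script."""
    findings = []
    clicked = False  # has the user clicked a field since the last submit?
    for no, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        # Blank lines, the shebang and '#' comments are ignored on purpose.
        if not line or line.startswith("#"):
            continue
        if TYPE_RE.fullmatch(line):
            continue
        if line not in TOKENS:
            findings.append((no, f"{line!r} is not a token and is silently skipped"))
            continue
        if line == "wait-for-click":
            clicked = True
        elif line == "enter":
            clicked = False  # a submitted form is replaced; focus is unknown again
        elif line in SECRETS and not clicked:
            findings.append((no, f"{line} types a secret without a wait-for-click "
                                 "since the last enter"))
    return findings

# Constructed sample: user-pass-otp with a misspelled tab and the second
# wait-for-click left out.
SAMPLE = """#!sphinx-x11

wait-for-click
user
tba
pwd
tab
enter
otp
enter
"""

if __name__ == "__main__":
    for no, msg in lint(SAMPLE):
        print(f"line {no}: {msg}")
```

In the constructed sample, the skipped tab on line 5 means pwd is typed directly after the username into the same field, and otp on line 9 is typed into whatever has focus after the form is submitted.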

If you prefer browser integration, SPHINX also provides web extensions for Firefox and Chrome-based browsers. However, always be cautious with browser extensions and review their security: https://lock.cmpxchg8b.com/passmgrs.html

Author: SPHINX

Created: 2025-10-06 Mon 02:39
