The openssl man page says the "-pass pass:[password]" option for the openssl command is not secure because it's visible to utilities like ps, but is it secure through bash?
Like this:
#!/bin/bash
read -s psword
openssl enc -pass pass:$psword -aes-256-cbc -in text.plaintext -out text.encrypted
I've run a program like this on my computer and all ps seems to see is "openssl". Will other utilities be able to see the password?
The command line is normally easy in any operating system to get from any process normally. See this answer to getting a command line for a process. So it doesn't really matter what "starts" the process, be it bash or some custom application. This is the reason that that advise is given.
With any of these things it comes down to risk. If you accept the risk that it's not that secure then there is no reason not to use the command line (i.e. it's your machine and you are the only one using it). If lots of people can see your process sessions and possibility see a sensitive password then the risk may not be worth it. It's up to you to determine if the risk is acceptable.
if you want to secure the password, then its better to write it to a file that only your process has access to, and read the password from that file in your command. This will hide the plain password in the command line and make it invisible to other processes.
You can check the following answer. It is related to generating openssl keys but is similar to this topic:
How to generate an openSSL key using a passphrase from the command line?
Related
I have a small doubts because I don't know how can I prepare shell script which should execute other command with questions...
It means e.g. that I have to connect with VPN client and need to answer a several question. Accept trusting (yes/no), then choose VPN option (VPN/VPN-1), introduce login and password. I would like to have one script with all parameters (of course exclude password).
Any ideas? Thanks
If the answers file works, you can avoid placing the password into the file using replacement token. For example, write 'PASSWORD in the file, and then use 'sed' (or other tool) to replace it at run time.
Possible to use 'read -s password' or other method to get the password at run-time.
read -s REAL_PASSWORD
sed -e 's/__PASSWORD__/$REAL_PASSWORD/' | command-to-setup
If the number of items in the answer file is small, and do not change, you can inline them into your script
read -s REAL_PASSWORD
command-to-setup <<__ANSWERS__
yes
VPN-1
login
$REAL_PASSWORD
__ANSWERS__
I have some functions in my .bashrc file which are used to issue backup commands on remote websites. Right now, the username and password fields are stored as function-local strings in plain text within the function definition. Is there a better way of doing this?
My idea so far was to put a hashed version of the passwords in a file to which only my user account has read access, run a de-hashing command-line function on it and store the plain text result in memory, use it, then clear it.
Is there a better/safer or even a de-facto common way of accomplishing this?
Thank you.
There are 2 ways I can think of safely approaching this problem.
1. GPG
Keep a GPG encrypted file with your passwords in it in key=value format (shell parsable basically), one per line. Such as:
foo_pass='bar'
pop_pass='tart'
When you want to access them, just do:
eval "$(gpg -d /path/to/file | grep '^foo_pass=')"
SUPERSECRETPASSWORD="$foo_pass" somecmd
If the command needs the password as an argument (this is unsafe), just adjust that last line.
2. Keyring daemon
Depending on your OS, you might have access to a keyring which you can store your passwords in. On linux, this might be the gnome keyring daemon. Then this keyring can probably be accessed via CLI/script somehow.
For example, there is gkeyring for use with the gnome keyring daemon.
I have a shell script that produces sensitive content when run. It sits on a box that only a few users have permissions to access. However, I have also added layered obfuscation to prevent unauthorized usage, via the following:
script must be run as root
script must be passed specific command line arguments to produce any output
script has been encoded by the shell compiler "shc" to mask facts #1 and #2 from normal users (those who would not know to use TRACE or STRINGS to still view the actual code).
To then add a layer of actual security to protect again more advanced users and system admins, I have also encrypted the script with gpg.
My question is -- Is there a gpg command (or other encryption method) that I could run which prompts for the decryption passphrase, and decrypts the script and runs it in memory only (without saving the decrypted version of the file to the file system)?
I realize that sensitive information may still exist in unprotected memory while being executed, I'll address that separately.
You can capture the output of decrypting by
decrypted=$(gpg -d ...)
You can then eval the result
eval "$decrypted"
Another simple option to contrast with choroba's answer:
Save the decrypted output to a file in /dev/shm/. (It's an in-ram tmpfs filesystem there by default on virtually all Linux distros.) Setup a trap to delete the file when your script exits.
It's very possible I could refine this, but here's another idea where you execute the script rather than evaluate it like in choroba's example. It allows you to pass arguments...
bash <( gpg -d ... ) arg1 arg2
...it 'overrides' the interpreter, though. I.e. I'd run my scripts with bash -ue. May or may not be a problem depending on the scripts and whether you are writing them yourself or not :)
I have a bash script which uses a text file containing a list of logins:
LOGINLIST=/home/user/logins.txt
while read line
do
echo $line
done < $LOGINLIST
I'd rather not store the list of logins as plain text, but I don't want to have to manually decrypt it every time time I run the script. (Having the script prompt for a password would be OK.)
One way I could do this would be to include a line in the script where e.g openssl decrypts the file before it gets read. Unfortunately, if the script stalled (perhaps one of the sites it's logging in to isn't responding) this would leave the file unprotected for an indeterminate period of time.
So I'd rather keep the plaintext in memory only.
This post on LinuxQuestions ( http://www.linuxquestions.org/questions/programming-9/can-we-hide-the-code-of-a-shell-script-370328/#post1887648 ) suggests that sending the plaintext to a FIFO might do the trick, but that's wholly unfamiliar territory for me. Is there a better / simpler way? How do I wipe the memory when the script is done?
...and is there a way to edit the encrypted login list while also keeping the plaintext in memory?
You can do that with openssl and process substitution without changing the structure of your code.
To encrypt the file, use something like:
openssl blowfish -in plaint_text_file -out encrytped_file
(Choose the cipher you want, it will prompt you for a password.)
Then you can use the encrypted file with:
LOGINLIST=/path/to/encrypted/file
while read line
do
echo $line
done < <(openssl blowfish -d -in $LOGINLIST)
This will prompt you for the password. No temporary file generated.
(Careful with the spaces in the last command, it really is < <(.)
You can open an existing encrypted file named encrytped_file in vim with:
openssl blowfish -d -in encrytped_file | vim -
You can create or modify/overwrite an encrypted file named encrytped_file via vim with:
:w !openssl blowfish -in /dev/stdin -out encrytped_file
Just look for the password prompts. They will get obscured a bit by vim's ui.
Here are the tricks used in this answer. You should learn them rather than copy and paste them so that you can use them in other cases.
vim reads from a pipe (aka: stdin or standard input) when an argument of bare hyphen is given.
vim can pipe its buffer to a command with :w !command
It is very common for unix commands to interpret a bare hyphen as "read from standard input" but not all commands do. In this case, you can often use /dev/stdin
I have a bash script that uses bash's "read" builtin to obtain a username and password from the user and then uses them as part of an AFP URL. I'm encountering some problems, however, when passwords contain characters that affect URL parsing (';' for example).
I've looked around for a command-line utility that can do URL-filtering but haven't found one. Does anybody know of such a utility? I would like to be able to do something like the following:
mount_afp "afp://`urlfilter $USER`:`urlfilter $PASS`#server.com".
You can use a simple one-line Python script to do this:
echo $USER | python -c 'import urllib; print urllib.quote(raw_input())'
Note that, while acceptable for your usage, urllib.quote is designed for use on URL components, not the entire URL. See #120951 for more.