LinuxQuestions.org
Old 09-09-2016, 09:03 AM   #16
s-h-a-w-n
LQ Newbie
 
Registered: Sep 2016
Posts: 10

Original Poster
Rep: Reputation: Disabled

Yes, insecure if the password is written in the script, on the HDD, but what about if it is in a variable, in RAM, entered by the user at each login?
 
Old 09-09-2016, 09:09 AM   #17
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 8,104

Rep: Reputation: 2267
If you want to save that password and several invocations will use the same stored string (if I understand it well), it will be insecure anyway, whether it was stored on HDD or in RAM or whatever. If your script can access it, any other script will too.
 
Old 09-09-2016, 09:19 AM   #18
rtmistler
Moderator
 
Registered: Mar 2011
Location: Sutton, MA. USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu
Posts: 4,087
Blog Entries: 10

Rep: Reputation: 1521
Quote:
Originally Posted by s-h-a-w-n View Post
Yes, insecure if the password is written in the script, on the HDD, but what about if it is in a variable, in RAM, entered by the user at each login?
A variable where?

Is the script running or not? Seems like you re-run the script each time you wish to start a new session.
Quote:
Originally Posted by s-h-a-w-n View Post
An example would be:
-I'm in my linux session
-I start the script to connect to cisco switch A
-I start the script to connect to cisco switch B
-I start the script to connect to cisco router X
-I start the script to connect to server Y
There's no such thing as a RAM variable which you can access from a script or program unless it is 100% deterministic each time you enter the program or script. Meaning you have defined a specific memory address or a location on disk. And then having done that, what pan64 said is true, any other script or program can access this variable.
 
Old 09-09-2016, 09:33 AM   #19
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 5,387

Rep: Reputation: 397
Maybe write an expect script, save it on a USB key and execute the script from there, then try not to lose the key (or maybe encrypt it)

Last edited by keefaz; 09-09-2016 at 09:35 AM.
 
Old 09-09-2016, 10:20 AM   #20
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,602

Rep: Reputation: 1241
Quote:
Originally Posted by keefaz View Post
Maybe write an expect script, save it on a USB key and execute the script from there, then try not to lose the key (or maybe encrypt it)
Even then... The variables and environment CAN be obtained.

Part of the problem is that the password ends up in many places - the shell, expect, ssh,...

ssh goes to extreme lengths to prevent the password from being anywhere but inside ssh, even to the point of disabling the ptrace access (both to itself and to ssh-agent).

None of the other tools go to this length to prevent access.
 
Old 09-09-2016, 11:48 AM   #21
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 5,387

Rep: Reputation: 397
Quote:
Originally Posted by jpollard View Post
Even then... The variables and environment CAN be obtained.

Part of the problem is that the password ends up in many places - the shell, expect, ssh,...

ssh goes to extreme lengths to prevent the password from being anywhere but inside ssh, even to the point of disabling the ptrace access (both to itself and to ssh-agent).

None of the other tools go to this length to prevent access.
Maybe it's acceptable for OP; I mean, he may be concerned only about not having the password stored on local disk.
 
Old 09-09-2016, 12:16 PM   #22
s-h-a-w-n
LQ Newbie
 
Registered: Sep 2016
Posts: 10

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by keefaz View Post
Maybe it's acceptable for OP; I mean, he may be concerned only about not having the password stored on local disk.
Yes, the password variable can be accessible by any script of mine, just as long as it is unreachable by other users logged on to the Linux machine (client).

UserA logs in the linux machine
UserA puts its password in VarX
UserA launches script.sh
script.sh launched by UserA can access VarX

UserB logs in the linux machine
UserB reads VarX, VarX has no content from UserA
UserB launches script.sh
script.sh launched by UserB cannot access VarX, because VarX has no content from UserA
UserB reads script.sh, script.sh contains UserA's username, but no password is embedded in script.sh
 
Old 09-09-2016, 12:48 PM   #23
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 5,387

Rep: Reputation: 397
I was thinking of the password stored in the script and the script stored on an external drive (USB key).
Now if the script is shared with other users, this plan won't work :/
 
Old 09-09-2016, 01:57 PM   #24
rtmistler
Moderator
 
Registered: Mar 2011
Location: Sutton, MA. USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu
Posts: 4,087
Blog Entries: 10

Rep: Reputation: 1521
Quote:
Originally Posted by s-h-a-w-n View Post
Yes, the password variable can be accessible by any script of mine, just as long as it is unreachable by other users logged on to the Linux machine (client).
This is rather difficult to achieve; you are defeating the purpose of having someone remember and type a password. If the script stays running and holds a previously entered password in a variable, that is one thing; to have some sort of system-global memory of a password which is supposed to go away at some point, as yet not clearly defined, is difficult, bordering on unrealistic, and clearly not so very secure anymore.

I sometimes say to people (about code and scripts):

"You can cute it up all you want, but is that really necessary?"

To wit: You write a program or script to fulfill functions that are complex, iterative, and save you typing; however, when passwords are involved, the "user" of your program or script will question why it seemingly remembers their password and under which conditions it shall forget them, because ...
 
Old 09-09-2016, 01:59 PM   #25
rtmistler
Moderator
 
Registered: Mar 2011
Location: Sutton, MA. USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu
Posts: 4,087
Blog Entries: 10

Rep: Reputation: 1521
I'm not saying this task is unable to be accomplished. I am questioning the choice to do these actions, and I'll leave it at that.
 
Old 09-09-2016, 02:47 PM   #26
s-h-a-w-n
LQ Newbie
 
Registered: Sep 2016
Posts: 10

Original Poster
Rep: Reputation: Disabled
Interesting; the users in question are technicians who could read the script if they questioned where the passwords are stored. Here is an example of the problem I am trying to bypass:

A user says their dead phone is on the wall jack D-15 (local names for ethernet wall jacks in the company)
I search the database and have no luck finding any record of D-15 (too many jacks, too many changes, the company did not keep up)
I search in the network switches for the interface descriptions using the hostnames specific to the location

ssh user@switch1
password
show interface description | i D-15
[no result]
exit

ssh user@switch2
password
show interface description | i D-15
[no result]
exit

ssh user@switch3
password
show interface description | i D-15
[no result]
exit

ssh user@switch4
password
show interface description | i D-15
[no result]
exit

ssh user@switch5
password
show interface description | i D-15
[no result]
exit

ssh user@switch6
password
show interface description | i D-15
Fa0/8 down down Jack D-15

That's a lot of User/password to enter to get there. Multiply that with the number of cases per day.
I can live with that, but I was hoping for a shortcut.
Thanks anyway for your opinion; I might use your idea of using keys if I get to work on a small system (not hundreds) that I set up myself from scratch (not the case here)
 
Old 09-09-2016, 02:59 PM   #27
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: CentOS 6 (pre-systemd)
Posts: 2,609

Rep: Reputation: 702
Using ssh-copy-id to install your key in each Cisco is preferred.

Or you can put your passwords in a protected file and use sshpass to login so your password is not in a shell variable.
 
Old 09-09-2016, 07:13 PM   #28
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,602

Rep: Reputation: 1241
Quote:
Originally Posted by rtmistler View Post
This is rather difficult to achieve; you are defeating the purpose of having someone remember and type a password. If the script stays running and holds a previously entered password in a variable, that is one thing; to have some sort of system-global memory of a password which is supposed to go away at some point, as yet not clearly defined, is difficult, bordering on unrealistic, and clearly not so very secure anymore.
Don't forget swap.... Occasionally shell data does get swapped out, and that would put it on disk, unencrypted.
Quote:
I sometimes say to people (about code and scripts):

"You can cute it up all you want, but is that really necessary?"

To wit: You write a program or script to fulfill functions that are complex, iterative, and save you typing; however, when passwords are involved, the "user" of your program or script will question why it seemingly remembers their password and under which conditions it shall forget them, because ...
 
Old 09-10-2016, 02:03 AM   #29
Turbocapitalist
Member
 
Registered: Apr 2005
Distribution: Ubuntu, Devuan, OpenBSD
Posts: 962
Blog Entries: 3

Rep: Reputation: 393
Quote:
Originally Posted by s-h-a-w-n View Post
...
ssh user@switch5
password
show interface description | i D-15
[no result]
exit

ssh user@switch6
password
show interface description | i D-15
Fa0/8 down down Jack D-15

That's a lot of User/password to enter to get there. Multiply that with the number of cases per day.
Again, that's kind of a textbook use case for ssh keys. If you want passwords, "sshpass" has been mentioned at least once above, that will read from a file. But keeping passwords around in clear text is likely to end in trouble. Yes, you'd have to put keys (the public key part of each key pair) on each of the remote machines. However, that is likely to save you work and make the whole process more secure. There is the cost of potentially having to change all the passwords to consider, too.

That aside...

One characteristic of SSH that could save you work in another way is that the client does pass back the exit code from the last command processed on the remote host.

Code:
d='/bin/date -u | grep 2016'
ssh user@remote $d
echo $?
So that last line would print out a zero, for success, if it's run this year.

Code:
d='/usr/bin/false'
ssh user@remote $d
echo $?
And that would return a one, for failure.

Based on the example you gave, you could use that to automate the remote command.

Code:
cmd="show interface description | i D-15"

if ssh user@switch1 $cmd;
then echo found

elif  ssh user@switch2 $cmd;
then echo found

elif  ssh user@switch3 $cmd;
then echo found

...
else echo $cmd not found anywhere!

fi

exit
The output of the remote command would still be shown as usual, so the "echo" part is redundant, but you could change it to say the name of the remote device as well. Keys would speed up the second and subsequent runs by handling the authentication automatically but securely.
 
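The key-based version of the switch loop discussed above, as an added example that is not code from any poster in this thread. It runs the search with ssh keys only (BatchMode=yes makes ssh refuse to prompt for a password, so no password ever sits in a shell variable, a script or swap), matches on the command output rather than on the remote exit status, and skips hosts that are unreachable or have no key installed. The hostnames, the jack label and the run_remote wrapper are placeholders chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: find which switch has an interface
# description mentioning a wall jack, authenticating with ssh keys only.

# run_remote HOST CMD: run CMD on HOST over ssh, keys only, no prompts.
# Kept as a separate function so the search logic can be exercised
# against a stand-in without touching real switches.
run_remote() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" "$2"
}

# find_jack JACK HOST...: print "HOST<TAB>interface line" for the first
# switch whose 'show interface description' output contains JACK.
# Returns 0 on a hit, 1 if no switch matched.
find_jack() {
    jack=$1
    shift
    for host in "$@"; do
        status=0
        out=$(run_remote "$host" "show interface description | i $jack" 2>/dev/null) || status=$?
        # ssh itself exits 255 on connection or authentication failure;
        # report it and move on rather than treating it as "not found".
        if [ "$status" -eq 255 ]; then
            printf 'warning: could not reach %s, skipping\n' "$host" >&2
            continue
        fi
        # Network gear does not reliably pass back a command exit status,
        # so decide on the output text instead.
        line=$(printf '%s\n' "$out" | grep -F -- "$jack" | head -n 1)
        if [ -n "$line" ]; then
            printf '%s\t%s\n' "$host" "$line"
            return 0
        fi
    done
    return 1
}

# Usage with placeholder hostnames:
# find_jack D-15 switch1 switch2 switch3 switch4 switch5 switch6
```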
  


All times are GMT -5.
