Quote:
But any encryption scheme will require the key to be stored in a variable. You might as well assume that variables are safe.
But if the environment the script runs in has declared that PWORD is an environment variable then the password will appear in the process listing :-)
But generally, yes, you can assume variables are safe, as only someone with root access to your machine, and thus to memory or disk swap space, has any chance of recovering the password.
However, if you can, it is better to store them in some less obvious but simple form of encryption. And clear the password before unsetting the variable (if the language allows it, as some languages just allocate new memory rather than overwrite old memory) as soon as you are finished with it.
Also in shell never use anything other than a built-in "echo" command to feed that password to some other program, or it will appear in the process table.
The better idea is not to store them at all but pipe the password direct from your password input program/function to the program that will use it. Of course, if you need to use the password multiple times, then storing it in a variable may be a lot easier than attempting some type of 'pipeline tee processing' method.
Many commands that need a password will have options to read from a pipe or special file descriptor for the password to use. Use it as it is about the safest way to use the password.
If the program insists on reading from a TTY (user input only), use programs like "unbuffer" (from the "expect" package) to wrap the program in a TTY so you can pipe the password into the program. I have also used "expect" directly for PTY wrappers, but the new method is to use the "socat" command (an advanced "netcat" replacement) to do PTY wrappers around commands.
---
Also, if you are reading individual characters yourself then YOU will need to handle normal terminal control characters such as backspace, delete, and ^U (kill input).
Type this ab{delete}{delete}cd{enter}
and you will see "cd" returned.
Now pipe the output through "od" (modify the script) and you find the password contains much more than just two letters!
Yes, you could use such characters in a password, but typing them in most password readers just does not work very well. If you plan to use control characters in passwords, you may as well be giving your password in hex or base64, to make it more manageable.
It is far easier just to read direct from a TTY with echo turned off, and let the system do the work for you. It is much easier, and I have done this many times in many languages.
---
The better solution for password reading is to use programs that are designed for this, which generally pipe the password to stdout.
Examples include...
/usr/libexec/openssh/x11-ssh-askpass
/usr/libexec/openssh/ssh-askpass
/usr/bin/ssh-askpass
/usr/libexec/openssh/gnome-ssh-askpass
/usr/lib/openssh/gnome-ssh-askpass
zenity --title=Program --entry --text=Password: --hide-text
Xdialog --title Program --stdout --password --inputbox "Password:" 0x0
{ echo "SETDESC password:"; echo "GETPIN"; } | pinentry | sed -n 's/^D //p'
and probably many many others that essentially do exactly what your script is trying to do. I have often written encrypting and mounting scripts that search to find at least one of these programs to use for user password input.
For an example: the script "mount_encrypted" in my WWW software export looked for at least one of the programs listed above to get a password from the user.
http://www.ict.griffith.edu.au/antho...ount_encrypted
Many systems actually specify the password reading program to use in the SSH_ASKPASS environment variable (set during system login), which lets the user override the method by which passwords will be entered, and lets them use other password control systems and keyrings. However, few programs needing passwords will use that environment variable :-(
Of course, if X Windows is not enabled you will need to fall back to some form of TTY method, or even a curses method such as "dialog".
---
Anyone else have password reading or handling solutions?
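As an added example (not code from the post or the "mount_encrypted" script), here is a POSIX sh sketch of the approach described above: search for one of the listed askpass helpers, fall back to a no-echo TTY read, and pass the password on through a pipe/file descriptor instead of an argument. The helper paths are the ones the post lists; the function names, the `ASKPASS_CANDIDATES` override and the `openssl -pass fd:3` usage in the comment are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the post: find an askpass-style helper, else read
# from the TTY with echo off, and hand the password to the consumer over fd 3
# so it never appears in argv (process table) or in the environment.

# Search order: SSH_ASKPASS (if the login session set it) wins, then the helper
# paths quoted from the post. ASKPASS_CANDIDATES may be preset to override.
ASKPASS_DEFAULTS="/usr/libexec/openssh/ssh-askpass /usr/bin/ssh-askpass /usr/libexec/openssh/gnome-ssh-askpass /usr/lib/openssh/gnome-ssh-askpass"
ASKPASS_CANDIDATES="${ASKPASS_CANDIDATES:-${SSH_ASKPASS:-} $ASKPASS_DEFAULTS}"

# find_askpass: print the first executable helper found, or fail silently.
find_askpass() {
  for p in $ASKPASS_CANDIDATES; do
    [ -n "$p" ] && [ -x "$p" ] && { printf '%s\n' "$p"; return 0; }
  done
  return 1
}

# read_password [prompt]: use the helper when X is available, otherwise read
# from the controlling TTY with echo off so the terminal driver handles
# backspace and ^U for us. The password goes to stdout, to be captured with
# $(...) or piped straight to the consumer.
read_password() {
  prompt="${1:-Password:}"
  if [ -n "${DISPLAY:-}" ] && helper=$(find_askpass); then
    "$helper" "$prompt"
    return
  fi
  trap 'stty echo </dev/tty 2>/dev/null; exit 130' INT   # restore echo on ^C
  stty -echo </dev/tty 2>/dev/null
  printf '%s ' "$prompt" >/dev/tty
  IFS= read -r pw </dev/tty
  printf '\n' >/dev/tty
  stty echo </dev/tty 2>/dev/null
  trap - INT
  printf '%s\n' "$pw"   # shell builtin, so nothing shows in the process table
  pw=''                 # overwrite before the variable goes out of scope
}

# consume_via_fd cmd...: run cmd with the password (read from our stdin) on
# fd 3, stdin itself detached. Assumed usage with a tool that reads a
# passphrase from a descriptor:
#   read_password | consume_via_fd openssl enc -aes-256-cbc -pass fd:3 -in f -out f.enc
consume_via_fd() {
  "$@" 3<&0 </dev/null
}
```

A helper that is found but not executable is skipped, and with no `DISPLAY` the TTY path is used even when a helper exists, matching the post's fallback order.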