There's no "best" way. They all suffer from exactly the same problem: Anyone who can see the code will know how to crack your password, and they'll have unlimited tries to guess your obfuscation. You might have noticed that you already had to brute-force your way around ssh's security features with 'expect' to do what you want; that's a subtle hint, in mile-high neon letters You're really not supposed to do that. It's really not a good idea. If you can pre-share a password, why can't you pre-share a key?
There's no "best" way. They all suffer from exactly the same problem: Anyone who can see the code will know how to crack your password, and they'll have unlimited tries to guess your obfuscation. You might have noticed that you already had to brute-force your way around ssh's security features with 'expect' to do what you want; that's a subtle hint, in mile-high neon letters You're really not supposed to do that. It's really not a good idea. If you can pre-share a password, why can't you pre-share a key?
That is so true Corona, and I should have quoted "Best" to imply what I really wanted when posting the question: I want to learn. Few days ago I still thought that ssh was impossible to be automated, and then I learned about expect. Now I want to learn a way (if there is one) to fool ps .
Automated ssh without my presence using my account is already not allowed if strictly considering the account policy, and of course I am not allowed to share my password. But it is really a matter of knowledge that I like the solution so much so that I want to learn more... Everything is still in development, and that I have them all in my control.
You are not going to fool ps. ps gets its process data from the kernel. You'd have to modify the kernel to lie/obfuscate, then recompile it. Or, you'd have to modify and recompile ps to lie/hide/obfuscate. And, you can forget about any LD_PRELOAD tricks since ps is a SUID binary.
You are not going to fool ps. ps gets its process data from the kernel. You'd have to modify the kernel to lie/obfuscate, then recompile it. Or, you'd have to modify and recompile ps to lie/hide/obfuscate.
Wrong. Any C program can lie to ps and the kernel, simply by changing it's arguments. The only restriction is that the new contents may not be larger than the original if you just overwrite it (example available on request). But with just shell scripting, no, it's not possible.
Quote:
Originally Posted by alister
And, you can forget about any LD_PRELOAD tricks since ps is a SUID binary.
Wrong. Any binary may query the kernel about running processes. On HP-UX:
On Linux:
1. Put the script in a separate expect script file, and use your bash script as a wrapper script. From bash, call the expect file. This will prevent the expect commands from appearing in ps.
2. Instead of hardcoding the password in the file, store the password in a separate file and protect the file so that only the authorised users can access it.
3. Instead of using a password, encode the password algorithm instead. For example your password may be month-based, e.g. mypasswdJul2010, so put the algorithm in the code to generate it.
expect is an ugly, last-resort solution for things that won't cooperate any other way, and tends to make insecure and unreliable solutions. If you think ssh can't be automated without it, you've learned the wrong lesson; there's a much better and more secure method built into ssh itself: authorized keys. It doesn't make much sense to say "my account policy says I can't automate this; therefore I'll automate it anyway, avoid the proper way since that's not allowed, and use the least secure and most contrived way imaginable instead!" Somehow I don't think that's what their security policy had in mind.
Wrong. Any binary may query the kernel about running processes. On HP-UX:
On Linux:
From the original post:
Quote:
Originally Posted by dukevn
clients are Mac OS X
It wasn't my intention to assert that every ps implementation is suid, just those that are of interest to the original poster.
From OSX 10.4.11:
From (a friend's) OSX 10.5.8:
Quote:
Originally Posted by pludi
Wrong. Any C program can lie to ps and the kernel, simply by changing it's arguments. The only restriction is that the new contents may not be larger than the original if you just overwrite it (example available on request).
I assume you mean modifying argv[]. Testing with the following code that I whipped up:
In the discussion that follows, success means that after invoking the executable with "./a.out real", ps lists it as "./a.out fake".
(Yeah, I have a lot of old machines lying around with outdated os installs )
Furthermore, in the BSD-ish cases (at least, perhaps others), the struct with the process info contains the original argv in addition to the current argv (which may differ as when deliberately modified by the process itself).
If you were referring to a different type of argv manipulation, or something altogether different, or if there's an error in my C code, I would appreciate the enlightenment.
I am writing a shell script for sql loader (just copy part of the code) :
For security reason, I have to put the below loginName and password into another separate file instead of in the same file of this script.
Anyone can give me a hand. Thanks.
Shell Script :... (12 Replies)
i have a shell script which calls a java program with username and password arguments.
#!/bin/ksh
#set some classpaths here
#finally run the command
java com.test -u $U -p $P
Now when i run it, the password shows up in the list of processes. I am not the admin on the server so cant... (3 Replies)
I want to give my long scripts to customer. The customer must not be able to read the scripts even if he has the password. The following command locks and unlocks the script but the set +x is simply ignored.
The code:
read -p 'Script: ' S && C=$S.crypt H='eval "$((dd if=$0 bs=1 skip=//|gpg... (7 Replies)
i have an expect script that runs like this:
/usr/bin/expect -f /home/skysmart/commandstoexecute.sh host2.net b$4aff Skysmart
when i run this command, and i do a ps -ef and egrep for expect, i see the exact line in the process table and it shows my password for the world to see.
how can i... (2 Replies)
Hi
I have following problem Im writing a script (in bash ) , where need to be written login & passwd for databas client .
Its need to in following form login passwd@dbhostname .
The problem is so anybody can read it so the passwd & login are visible and thats not very safety .
Can... (8 Replies)
hi all,
i run sqlplus command on unix(HP-UX)
like "sqlplus username/password@serverA @deneme.sql"
but when someone run "ps -ef | grep sqlplus", it can see my username and password :(
How can i hide username and password.
thanx. (1 Reply)
Hi,
I am writing a UNIX .ksh script and need to send the login password of the login id that is executing the script to a command that I am executing in the script. I don't want that password to be seen by anyone except whoever is executing the script.
Does anyone know how I can accomplish... (6 Replies)
All,
In my script I am calling another script.. in that script I need to enter a password. Problem is that everyone is able to see the password when I enter that. Is there any way that when i enter that password it should not display or may look like *******.
Or if there any other way that I... (1 Reply)
Hi falks,
I have the following ksh code:
echo "Enter VS Admin password:"
oldstty=`stty -g`
stty -echo intr '$-'
read password
stty $oldstty
echo
This code ask from a user to enter his password. The OS suppose to hide the entering of the... (2 Replies)
I am doing a project in C program which requires to type in password in Unix terminal. Does anybody know how to shade or not output any words typed by user in the terminal?
I use the function scan() to read typing from user. Thanks in advance. (2 Replies)