Username and Password are passed as plain text as environment variable while running a bash script from a existing process. using following command.
sudo -u someuser USERNAME=abc PASSWORD=xyz /path/to/script/bashscript argument1 argument2
Above bash script is user configurable script with username and password. the challenge i am facing above is, Environment variables are getting logged. like in auth.log which we don't want.
I am looking for ways to achieve one of the following:
To prevent it from logging(like into auth.log).
encrypt username and password in exiting process(c program) and pass as environment variable and have some way to decrypt it in bash script.
I tried looking solution for this. didn't found any which fit with my use-case. Can someone please help me with this? i will also like to know any other ways to make system more secure.
Thanks in advance.
This question is a bit off-topic, but I will answer it anyway.
IMO, the proper way is to get rid from working with plain passwords at all. I'm pretty sure there might be multiple ways of achieving this, but these are the options which popped out in my head right now:
Configure sudoers:
Create /etc/sudoers.d/user_a with following:
user_a ALL=(user_b:user_b) NOPASSWD:ALL
Then whenever user_a executes sudo -u user_b password will not be required.
Another way would be to use SSH keys and then run scripts locally via:
ssh someuser#localhost "/path/to/script arg1 arg2"
Related
I am trying to automate SSH login by using password. I can't use expect command or sshpass etc. So I am left with only option to use password directly.
Did lot of research in google and didn't get any solution... :(
Please help me with this.
The code I tried is.
#!/bin/bash
USERNAME=user1
PASSWORD=abcd1234
HOSTS="server01.mat.us"
ssh ${HOSTS} -l ${USERNAME} -p ${PASSWORD}
The OpenSSH ssh utility doesn't accept a password on the command line or on its standard input. This also applies to the scp and sftp file transfer utilities, which invoke ssh to make the SSH connection. I believe this is a deliberate decision on the part of the OpenSSH developers. You have these options available to you:
Use an SSH key for authentication, instead of a password.
Use sshpass, expect, or a similar tool to invoke ssh through a TTY and automate responding to the password prompt.
Use (abuse) the SSH_ASKPASS feature to get ssh to get the password by running another program, described here or here, or in some of the answers here.
Get the SSH server administrator to enable host-based authentication and use that. Note that host-based authentication is only suitable for certain network environments. See additional notes here and here.
Write your own ssh client using perl, python, java, or your favorite language. There are ssh client libraries available for most modern programming languages, and you'd have full control over how the client gets the password.
Download the ssh source code and build a modified version of ssh that works the way you want.
Use a different ssh client. There are other ssh clients available, both free and commercial. One of them might suit your needs better than the OpenSSH client.
I'd recommend to use ssh keys instead of password if it's possible.
This script can help you to upload your public key to desired remote machine:
https://github.com/aprey10/ssh-authorizer
I am trying to create a bat file that will run cmd as administrator, then execute net command as shown below:
runas /user:administrator cmd "net localgroup administrators mjordan /add"
The goal is to add whoever the current user is as a local administrator.
So the first part works like a charm, and asks for the admin password. Upon entering the admin PW however, I do not see said test user under the local admin group. My best guess is I made a syntax error. But oddly enough no errors show up and command-line exits as if it executed.
Also, how would I make this execute and add the current user to the local admin group (thinking in a %username% way)? Not sure I am using the proper terminology, but say the user logged on running this command is JSmith. How could I make it add without using his name so it works on any account rather than just JSmith
Do you guys notice any errors? ...I am fairly new to creating bat files, and am learning as much as I can, so i know i must have messed up somewhere. Also, any references or study help is appreciated! Thank you!
I have implemented automation through batch file to login into a remote server and run a series of commands therin. My batch file contents are as follows:
#ECHO OFF
ECHO 1 -^> Connect 2 Server
ECHO 2 -^> Quit
SET /p ID=Enter Choice :
IF "%ID%"=="1" start "" C:\work\putty.exe -load SessionName -l UserName -pw Password -m cmd.txt
IF "%ID%"=="2" exit
My cmd.txt file contains the following commands:
su superuser
password
ssh server
password
su MyID
password
The batch successfully connects to the server; but it fails to retain the session. Any tweak would be appreciated.
For my own use I verified what -m switch does for putty
The -m option performs a similar function to the ‘Remote command’ box in the SSH panel of the PuTTY configuration box (see section 4.18.1). However, the -m option expects to be given a local file name, and it will read a command from that file.
With some servers (particularly Unix systems), you can even put multiple lines in this file and execute more than one command in sequence, or a whole shell script; but this is arguably an abuse, and cannot be expected to work on all servers. In particular, it is known not to work with certain ‘embedded’ servers, such as Cisco routers.
Roughly what I guessed. I think what's happening is that your commands might be running ok, but it terminates the session when done (which is also default behaviour for ssh [command] on unix. To get around this you could try running 'bash' at the end to start a terminal as that user, which should stay running until you exit. If this doesn't work you could try running 'sleep 10' to see if the session stays running longer - should verify that's the problem we're dealing with.
Much as stackoverflow demands strictly the answer to the question, which I hope I've provided above. I feel in this case it would be remiss to not flag the serious security concerns I'd have on what you're doing. I would maintain that you shouldn't answer a question about doing something securely (with ssh and root passwords involved) without covering potential security pitfalls.
What you're doing seems like a bad idea because:
it makes a file with two unencrypted root-capable passwords to anyone who finds that file
this script is also giving you root access by default, which isn't a safe way to operate. Ever accidentally type rm -r in the wrong window?
Also, someone messing with your second hop (by say, replacing the ssh server with a script to run ssh but log passwords) would get the password to the third hop with root privileges.
SSH keys should do away with using passwords to log on. Use them.
SSH port forwarding lets you also skip sshing from the second hop - instead just tunnel through it (I'm guessing the third box isn't internet accessible), again using ssh keys lets you skip passwords.
the first 'su superuser' shouldn't be necessary unless your permissions don't allow you ssh (does an ssh_allow group exist on that box?), which might be the problem you should actually fix - not being a member of the group allowed to use SSH.
I have to use sudo to run my program:
sudo ./my_program
I am trying to run git clone from my program, but it tries to use the root user's SSH keys instead of mine.
Is there a way to execute this single command as the user who originally invoked my program?
I guess I can do:
su - original_user -c "git --version"
But how do I figure out the username of the original user? Or is there another elegant solution this?
The sudo manual shows that $SUDO_USER should give you the original user's username and $SUDO_UID gives the original user's UID.
I had this problem with Samba on a NAS while creating files from a web-application.
In this case I retrieved the running processes and determined which user was running samba.
After isolating that name, I had the correct user account. Maybe this will work for your situation as well?
In this case I imagine you need to filter through the ps output and lookup the name of your program. See if that works by testing it on bash.
Can I set a small program that I wrote as my login shell? Instead of a regular login shell like bash? I tried googling but could not find any useful information. Any pointer is appreciated.
chsh -s /usr/bin/foo someuser
Or use vipw to edit /etc/passwd (just don't edit it directly).
Yes, you can change the login shell executable with the command chsh (change shell) or by manually editing the /etc/passwd file (the last value on the line is the login shell).
Editing the /etc/password file manually is discouraged, as 1) it requires root permission 2) the user base might not be local, but distributed using NIS, LDAP etc. and thus this will not work 3) chsh should work also in the case of a distributed user base.
As the question addresses unices, Solaris does not have this command and the only way you can mimic this behavior (without root access for which you can use passwd -e) is by executing the other shell from your .profile file.
Also, keep in mind that the custom shell binary must be present in /etc/shells, otherwise it will not work.