[rancid] Can clogin prompt for a password?
rc.harrison at gmail.com
Fri Aug 5 18:33:50 UTC 2016
It's a bad idea to have secrets appear in argv, or even to have them
appear in terminal output (I've worked in several environments where all
terminal output was recorded - obviously this includes echoed input).
ssh-askpass and friends offer a convenient way to prompt for a secret
without having that secret appear in process information or terminal output.
Back when Kerberos was still commonly supported on network elements it
offered a better way still...
On Aug 4, 2016 4:27 PM, "heasley" <heas at shrubbery.net> wrote:
> Thu, Aug 04, 2016 at 10:35:11AM -0500, Brandon Ewing:
> > On Thu, Aug 04, 2016 at 03:27:53PM +0000, heasley wrote:
> > >
> > > Not exactly, but you could wrap it in shell that prompts then executes
> > > *login -p $passwd
> > > unfortunately, that will appear in ps(1). you could also use include
> > > in the .cloginrc to include a file that the shell wrapper creates
> > > runtime.
> > >
> > > it's not impossible to add such a feature though; it just doesn't exist
> > >
> > > of course, if you can not trust those with root ....
> > Hrm, I kind of like this approach -- environment variable passing into
> > command line. Would it be feasible to reset $0 in *login to mask the
> > password in a process listing?
> it may be; i have not tried it. Note however that even doing that would
> leave a race, between start-up and squashing the argv index.
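The wrapper idea from the thread (prompt, then hand clogin a file created at runtime instead of `-p $passwd`), as an added example that is not code from the thread or from RANCID. It assumes clogin's `-f` option and the cloginrc `add password` and `include` directives; the function names and temp-file name are hypothetical.

```shell
#!/bin/sh
# Added example: the password never appears in argv or in terminal echo.
# printf/read are shell builtins, so no exec'd process receives the secret.

# Read one line from stdin into $secret; echo is off when stdin is a tty.
read_secret() {
    if [ -t 0 ]; then
        printf '%s' "$1" >&2
        tty_state=$(stty -g)
        trap 'stty "$tty_state"; exit 130' INT TERM
        stty -echo
        IFS= read -r secret
        stty "$tty_state"; trap - INT TERM
        printf '\n' >&2
    else
        IFS= read -r secret
    fi
}

# Write a mode-0600 cloginrc: the prompted password first (first match wins),
# then the user's usual file. Prints the temp file's path.
write_rc() {   # write_rc <host> <password>
    case $2 in   # conservative: these would need Tcl quoting inside {}
        *\{*|*\}*|*\\*) echo "password contains {, } or backslash; refusing" >&2; return 1 ;;
    esac
    rc=$(umask 077; mktemp "${TMPDIR:-/tmp}/cloginrc.XXXXXX") || return 1
    {
        printf 'add password %s {%s}\n' "$1" "$2"   # append {enable-pw} if needed
        if [ -r "$HOME/.cloginrc" ]; then printf 'include {%s}\n' "$HOME/.cloginrc"; fi
    } > "$rc"
    printf '%s\n' "$rc"
}

# Prompt, run clogin against the private file, then remove the file.
clogin_prompted() {   # clogin_prompted <host> [clogin options...]
    host=$1; shift
    read_secret "Password for $host: " || return 1
    rc=$(write_rc "$host" "$secret") || return 1
    unset secret
    trap 'rm -f "$rc"; exit 130' INT TERM
    clogin -f "$rc" "$@" "$host"
    status=$?
    rm -f "$rc"; trap - INT TERM
    return $status
}

# Run only when invoked with arguments, e.g.: sh wrapper.sh router1
if [ "$#" -gt 0 ]; then clogin_prompted "$@"; fi
```

The secret still exists briefly on disk in a file readable by its owner and by root, so this removes the ps(1) and terminal-recording exposure but not the trust in root mentioned in the thread.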