[rancid] Can clogin prompt for a password?

Russell Harrison rc.harrison at gmail.com
Fri Aug 5 18:33:50 UTC 2016


It's a bad idea to have secrets appear in argv[], or even to have them
appear in terminal output (I've worked in several environments where all
terminal output was recorded - obviously this includes echoed input).
ssh-askpass and friends offer a convenient way to prompt for a secret
without having that secret appear in process information or terminal output.

Back when Kerberos was still commonly supported on network elements it
offered a better way still...

-RH

On Aug 4, 2016 4:27 PM, "heasley" <heas at shrubbery.net> wrote:

> Thu, Aug 04, 2016 at 10:35:11AM -0500, Brandon Ewing:
> > On Thu, Aug 04, 2016 at 03:27:53PM +0000, heasley wrote:
> > >
> > > Not exactly, but you could wrap it in shell that prompts then executes
> > >     *login -p $passwd
> > > unfortunately, that will appear in ps(1).  you could also use include
> > > in the .cloginrc to include a file that the shell wrapper creates
> > > during runtime.
> > >
> > > it's not impossible to add such a feature though; it just doesn't
> > > exist now.
> > >
> > > of course, if you can not trust those with root ....
> >
> > Hrm, I kind of like this approach -- environment variable passing into
> > command line.  Would it be feasible to reset $0 in *login to mask the
> > passed in password in a process listing?
>
> it may be; i have not tried it.  Note however that even doing that would
> leave a race, between start-up and squashing the argv[] index.
>
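
Added example, not part of the original thread and not RANCID code: the wrapper idea discussed above, where the password is prompted for with echo off and handed to clogin through a file that .cloginrc includes, so it never appears in argv[] or in terminal output. The function names, the CLOGIN_FRAGMENT variable, the fragment path and the refusal of braces and backslashes are assumptions made for this example.

```shell
#!/bin/sh
# Added example; function names and the fragment path are hypothetical.
# Assumes ~/.cloginrc contains a line such as:
#   include {/home/rancid/.cloginrc.session}

# Read the secret from the terminal with echo off; emit it on stdout (a pipe).
prompt_secret() {
    saved=$(stty -g < /dev/tty) || return 1
    trap 'stty "$saved" < /dev/tty' INT TERM
    printf 'Password: ' > /dev/tty
    stty -echo < /dev/tty
    IFS= read -r pw < /dev/tty
    stty "$saved" < /dev/tty
    trap - INT TERM
    printf '\n' > /dev/tty
    printf '%s\n' "$pw"
}

# Read one line from stdin and write it to file $1 as a .cloginrc
# "add password" line for device glob $2. Created 0600, never overwritten.
write_login_fragment() {
    IFS= read -r secret || [ -n "$secret" ] || return 1
    case $secret in
        ''|*[{}\\]*) return 1 ;;  # conservative: refuse chars needing Tcl quoting
    esac
    # printf is a shell builtin, so the secret is in no process's argv.
    # noclobber (set -C) makes the redirect fail if the path already exists.
    ( umask 077; set -C; printf 'add password %s {%s}\n' "$2" "$secret" > "$1" )
}

# Prompt, create the fragment, run clogin with the caller's arguments, clean up.
clogin_prompted() {
    frag=${CLOGIN_FRAGMENT:-$HOME/.cloginrc.session}
    prompt_secret | write_login_fragment "$frag" '*' || return 1
    trap 'rm -f "$frag"' EXIT INT TERM
    rc=0
    clogin "$@" || rc=$?
    rm -f "$frag"
    trap - EXIT INT TERM
    return "$rc"
}
```

The fragment still exists on disk for the lifetime of the clogin run, so this addresses ps(1) and terminal recording, not the "those with root" case raised in the thread.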