Bash security questions

[linx255]

Are there any security vulnerabilities when using bash scripts in terminals to store a security-sensitive string of data, such as a password, as a variable? I'm designing scripts to run on workstations that will be networked to a server and each other and the internet. Wasn't sure if this is even a concern but thought I should check since applications use Mint's keyring. Is there a more secure way to store / work with sensitive data for bash scripts? It would be nice if I can safely store a password typed by the user in a bash script that can plugin that password into any number of commands in the future without worrying about it leaking from the memory to the OS or network.

Thanks

[Habitual]

Never, ever, EVER store a password in a script.
Use ssh-keys dedicated to a sole task or user+task for connections.
This mechanism is independent of any key manager on your DE.

Code: Select all

ssh-keygen -f "$HOME"/.ssh/keyname_rsa -t rsa -N '' -q

Where keyname_rsa is indicative of the task, or user+task that needs access to remote servers.
copy contents of "$HOME"/.ssh/keyname_rsa.pub to remote hosts' <user_dir>/.ssh/authorized_keys or <user_dir>/.ssh/authorized_keys2

[linx255]

Thanks, good to know! Does the -t rsa -N '' have anything to do with RSA encryption, or is that an acronym for something else? It was recently discovered RSA has dual elliptic curve deterministic random bit generation backdoor weakness, which could be exploited by anyone with enough encryption expertise. I don't know when or if they will fix it, but RSA's CTO advised against using their algorithms, as of 9/2013, per wired.com. Can I use an algorithm other than RSA with that ssh-keygen, like AES-256-CBC? Also, I don't need public keys, just one key for the one user doing the encrypting and decrypting.

And I'm confused by what you mean by tasks, remote servers or remote hosts:

"Where keyname_rsa is indicative of the task, or user+task that needs access to remote servers.
copy contents of "$HOME"/.ssh/keyname_rsa.pub to remote hosts' <user_dir>/.ssh/authorized_keys or <user_dir>/.ssh/authorized_keys2"

Is the idea behind ssh-keygen to generate a hash value and store it in a file? If so, for now I just need one private key and it does not thus far need to be accessed by a remote host or sent to a remote server, and would just like to store it in the local machine. I just need the ability for a user to enter a password into a script, store it securely, outside the script of course, but still allow the script itself to retrieve it later. Can this be safely done?

Thanks again!

[Habitual]

Is the idea behind ssh-keygen to generate a hash value and store it in a file?

In a sense. The contents of the key.pub contents could be considered a hash value.

If so, for now I just need one private key and it does not thus far need to be accessed by a remote host or sent to a remote server, and would just like to store it in the local machine.

if you store the key file locally and do NOT send it (key.pub contents) to the remote server, then the local key is useless.

I just need the ability for a user to enter a password into a script, store it securely, outside the script of course, but still allow the script itself to retrieve it later. Can this be safely done?

No. Have I not said that passwords in script files are not Secure?
You could also use expect.

Either utilize the ssh key file mechanism, or leave the password out of the script and have the script prompt the user for the password. Or use an expect script.

Hope that helps.

[linx255]

Sorry, when I first asked the question I should given you some context. This is obviously more involved and beyond my level of expertise than I imagined it would be, and I didn't realize that I would need to be more specific...

First, I recall saying:

...I don't need public keys, just one key for the one user doing the encrypting and decrypting.

I never mentioned using paired keys or a remote server. I continued:

I just need one private key and it does not thus far need to be accessed by a remote host or sent to a remote server, and would just like to store it in the local machine.

So there are no servers and no reason for a paired key in my case. I want one key for one desktop (local) machine-- just assume it's a non-networked virtual machine. ( Am I correctly understanding the terminology: 'remote server'? I'm not sure what you meant, and I never really understood the use for paired keys unless there are multiple users; unless you are referring to the machine itself as a user. Again, this stuff is a bit out of my league. ) Basically, I would like the same or similar functionality as an openssl encryption operation using one key. For example:

Code: Select all

openssl aes-256-cbc -e -a -salt -in file -out file -k pass

If we generate a hash value and store it in a file for retrieval later with ssh, openssl, or whatever command, that's great; so far so good. When you said:

Never, ever, EVER store a password in a script.

I took this to mean that it is unsafe to store a password ( collected from the user via script ) as a bash variable, which I promise I am never going to do.

You said:

passwords in script files are not Secure...Either utilize the ssh key file mechanism, or leave the password out of the script and have the script prompt the user for the password. Or use an expect script.

To that I say: I would like to have the script prompt the user for the password-- but store it, as I said:

outside the script

.

So can this be done with a bash script or not? You suggested using expect, which installs Tcl, but if I'm going to learn a new language, I'd prefer to jump onboard with an open-source one like Falcon. ( I prefer to avoid using corporate-controlled software / programming languages when possible. )

Again, I apologize for not contextualizing my question earlier, so here is the big picture: I want to build a custom program that can:

1) run for the duration of the session
2) function as a "server" to outside applications and automate script-like operations
3) prompt the user for a password one time for the duration of the session
4) securely store the password ( one key on one local machine ) either in memory or the hard drive
5) automatically plug-in the collected password into any number of program operations
6) forget or delete the password when the program ends or is closed

From the research I did, it looks like Falcon programming language is designed to do just these things. I hope I am making better sense now. If so, I'd appreciate any further feedback you may have; this is completely new territory for me and I can use any and all advice and correction in case I am misunderstanding anything. If this can be done with a bash script, I'd prefer to just stick with that, of course, since it's simpler and familiar.

[Habitual]

Again, I apologize for not contextualizing my question earlier, so here is the big picture: I want to build a custom program that can:

1) run for the duration of the session
2) function as a "server" to outside applications and automate script-like operations
3) prompt the user for a password one time for the duration of the session
4) securely store the password ( one key on one local machine ) either in memory or the hard drive
5) automatically plug-in the collected password into any number of program operations
6) forget or delete the password when the program ends or is closed

No need to apologize, I'm sure the confusion is all mine.

I should have said that using ssh-keys is a secure alternative to any scripting variables that may be insecure.
Here's an example script I wrote to ask the user for IP, username and password for connecting to a remote Windows desktop from a linux host:

Code: Select all

#!/bin/bash

echo -n "IP...? "
read IP
for periods in "$@"
  do
   sed -e 's/\./\./' "$IP"
  done
   
echo -n "user...? "
read USER

echo -n "pass... "
read PASSWORD

rdesktop "$IP" -u "$USER" -p "$PASSWORD" -r clipboard:PRIMARYCLIPBOARD -g 80\%
PASSWORD=" "

I saved this as rdp.sh
and I run it as a bash shell script file in terminal
do stuff on remote host...
I exit the running desktop and I check for "$PASSWORD" in terminal with

Code: Select all

echo "$PASSWORD"

and nothing is returned.

Code: Select all

PASSWORD=" "

is merely good programming 101 (just in case)
I removed it from my script and re-ran the script from command-line and the "$PASSWORD" variable content is empty.

wrt:

automatically plug-in the collected password into any number of program operations

If you use

Code: Select all

read PASSWORD; export PASSWORD

then "$PASSWORD" contents become 'visible' to external routines.

So if rpd.sh was used and I wanted to pass contents of "$PASSWORD" to another shell program, I'd export it.
But that is only valid during the bash session that started it.
If you close the terminal, the exported "$PASSWORD" will not be available.

Does that help?

[linx255]

I'm still unclear what my solution should be, but before I jump into that, another important question crept up:

Never, ever, EVER store a password in a script.

Do you mean never store the password in the script file contents or don't store it in an bash variable? I ask because you later seemed much more relaxed about putting a password into $PASSWORD. At any rate, I definitely won't store the password in the script file contents.

It sounds like for the time that the password is stored in $PASSWORD it is vulnerable to interception, ergo, clearing the variable after we're done using it would only protect against an attack occurring after the variable was cleared. Again, I don't know what kind of attack this would be or how it would work or what conditions would make it possible.

I don't ever want $PASSWORD to be intercepted by an external application or silent malware script, should one exist. I'm not sure if exporting $PASSWORD to make it globally available is what I want to do or not; I don't understand what the security issues are. I suppose if a malware script was running silently behind my back then exporting a password would be a bad idea. Would normal applications have access to an exported $PASSWORD variable? Can they read the sector of the RAM containing $PASSWORD and derive its contents or otherwise convert that RAM data to readable text? Can I pass a variable on to another single script ( specified by me in my script ) without globalizing it? It seems I recall from way back that I was unable to pass a variable from a child to parent without globalizing it, too.

I think my solution depends on the answers to these questions and my general understanding of bash security vulnerabilities, which I'm still a bit fuzzy on. Thanks

[Habitual]

I'm still unclear what my solution should be, but before I jump into that, another important question crept up:

...Do you mean never store the password in the script file contents or don't store it in an bash variable? I ask because you later seemed much more relaxed about putting a password into $PASSWORD. At any rate, I definitely won't store the password in the script file contents.

I wouldn't.

It sounds like for the time that the password is stored in $PASSWORD it is vulnerable to interception, ergo, clearing the variable after we're done using it would only protect against an attack occurring after the variable was cleared.

The variable is only available to the script as it's running, or any child-process script called as an export for the duration of the script.

I'm not sure if exporting $PASSWORD to make it globally available is what I want to do or not

You don't want to do that.

Would normal applications have access to an exported $PASSWORD variable?

The variable is only available to the script as it's running, or any child-process script used as an export for the duration of the script.

All of your concerns can be avoided by using ssh-keys.

[linx255]

Well, I'm still baffled:

1) Why are there two output files ( a long file with no extension, and a short file a .pub extension ); what is the functional difference between them? I don't understand how this output would be used to solve my problem.

2) What code do I use to retrieve the password I entered using the two output files I just generated? Again, my aim here is to not have to re-type the key during the script session, so how do I now plugin the key to a command in my script?

3) The output file shows it's AES-128-CBC. Can I use AES-256-CBC instead? It doesn't look like I get a choice. Why are we specifying 'key types' but not actual encryption algorithms? In openssl I've only ever specified the algorithm.

4) Speaking of 'key types', I'm assuming the reference to RSA in the code is a reference to "Ron Rivest, Adi Shamir, and Leonard Adleman" encryption; is this accurate? I can't find any literature on ssh-keygen explaining what 'rsa' means except that it's one of several key types ( rsa1, rsa, dsa and ecdsa ). And I don't know if these 'rsa' keys have anything to with the company, RSA Security ( founded by those 3 men ), but recently many of their cryptography products were demonstrated to have a Dual_EC_DRBG backdoor weakness to which their CEO advised customers to stop using these products. I'm a noob to this kind of cryptography and I don't know if the rsa keytype used in ssh-keygen is affected, but if I end up writing software that thousands of people use RSA doesn't seem like a good choice. Comments anyone?

[Habitual]

Well, I'm still baffled:

1) Why are there two output files ( a long file with no extension, and a short file a .pub extension ); what is the functional difference between them? I don't understand how this output would be used to solve my problem.

https://en.wikipedia.org/wiki/Ssh-keygen

2) What code do I use to retrieve the password I entered using the two output files I just generated? Again, my aim here is to not have to re-type the key during the script session, so how do I now plugin the key to a command in my script?

There is no recovery of the password if you forget it. It is as Dead as dog poop.

Code: Select all

ssh -qi /home/<user>/.ssh/<keyname> user@host

3) The output file shows it's AES-128-CBC. Can I use AES-256-CBC instead? It doesn't look like I get a choice. Why are we specifying 'key types' but not actual encryption algorithms? In openssl I've only ever specified the algorithm.

I don't know what you're typing to create this output, so I can't answer this one. I use

Code: Select all

ssh-keygen -f $HOME/<keyname_rsa -t rsa -N '' -q

to create non-passworded RSA Keys.

4) Speaking of 'key types', I'm assuming the reference to RSA in the code is a reference to "Ron Rivest, Adi Shamir, and Leonard Adleman" encryption; is this accurate? I can't find any literature on ssh-keygen explaining what 'rsa' means except that it's one of several key types ( rsa1, rsa, dsa and ecdsa ). And I don't know if these 'rsa' keys have anything to with the company, RSA Security ( founded by those 3 men ), but recently many of their cryptography products were demonstrated to have a Dual_EC_DRBG backdoor weakness to which their CEO advised customers to stop using these products. I'm a noob to this kind of cryptography and I don't know if the rsa keytype used in ssh-keygen is affected, but if I end up writing software that thousands of people use RSA doesn't seem like a good choice. Comments anyone?

IF rsa keys were suspect, the entire Linux world would have an updated version ssh-keygen on their repos that wouldn't include its format in its' output, and that is not the case.

You should spend some time on Wikipedia reading up on such subjects.

They explain it much better than my feeble attempts ever could.

One or more of those article links will enlighten you on the relationship of RSA Security products and RSA keys generated by ssh-keygen.

Your questions are valid and should be answered by studying the cursory articles content (and source document links) at wikipedia.

[linx255]

Sorry to drag this out, but these topics are so vast--there must be 500 articles in that link and I definitely don't have time go them all. lol I did read the main article on ssh-keygen, from which I'm not able to derive any meaningful conclusions about its relevance to my problem. I don't think we're communicating because I have said I do not want a public key and a private key-- just one private key. I copied your code:

Code: Select all

ssh-keygen -f $HOME/<keyname_rsa -t rsa -N '' -q

into my terminal and executed. It does not let me specify a password, then it spits out two keys instead of one. And when I do:

Code: Select all

ssh -qi /home/<user>/.ssh/<keyname> user@host

there is no output. What does @host mean? Again, I need everything to happen exclusively on the local machine. We can assume this is a non-networked virtual machine. How would I use the former code to allow me to specify a password and generate one key, and then use the latter code to decode the key and plug it into a command such as openssl so I can automatically encrypt and decrypt files for a bash session without having to re-enter the keys?

Am I making sense? I'm just not sure ssh-keygen is what I need, or if it is I don't understand how to use it to my purpose.

[Habitual]

We can assume this is a non-networked virtual machine.

where you said

I'm designing scripts to run on workstations that will be networked to a server and each other and the internet.

If it is a private environment. then use

Code: Select all

echo -n "pass... "
read PASSWORD

If is a networked environment exposed to other hosts on an open network, then use ssh-keys.
2 keys in the output...

Openssl and openssh are not the same thing.
See http://security.stackexchange.com/quest ... ore-secure

I am not discounting your quest for information in this thread, I am merely trying to "teach you how to fish".
Anything I tell you should be verified and that requires reading links and posts on the subject(s) to prove with satisfaction that any answer I provide is accurate.

If you "don't have the time" then neither do I.
Sorry if that's rude, but if this was an easy subject, we'd be done by now.

https://www.openssl.org/
http://www.openssh.com/

[linx255]

Lol no worries it's understood. I was just hoping someone could break it down and summarize but I guess it's irreducible at this level.

I am developing this for eventual use in workstations but I am first trying to get it working on a single machine or VM. I'm aware of the difference between openssl and openssh. It just so happens I need to plug the passwords into unrelated openssl operations. I wasn't sure if openssl could also be used to solve this problem. Sorry for the confusion and thanks for your time.

At any rate, even when using on networked workstations I still only want to use one key, and not paired keys. How to achieve this is my next task.

[Habitual]

At any rate, even when using on networked workstations I still only want to use one key, and not paired keys. How to achieve this is my next task.

That's eas(y|ier)!
After copying contents of key.pub to any other workstation's /home/<user>/ssh/authorized_keys file, simply delete the local copy of key.pub.

If at some time you need the contents of that pub for another hosts' /home/<user>/ssh/authorized_keys, you can simple copy the key's entry from a remote machine you already have access to, to the new remote hosts' /home/<user>/ssh/authorized_keys file

Also:

Code: Select all

ssh-keygen -f ~HOME/.ssh/My_Key_Name -t rsa -N '' -q -C "Description here"

where "Description here" should be something indicative of the task and/or user using it.
Examples:

Code: Select all

ssh-keygen -f $HOME/.ssh/My_Key_Name -t rsa -N '' -q -C "This key is for automated backups"

Code: Select all

cat $HOME/.ssh/My_Key_Name.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCu544hTjGCA3TGLW8TZlXxhCrjgPYWNxxl6H/zd7KYbcmf5fYLnjOYypfsZXsDFR1AscyTAkF7HjZtY1mCP3NsGDVObB1HdvPAqadS05b7Sv4NttMS3ugO0rVct7L2SHda239aEUb7uwhtF8CjDlsSFxZXpySfAgsYTs/87Icm3BlDE9UdqYYMD2h6coI14j6S0wSjWeRyyQ4+HcyfDhe+z1RuEckskaLIi4d4Kr+k9/+O9VOYcEyFXtlqfByYNx8PXtsl7r3KrRh3asabyY954P8L12DMXKKGwbeTjlOQ2wvwCSJZYrERTFCO0Ug7R2OtRbtEPfW1mf+m+VCTaDI5 This key is for automated backups

and

Code: Select all

ssh-keygen -f $HOME/.ssh/My_Key_Name -t rsa -N '' -q -C "This key is for widget script.sh"
cat $HOME/.ssh/My_Key_Name.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpfZHoX15BJa+JsTa7oQ15l0qD9J+GdiseDi99bLLgw0YUyeydk3E+ziiXav3/1r1rIOIlkE9mz/wHXPVbkvKdt6XrI7ZebXm80fSZs1x9RDiGgmTJlQ/j/vxCVSo87sKpOoygJpvU50iZMTKrHApOAzHeHjjGk/tWrlBlcSvO62xHj7Gg7EXteWCU/nusyAf0uZowNJSca4DbYd0xtnMtahZf0nR2Uv98s5SY4t9J3MWswqencwcs22UzdAU9pY99aPoeqdcyDIv+YxTeMwiVkhZX0DOWkPVOc/ERZm4KvM/dLXkxYeinLD/0RTKBswkAM0POrI9l/1s9/Wwv9ZIv This key is for widget script.sh

Though, there's no harm in leaving key.pub around.
Protect with your life the key, but key.pub is useless to anyone that doesn't have key.

They go together like Oreos and Milk.

Have a Great Day!

[linx255]

I find it incredibly difficult to both understand and articulate my own problem.

From what I've gathered about ssh from wikipedia and forums, the script cannot pass the password that I entered in ssh-keygen, from the resulting key file to a command. Having a key file does not solve my problem unless the password I typed in can be passed to a command. ( The idea is to not have to type the password more than once per session. )

The key file may store my password in encrypted form but there is no authority I can give the script ( or myself ) to extract the password and plug it into a command. Apparently the data in an ssh key is all that can be recovered, and that requires typing the password. The password itself cannot be recovered. Besides, I don't want a password to protect a key to later recover the key, I just want a password protected against theft but still accessible to the script.

When I first tried your suggestion to use ssh-keygen I mistakenly believed I would be able to automatically retrieve the password and feed it to as many commands as I wanted for the duration of the session. I can find no examples of such functionality with ssh-keygen or any other tool, or any article claiming this is possible. How then is an application to securely remember and apply passwords? At some point the password has to be in unencrypted form either on the disk or in the RAM.

You mentioned using expect scripts-- however, I can find no examples / explanations relevant to my problem and it appears most of the expect scripts are for connecting to remote hosts, which I think is what you originally thought I was trying to do. What I am trying to create might not exist out there, but if you understand my problem can you direct me to an expect script example that can be used for my purpose ( even if some adaptation required )?

[Habitual]

I find it incredibly difficult to both understand and articulate my own problem.

I'm certain I am not helping. But don't despair, this is part of what scripters "go through". Believe that.
It helps greatly to reduce your script logic to its' basest form and write what's called Pseudo-Code (think of a flowchart),
Pseudo-Code is done in your natural language, but English is assumed here, sorry about that.
Example from a Jell-O food product:

Code: Select all

Add 1 cup boiling water to a 3 quart glass baking dish.
Slowly stir in Jello Mix.
Stir until dissolved.
Refrigerate.

or

Code: Select all

Connect to remote host.
export database to file.sql
scp file.sql to a remote host1.
grab file2.sql from remote host2.
import into local host database.
exit

Both are, or could be considered Pseudo-Code. Real Simple and Real Basic.

From what I've gathered about ssh from wikipedia and forums, the script cannot pass the password that I entered in ssh-keygen, from the resulting key file to a command. Having a key file does not solve my problem unless the password I typed in can be passed to a command.

I don't believe it can, but I could be wrong. What I don't know could fill a warehouse.

Apparently the data in an ssh key is all that can be recovered

The only 'data' in an ssh-key is the key itself.

I just want a password protected against theft but still accessible to the script.

This is why it is stored in your /home/<user>/.ssh directory with Read Only privileges.

If you want a single key with and without a password (safety-net) here's what I would do.
Generate a key with a password, say ~HOME/.ssh/linx255 and copy that key to a removable drive and then remove the password on the removable drive's copy of the key. Put the removable drive USB device in a safe place. But this won't help in your script.

When I first tried your suggestion to use ssh-keygen I mistakenly believed I would be able to automatically retrieve the password and feed it to as many commands as I wanted for the duration of the session. I can find no examples of such functionality with ssh-keygen or any other tool, or any article claiming this is possible. How then is an application to securely remember and apply passwords? At some point the password has to be in unencrypted form either on the disk or in the RAM.

Again, the password is for physical access to the key only, a safe-guard against physical access to your /home/<user> directory. Rule Number One in Security: There is NO security without Physical Security.

What I am trying to create might not exist out there, but if you understand my problem can you direct me to an expect script example that can be used for my purpose ( even if some adaptation required )?

Some pseudo-code may help clarify this entire situation right up. It all depends on what you want this script "to do".
Once the mechanics of "what" is known, then layering in Security is usually an easy task.

As usual in Linux there are many ways to "skin a cat".

[linx255]

Thanks again!