Obscuring network proxy password in plain text files on Linux/UNIX-likes

By : Brendan
Source: Stackoverflow.com
Question!

Typically in a large network a computer needs to operate behind an authenticated proxy - any connections to the outside world require a username/password which is often the password a user uses to log into email, workstation etc.

This means having to put the network password in the apt.conf file as well as typically the http_proxy, ftp_proxy and https_proxy environment variables defined in ~/.profile.

I realise that with apt.conf you could set chmod 600 (which it isn't by default on Ubuntu/Debian!) but on our system there are people who need root privileges.

I also realise that it is technically impossible to secure a password from someone who has root access, however I was wondering if there was a way of obscuring the password to prevent accidental discovery. Windows operates with users as admins yet somehow stores network passwords (probably stored deep in the registry obscured in some way) so that in typical use you won't stumble across it in plain text.

I only ask since the other day I entirely by accident discovered somebody else's password in this way when comparing configuration files across systems.

@monjardin - Public key authentication is not an alternative on this network I'm afraid. Plus I doubt it is supported amongst the majority of commandline tools.

@Neall - I don't mind the other users having web access, they can use my credentials to access the web, I just don't want them to happen across my password in plain text.

By : Brendan


Answers

With the following approach you never have to save your proxy password in plain text. You just have to type in a password interactively as soon as you need http/https/ftp access:

  • Use openssl to encrypt your plain text proxy password into a file, with e.g. AES256 encryption:

openssl enc -aes-256-cbc -in pw.txt -out pw.bin

  • Use a (different) password for protecting the encoded file
  • Remove plain text pw.txt
  • Create an alias in e.g. ~/.alias to set your http_proxy/https_proxy/ftp_proxy environment variables (set appropriate values for $USER/proxy/$PORT)

alias myproxy='PW=`openssl aes-256-cbc -d -in pw.bin`; PROXY="http://$USER:$PW@proxy:$PORT"; export http_proxy=$PROXY; export https_proxy=$PROXY; export ftp_proxy=$PROXY'

  • you should source this file into your normal shell environment (on some systems this is done automatically)
  • type 'myproxy' and enter your openssl password you used for encrypting the file
  • done.

Note: the password is available (and readable) inside the user's environment for the duration of the shell session. If you want to clean it from the environment after usage you can use another alias:

alias clearproxy='export http_proxy=; export https_proxy=; export ftp_proxy='

By : lumpidu
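The procedure in the answer above, written out as shell functions you can source from ~/.profile. This is an added example and not lumpidu's code; it assumes openssl with -pbkdf2 support, and the names PW_FILE, PROXY_HOST, PROXY_PORT, PROXY_USER, PROXY_PW_KEY and the functions below are invented for the example ("proxy" and 3128 are placeholder values). It goes beyond the alias in two ways: the passphrase can come from a variable instead of a prompt, and the password is percent-encoded before it is put into the URL, because a password containing "@", ":" or "/" would otherwise break every tool that parses http_proxy.

```shell
#!/bin/sh
# Added example (not from the original answers). Assumed names: PW_FILE,
# PROXY_HOST, PROXY_PORT, PROXY_USER, PROXY_PW_KEY; "proxy"/3128 are placeholders.
PW_FILE="${PW_FILE:-$HOME/.proxy_pw.bin}"
PROXY_HOST="${PROXY_HOST:-proxy}"
PROXY_PORT="${PROXY_PORT:-3128}"
PROXY_USER="${PROXY_USER:-${USER:-$(id -un)}}"

# Percent-encode a string for the userinfo part of a URL, so that a password
# like "p@ss:w/rd" is not split apart by the tools that parse http_proxy.
urlencode() {
  printf '%s' "$1" | LC_ALL=C awk '
    BEGIN { for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i }
    {
      for (i = 1; i <= length($0); i++) {
        c = substr($0, i, 1)
        if (c ~ /^[A-Za-z0-9._~-]$/) printf "%s", c
        else printf "%%%02X", ord[c]
      }
    }'
}

# openssl takes its passphrase from PROXY_PW_KEY when that variable is set
# (useful for scripts and tests); otherwise it prompts on the terminal, as in
# the answer above. The passphrase is never placed on a command line, so it
# does not show up in "ps".
_pw_key_opt() {
  if [ -n "${PROXY_PW_KEY:-}" ]; then echo "-pass env:PROXY_PW_KEY"; fi
}

# Encrypt the proxy password read from stdin into $PW_FILE, created mode 0600.
# The umask change is confined to a subshell so the caller's umask is untouched.
proxy_pw_store() {
  # shellcheck disable=SC2046
  ( umask 077; openssl enc -aes-256-cbc -pbkdf2 -salt $(_pw_key_opt) -out "$PW_FILE" )
}

# Decrypt $PW_FILE to stdout; exits non-zero on a wrong passphrase.
proxy_pw_load() {
  # shellcheck disable=SC2046
  openssl enc -aes-256-cbc -pbkdf2 -d $(_pw_key_opt) -in "$PW_FILE"
}

# Build the proxy URL and export it. If decryption fails the environment is
# left untouched and the function returns 1.
proxy_on() {
  pw=$(proxy_pw_load) || return 1
  PROXY="http://$(urlencode "$PROXY_USER"):$(urlencode "$pw")@$PROXY_HOST:$PROXY_PORT"
  export http_proxy="$PROXY" https_proxy="$PROXY" ftp_proxy="$PROXY"
  unset pw PROXY
}

# Remove the credentials from the environment again.
proxy_off() {
  unset http_proxy https_proxy ftp_proxy
}
```

Usage: `printf '%s' 'your-proxy-password' | proxy_pw_store` once (openssl prompts for the file passphrase), then `proxy_on` at the start of a session and `proxy_off` when done. The same caveat as in the answer applies: while the variables are exported, any process running as the same user, and root, can read them from the shell's environment, so the encryption only protects the password at rest and from being stumbled across in a config file.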


I suppose you could create a local proxy, point these tools through that, and then have the local proxy interactively ask the user for the external proxy password which it would then apply. It could optionally remember this for a few minutes in obfuscated internal storage.

An obvious attack vector would be for a privileged user to modify this local proxy to do something else with the entered password (as they could with anything else such as an email client that requests it or the windowing system itself), but at least you'd be safe from inadvertent viewing.



We solved this problem by not asking for proxy passwords on rpm, apt or other similar updates (virus databases, Windows stuff etc.). That's a small whitelist of known repositories to add to the proxy.

By : Gunstick

