Safe way to secure passwords in remote desktop script?


Postby Particle » 2018-07-08 20:27

Hello-

I'm trying to safely (relatively speaking) store login credentials in bash scripts that start a remote desktop client for managing some servers. (Motivation: I want to get away from using Remmina. I don't like it.)

My first thought was to keep the passwords in an encrypted password manager, but this proved to be impracticably inconvenient after a time.

My second thought was to include the passwords in the scripts themselves but then secure the scripts in a way that might require my system password but not generally be readable or executable as a regular user. To this end, I created a script like this:

Code:
# Connection settings (placeholders)
HOST="<hostname>:<port>"
USER="<username>"
PASS="<password>"
DOMAIN="<domain>"
RESOLUTION="2550x1350"
# Start the client as the unprivileged user "particle"; the script itself runs as root
sudo -uparticle xfreerdp /u:${USER} /d:"${DOMAIN}" /p:"${PASS}" /rfx +compression +clipboard +fonts /size:${RESOLUTION} /cert-ignore /sec:nla /v:${HOST}

I set the owner of the script to root:root and set the permissions to 700. I use sudo to call xfreerdp itself as a regular user (particle) to reduce my attack surface. It seems unwise to run a remote desktop client as root, which is what would normally happen when executing the script as root. This all works great with one exception. Normally when xfreerdp executes, if the /p (i.e. password) option is provided, the program will somehow obfuscate the password in the process's arguments. If you look at a list of running tasks with htop or something, you'll see /p:"**********" instead of the actual password. When xfreerdp is called with sudo, however, this doesn't (or maybe can't?) happen. The password is left exposed in plain text in the process list.

Is there perhaps a change I can make to resolve this deficiency in my approach? Is this an unavoidable consequence of calling a program with sudo?
Particle
 
Posts: 19
Joined: 2018-02-03 18:59
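
Added example, not part of the original post: every process keeps its own copy of the arguments it was started with, so a client that masks `/p:` in its own argv does not change the copy held by a wrapper (such as a sudo parent) that stays running. The check below classifies the `/p:` argument of a process and each of its ancestors through Linux `/proc` without printing the value; the function names and the script name `check.sh` are made up for illustration.

```shell
#!/bin/sh
# Added example: report whether an RDP password is readable in process
# arguments, without ever printing the password itself.

# pw_arg_state FILE
#   FILE holds NUL-separated arguments (the /proc/<pid>/cmdline format).
#   Prints: absent  - no /p: argument present
#           masked  - /p: value is empty or only '*' characters
#           exposed - /p: value is readable text
pw_arg_state() {
    tr '\000' '\n' < "$1" | awk '
        /^\/p:/ {
            if (substr($0, 4) ~ /^[*]*$/) { if (state == "") state = "masked" }
            else state = "exposed"
        }
        END { print (state == "" ? "absent" : state) }'
}

# audit_chain PID
#   Walks from PID up through its ancestors (client, sudo, calling shell, ...)
#   and prints "pid<TAB>command<TAB>state" for each one, because each process
#   holds a separate copy of its own arguments.
audit_chain() {
    pid=$1
    while [ "${pid:-0}" -gt 1 ] && [ -r "/proc/$pid/cmdline" ]; do
        printf '%s\t%s\t%s\n' "$pid" "$(cat "/proc/$pid/comm")" \
            "$(pw_arg_state "/proc/$pid/cmdline")"
        pid=$(awk '/^PPid:/ { print $2 }' "/proc/$pid/status")
    done
}

# Usage (hypothetical script name): sh check.sh "$(pgrep -n xfreerdp)"
if [ "$#" -gt 0 ]; then
    audit_chain "$1"
fi
```

The goal is `absent` for every process in the chain; FreeRDP's `/from-stdin` option, which reads credentials from standard input instead of the command line, is one way to keep the password out of argv altogether.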

Re: Safe way to secure passwords in remote desktop script?

Postby Dai_trying » 2018-07-08 21:08

I haven't used this, but I did find it interesting as a method for obfuscating code in bash scripts
https://stackoverflow.com/questions/642 ... binary-i-e

I cannot say whether it will work, but it might be worth trying.
Dai_trying
 
Posts: 567
Joined: 2016-01-07 12:25

Re: Safe way to secure passwords in remote desktop script?

Postby arzgi » 2018-07-09 08:38

Particle wrote: Hello-

I'm trying to safely (relatively speaking) store login credentials in bash scripts that start a remote desktop client for managing some servers. (Motivation: I want to get away from using Remmina. I don't like it.)

My first thought was to keep the passwords in an encrypted password manager, but this proved to be impracticably inconvenient after a time.

My second thought was to include the passwords in the scripts themselves but then secure the scripts in a way that might require my system password but not generally be readable or executable as a regular user. To this end, I created a script like this:



Perhaps ssh tunnel?
arzgi
 
Posts: 389
Joined: 2008-02-21 17:03
Location: Finland

