Safe way to secure passwords in remote desktop script?

Particle
Posts: 19
Joined: 2018-02-03 18:59

Safe way to secure passwords in remote desktop script?

#1 Post by Particle »

Hello-

I'm trying to safely (relatively speaking) store login credentials in bash scripts that start a remote desktop client for managing some servers. (Motivation: I want to get away from using Remmina. I don't like it.)

My first thought was to keep the passwords in an encrypted password manager, but this proved to be impracticably inconvenient after a time.

My second thought was to include the passwords in the scripts themselves but then secure the scripts in a way that might require my system password but not generally be readable or executable as a regular user. To this end, I created a script like this:

Code:

HOST=<hostname>:<port>
USER=<username>
PASS=<password>
DOMAIN=<domain>
RESOLUTION="2550x1350"
# Run the client as the unprivileged user; the password is passed on the command line via /p:
sudo -uparticle xfreerdp /u:"${USER}" /d:"${DOMAIN}" /p:"${PASS}" /rfx +compression +clipboard +fonts /size:"${RESOLUTION}" /cert-ignore /sec:nla /v:"${HOST}"

I set the owner of the script to root:root and set the permissions to 700. I use sudo to call xfreerdp itself as a regular user (particle) to reduce my attack surface. It seems unwise to run a remote desktop client as root which is what would normally happen when executing the script as root. This all works great with one exception. Normally when xfreerdp executes, if the /p (i.e. password) option is provided the program will somehow obfuscate the password in the process's arguments. If you look at a list of running tasks with htop or something, you'll see /p:"**********" instead of the actual password. When xfreerdp is called with sudo, however, this doesn't (or maybe can't?) happen. The password is left exposed in plain text in the process list.

Is there perhaps a change I can make to resolve this deficiency in my approach? Is this an unavoidable consequence of calling a program with sudo?
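
An added example, not part of the original post and not code from FreeRDP or sudo: a small audit of process command lines that shows where the cleartext in the question comes from. A program can only overwrite its own argument vector, so a wrapper that is still running keeps the argv it was started with; the example assumes the sudo process stays resident while the client runs. The function names, PIDs, host name and password are constructed.

```bash
#!/usr/bin/env bash
# Added example (constructed data): list processes whose argv still holds a
# cleartext /p:<password>. A value made only of '*' counts as masked.

# find_exposed_rdp_args [PROC_ROOT]  -> prints "<pid> <argv0>", never the value.
find_exposed_rdp_args() (
    root=${1:-/proc}
    for f in "$root"/[0-9]*/cmdline; do
        [ -r "$f" ] || continue              # process exited or not readable
        pid=${f%/cmdline}; pid=${pid##*/}
        argv0=""; exposed=0
        # cmdline is a NUL-separated argv; map NUL to newline and read per argument
        while IFS= read -r arg; do
            if [ -z "$argv0" ]; then argv0=$arg; fi
            case $arg in
                /p:*) case ${arg#/p:} in *[!*]*) exposed=1 ;; esac ;;
            esac
        done <<EOF
$(tr '\000' '\n' < "$f")
EOF
        if [ "$exposed" -eq 1 ]; then printf '%s %s\n' "$pid" "$argv0"; fi
    done
)

# Constructed /proc-like tree: 4100 is the sudo wrapper, which keeps the argv it
# was started with; 4101 is the client after it masked its own copy.
make_sample_proc() (
    d=$(mktemp -d) || exit 1
    mkdir "$d/4100" "$d/4101"
    printf '%s\000' sudo -uparticle xfreerdp /u:admin '/p:Constructed-Pass-1' \
        /v:host.example:3389 > "$d/4100/cmdline"
    printf '%s\000' xfreerdp /u:admin '/p:******************' \
        /v:host.example:3389 > "$d/4101/cmdline"
    printf '%s\n' "$d"
)

sample=$(make_sample_proc)
find_exposed_rdp_args "$sample"    # prints: 4100 sudo
rm -rf "$sample"
```

Called without an argument, `find_exposed_rdp_args` audits the live `/proc`; where `/proc` is mounted with `hidepid`, it only sees the caller's own processes.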

Dai_trying
Posts: 1101
Joined: 2016-01-07 12:25
Has thanked: 6 times
Been thanked: 16 times

Re: Safe way to secure passwords in remote desktop script?

#2 Post by Dai_trying »

I haven't used this, but I did find it interesting as a method for obfuscating code in bash scripts
https://stackoverflow.com/questions/642 ... binary-i-e

I cannot say whether it will work but might be worth trying.

arzgi
Posts: 1197
Joined: 2008-02-21 17:03
Location: Finland
Been thanked: 32 times

Re: Safe way to secure passwords in remote desktop script?

#3 Post by arzgi »

Particle wrote:

Hello-

I'm trying to safely (relatively speaking) store login credentials in bash scripts that start a remote desktop client for managing some servers. (Motivation: I want to get away from using Remmina. I don't like it.)

My first thought was to keep the passwords in an encrypted password manager, but this proved to be impracticably inconvenient after a time.

My second thought was to include the passwords in the scripts themselves but then secure the scripts in a way that might require my system password but not generally be readable or executable as a regular user. To this end, I created a script like this:

Perhaps ssh tunnel?
