lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 06 Feb 2011 08:21:17 -0300 From: "Zerial." <fernando@...ial.org> To: full-disclosure@...ts.grok.org.uk Subject: Re: encrypt the bash history -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/04/11 16:36, Erik Falor wrote: > On Fri, Feb 04, 2011 at 04:18:53PM -0300, Zerial. wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> On 02/04/11 16:13, Valdis.Kletnieks@...edu wrote: >>> On Fri, 04 Feb 2011 16:06:06 -0300, "Zerial." said: >>>> what is the best way to encrypt the bash_history file? >>>> I try using crypt/decrypt with GPG when login/logout. It works, but not >>>> safe enough. >>> >>> Explain what the threat model is, and why GPG isn't safe enough? It's kind of >>> hard to recommend "best" when we don't understand what the criteria are... >>> >> >> The "way" is not safe enough. root can login as me (su - user) and >> bash_history will be decrypted. I try to find any better way to crypt >> and make unreadable the bash_history file from any other users, >> including root. > > Not to mention the fact that your .bash_history file is unencrypted > the entire time you're logged in. This is the problem on my "way" to protect/crypt the bash_history. A better alternative, if you're > that anxious about your shell history falling into the wrong hands, is > to disable it entirely: > > unset HISTFILE > HISTSIZE=0 > > You can also tell bash to not record commands that begin with a space: > HISTCONTROL=ignorespace > > More fine-grained control can be achieved with the HISTIGNORE > variable. See the 'Shell Variables' section of the bash(1) manpage. > > Finally, I wrote these functions to toggle history recording on/off > in a shell. I like how this works, when I remember to run it beforehand: > > # turn off history recording > function offtherecord() > { > if [[ -n "$HISTFILE" ]]; then > OLDHISTFILE=$HISTFILE > unset HISTFILE > fi > if [[ -n "$HISTSIZE" ]]; then > OLDHISTSIZE=$HISTSIZE > HISTSIZE=0 > fi > } > > # turn on history recording > function ontherecord() > { > if [[ -n "$OLDHISTFILE" ]]; then > HISTFILE=$OLDHISTFILE > unset OLDHISTFILE > fi > if [[ -n "$HISTSIZE" ]]; then > HISTSIZE=$OLDHISTSIZE > unset OLDHISTSIZE > fi > } > > Once you've run offtherecord, you lose all of your history for that shell until > you log back in. > Nice tip, but this solution doesn't work for me. I don't wanna avoid logging commands nor delete the bash history nor hide the commands. I wanna "encrypt" the file. I don't wanna miss commands which I executed. Another solution may be copy and move the history file from the server to the client, saving the bash_history on client side. But ... this will not work if I connect using client as putty. thanks for the asnwer, - -- Zerial Seguridad Informatica GNU/Linux User #382319 Blog: http://blog.zerial.org Jabber: zerial@...beres.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk1OhC0ACgkQIP17Kywx9JTuSgCcC455KT3/NrSZbOXNodc/zbG8 JmcAn3QtIlyVyri5qCPxBFlaLa04C8tk =OVc7 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists