| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 6 Feb 2011 13:55:55 +0000
From: Peter Maxwell <peter@...icient.co.uk>
To: "Zerial." <fernando@...ial.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: encrypt the bash history
To be honest, none of these methods will actually be effective: root can do
what he/she likes, including monitoring *everything* you do. Worrying about
shell history is not going to solve anything.
Your only choices are to trust root, or setup your own host.
Peter Maxwell
On 6 February 2011 11:21, Zerial. <fernando@...ial.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 02/04/11 16:36, Erik Falor wrote:
> > On Fri, Feb 04, 2011 at 04:18:53PM -0300, Zerial. wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> On 02/04/11 16:13, Valdis.Kletnieks@...edu wrote:
> >>> On Fri, 04 Feb 2011 16:06:06 -0300, "Zerial." said:
> >>>> what is the best way to encrypt the bash_history file?
> >>>> I try using crypt/decrypt with GPG when login/logout. It works, but
> not
> >>>> safe enough.
> >>>
> >>> Explain what the threat model is, and why GPG isn't safe enough? It's
> kind of
> >>> hard to recommend "best" when we don't understand what the criteria
> are...
> >>>
> >>
> >> The "way" is not safe enough. root can login as me (su - user) and
> >> bash_history will be decrypted. I try to find any better way to crypt
> >> and make unreadable the bash_history file from any other users,
> >> including root.
> >
> > Not to mention the fact that your .bash_history file is unencrypted
> > the entire time you're logged in.
>
> This is the problem on my "way" to protect/crypt the bash_history.
>
> A better alternative, if you're
> > that anxious about your shell history falling into the wrong hands, is
> > to disable it entirely:
> >
> > unset HISTFILE
> > HISTSIZE=0
> >
> > You can also tell bash to not record commands that begin with a space:
> > HISTCONTROL=ignorespace
> >
> > More fine-grained control can be achieved with the HISTIGNORE
> > variable. See the 'Shell Variables' section of the bash(1) manpage.
> >
> > Finally, I wrote these functions to toggle history recording on/off
> > in a shell. I like how this works, when I remember to run it beforehand:
> >
> > # turn off history recording
> > function offtherecord()
> > {
> > if [[ -n "$HISTFILE" ]]; then
> > OLDHISTFILE=$HISTFILE
> > unset HISTFILE
> > fi
> > if [[ -n "$HISTSIZE" ]]; then
> > OLDHISTSIZE=$HISTSIZE
> > HISTSIZE=0
> > fi
> > }
> >
> > # turn on history recording
> > function ontherecord()
> > {
> > if [[ -n "$OLDHISTFILE" ]]; then
> > HISTFILE=$OLDHISTFILE
> > unset OLDHISTFILE
> > fi
> > if [[ -n "$HISTSIZE" ]]; then
> > HISTSIZE=$OLDHISTSIZE
> > unset OLDHISTSIZE
> > fi
> > }
> >
> > Once you've run offtherecord, you lose all of your history for that shell
> until
> > you log back in.
> >
>
> Nice tip, but this solution doesn't work for me. I don't wanna avoid
> logging commands nor delete the bash history nor hide the commands. I
> wanna "encrypt" the file. I don't wanna miss commands which I executed.
>
> Another solution may be copy and move the history file from the server
> to the client, saving the bash_history on client side. But ... this will
> not work if I connect using client as putty.
>
>
> thanks for the asnwer,
>
>
>
> - --
> Zerial
> Seguridad Informatica
> GNU/Linux User #382319
> Blog: http://blog.zerial.org
> Jabber: zerial@...beres.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk1OhC0ACgkQIP17Kywx9JTuSgCcC455KT3/NrSZbOXNodc/zbG8
> JmcAn3QtIlyVyri5qCPxBFlaLa04C8tk
> =OVc7
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists