Message-ID: <20110204193640.GC23993@gemini>
Date: Fri, 4 Feb 2011 12:36:40 -0700
From: Erik Falor <ewfalor@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: encrypt the bash history
On Fri, Feb 04, 2011 at 04:18:53PM -0300, Zerial. wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 02/04/11 16:13, Valdis.Kletnieks@...edu wrote:
> > On Fri, 04 Feb 2011 16:06:06 -0300, "Zerial." said:
> >> what is the best way to encrypt the bash_history file?
> >> I try using crypt/decrypt with GPG when login/logout. It works, but not
> >> safe enough.
> >
> > Explain what the threat model is, and why GPG isn't safe enough? It's kind of
> > hard to recommend "best" when we don't understand what the criteria are...
> >
>
> The "way" is not safe enough. root can login as me (su - user) and
> bash_history will be decrypted. I try to find any better way to crypt
> and make unreadable the bash_history file from any other users,
> including root.

Not to mention the fact that your .bash_history file is unencrypted
the entire time you're logged in. A better alternative, if you're
that anxious about your shell history falling into the wrong hands, is
to disable it entirely:

    unset HISTFILE
    HISTSIZE=0

You can also tell bash to not record commands that begin with a space:

    HISTCONTROL=ignorespace

More fine-grained control can be achieved with the HISTIGNORE
variable. See the 'Shell Variables' section of the bash(1) manpage.

Finally, I wrote these functions to toggle history recording on/off
in a shell. I like how this works, when I remember to run it beforehand:
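
    # turn off history recording
    function offtherecord()
    {
        # remember the current history file, then stop writing to it
        if [[ -n "$HISTFILE" ]]; then
            OLDHISTFILE=$HISTFILE
            unset HISTFILE
        fi
        # remember the current size, then drop the in-memory history
        if [[ -n "$HISTSIZE" ]]; then
            OLDHISTSIZE=$HISTSIZE
            HISTSIZE=0
        fi
    }

    # turn on history recording
    function ontherecord()
    {
        # restore the history file saved by offtherecord
        if [[ -n "$OLDHISTFILE" ]]; then
            HISTFILE=$OLDHISTFILE
            unset OLDHISTFILE
        fi
        # restore the size only if offtherecord actually saved one
        if [[ -n "$OLDHISTSIZE" ]]; then
            HISTSIZE=$OLDHISTSIZE
            unset OLDHISTSIZE
        fi
    }
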
Once you've run offtherecord, you lose all of your history for that shell until
you log back in.
--
Erik Falor
Registered Linux User #445632 http://counter.li.org
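
The HISTCONTROL=ignorespace and HISTIGNORE settings mentioned in the message above, as an added example that is not part of the original post: it feeds constructed sample commands to a child bash and lists which ones end up in the history list. The helper name recorded_with, the sample commands and the EXAMPLE-ONLY credentials are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: show which commands bash keeps in its history list under
# HISTCONTROL=ignorespace plus a given HISTIGNORE value.
# recorded_with is a hypothetical helper name; the commands and the
# EXAMPLE-ONLY credentials are constructed sample data.

recorded_with() {
    # $1 = colon-separated HISTIGNORE patterns. A child bash is used so the
    # caller's own history and settings are never touched.
    bash --norc --noprofile -c '
        unset HISTFILE HISTTIMEFORMAT   # keep everything in memory
        HISTSIZE=100
        HISTCONTROL=ignorespace
        HISTIGNORE=$1
        # history -s appends a line to the history list and, like typed
        # input, is filtered by HISTCONTROL and HISTIGNORE.
        history -s "ls -l /var/log"
        history -s " echo typed-with-leading-space"
        history -s "mysql --user=app --password=EXAMPLE-ONLY"
        history -s "export API_TOKEN=EXAMPLE-ONLY"
        history | sed "s/^ *[0-9]* *//"   # strip the entry numbers
    ' _ "$1"
}

# Patterns must match the whole command line, hence the surrounding "*".
GOOD_PATTERNS='*--password*:export *TOKEN=*'
# Common mistake: substrings without wildcards match nothing here.
BAD_PATTERNS='--password:TOKEN='

echo "kept with wildcard patterns:"
recorded_with "$GOOD_PATTERNS"
echo "kept with bare substrings:"
recorded_with "$BAD_PATTERNS"
```

With the wildcard patterns only the ls command is kept; with the bare substrings both credential-bearing commands stay in the history, and only the space-prefixed one is dropped.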