Message-ID: <30044.1296848447@localhost>
Date: Fri, 04 Feb 2011 14:40:47 -0500
From: Valdis.Kletnieks@...edu
To: "Zerial." <fernando@...ial.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: encrypt the bash history

On Fri, 04 Feb 2011 16:18:53 -0300, "Zerial." said:

> The "way" is not safe enough. root can login as me (su - user) and
> bash_history will be decrypted. I try to find any better way to crypt
> and make unreadable the bash_history file from any other users,
> including root.

Agreed. GPG makes the rather rash assumption that you use it on a
system where the computing resources can be at least somewhat
trusted (i.e. it assumes you're not on a system that somebody else
may have installed a keystroke logger or similar).

1a) It may be simpler/safer to totally disable the feature so you
don't leave behind a .bash_history.

1b) If you don't trust root with your .bash_history, why do you trust
root with every single keystroke you entered while doing the commands
that created that history? (Think about that for a bit...)




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
