withpass - Protecting cleartext passwords at the command prompt
The "withpass" utility is useful when executing applications requiring a cleartext password
as a command line argument. "withpass" protects your password, so that it does not
appear on the terminal, on user logs (e.g. shell history) or system logs (e.g. exec-logs).
Applications that receive passwords as command line arguments are
generally frowned upon by systems administrators for (at least) four reasons:
- They lead to cleartext passwords being rendered on the terminal.
- They lead to cleartext passwords being recorded in the user's command history.
- They lead to cleartext passwords showing up on system-wide execution logs.
- They lead to cleartext passwords appearing on the process list output.
The "withpass" utility resolves issue (a) by allowing the user to supply the password to a non-echoing interactive prompt (see getpass(3)).
It also resolves issue (b) by replacing the cleartext password at the command line, with a placeholder (%P). "withpass" will execute the desired application internally with a modified set of parameters, performing all the necessary transformations of placeholders to passwords.
Issue (c) is only partially resolved by this utility. Some exec-loggers rely on LD_PRELOAD-ing their own version of the execve() wrapper into the memory of the
(dynamically linked) executed application. Such exec-loggers are unable to log execve() calls performed by statically linked executables (since these come with their own version of the wrapper code). The "withpass" utility uses this trick (i.e. static linking) to avoid echoing the password to the system-wide exec-logs. Of course, this only works for LD_PRELOAD-based loggers (like "snoopy").
Unfortunately, "withpass" can't do much about issue (d). Resolving this issue would require modifications to the code of the executed applications. Having said that, there are quite a few applications out there today that zero-out (or replace with other characters) sensitive data that
appear on the process list output (e.g. see "rdesktop").
The user of "withpass" provides the password either at the interactive prompt or as an environmental variable (WITHPASS). The environmental variable is handy for scripts but only protects the user from having the password echoed in execve() logs.
Compile "withpass" from source. Simply untar the source tar-ball and type "make" to build the "withpass" executable, like so:
$ tar -xjf withpass.tar.bz2
$ cd withpass
gcc -Wall -static -o withpass withpass.c
If you wish to use a different compiler be sure to check the Makefile. Also, make sure that the "withpass" utility ends up being statically linked. On GNU/Linux systems you can verify this with the ldd utility:
$ ldd withpass
not a dynamic executable
Finally, use the "make install" command as root, to install the "withpass" binary under
# make install
cp withpass /usr/local/bin
Example invocations of withpass:
$ withpass net rpc shutdown -t 0 -I 192.168.0.1 -Uuser%%P
$ withpass wget --http-user u1 --http-password %P http://u.rl/1
withpass (source release, version 0.2, md5sum: 402412f98f6d0f6bae13a12aa8250446)
The "withpass" utility is free software licensed under the GPLv3.