AppleScript->echo into terminal --can it be seen in logs? [closed]
Clash Royale CLAN TAG#URR8PPP
up vote
0
down vote
favorite
I don't know if this question is better off on here, or in the Apple/Mac world... but I do need a decent answer.
I am using Applescript to pull data from fields in a spreadsheet or database, and shove them directly into terminal:
echo "thisismydatastring and my saltbits" | openssl aes-256-cbc -k thisismypassword -base64
My question: is there a way one could filter thru the log files to catch this plaintext instance of the password?
Is there a better way to prevent hacking?
PS: and for the love of pete, if you're smart (or snarky) enough to offer to edit my writing, at least offer a sane answer to the question.
terminal logs
asked Dec 25 '17 at 14:00
frank ankersly
1013
closed as off-topic by Michael Mrozek♦ Dec 25 '17 at 16:26
This question appears to be off-topic. The users who voted to close gave this specific reason:
- "This question has been posted on multiple sites. Cross-posting is strongly discouraged; see the help center and community FAQ for more information." – Michael Mrozek
add a comment |Â
up vote
0
down vote
favorite
I don't know if this question is better off on here, or in the Apple/Mac world... but I do need a decent answer.
I am using Applescript to pull data from fields in a spreadsheet or database, and shove them directly into terminal:
echo "thisismydatastring and my saltbits" | openssl aes-256-cbc -k thisismypassword -base64
My question: is there a way one could filter thru the log files to catch this plaintext instance of the password?
Is there a better way to prevent hacking?
PS: and for the love of pete, if you're smart (or snarky) enough to offer to edit my writing, at least offer a sane answer to the question.
terminal logs
asked Dec 25 '17 at 14:00
frank ankersly
1013
closed as off-topic by Michael Mrozek♦ Dec 25 '17 at 16:26
This question appears to be off-topic. The users who voted to close gave this specific reason:
- "This question has been posted on multiple sites. Cross-posting is strongly discouraged; see the help center and community FAQ for more information." – Michael Mrozek
1
You could start by checking your ~/.bash_history to see which commands appear.
– multithr3at3d
Dec 25 '17 at 14:57
editing questions so that they conform to the formatting conventions used here is not "snarky". It's helping you (and it's helping other users of this site). Many people here just ignore badly formatted questions. Your friendly editor Jesse_b saved your question from that. editing questions is a valuable service for this site and can be done by people who don't know the answer to a question.
– cas
Dec 25 '17 at 15:37
thx for the ~/.bash_history nugget.. it seems the command does NOT appear there, which is encouraging.
– frank ankersly
Dec 25 '17 at 16:03
apple.stackexchange.com/questions/310068/…
– Michael Mrozek♦
Dec 25 '17 at 16:26
wasn't sure which place to put this question.. apologies for the multipost.. While this is an "Apple-ish" thing (ie., applescript), most Apple users simply don't even know what Terminal is, nevermind what it does... I figured folks here would know far more.... :)
– frank ankersly
Dec 27 '17 at 1:50
add a comment |Â
up vote
0
down vote
favorite
up vote
0
down vote
favorite
I don't know if this question is better off on here, or in the Apple/Mac world... but I do need a decent answer.
I am using Applescript to pull data from fields in a spreadsheet or database, and shove them directly into terminal:
echo "thisismydatastring and my saltbits" | openssl aes-256-cbc -k thisismypassword -base64
My question: is there a way one could filter thru the log files to catch this plaintext instance of the password?
Is there a better way to prevent hacking?
PS: and for the love of pete, if you're smart (or snarky) enough to offer to edit my writing, at least offer a sane answer to the question.
terminal logs
asked Dec 25 '17 at 14:00
frank ankersly
1013
I don't know if this question is better off on here, or in the Apple/Mac world... but I do need a decent answer.
I am using Applescript to pull data from fields in a spreadsheet or database, and shove them directly into terminal:
echo "thisismydatastring and my saltbits" | openssl aes-256-cbc -k thisismypassword -base64
My question: is there a way one could filter thru the log files to catch this plaintext instance of the password?
Is there a better way to prevent hacking?
PS: and for the love of pete, if you're smart (or snarky) enough to offer to edit my writing, at least offer a sane answer to the question.
terminal logs
asked Dec 25 '17 at 14:00
frank ankersly
1013
edited Dec 25 '17 at 14:07
asked Dec 25 '17 at 14:00
frank ankersly
1013
asked Dec 25 '17 at 14:00
frank ankersly
1013
asked Dec 25 '17 at 14:00
frank ankersly
1013
1013
closed as off-topic by Michael Mrozek♦ Dec 25 '17 at 16:26
This question appears to be off-topic. The users who voted to close gave this specific reason:
- "This question has been posted on multiple sites. Cross-posting is strongly discouraged; see the help center and community FAQ for more information." – Michael Mrozek
closed as off-topic by Michael Mrozek♦ Dec 25 '17 at 16:26
This question appears to be off-topic. The users who voted to close gave this specific reason:
- "This question has been posted on multiple sites. Cross-posting is strongly discouraged; see the help center and community FAQ for more information." – Michael Mrozek
1
You could start by checking your ~/.bash_history to see which commands appear.
– multithr3at3d
Dec 25 '17 at 14:57
editing questions so that they conform to the formatting conventions used here is not "snarky". It's helping you (and it's helping other users of this site). Many people here just ignore badly formatted questions. Your friendly editor Jesse_b saved your question from that. editing questions is a valuable service for this site and can be done by people who don't know the answer to a question.
– cas
Dec 25 '17 at 15:37
thx for the ~/.bash_history nugget.. it seems the command does NOT appear there, which is encouraging.
– frank ankersly
Dec 25 '17 at 16:03
apple.stackexchange.com/questions/310068/…
– Michael Mrozek♦
Dec 25 '17 at 16:26
wasn't sure which place to put this question.. apologies for the multipost.. While this is an "Apple-ish" thing (ie., applescript), most Apple users simply don't even know what Terminal is, nevermind what it does... I figured folks here would know far more.... :)
– frank ankersly
Dec 27 '17 at 1:50
add a comment |Â
1
You could start by checking your ~/.bash_history to see which commands appear.
– multithr3at3d
Dec 25 '17 at 14:57
editing questions so that they conform to the formatting conventions used here is not "snarky". It's helping you (and it's helping other users of this site). Many people here just ignore badly formatted questions. Your friendly editor Jesse_b saved your question from that. editing questions is a valuable service for this site and can be done by people who don't know the answer to a question.
– cas
Dec 25 '17 at 15:37
thx for the ~/.bash_history nugget.. it seems the command does NOT appear there, which is encouraging.
– frank ankersly
Dec 25 '17 at 16:03
apple.stackexchange.com/questions/310068/…
– Michael Mrozek♦
Dec 25 '17 at 16:26
wasn't sure which place to put this question.. apologies for the multipost.. While this is an "Apple-ish" thing (ie., applescript), most Apple users simply don't even know what Terminal is, nevermind what it does... I figured folks here would know far more.... :)
– frank ankersly
Dec 27 '17 at 1:50
1
1
You could start by checking your ~/.bash_history to see which commands appear.
– multithr3at3d
Dec 25 '17 at 14:57
You could start by checking your ~/.bash_history to see which commands appear.
– multithr3at3d
Dec 25 '17 at 14:57
editing questions so that they conform to the formatting conventions used here is not "snarky". It's helping you (and it's helping other users of this site). Many people here just ignore badly formatted questions. Your friendly editor Jesse_b saved your question from that. editing questions is a valuable service for this site and can be done by people who don't know the answer to a question.
– cas
Dec 25 '17 at 15:37
editing questions so that they conform to the formatting conventions used here is not "snarky". It's helping you (and it's helping other users of this site). Many people here just ignore badly formatted questions. Your friendly editor Jesse_b saved your question from that. editing questions is a valuable service for this site and can be done by people who don't know the answer to a question.
– cas
Dec 25 '17 at 15:37
thx for the ~/.bash_history nugget.. it seems the command does NOT appear there, which is encouraging.
– frank ankersly
Dec 25 '17 at 16:03
thx for the ~/.bash_history nugget.. it seems the command does NOT appear there, which is encouraging.
– frank ankersly
Dec 25 '17 at 16:03
apple.stackexchange.com/questions/310068/…
– Michael Mrozek♦
Dec 25 '17 at 16:26
apple.stackexchange.com/questions/310068/…
– Michael Mrozek♦
Dec 25 '17 at 16:26
wasn't sure which place to put this question.. apologies for the multipost.. While this is an "Apple-ish" thing (ie., applescript), most Apple users simply don't even know what Terminal is, nevermind what it does... I figured folks here would know far more.... :)
– frank ankersly
Dec 27 '17 at 1:50
wasn't sure which place to put this question.. apologies for the multipost.. While this is an "Apple-ish" thing (ie., applescript), most Apple users simply don't even know what Terminal is, nevermind what it does... I figured folks here would know far more.... :)
– frank ankersly
Dec 27 '17 at 1:50
add a comment |Â
1 Answer
1
active
oldest
votes
up vote
1
down vote
If you don't want your password in your shell history (or easily trawled from ps) then don't put the password on the command line.
One alternative is to put the password in a file, set the permissions to 600 with chmod and use $(cat passwordfile) in place of the password on the command line.
This is not safe if you don't trust root on your system, or if you think that other users on the system may be capable of acquiring root privileges.
e.g.
- edit
/.mysecretpasswordand add your password. chmod 600 ~/.mysecretpasswordrun:
echo "thisismydatastring and my saltbits" |
openssl aes-256-cbc -k "$(cat ~/.mysecretpassword)" -base64
Similarly, if "thisismydatastring and my saltbits" is sensitive, don't put that on the command line either. put it in a file and pipe it into openssl.
openssl has an option to read the password from a file descriptor. This is mostly useful if you write a wrapper script to run openssl.
#!/bin/bash
# use file descriptor 99 for no particular reason. a completely arbitrary choice,
# as long as it's not already in use (probably isn't).
exec 99< ~/.mysecretpassword
openssl aes-256-cbc -base64 -k fd:99
Save that somewhere in your $PATH, make it executable with chmod (700 is probably best if you are worried about snoopers) and you can pipe or redirect your data into it. It's probably slightly better than the $(cat ...) method because it doesn't name ~/.mysecretpassword on any command line (so that won't be saved in history or visible in ps).
This file-descriptor method is still only security-by-obscurity, so isn't safe against an untrusted root account or users who can gain root.
You can improve the security a bit by using an encrypted filesystem that you mount manually (and type in the pass-phrase manually...and hope nobody's logging your keystrokes) when you need it, and unmount when finished. Applescript implies you're using a Mac - dunno how you'd do this on OS X but on Linux, you'd use FUSE if you didn't have root on the machine.
It's generally considered a bad idea to be doing crypto stuff on a machine that you don't completely control, or that has other (potentially hostile) users on it. (for more secure crypto, don't do it on a machine connected to a network...better yet, use a un-networked machine in a faraday cage in a lead-lined room at the bottom of a 100' deep concrete bunker. transfer the base64 encrypted data by floppy - not a USB device - or via QR code...printed or display the QR on screen and scan with phone)
More simply: if you have any reason to suspect that you can't completely trust the machine you're on, and it is important that the data stays secret, then don't use it for encryption. There's lots of ways to make a mistake, and it only takes one to be completely compromised.
BTW, if you're using bash, you can remove individual lines from the ~/.bash_history before you exit that shell by hitting up-arrow until you see the line you want to remove and then typing Ctrl-U and hitting up-arrow again.
Alternatively, you can clear that shell session's entire history by running history -c before you exit that shell. This will not clear anything already saved into the .bash_history file.
If the password or other sensitive data is already saved to your .bash_history then your only option will be to delete or edit your history file when you login again. NOTE: It may already be backed up or snapshotted - i.e. too late to fix.
answered Dec 25 '17 at 16:25
cas
37.7k44394
i forgot to mention that the bunker should have a "Beware of the leopard" sign.
– cas
Dec 25 '17 at 16:36
I should've mentioned that this encryption engine is being used by AppleScript, called from within a small business program which is being published and which will be run on machines "in the wild".. so we have no control over the actual systems and how they will be used. Could anyone advise as to why the .bash_history file isn’t showing my commands, after I’ve run them? Are there instances where Applescript –to-terminal commands are NOT passed into the bash history?
– frank ankersly
Dec 27 '17 at 1:53
.bash_historyis saved when you exit bash. at that point, bash saves the history of whatever was read in from .bash_history when you started the shell followed by whatever you typed into the shell itself (subject to the limits imposed by the$HISTSIZEand$HISTFILESIZEvariables). Also, by default, bash will overwrite any existing .bash_history file but can be made to append withshopt -s histappend- this means that with histappend off, if you run two bash shells at the same time, the one that exits last will be the one that ends up with its history saved.
– cas
Dec 27 '17 at 2:01
someone said: Similarly, if "thisismydatastring and my saltbits" is sensitive, don't put that on the command line either. put it in a file and pipe it into openssl. seems to me, if I was worried about this, and I put either my datastring or my saltbit (or password) into a file, that file would still be on the HDD (and therefore vulnerable), or am I missing something?
– frank ankersly
Dec 27 '17 at 4:20
yes, that's why i said it isn't safe from root or users who can acquire root privs. also why i said using an encrypted fs can help a bit. and precisely why i pointed out that doing any kind encryption on an untrusted machine is not a good idea.
– cas
Dec 27 '17 at 4:39
add a comment |Â
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
1
down vote
If you don't want your password in your shell history (or easily trawled from ps) then don't put the password on the command line.
One alternative is to put the password in a file, set the permissions to 600 with chmod and use $(cat passwordfile) in place of the password on the command line.
This is not safe if you don't trust root on your system, or if you think that other users on the system may be capable of acquiring root privileges.
e.g.
- edit
/.mysecretpasswordand add your password. chmod 600 ~/.mysecretpasswordrun:
echo "thisismydatastring and my saltbits" |
openssl aes-256-cbc -k "$(cat ~/.mysecretpassword)" -base64
Similarly, if "thisismydatastring and my saltbits" is sensitive, don't put that on the command line either. put it in a file and pipe it into openssl.
openssl has an option to read the password from a file descriptor. This is mostly useful if you write a wrapper script to run openssl.
#!/bin/bash
# use file descriptor 99 for no particular reason. a completely arbitrary choice,
# as long as it's not already in use (probably isn't).
exec 99< ~/.mysecretpassword
openssl aes-256-cbc -base64 -k fd:99
Save that somewhere in your $PATH, make it executable with chmod (700 is probably best if you are worried about snoopers) and you can pipe or redirect your data into it. It's probably slightly better than the $(cat ...) method because it doesn't name ~/.mysecretpassword on any command line (so that won't be saved in history or visible in ps).
This file-descriptor method is still only security-by-obscurity, so isn't safe against an untrusted root account or users who can gain root.
You can improve the security a bit by using an encrypted filesystem that you mount manually (and type in the pass-phrase manually...and hope nobody's logging your keystrokes) when you need it, and unmount when finished. Applescript implies you're using a Mac - dunno how you'd do this on OS X but on Linux, you'd use FUSE if you didn't have root on the machine.
It's generally considered a bad idea to be doing crypto stuff on a machine that you don't completely control, or that has other (potentially hostile) users on it. (for more secure crypto, don't do it on a machine connected to a network...better yet, use a un-networked machine in a faraday cage in a lead-lined room at the bottom of a 100' deep concrete bunker. transfer the base64 encrypted data by floppy - not a USB device - or via QR code...printed or display the QR on screen and scan with phone)
More simply: if you have any reason to suspect that you can't completely trust the machine you're on, and it is important that the data stays secret, then don't use it for encryption. There's lots of ways to make a mistake, and it only takes one to be completely compromised.
BTW, if you're using bash, you can remove individual lines from the ~/.bash_history before you exit that shell by hitting up-arrow until you see the line you want to remove and then typing Ctrl-U and hitting up-arrow again.
Alternatively, you can clear that shell session's entire history by running history -c before you exit that shell. This will not clear anything already saved into the .bash_history file.
If the password or other sensitive data is already saved to your .bash_history then your only option will be to delete or edit your history file when you login again. NOTE: It may already be backed up or snapshotted - i.e. too late to fix.
answered Dec 25 '17 at 16:25
cas
37.7k44394
i forgot to mention that the bunker should have a "Beware of the leopard" sign.
– cas
Dec 25 '17 at 16:36
I should've mentioned that this encryption engine is being used by AppleScript, called from within a small business program which is being published and which will be run on machines "in the wild".. so we have no control over the actual systems and how they will be used. Could anyone advise as to why the .bash_history file isn’t showing my commands, after I’ve run them? Are there instances where Applescript –to-terminal commands are NOT passed into the bash history?
– frank ankersly
Dec 27 '17 at 1:53
.bash_historyis saved when you exit bash. at that point, bash saves the history of whatever was read in from .bash_history when you started the shell followed by whatever you typed into the shell itself (subject to the limits imposed by the$HISTSIZEand$HISTFILESIZEvariables). Also, by default, bash will overwrite any existing .bash_history file but can be made to append withshopt -s histappend- this means that with histappend off, if you run two bash shells at the same time, the one that exits last will be the one that ends up with its history saved.
– cas
Dec 27 '17 at 2:01
someone said: Similarly, if "thisismydatastring and my saltbits" is sensitive, don't put that on the command line either. put it in a file and pipe it into openssl. seems to me, if I was worried about this, and I put either my datastring or my saltbit (or password) into a file, that file would still be on the HDD (and therefore vulnerable), or am I missing something?
– frank ankersly
Dec 27 '17 at 4:20
yes, that's why i said it isn't safe from root or users who can acquire root privs. also why i said using an encrypted fs can help a bit. and precisely why i pointed out that doing any kind encryption on an untrusted machine is not a good idea.
– cas
Dec 27 '17 at 4:39
add a comment |Â
up vote
1
down vote
If you don't want your password in your shell history (or easily trawled from ps) then don't put the password on the command line.
One alternative is to put the password in a file, set the permissions to 600 with chmod and use $(cat passwordfile) in place of the password on the command line.
This is not safe if you don't trust root on your system, or if you think that other users on the system may be capable of acquiring root privileges.
e.g.
- edit
/.mysecretpasswordand add your password. chmod 600 ~/.mysecretpasswordrun:
echo "thisismydatastring and my saltbits" |
openssl aes-256-cbc -k "$(cat ~/.mysecretpassword)" -base64
Similarly, if "thisismydatastring and my saltbits" is sensitive, don't put that on the command line either. put it in a file and pipe it into openssl.
openssl has an option to read the password from a file descriptor. This is mostly useful if you write a wrapper script to run openssl.
#!/bin/bash
# use file descriptor 99 for no particular reason. a completely arbitrary choice,
# as long as it's not already in use (probably isn't).
exec 99< ~/.mysecretpassword
openssl aes-256-cbc -base64 -k fd:99
Save that somewhere in your $PATH, make it executable with chmod (700 is probably best if you are worried about snoopers) and you can pipe or redirect your data into it. It's probably slightly better than the $(cat ...) method because it doesn't name ~/.mysecretpassword on any command line (so that won't be saved in history or visible in ps).
This file-descriptor method is still only security-by-obscurity, so isn't safe against an untrusted root account or users who can gain root.
You can improve the security a bit by using an encrypted filesystem that you mount manually (and type in the pass-phrase manually...and hope nobody's logging your keystrokes) when you need it, and unmount when finished. Applescript implies you're using a Mac - dunno how you'd do this on OS X but on Linux, you'd use FUSE if you didn't have root on the machine.
It's generally considered a bad idea to be doing crypto stuff on a machine that you don't completely control, or that has other (potentially hostile) users on it. (for more secure crypto, don't do it on a machine connected to a network...better yet, use a un-networked machine in a faraday cage in a lead-lined room at the bottom of a 100' deep concrete bunker. transfer the base64 encrypted data by floppy - not a USB device - or via QR code...printed or display the QR on screen and scan with phone)
More simply: if you have any reason to suspect that you can't completely trust the machine you're on, and it is important that the data stays secret, then don't use it for encryption. There's lots of ways to make a mistake, and it only takes one to be completely compromised.
BTW, if you're using bash, you can remove individual lines from the ~/.bash_history before you exit that shell by hitting up-arrow until you see the line you want to remove and then typing Ctrl-U and hitting up-arrow again.
Alternatively, you can clear that shell session's entire history by running history -c before you exit that shell. This will not clear anything already saved into the .bash_history file.
If the password or other sensitive data is already saved to your .bash_history then your only option will be to delete or edit your history file when you login again. NOTE: It may already be backed up or snapshotted - i.e. too late to fix.
answered Dec 25 '17 at 16:25
cas
37.7k44394
i forgot to mention that the bunker should have a "Beware of the leopard" sign.
– cas
Dec 25 '17 at 16:36
I should've mentioned that this encryption engine is being used by AppleScript, called from within a small business program which is being published and which will be run on machines "in the wild".. so we have no control over the actual systems and how they will be used. Could anyone advise as to why the .bash_history file isn’t showing my commands, after I’ve run them? Are there instances where Applescript –to-terminal commands are NOT passed into the bash history?
– frank ankersly
Dec 27 '17 at 1:53
.bash_historyis saved when you exit bash. at that point, bash saves the history of whatever was read in from .bash_history when you started the shell followed by whatever you typed into the shell itself (subject to the limits imposed by the$HISTSIZEand$HISTFILESIZEvariables). Also, by default, bash will overwrite any existing .bash_history file but can be made to append withshopt -s histappend- this means that with histappend off, if you run two bash shells at the same time, the one that exits last will be the one that ends up with its history saved.
– cas
Dec 27 '17 at 2:01
someone said: Similarly, if "thisismydatastring and my saltbits" is sensitive, don't put that on the command line either. put it in a file and pipe it into openssl. seems to me, if I was worried about this, and I put either my datastring or my saltbit (or password) into a file, that file would still be on the HDD (and therefore vulnerable), or am I missing something?
– frank ankersly
Dec 27 '17 at 4:20
yes, that's why i said it isn't safe from root or users who can acquire root privs. also why i said using an encrypted fs can help a bit. and precisely why i pointed out that doing any kind encryption on an untrusted machine is not a good idea.
– cas
Dec 27 '17 at 4:39
add a comment |Â
up vote
1
down vote
up vote
1
down vote
If you don't want your password in your shell history (or easily trawled from ps) then don't put the password on the command line.
One alternative is to put the password in a file, set the permissions to 600 with chmod and use $(cat passwordfile) in place of the password on the command line.
This is not safe if you don't trust root on your system, or if you think that other users on the system may be capable of acquiring root privileges.
e.g.
- edit
/.mysecretpasswordand add your password. chmod 600 ~/.mysecretpasswordrun:
echo "thisismydatastring and my saltbits" |
openssl aes-256-cbc -k "$(cat ~/.mysecretpassword)" -base64
Similarly, if "thisismydatastring and my saltbits" is sensitive, don't put that on the command line either. put it in a file and pipe it into openssl.
openssl has an option to read the password from a file descriptor. This is mostly useful if you write a wrapper script to run openssl.
#!/bin/bash
# use file descriptor 99 for no particular reason. a completely arbitrary choice,
# as long as it's not already in use (probably isn't).
exec 99< ~/.mysecretpassword
openssl aes-256-cbc -base64 -k fd:99
Save that somewhere in your $PATH, make it executable with chmod (700 is probably best if you are worried about snoopers) and you can pipe or redirect your data into it. It's probably slightly better than the $(cat ...) method because it doesn't name ~/.mysecretpassword on any command line (so that won't be saved in history or visible in ps).
This file-descriptor method is still only security-by-obscurity, so isn't safe against an untrusted root account or users who can gain root.
You can improve the security a bit by using an encrypted filesystem that you mount manually (and type in the pass-phrase manually...and hope nobody's logging your keystrokes) when you need it, and unmount when finished. Applescript implies you're using a Mac - dunno how you'd do this on OS X but on Linux, you'd use FUSE if you didn't have root on the machine.
It's generally considered a bad idea to be doing crypto stuff on a machine that you don't completely control, or that has other (potentially hostile) users on it. (for more secure crypto, don't do it on a machine connected to a network...better yet, use a un-networked machine in a faraday cage in a lead-lined room at the bottom of a 100' deep concrete bunker. transfer the base64 encrypted data by floppy - not a USB device - or via QR code...printed or display the QR on screen and scan with phone)
More simply: if you have any reason to suspect that you can't completely trust the machine you're on, and it is important that the data stays secret, then don't use it for encryption. There's lots of ways to make a mistake, and it only takes one to be completely compromised.
BTW, if you're using bash, you can remove individual lines from the ~/.bash_history before you exit that shell by hitting up-arrow until you see the line you want to remove and then typing Ctrl-U and hitting up-arrow again.
Alternatively, you can clear that shell session's entire history by running history -c before you exit that shell. This will not clear anything already saved into the .bash_history file.
If the password or other sensitive data is already saved to your .bash_history then your only option will be to delete or edit your history file when you login again. NOTE: It may already be backed up or snapshotted - i.e. too late to fix.
answered Dec 25 '17 at 16:25
cas
37.7k44394
If you don't want your password in your shell history (or easily trawled from ps) then don't put the password on the command line.
One alternative is to put the password in a file, set the permissions to 600 with chmod and use $(cat passwordfile) in place of the password on the command line.
This is not safe if you don't trust root on your system, or if you think that other users on the system may be capable of acquiring root privileges.
e.g.
- edit
/.mysecretpasswordand add your password. chmod 600 ~/.mysecretpasswordrun:
echo "thisismydatastring and my saltbits" |
openssl aes-256-cbc -k "$(cat ~/.mysecretpassword)" -base64
Similarly, if "thisismydatastring and my saltbits" is sensitive, don't put that on the command line either. put it in a file and pipe it into openssl.
openssl has an option to read the password from a file descriptor. This is mostly useful if you write a wrapper script to run openssl.
#!/bin/bash
# use file descriptor 99 for no particular reason. a completely arbitrary choice,
# as long as it's not already in use (probably isn't).
exec 99< ~/.mysecretpassword
openssl aes-256-cbc -base64 -k fd:99
Save that somewhere in your $PATH, make it executable with chmod (700 is probably best if you are worried about snoopers) and you can pipe or redirect your data into it. It's probably slightly better than the $(cat ...) method because it doesn't name ~/.mysecretpassword on any command line (so that won't be saved in history or visible in ps).
This file-descriptor method is still only security-by-obscurity, so isn't safe against an untrusted root account or users who can gain root.
You can improve the security a bit by using an encrypted filesystem that you mount manually (and type in the pass-phrase manually...and hope nobody's logging your keystrokes) when you need it, and unmount when finished. Applescript implies you're using a Mac - dunno how you'd do this on OS X but on Linux, you'd use FUSE if you didn't have root on the machine.
It's generally considered a bad idea to be doing crypto stuff on a machine that you don't completely control, or that has other (potentially hostile) users on it. (for more secure crypto, don't do it on a machine connected to a network...better yet, use a un-networked machine in a faraday cage in a lead-lined room at the bottom of a 100' deep concrete bunker. transfer the base64 encrypted data by floppy - not a USB device - or via QR code...printed or display the QR on screen and scan with phone)
More simply: if you have any reason to suspect that you can't completely trust the machine you're on, and it is important that the data stays secret, then don't use it for encryption. There's lots of ways to make a mistake, and it only takes one to be completely compromised.
BTW, if you're using bash, you can remove individual lines from the ~/.bash_history before you exit that shell by hitting up-arrow until you see the line you want to remove and then typing Ctrl-U and hitting up-arrow again.
Alternatively, you can clear that shell session's entire history by running history -c before you exit that shell. This will not clear anything already saved into the .bash_history file.
If the password or other sensitive data is already saved to your .bash_history then your only option will be to delete or edit your history file when you login again. NOTE: It may already be backed up or snapshotted - i.e. too late to fix.
answered Dec 25 '17 at 16:25
cas
37.7k44394
answered Dec 25 '17 at 16:25
cas
37.7k44394
answered Dec 25 '17 at 16:25
cas
37.7k44394
answered Dec 25 '17 at 16:25
cas
37.7k44394
37.7k44394
i forgot to mention that the bunker should have a "Beware of the leopard" sign.
– cas
Dec 25 '17 at 16:36
I should've mentioned that this encryption engine is being used by AppleScript, called from within a small business program which is being published and which will be run on machines "in the wild".. so we have no control over the actual systems and how they will be used. Could anyone advise as to why the .bash_history file isn’t showing my commands, after I’ve run them? Are there instances where Applescript –to-terminal commands are NOT passed into the bash history?
– frank ankersly
Dec 27 '17 at 1:53
.bash_historyis saved when you exit bash. at that point, bash saves the history of whatever was read in from .bash_history when you started the shell followed by whatever you typed into the shell itself (subject to the limits imposed by the$HISTSIZEand$HISTFILESIZEvariables). Also, by default, bash will overwrite any existing .bash_history file but can be made to append withshopt -s histappend- this means that with histappend off, if you run two bash shells at the same time, the one that exits last will be the one that ends up with its history saved.
– cas
Dec 27 '17 at 2:01
someone said: Similarly, if "thisismydatastring and my saltbits" is sensitive, don't put that on the command line either. put it in a file and pipe it into openssl. seems to me, if I was worried about this, and I put either my datastring or my saltbit (or password) into a file, that file would still be on the HDD (and therefore vulnerable), or am I missing something?
– frank ankersly
Dec 27 '17 at 4:20
yes, that's why i said it isn't safe from root or users who can acquire root privs. also why i said using an encrypted fs can help a bit. and precisely why i pointed out that doing any kind encryption on an untrusted machine is not a good idea.
– cas
Dec 27 '17 at 4:39
add a comment |Â
i forgot to mention that the bunker should have a "Beware of the leopard" sign.
– cas
Dec 25 '17 at 16:36
I should've mentioned that this encryption engine is being used by AppleScript, called from within a small business program which is being published and which will be run on machines "in the wild".. so we have no control over the actual systems and how they will be used. Could anyone advise as to why the .bash_history file isn’t showing my commands, after I’ve run them? Are there instances where Applescript –to-terminal commands are NOT passed into the bash history?
– frank ankersly
Dec 27 '17 at 1:53
.bash_historyis saved when you exit bash. at that point, bash saves the history of whatever was read in from .bash_history when you started the shell followed by whatever you typed into the shell itself (subject to the limits imposed by the$HISTSIZEand$HISTFILESIZEvariables). Also, by default, bash will overwrite any existing .bash_history file but can be made to append withshopt -s histappend- this means that with histappend off, if you run two bash shells at the same time, the one that exits last will be the one that ends up with its history saved.
– cas
Dec 27 '17 at 2:01
someone said: Similarly, if "thisismydatastring and my saltbits" is sensitive, don't put that on the command line either. put it in a file and pipe it into openssl. seems to me, if I was worried about this, and I put either my datastring or my saltbit (or password) into a file, that file would still be on the HDD (and therefore vulnerable), or am I missing something?
– frank ankersly
Dec 27 '17 at 4:20
yes, that's why i said it isn't safe from root or users who can acquire root privs. also why i said using an encrypted fs can help a bit. and precisely why i pointed out that doing any kind encryption on an untrusted machine is not a good idea.
– cas
Dec 27 '17 at 4:39
i forgot to mention that the bunker should have a "Beware of the leopard" sign.
– cas
Dec 25 '17 at 16:36
i forgot to mention that the bunker should have a "Beware of the leopard" sign.
– cas
Dec 25 '17 at 16:36
I should've mentioned that this encryption engine is being used by AppleScript, called from within a small business program which is being published and which will be run on machines "in the wild".. so we have no control over the actual systems and how they will be used. Could anyone advise as to why the .bash_history file isn’t showing my commands, after I’ve run them? Are there instances where Applescript –to-terminal commands are NOT passed into the bash history?
– frank ankersly
Dec 27 '17 at 1:53
I should've mentioned that this encryption engine is being used by AppleScript, called from within a small business program which is being published and which will be run on machines "in the wild".. so we have no control over the actual systems and how they will be used. Could anyone advise as to why the .bash_history file isn’t showing my commands, after I’ve run them? Are there instances where Applescript –to-terminal commands are NOT passed into the bash history?
– frank ankersly
Dec 27 '17 at 1:53
.bash_history is saved when you exit bash. at that point, bash saves the history of whatever was read in from .bash_history when you started the shell followed by whatever you typed into the shell itself (subject to the limits imposed by the $HISTSIZE and $HISTFILESIZE variables). Also, by default, bash will overwrite any existing .bash_history file but can be made to append with shopt -s histappend - this means that with histappend off, if you run two bash shells at the same time, the one that exits last will be the one that ends up with its history saved.– cas
Dec 27 '17 at 2:01
.bash_history is saved when you exit bash. at that point, bash saves the history of whatever was read in from .bash_history when you started the shell followed by whatever you typed into the shell itself (subject to the limits imposed by the $HISTSIZE and $HISTFILESIZE variables). Also, by default, bash will overwrite any existing .bash_history file but can be made to append with shopt -s histappend - this means that with histappend off, if you run two bash shells at the same time, the one that exits last will be the one that ends up with its history saved.– cas
Dec 27 '17 at 2:01
someone said: Similarly, if "thisismydatastring and my saltbits" is sensitive, don't put that on the command line either. put it in a file and pipe it into openssl. seems to me, if I was worried about this, and I put either my datastring or my saltbit (or password) into a file, that file would still be on the HDD (and therefore vulnerable), or am I missing something?
– frank ankersly
Dec 27 '17 at 4:20
someone said: Similarly, if "thisismydatastring and my saltbits" is sensitive, don't put that on the command line either. put it in a file and pipe it into openssl. seems to me, if I was worried about this, and I put either my datastring or my saltbit (or password) into a file, that file would still be on the HDD (and therefore vulnerable), or am I missing something?
– frank ankersly
Dec 27 '17 at 4:20
yes, that's why i said it isn't safe from root or users who can acquire root privs. also why i said using an encrypted fs can help a bit. and precisely why i pointed out that doing any kind encryption on an untrusted machine is not a good idea.
– cas
Dec 27 '17 at 4:39
yes, that's why i said it isn't safe from root or users who can acquire root privs. also why i said using an encrypted fs can help a bit. and precisely why i pointed out that doing any kind encryption on an untrusted machine is not a good idea.
– cas
Dec 27 '17 at 4:39
add a comment |Â
1
You could start by checking your ~/.bash_history to see which commands appear.
– multithr3at3d
Dec 25 '17 at 14:57
editing questions so that they conform to the formatting conventions used here is not "snarky". It's helping you (and it's helping other users of this site). Many people here just ignore badly formatted questions. Your friendly editor Jesse_b saved your question from that. editing questions is a valuable service for this site and can be done by people who don't know the answer to a question.
– cas
Dec 25 '17 at 15:37
thx for the ~/.bash_history nugget.. it seems the command does NOT appear there, which is encouraging.
– frank ankersly
Dec 25 '17 at 16:03
apple.stackexchange.com/questions/310068/…
– Michael Mrozek♦
Dec 25 '17 at 16:26
wasn't sure which place to put this question.. apologies for the multipost.. While this is an "Apple-ish" thing (ie., applescript), most Apple users simply don't even know what Terminal is, nevermind what it does... I figured folks here would know far more.... :)
– frank ankersly
Dec 27 '17 at 1:50