Best way to encrypt a file, and keep it handy - authentication

I am using dozens of different web services, and I keep a password file in a remote Linux machine. The file contains my usernames, passwords and answers for security question.
This server happens to be offline to often, and I'm looking for a way to keep the password file on my own computer, or on a service like DropBox. Obviously, I want to keep the file encrypted, but handy - I want to be able to print its contents using one shell (or cygwin) command, perhaps using a passphrase.
Any good ideas how to do it?

You can use GPG's symmetric option to encrypt files with pass-phrases.
gpg --symmetric filename
That will result in an encrypted file named filename.gpg. To redirect the output to STDOUT instead of a .gpg file:
gpg --symmetric -o - filename
You can later decrypt the file with:
gpg --decrypt filename.gpg

I use PasswordSafe encrypted files in exactly this configuration. GUIs are available for Windows/Mac/Unix/Java. cliPSafe gives it a command line interface.
THe original code was written by Bruce Schneier, well known in the security world, but I've never used cliPSafe.

As already noted GPG solves the problem. Using the gpg command directly for encrypting text files may be a bit cumbersome though, especially as you would often decrypt the file to a seperate file, add some text (passwords in this case) and the reencrypt it (which will possibly expose your unencrypted data).
Vim has a very good plugin called gnupg for trasparently handling encrypted files using GPG. Using this plugin the unencrypted data will never be written to disc and you can just treat it as any other file (except for the passphrase question popping up of course).

Related

Encrypt, secure a .ini file for INFOMAKER

I would like to secure or at least hide my server credentials from the .ini file generated when creating an executable file from INFOMAKER. I do not think that I can do anything about the coding of the executables generated from the Infomaker.
I am not just comfortable with the credentials lying around in plain text.
Already tried different connection methods including SQL directly, and ODBC connections.
If there is a way that I can hide or get rid of the ini file entirely, that would be great.

SSH on windows without storing password in clear

What I would do is using Putty (or other solution) on Windows to connect to a SAN switch and get results from a command with ssh.
I use Powershell as scripting language and it could be done easily but i don't want to save the password in the script.
I'm looking for a solution to use Putty from command line and set the password not stored in clear in the script.
What I thought is to launch the script with \RUNAS (through a Scheduled task) and pass the actual credentials directly to Putty. (The switch would have the same password as the account used with the Runas). Is that possible?
Or is there any solution using putty with a certificate or something like this?
You may want to consider using key authentication as opposed to a password.
People will say use a password in addition to the key, but if your alternative is storing the password on your PC in a file anyway, someone with access to your machine owns you in either case.. So you just need to generate the keys. The requirement is: no-one but you has access to that key file.
http://www.linuxproblem.org/art_9.html
I'm in the same boat, have to use Windows, but for me www.mingw.org which gives you a shell, and the basic *nix tools - extremely useful for SSH, connect to remote Linux VPS, etc.. Cygwin, of course which is similar, and has an easier tool (setup.exe if I recall) to install new apps. I actually use git-bash with is mingw with git. No-GUIs. I've found this easy to just drop to the mingw shell when I need to use ssh openssl cut awk etc..
So running any remote command using SSH from the command line without third-party programs like Putty, or those with GUIs, etc.. Using the key authentication and offing password auth completely in ssh on the remote device (at least on devices where you have control) is some additional lockdown for the remote device, especially if you're the only one need access it.
Which leaves, scheduling the script. There should be a way to do that via batch file and Windows or within the command line environment.
I'll suggest following options:
use password authentication. Store the text file with password in a file with limited access (some service account) and launch your script under this account's credentials
same as above, but instead of text file use certificate file
write a small program (C#) which uses DPAPI to store the certificate or password in service account-specific store.
combine any of the above with the use of BitLocker/EFS
No options are can protect you from an attacker having admin access to the server, but implementing them will give an increasing (in order of number) headache to someone who will be trying to break it.
The script will be a weak spot in any case, though.
This is probably not the answer you're looking for, but I wouldn't use Putty for this, and would rather communicate with the SSH server directly using SSH.NET library. It's available in both source and binary form, and you could use it from PowerShell too if you like.
Examples: http://sshnet.codeplex.com/wikipage?title=Draft%20for%20Documentation%20page.
Then you'd have a lot of options to store your login credentials securely.
I recommend setting up 2-factor authentication on the ssh machine that you have to communicate with IF you can't use key authentication.
Google's 2 factor authentication can be implemented for ssh and is relatively easy to set up as long as SE linux is disabled...if it isn't disabled, you can add an exception and that would essentially help reduce the risk of compromise and increase security.

How do I mount/unlock my custom (!) ecryptfs directory on login?

I think I need to add a key from the user keyring to the kernel keyring on login for this, but let me just explain the whole thing:
I have a custom ecryptfs directory set up with a huge annoying passphrase, because Ubuntu refuses to implement support for key files:
2011: Unfortunately, we're not building ecryptfs against ssl at this time, due to license incompatibilities (as noted below). I'm going to leave this bug open, though, and try and get those sorted out.
2012: there are no plans to improve this feature in the near
term. It is a considerable amount of work, yet no developers have shown
interest in the feature.
I want to mount/'unlock' this ecryptfs directory automatically when I log in, without having to enter this annoying passphrase manually. With an encrypted home in Ubuntu (also ecryptfs) this happens with a key that is unwrapped using the login password, but this does not work for custom mounts.
For other uses (e.g. LUKS) you can simply store the key/passphrase in your user keyring. But because ecryptfs works in the kernel, this key needs to be stored in the kernel keyring, not the user keyring.
Manually, you would add the key to the kernel keyring using ecryptfs-add-passphrase or ecryptfs-manager, after which you can mount and unmount the ecryptfs directory as much as you want. But after a reboot, this key is gone again, and with good reason.
But I want it back automatically after I login with my user so I can mount/unmount the ecryptfs directory again without having to enter it's password. How can I do this?
update
On Archlinux there is this tool called ecryptfs-simple developed specifically for this purpose: ecryptfs-simple is a utility for users that want to work with eCryptfs in the simplest way possible. The idea is to make eCryptfs as easy to use as EncFS.
Apparently, you can setup automatic mounting with ecryptfs-simple -a, but this tool is not available for Ubuntu, and I don't know if this setup survives a reboot.
It sounds like you want to manipulate keys, so keyctl might be your weapon of choice. Unless you're referring to some other Ubuntu-specific keyring I'm unfamiliar with. From man keyctl I can copy a key from the root/sudo/(kernel?) keyring into my user keyring with this command, something similar should work for you:
sudo keyctl pipe (wantedkeyid#) | keyctl padd user newkeydesc #u
And maybe you've already read ArchWiki's excellent article on using eCryptfs. https://wiki.archlinux.org/index.php/System_Encryption_with_eCryptfs#Auto-mounting
It's got info on using Ubuntu tools, or eCryptfs manually, and a section on auto-mounting (with PAM). Or maybe a simple bash script to ecryptfs-add-passphrase (reading your keyfile) & mount your folder would be easier? And ecryptfs itself supports reading the passphrase from a file too with passphrase_passwd_file=, see man ecryptfs
You need to store the passphrase somewhere, and then you can mount the filesystem automatically. But it's probably a bad idea — to save the key locally.

Is it possible to restirct an ssh key to specific directories

I have an account on a server that I need to give sftp access to another person. This person however only needs access to a small subset of directories. Is it possible, without creating another user account, to restrict an ssh key to that subset of directories.
Basically the website on which these directories are located lives within the home directory of a specific user account. I would prefer not to have to create a separate user account just to lock the use down to those directories. If it is possible to lock down the access to specific directories using an ssh key that would be ideal.
It's possible, but it's sort of a hack. The much preferred, simpler way is just to only grant that user permissions to certain files and directories.
This is an answer on how to accomplish your goal using ssh rather than sftp. This has some chance of being acceptable to the OP because it still uses the ssh tool chain.
This technique is using a feature of ssh that allows ssh to run a command based on the private key presented to host machine. When the host sees that key, then it runs the associated command. For the command we will use "cat" which will dump the file.
add a line that looks like this to ~mr_user/.ssh/authorized_keys2
command="/usr/bin/cat ~/sshxfer/myfile.tar.gz.uu",no-port-forwarding ssh-dss xxxPUBLIC_KEYxxx mr_user#tgtmach
populate the file like this:
uuencode -m myfile.tar.gz /dev/stdout >~mr_user/sshxfer/myfile.tar.gz.uu
transfer the file by being on the target machine and running this:
ssh -i ~/keys/privatekey.dsa mr_user#srcmach |sed -e's/
//g' |uudecode >myfile.tar.gz
The tricky part to that command is there is a newline in the sed command to remove the newlines from the .uu file.
I did not found a way to pass in a name of a file to transfer, so I had to make a key for each file I wanted to transfer. This was okay for my use case because I only had two files I wanted to transfer.

can i generate a htpasswd from one pc, and then ftp it to another server

What crypto algorithm would I use to generate the passwords within a htpasswd file?
I'm running a Visual basic program and using an ftp server to FTP up client files. Im creating new directories for each client and want to add some password protection to each clients directory (for http access).
The server runs apache on linux.
What I've read is that apache uses a slightly modified version of MD5, as well as the systems base "crypt" method. This page: http://httpd.apache.org/docs/current/programs/htpasswd.html#security seems to say that I can use one of several algorithms. I guess at the moment I am confused as to how it chooses with encryption to use.
yes, it's possible. Apache can recognise different encryptions by the salt that preceeds it
The algorithm is chosen by the first sub-field of the password field. A typcial htpasswd file entry looks like this:
ralph:$1$abcd1234$Kx528z52Ohx1JLSzliZmw0
By field:
ralph is the user name
1 is the hash algorithm identifier. 1=md5, 5=sha-256, 6=sha-512
abcd1234 is the salt (not very salty here, usually generated via some pseudo-random technique)
Kx528z52Ohx1JLSzliZmw0 is the hash.
A one-line python command to create the hash using the password and salt as inputs is:
python -c "import crypt, getpass, pwd; print crypt.crypt('password', '\$1\$abcd1234\$')"
DISCLAIMER: This answer largely lifted from slm on another forum after <5 minutes of research.