[GTALUG] Scripting with Interactive Utilities

Tim Sattarov stimur at gmail.com
Fri Mar 27 22:13:47 UTC 2015



On 2015-03-27 16:54, Lennart Sorensen wrote:
> On Fri, Mar 27, 2015 at 03:37:03PM -0400, Tim Sattarov wrote:
>> You can just spit it to stdin of ktutil
>>
>> echo -e "add_entry -password -p alice@BLEEP.COM -k 1 -e
>> aes128-cts-hmac-sha1-96\ntest\nwkt test_srv"  | ktutil
>>
>> or if you don't want to keep passwords in shell history, put commands to
>> the file and then
> It also has the problem that it is in the command line arguments and
> hence visible in the process table to any user on the system.
Exactly because of that I suggested the variant below
>> cat command_file | ktutil
>>
>> where command file is
>> ---
>> add_entry -password -p alice@BLEEP.COM -k 1 -e aes128-cts-hmac-sha1-96
>> test
>> wkt test_srv
>> ---
> Of course that means it is written to disk, unless you use a file on a
> ramdisk, which is also considered bad by sufficiently paranoid people.
>
> A file on a ramdisk is an improvement at least.
>

Seriously? We want to avoid entering sensitive data manually, and yet
for security we need to enter it manually?

If so, you can provide the GPG password once for
    - decryption of encrypted *sensitive data file*  kept on
    - encrypted ramdrive on
    - laptop in a safe bunker
    - transferred over SSH tunnel authenticated with 521kbit ECDSA key
(decrypted locally of course)


and run your batch off that file.

Happy Friday everyone :)

Tim
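Added example (not part of the thread or of ktutil itself): a POSIX sh approach that addresses both objections raised above, keeping the password out of argv (so it is not visible in the process table) and off disk (no command file), by building the ktutil command stream with the shell's built-in printf and feeding it to ktutil over stdin. It assumes, as the command file above shows, that ktutil reads the password on the line after `add_entry -password`, and that `wkt` then writes the keytab.

```shell
#!/bin/sh
# Added example, not code from the thread. Feed ktutil over stdin so the
# password never appears in argv and is never written to a file.

# Print the ktutil command script to stdout.
# $1 principal, $2 kvno, $3 enctype, $4 password, $5 keytab path
# printf is a shell builtin, so the password is never an argument of a
# separate process and does not show up in the process table.
ktutil_script() {
    printf 'add_entry -password -p %s -k %s -e %s\n%s\nwkt %s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Prompt for the password with terminal echo off (stty is POSIX; bash's
# read -s is not), then pipe the script into ktutil. The password lives
# only in this shell's memory and on ktutil's stdin, not in history,
# argv, or a file on disk.
# $1 principal, $2 kvno, $3 enctype, $4 keytab path
add_keytab_entry() {
    principal=$1; kvno=$2; enctype=$3; keytab=$4
    printf 'Password for %s: ' "$principal" >&2
    stty -echo
    read -r password
    stty echo
    printf '\n' >&2
    ktutil_script "$principal" "$kvno" "$enctype" "$password" "$keytab" | ktutil
    unset password
}

# Usage: only runs when KTUTIL_RUN is set and ktutil is installed, so the
# script can also be sourced just for its functions. Principal, kvno and
# enctype are the constructed values from the thread.
if [ -n "${KTUTIL_RUN:-}" ] && command -v ktutil >/dev/null 2>&1; then
    add_keytab_entry alice@BLEEP.COM 1 aes128-cts-hmac-sha1-96 test_srv
fi
```

The encrypted-file variant discussed above fits the same shape: replace the `read` with `gpg --decrypt` of the password file and pipe the result through `ktutil_script` unchanged.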

