Topic "Ask user for password?"

Author Message
Skeeve
Joined: 2014-10-17
Posts: 12
I posted http://winscp.net/forum/viewtopic.php?t=14441 and found a workaround for me.

But maybe it's possible to implement something better?

Background: On my targetserver I can only log in with my personal account. There I am only allowed to do a "sudo su - TARGETUSER". This is then prompting me for the password.

The workaround I'm using is a script which is called by sudo as "SUDO_ASKPASS". That script is connecting to a fifo where, on the other end, I have an open terminal session where I enter my password. This seems to work quite well, besides the small security risk that someone could read from my fifo while I'm thinking I'm communicating with my winscp-invoked script.

What I'm thinking about is: Would it be possible to have a script on my targetserver which can communicate back with WinSCP, sending WinSCP the request to ask the user for a password? It would then get the password from WinSCP and would give it back to sudo via stdout.
Skeeve
Joined: 2014-10-17
Posts: 12
Hi!

I mailed Martin and he suggested that I describe the problem (a bit better?) in the forum to "see if others find it interesting."

I hope you will...

So please find the problem description here:


My problem is the following:
1) I'm only allowed to log in to our production systems with a personalized user
2) To do something as the functional user of our applications, I can only use "sudo su - functionaluser"

So the official way, when I have to copy files back and forth, is to copy them into a temp location first.

Of course this is quite annoying and people tend to forget to delete files from there.

Usually I would copy my public key to the functional user's .ssh/authorized_keys, but that's not wanted.

So my only solution was to use an "askpass" script, but since I do not want to have my password in clear text in a script, I came up with the workaround shown in the forum (linked in the first thread). The idea is that I have a terminal session on my production host where I open a fifo where I send my password in. The winscp connection is starting a sudo which calls a script reading from the fifo and thus getting my password.

The ideal solution would be if a script could "tell" winscp that it wants a password and the winscp then prompts the user for it.

I imagine something like a new setting in winscp telling it: "When, in a new connection, a certain string appears, ask the user for a password and send this password to the connection".

Do you think that's possible? That way a user in a similar situation as I am can simply create a script like this:

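#!/bin/sh
# Askpass helper: sudo takes the password from this script's stdout,
# so the prompt is written to stderr to keep it out of the password.
printf 'sudo password:' >&2
IFS= read -r pass
printf '%s\n' "$pass"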

best regards and thanks for winscp!
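
Added example, not part of the posts above and not WinSCP code: a hardened form of the FIFO-based SUDO_ASKPASS workaround described in the first two posts, closing the gap where another local user could read from the FIFO. The function names and the temp-directory layout are assumptions, as is that both ends of the FIFO run under the same account; `[ -O ]` is a widely supported shell extension rather than strict POSIX.

```shell
#!/bin/sh
# Added example with hypothetical helper names (not from the thread).
# A FIFO used to hand a password to a SUDO_ASKPASS script is only trusted if it is
# a real named pipe, owned by us, mode 0600, inside a directory that is mode 0700.

# make_private_fifo: create a 0700 directory with a 0600 FIFO in it; print the FIFO path.
# The body runs in a subshell so the umask change does not leak to the caller.
make_private_fifo() (
    umask 077
    dir=$(mktemp -d "${TMPDIR:-/tmp}/askpass.XXXXXX") || exit 1
    mkfifo "$dir/pw" || exit 1
    printf '%s\n' "$dir/pw"
)

# fifo_is_private PATH: return 0 only when every ownership and mode check passes.
fifo_is_private() {
    f=$1
    d=$(dirname -- "$f")
    # Reject symlinks and anything that is not a named pipe.
    [ ! -L "$f" ] && [ -p "$f" ] || return 1
    # FIFO and its directory must belong to the effective user.
    [ -O "$f" ] && [ -O "$d" ] || return 1
    # No group/other permission bits on the FIFO or on the directory.
    case $(ls -ld -- "$f") in prw-------*) ;; *) return 1 ;; esac
    case $(ls -ld -- "$d") in drwx------*) ;; *) return 1 ;; esac
    return 0
}

# askpass_from_fifo PATH: the SUDO_ASKPASS side. Prints one line read from the FIFO
# on stdout (where sudo expects the password), or fails without reading anything.
askpass_from_fifo() {
    fifo_is_private "$1" || {
        echo "askpass: refusing to read from insecure FIFO $1" >&2
        return 1
    }
    IFS= read -r pw < "$1" || return 1
    printf '%s\n' "$pw"
}
```

The terminal session would call `make_private_fifo` and write the password to the printed path; the script named in SUDO_ASKPASS would call `askpass_from_fifo` with that same path.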
Skeeve
Joined: 2014-10-17
Posts: 12
No comment at all?
Guest
I kinda like this idea. I think there should be 3 modes of this feature...

  • Direct/built-in su/sudo support (without any extra script {or other "hacking" to make it work}, that is)
  • Support for any "custom" password prompt (or any custom prompt at all? {password or otherwise})
  • While WinSCP is connecting, if the connection "freezes" for any reason (something is reading stdin), WinSCP could show the recent startup lines (the console output) & ask the user to answer any question the server is asking.

Direct/built-in support for "su" & "sudo" should be added: that is a major use-case...ALL "root" users should login as "someuser" & then su or sudo to root.

Anytime after login/connection, WinSCP could have a "Switch Remote User" option, which would invoke either su or sudo to perform the change...but of course, there should also be a login/connection option "Immediately Switch Remote User after login"...like have 2 Username fields on the Login/Connection Info box.

Beyond that, support for a "custom" password prompt would be good too, just in case someone needs a custom script beyond the built-in su/sudo detection above.

I think this should be a WinSCP feature, mostly cuz doing this manually is convoluted: if I had this need, I would NEVER have come up with the script this guy wrote for it (I'm still not even sure I understand the explanation of the script)...I think it's just easier to make WinSCP support it, than to "invent" ways around WinSCP not supporting it. At the very least the su/sudo support should be added, since that is a common security practice of "never login directly as root".

Skeeve wrote:
No comment at all?

...sorry, but no one comes here, unless they have a problem or they "wanna check on WinSCP again".
Skeeve
Joined: 2014-10-17
Posts: 12
That sounds even better.

I hope the feature will be picked up.
brablc
Moderator
Joined: 2005-03-29
Posts: 5
Location: Praha, Czech Republic
Skeeve wrote:
I posted http://winscp.net/forum/viewtopic.php?t=14441 and found a workaround for me.

Background: On my targetserver I can only log in with my personal account. There I am only allowed to do a "sudo su - TARGETUSER". This is then prompting me for the password.



Cannot your admin allow you to sudo this command without requiring a password?
Skeeve
Joined: 2014-10-17
Posts: 12
brablc wrote:
Skeeve wrote:
I posted http://winscp.net/forum/viewtopic.php?t=14441 and found a workaround for me.

Background: On my targetserver I can only log in with my personal account. There I am only allowed to do a "sudo su - TARGETUSER". This is then prompting me for the password.



Cannot your admin allow you to sudo this command without requiring a password?


Sure he can, but he won't.
martin
Site Admin
Joined: 2002-12-10
Posts: 24530
Location: Prague, Czechia
This request has been added to the tracker:
http://winscp.net/tracker/show_bug.cgi?id=1247
Skeeve
Joined: 2014-10-17
Posts: 12
Thanks a lot!
Skeeve
Joined: 2014-10-17
Posts: 12
Any news for this?
martin
Site Admin
Joined: 2002-12-10
Posts: 24530
Location: Prague, Czechia
Not yet. It's not really high-priority, sorry.