winscp askpass tipps please

Skeeve
Posts: 12

I want to access files on remote servers where I'm just allowed to do "sudo su - TARGETUSER".

Unfortunately I have to enter my password for sudo.

I found out that I can use SCP as file protocol and as shell I use

SUDO_ASKPASS=./mypass sudo -A su - TARGETUSER

mypass simply contains

#!/bin/sh
echo 'My Secret Password'

This works fine except for the fact that ./mypass has to contain my password.

Does anyone here have any tip for me on how I can provide the password to sudo without having to store it in clear text?

Note: I can't change the configuration of sudo or anything of the system.

Skeeve
Posts: 12

To answer my own question and maybe to raise some attention of others who might have better ideas, here is what I've come up with.

I created a script in my target host's home directory containing this:

#!/bin/sh
# Same script as posted, with the variable expansions quoted so a home
# directory or password containing spaces does not break it.
if [ -t 0 ] ; then # interactive: started by hand from the login shell
        if [ -r "$0.fifo" ] ; then rm "$0.fifo" ; fi
        mkfifo -m 600 "$0.fifo"
        stty -echo
        echo -n "Password for upcoming winscp session: "
        read -r p
        stty echo
        echo
        echo -n "Waiting for connection..."
        echo "$p" > "$0.fifo"   # blocks until the reader opens the fifo
        echo
        echo "Connected!"
        rm "$0.fifo"
elif [ -r "$0.fifo" ] ; then # non interactive - fifo exists, sudo -A is calling us
        cat "$0.fifo"            # the password goes to stdout for sudo to read
        rm "$0.fifo"
fi

In my winscp settings for the host I have now this configured as shell:

SUDO_ASKPASS=mypass sudo -A su - TARGETUSER

Before I invoke the winscp session I log in to the target host and start "mypass", which then asks me for the password and puts it into a fifo. As soon as the fifo has been read, I get the message "Connected" and the fifo gets removed.

While the script is waiting for the connection, after I have entered my password, I start winscp and connect to my host. The sudo command of my shell setting starts "mypass", which notices that it's non-interactive and that a password is waiting in the fifo. It reads the password, echoes it to stdout (for sudo to read) and deletes the fifo. I delete the fifo twice just to be sure that it's removed, either by the writer or by the reader.

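The following is an added example, not Skeeve's script and not anything shipped with WinSCP or sudo. It takes the FIFO handoff from the answer above (which already solves the question's problem of not keeping the password in a file) and tightens the points a reviewer would flag: the FIFO lives in a private directory created under umask 077, every expansion is quoted, the prompt uses printf instead of the non-portable echo -n, a trap removes the FIFO if the waiting session is aborted, the password variable is cleared after the handoff, and the reader fails with a message when no password is pending instead of handing sudo an empty string. The install path $HOME/.winscp-askpass/askpass, the function names and the environment overrides ASKPASS_DIR and ASKPASS_FIFO are assumptions for this example; the WinSCP shell setting would then be "SUDO_ASKPASS=$HOME/.winscp-askpass/askpass sudo -A su - TARGETUSER". The limitation of the approach stays the same: the password crosses the FIFO in clear and, for the length of the wait, any other process running as the same user could open the FIFO first, which is why the mode 600 file in a mode 700 directory matters.

```shell
#!/bin/sh
# Added example (not the poster's script): hardened variant of the FIFO askpass handoff.
# Assumptions (hypothetical): installed as $HOME/.winscp-askpass/askpass and used via
#   SUDO_ASKPASS=$HOME/.winscp-askpass/askpass sudo -A su - TARGETUSER
# ASKPASS_DIR and ASKPASS_FIFO may be overridden from the environment.

ASKPASS_DIR="${ASKPASS_DIR:-$HOME/.winscp-askpass}"
ASKPASS_FIFO="${ASKPASS_FIFO:-$ASKPASS_DIR/fifo}"

# Create a private directory and a fresh FIFO. umask 077 keeps anything created
# from here on unreadable by other users even if a chmod were forgotten.
askpass_prepare() {
    umask 077
    mkdir -p "$ASKPASS_DIR"
    chmod 700 "$ASKPASS_DIR"
    rm -f "$ASKPASS_FIFO"
    mkfifo -m 600 "$ASKPASS_FIFO"
}

# Writer side (interactive login shell): prompt without echo, then block on the
# FIFO until exactly one reader (the sudo -A call) opens it. The trap removes
# the FIFO if the session is abandoned with Ctrl-C or closed before a reader came.
askpass_writer() {
    askpass_prepare
    trap 'rm -f "$ASKPASS_FIFO"' EXIT INT TERM
    printf 'Password for upcoming WinSCP session: ' >&2
    stty -echo
    read -r p
    stty echo
    printf '\nWaiting for connection...' >&2
    printf '%s\n' "$p" > "$ASKPASS_FIFO"   # open() blocks until the reader arrives
    p=                                     # drop the secret from this shell
    printf ' connected.\n' >&2
}

# Reader side (run by sudo -A, stdin is not a terminal): emit the secret once
# and remove the FIFO. If nothing is pending, fail loudly so sudo reports an
# error rather than trying an empty password.
askpass_reader() {
    if [ -p "$ASKPASS_FIFO" ]; then
        cat "$ASKPASS_FIFO"
        rm -f "$ASKPASS_FIFO"
    else
        printf 'askpass: no password is waiting in %s\n' "$ASKPASS_FIFO" >&2
        return 1
    fi
}

# Dispatch only when running under the assumed installed name, so the file can
# also be sourced (for tests or reuse) without prompting or blocking.
case "${0##*/}" in
    askpass)
        if [ -t 0 ]; then askpass_writer; else askpass_reader; fi
        ;;
esac
```

To use it, copy the file to $HOME/.winscp-askpass/askpass on the target host, make it executable, run it from an interactive login before starting the WinSCP session, and point the WinSCP shell setting at it as shown in the lead-in. The $0-based dispatch means the functions can be exercised with a FIFO in a scratch directory by exporting ASKPASS_FIFO first.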