Ask user for password?

Skeeve

Ask user for password?

I posted https://winscp.net/forum/viewtopic.php?t=14441 and found a workaround for me.

But maybe it's possible to implement something better?

Background: On my targetserver I can only log in with my personal account. There I am only allowed to do a "sudo su - TARGETUSER". This is then prompting me for the password.

The workaround I'm using is a script which is called by sudo as "SUDO_ASKPASS". That script is connecting to a fifo where, on the other end, I have an open terminal session where I enter my password. This seems to work quite well, besides the small security risk that someone could read from my fifo while I'm thinking I'm communicating with my winscp-invoked script.

What I'm thinking about is: Would it be possible to have a script on my targetserver which can communicate back with WinSCP, sending WinSCP the request to ask the user for a password? It would then get the password from WinSCP and would give it back to sudo via stdout.

Skeeve

Hi!

I mailed Martin and he suggested that I describe the problem (a bit better?) in the forum to "see if others find it interesting."

I hope you will...

So please find the problem description here:


My problem is the following:
1) I'm only allowed to log in to our production systems with a personalized user
2) To do something as the functional user of our applications, I can only use "sudo su - functionaluser"

So the official way, when I have to copy files back and forth, is to copy them into a temp location first.

Of course this is quite annoying and people tend to forget to delete files from there.

Usually I would copy my public key to the functional user's .ssh/authorized_keys, but that's not wanted.

So my only solution was to use an "askpass" script, but since I do not want to have my password in clear text in a script, I came up with the workaround shown in the forum (linked in the first thread). The idea is that I have a terminal session on my production host where I open a fifo where I send my password in. The winscp connection is starting a sudo which calls a script reading from the fifo and thus getting my password.

The ideal solution would be if a script could "tell" winscp that it wants a password and the winscp then prompts the user for it.

I imagine something like a new setting in winscp telling it: "When, in a new connection, a certain string appears, ask the user for a password and send this password to the connection".

Do you think that's possible? That way a user in a similar situation as I am can simply create a script like this:

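#!/bin/sh
# Prompt on stderr: sudo takes the askpass helper's stdout as the password.
printf 'sudo password:' >&2
# -r keeps backslashes in the password literal.
IFS= read -r pass
# printf avoids echo's option handling; quoting prevents word splitting.
printf '%s\n' "$pass"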

best regards and thanks for winscp!

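The FIFO hand-off described in the two posts above, with a check aimed at the stated risk of someone else reading from the FIFO. This is an added example, not the script from the linked thread and not WinSCP code; the function names and the FIFO file name are hypothetical.

```shell
#!/bin/sh
# Added example: hardened FIFO hand-off for a SUDO_ASKPASS helper.
# make_private_fifo, fifo_is_private and askpass_read are hypothetical names.

# Create the FIFO inside a fresh mode-700 directory so no other account can
# open it or swap it for a different file. Prints the FIFO path.
# The body runs in a subshell so the umask change does not leak to the caller.
make_private_fifo() (
    umask 077
    dir=$(mktemp -d) || exit 1
    mkfifo -m 600 "$dir/askpass.fifo" || exit 1
    printf '%s\n' "$dir/askpass.fifo"
)

# Succeed only if $1 is a FIFO, owned by the caller, with mode exactly 600.
fifo_is_private() {
    [ -p "$1" ] && [ -O "$1" ] &&
        [ -n "$(find "$1" -prune -perm 600)" ]
}

# What the askpass helper does: refuse a FIFO that fails the check,
# otherwise read one line from it and hand that line to sudo on stdout.
askpass_read() {
    fifo_is_private "$1" || { echo "refusing unsafe FIFO: $1" >&2; return 1; }
    IFS= read -r secret < "$1" || return 1
    printf '%s\n' "$secret"
}

# In the terminal session on the other end, the password is typed without
# echo and written to the FIFO, e.g.:
#   stty -echo; IFS= read -r pw; stty echo; printf '%s\n' "$pw" > "$fifo"
```

The check limits readers to the owning account (and root); it does not protect against other processes running as the same user.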

Guest

I kinda like this idea. I think there should be 3 modes of this feature...

  • Direct/built-in su/sudo support (without any extra script {or other "hacking" to make it work}, that is)
  • Support for any "custom" password prompt (or any custom prompt at all? {password or otherwise})
  • While WinSCP is connecting, if the connection "freezes" for any reason (something is reading stdin), WinSCP could show the recent startup lines (the console output) & ask the user to answer any question the server is asking.

Direct/built-in support for "su" & "sudo" should be added: that is a major use-case...ALL "root" users should login as "someuser" & then su or sudo to root.

Anytime after login/connection, WinSCP could have a "Switch Remote User" option, which would invoke either su or sudo to perform the change...but of course, there should also be a login/connection option "Immediately Switch Remote User after login"...like have 2 Username fields on the Login/Connection Info box.

Beyond that, support for a "custom" password prompt would be good too, just in case someone needs a custom script beyond the built-in su/sudo detection above.

I think this should be a WinSCP feature, mostly cuz doing this manually is convoluted: if I had this need, I would NEVER have come up with the script this guy wrote for it (I'm still not even sure I understand the explanation of the script)...I think it's just easier to make WinSCP support it, than to "invent" ways around WinSCP not supporting it. At the very least the su/sudo support should be added, since that is a common security practice of "never login directly as root".

Skeeve wrote:

No comment at all?

...sorry, but no one comes here, unless they have a problem or they "wanna check on WinSCP again".

brablc
Moderator
Location:
Praha, Czech Republic

Re: Ask user for password?

Skeeve wrote:

I posted https://winscp.net/forum/viewtopic.php?t=14441 and found a workaround for me.

Background: On my targetserver I can only log in with my personal account. There I am only allowed to do a "sudo su - TARGETUSER". This is then prompting me for the password.


Cannot your admin allow you to sudo this command without requiring a password?

Skeeve

Re: Ask user for password?

brablc wrote:

Skeeve wrote:

I posted https://winscp.net/forum/viewtopic.php?t=14441 and found a workaround for me.

Background: On my targetserver I can only log in with my personal account. There I am only allowed to do a "sudo su - TARGETUSER". This is then prompting me for the password.


Cannot your admin allow you to sudo this command without requiring a password?

Sure he can, but he won't.
