Hi everybody,

Sorry if this isn't the correct list; I'm new to Ruby and couldn't find
an
answer to this question in the other likely places.

I'm working on a tool that wraps the Arch Linux command line password
manager
"pwsafe". It keeps your master password in memory for ten minutes so
that you
don't have to re-type it so much. Recently I found a vulnerability and
have to
re-write the function that invokes the main pwsafe program to get the
application password. It looks like this now:

def fetch_app_password
  master_password = driver.get # fetch the password from the user
  # TODO stop printing the user's master password in cleartext
  open( "| #{PWSAFE} -q -E -p #{stringified_args}", 'r+' ) do
|pwsafe_pipe|
    pwsafe_pipe.write(master_password + "\n")
    app_password = pwsafe_pipe.readline()
    if app_password == "Passphrase is incorrect"
      system 'killall pwsafe'
      raise 'Passphrase is incorrect'
    end
    return app_password
  end
  raise 'an error occurred'
end

This code invokes pwsafe and correctly returns the application password
the
user asked for; however, the entire exchange between the password safe
and the
ruby program occurs in the user's terminal - in cleartext. This is
unacceptable
because shoulder surfers are definitely part of my threat model.

I've tried a few things, including running `setty -echo` just before
opening
the pipe; none of them have prevented that master_password variable from
ending
up on the terminal. Can anyone suggest a good way to silence the master
password, or (even better) the entire conversation?

Thanks,
Dolan

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi!

just use the awesome highline gem:


require 'rubygems'
require 'highline/import'

def get_password(prompt="Enter Password")
   ask(prompt) {|q| q.echo = false}
end

thePassword = get_password()

regards, sandor
- --

On 20/07/14 23:22, Dolan Murvihill wrote:
> password. It looks like this now:
> This code invokes pwsafe and correctly returns the application
>
> Thanks, Dolan
>


- --
Viele Gr??e Sandor
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCgAGBQJTzLdvAAoJEIiuFRwovs5r+OIP/RRRTZcNdPamFcMwrZqj4Z7E
eWMJr7yppKy4eAffPfWH5/STAD/evYzQ20NiJyYTRCeieCYaTIA6P66TLqUZJEGx
sI/0mi31JBvGZPdT5W3TOv1YFXJysJ/EDIn1I6EmIl5oWzgbB4VDanW14YrFcq52
5YUBxTyJT0IxBI3doZWGRICRKrkiQS8Mep0fxYnjqfgbMHKD4u8HELJrBlmaJEih
O3rsJoW1XG7qXc35nO+cDmBjT3ru2R6LabEgWZp1aP+/NM1IzW482Xvb6SrJNteC
PXsoUFIhRbklYsJ+aGA1kdbkNXsjTyDdugFNNgqQR2OX8Uyl053fKD231iXYrsGz
QM1K9eU1kkMawwTN8ADdw4d7Sl/h9TFeXFSgEZKKFmjmOXuDdArXzVZHr3tH24gy
x6fwfXI80uLDZeec4S0xjXhlaHAOjy3a/97k45qc2/gQHOenapUWq3H6RhGfeKqq
YRvba3LiGPkcdeAztPZc54sJwmA3dlTwcfzuxFQTXJHdhH/WWRdDrYT38TQ/dnvW
5nwe9KPAKOAoLEhRDZ9+grV2eq3lUjcw2GvYAPIPgdnOXi1UuzoTvlOgpJRIK2mq
tr70zeRsoOnlrg/f+e77swk2ha3IFNVeqDkoT5d7mUX6KLh+hN+RAXBSfKGH+cYo
cn9419Z7x320iEXCGsRP
=0hVC
-----END PGP SIGNATURE-----