Hi everybody,

Sorry if this isn't the correct list; I'm new to Ruby and couldn't find an answer to this question in the other likely places.

I'm working on a tool that wraps the Arch Linux command line password manager "pwsafe". It keeps your master password in memory for ten minutes so that you don't have to re-type it so much. Recently I found a vulnerability and have to re-write the function that invokes the main pwsafe program to get the application password. It looks like this now:

    def fetch_app_password
      master_password = driver.get # fetch the password from the user
      # TODO stop printing the user's master password in cleartext
      open("| #{PWSAFE} -q -E -p #{stringified_args}", 'r+') do |pwsafe_pipe|
        pwsafe_pipe.write(master_password + "\n")
        app_password = pwsafe_pipe.readline.chomp   # strip the trailing newline before comparing
        if app_password == "Passphrase is incorrect"
          system 'killall pwsafe'
          raise 'Passphrase is incorrect'
        end
        return app_password
      end
      raise 'an error occurred'
    end

This code invokes pwsafe and correctly returns the application password the user asked for; however, the entire exchange between the password safe and the Ruby program occurs in the user's terminal, in cleartext. This is unacceptable because shoulder surfers are definitely part of my threat model.

I've tried a few things, including running `stty -echo` just before opening the pipe; none of them have prevented that master_password variable from ending up on the terminal.

Can anyone suggest a good way to silence the master password, or (even better) the entire conversation?

Thanks,
Dolan
on 2014-07-20 23:22

on 2014-07-21 08:47

Hi!

Just use the awesome highline gem:

    require 'rubygems'
    require 'highline/import'

    def get_password(prompt = "Enter Password")
      ask(prompt) { |q| q.echo = false }
    end

    thePassword = get_password()

Regards,
Sandor

On 20/07/14 23:22, Dolan Murvihill wrote:
> password. It looks like this now:
> This code invokes pwsafe and correctly returns the application
>
> Thanks, Dolan

--
Best regards
Sandor