6

I'm not sure if this question is more appropriate for Stackoverflow or SuperUser or what StackExchange site...

Basically I'm launching a third-party app from C# with Process.Start with several command line parameters. One of those command line parameters is a password.

I think I'm doing a really good job of securing that password everywhere in my app, except if you open the Processes tab in Task Manager, you can add the "Command Line" column and see all of those command line parameters.

Can anyone think of a way to launch a process that somehow has the command line params hidden? Is this possible at all?

Thank you!

EDIT:

This is a Windows Service wrapper for plink.exe (SSH/Putty stuff). It will prompt for a password if I don't specify the password in the command line, but I get this weird warning:

Plink.exe - 3/30/2013 2:40:47 PM - Attempting keyboard-interactive authentication
Plink.exe - 3/30/2013 2:40:47 PM - Server refused keyboard-interactive authentication
Plink.exe - 3/30/2013 2:40:49 PM - user@hostname.com's password:

I have specified to redirect the standard input, but perhaps I will continue looking in to that and see if I can work-around it. Also, as David Heffernan recommended, I'm going to look further into Pageant. Thank you everyone - I will post an update once I figure out a better solution!

4

2 回答 2

3

There's no way to pass a command line argument to a process, so that the process can see it, but everything else in the system cannot.

This is an obvious flaw and when programs allow passwords to be passed as arguments, it's usually done for convenience for the user that is not concerned about eavesdroppers. Well designed programs will usually provide, in addition, other secure means of authentication.

于 2013-03-30T09:00:38.050 回答
2

If you set an ACL for the new process, it should restrict who can read the command line information. An empty ACL, granting no permissions, might block access to administrators using Task Manager, though my first guess is that it will not. (Note that an empty security descriptor is not the same thing as an empty ACL. One implicitly grants permission to everyone, the other implicitly denies it.)

Of course, an administrator could always replace plink.exe with something that stores the password somewhere. So I'm not sure that worrying about what the administrator can see with Task Manager makes sense!

于 2013-03-31T07:02:16.407 回答