3

我有时会在回显输入字符的 linux 终端中错误地输入我的 su 密码。它被记录下来,~/.bash_history这让我感到不安全。有没有人有一个简短的脚本(bash one-liner?)来清除.bash_history任何纯文本密码?

使用 sed 会在 .bash_history 文件中留下自己的痕迹,但如果可以暂时禁用 readline 和/或历史服务,这可能会起作用:

sed -ir -e 's/su_password/PASSWORD_REMOVED/g' ~/.bash_history

如果密码经常用作其他短语/单词的一部分,这可能会产生额外的问题/漏洞。

理想情况下,脚本应该只仔细阅读散列密码列表 ( /etc/shadow) 来创建搜索词列表。然后它必须对它正在检查的文件的部分进行散列 ( .bash_history) 以进行比较。问题是在比较过程中知道文件中有多少文本要散列,因为密码的长度是未知的。或者,它可以在执行 grep/sed 之前以安全的方式请求密码,就像 passwd 一样。

4

4 回答 4

1

不仅仅是一个单行,而是一个函数:

eh () { history -a ; vi + ~/.bash_history ; history -r ; }

将此行添加到您的 .bashrc 或 .bash_profile。运行时

  1. 将缓冲区保存到您的 .bash_history
  2. 在 vi 中打开 .bash_history,除了文件底部的指针。
  3. 将编辑后的文件恢复到您当前的历史缓冲区

在 vi 中,您可以使用箭头键上下移动,删除一行dd并使用 [Esc] 关闭并写入文件:wq

现在你只需要eh在命令行输入并编辑你的历史

eh代表“编辑历史”

于 2012-02-14T20:30:05.177 回答
0
$ echo -n password=; stty -echo; sed -i "s/$(head -1)/PASSWORD_REMOVED/g" ~/.bash_history; stty echo
top-secret password that never appears anywhere else to make it easy to guess
$ #you have to type it in and press enter

echo你提示。这stty有助于防止人们从你的肩膀上看过去。确保你逃避任何东西(即反斜杠)。

于 2012-08-26T03:01:34.817 回答
0

我通常会做一个echo > .bash_history来清除这个。虽然您的密码可能会出现在陌生的地方,所以您可能需要先做一个sudo grep "password" -R / ,看看它是否在系统上的其他任何地方,然后清除您的历史记录。

于 2011-08-25T07:06:13.670 回答
0

由于没有任何答案对我有用,我想我会分享我目前正在使用的脚本。它当然不是单行的,甚至不是 bash ......但它确实有效。

#!/usr/bin/env python
import os
user=os.getenv('USER')
if not user:
    user='hobs'
home=os.getenv('HOME')
if not home:
  home=os.path.normpath(os.path.join(os.path.sep+'home',user))
histfile=os.getenv('HISTFILE')
if not histfile:
    histfile=os.path.join(home,'.bash_history')
from optparse import OptionParser
p = OptionParser(usage="%prog [options] password", add_help_option=True)
p.add_option('-p', '--password', '--pass', '--pw', dest='pw',
             default =None,
             help="The plaintext password string you'd like to find and replace throughout your bash history file(s)", )
p.add_option('-r', '--replacement-password', '--replacement', '--filler', '--substitution', dest='rep',
             default ='',
             help="The replacement string, passphrase identifier, tag, or filler you'd like to leave behind wherever the password was found and removed.", )
p.add_option('-f', '--bash_history', '--historyfile', '--file', '--path', '--filename', dest='hfile',
             default =histfile,
             help="The text file where your password may have been accidentally recorded and where you'd like it removed. Default = ~/.bash_history.", )
(o, a) = p.parse_args()
if a and not o.pw:
    o.pw=' '.join(a) # password can have spaces in it
    print o.pw
    print len(o.pw)
# TODO: Check if the history buffer will record the invocation of this script that includes a plaintext password
#       Alternatively, launch the search/replace task in the background to start
#       after history has had a chance to record the last command in the history buffer
if o.pw:
    import warnings
    warnings.warn("Make sure you invoked "+p.get_prog_name()+" in such a way that history won't record this command (with a plaintext password) in the history file. It would be much  better if you didn't supply the password on the command line and instead allowed this script to securely prompt you for it.",RuntimeWarning)
if not o.pw:
    import getpass
    o.pw=getpass.getpass()
if len(o.pw)<4:
    raise ValueError(p.get_prog_name() + " doesn't accept passwords shorter than 4 characters long to prevent accidental corruption of files by purging common character combinations. The password you supplied is only "+str(len(o.pw))+" characters long.")
import fileinput
for line in fileinput.FileInput(o.hfile,inplace=1):
    line = line.replace(o.pw,o.rep)
    print line,
于 2011-08-27T15:25:52.483 回答