
I currently have the following script which works fine:

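```sh
#!/bin/sh
# Prompt for the credentials with zenity dialogs.
user="$(zenity --entry --title="Username" --text="Username")"
pass="$(zenity --password --title="Password" --text="Password")"

# The credentials are passed as command-line arguments (this is what ps shows).
xfreerdp /cert-ignore /f /v:farm.company.com /d:company.com /g:rds.company.com /u:"${user}" /gd:company.com /gu:"${user}" /gp:"${pass}" /p:"${pass}"
```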

This is apparently not very secure, as the username and password can easily be seen by using `ps axu`. Is there a more secure way of creating this script?

Gilles 'SO- stop being evil'
oshirowanen
  • This would be easier to answer if you explained exactly what your script is doing. Presumably `xfreerdp` is some kind of RDP client that connects to Windows machines but does it have any other ways of getting its password? – terdon Jul 15 '14 at 11:25
  • It's recommended to keep the `/p` argument blank so that the user gets prompted for the password when attempting to log in. Not sure if your use case would want the user to know the password though. – Chirag Bhatia - chirag64 Jul 15 '14 at 11:46
  • Simply put everything into a file with an appropriate umask and call xfreerdp /path/to/file – Dani_l Jul 15 '14 at 14:53
  • @Dani_l I converted your answer to a comment as you requested but why not flesh it out, explain what should go into the file and what permissions the file should have and post a proper answer? – terdon Jul 15 '14 at 16:00
  • Again, this should be a comment - turns out this is a duplicate of http://unix.stackexchange.com/questions/119880/make-freerdp-prompt-user-for-username-and-password – Dani_l Jul 15 '14 at 20:13
  • @Dani_l http://unix.stackexchange.com/questions/119880/make-freerdp-prompt-user-for-username-and-password only provides part of the answer. It shows how to get a password prompt, but not how to pass the password that was already obtained with zenity. – Gilles 'SO- stop being evil' Jul 15 '14 at 21:54
  • @Gilles Still can't comment. Yes, it does. Notice in the accepted answer, zenity is called directly in the xfreerdp invocation, fulfilling the requirement. – Dani_l Jul 15 '14 at 22:04
  • @No: that code example puts the password on the command line where it can be snooped by `ps`. – Gilles 'SO- stop being evil' Jul 16 '14 at 06:43
  • @Dani_l if you are still unhappy with what happened here, please post a question on [meta] and I'll be happy to respond and explain why I deleted that answer. You can even post one requesting I be removed from my position as a mod. Just don't post an answer to an existing question, that's not how the site works. – terdon Jul 17 '14 at 13:49
  • The more popular `rdesktop` application (Debian PopCon has 56k installs for rdesktop vs 14k for freerdp-x11), which (from what I can tell) does the same thing as `xfreerdp`, can prompt you for passwords interactively on its own. Additionally, it supports `-p -` which would let you pipe the password from your second `zenity` command. – Adam Katz Feb 19 '15 at 00:25

1 Answer


It's impossible with `xfreerdp` according to its man page. If you insist on using it, you can use `gdb` to adjust the `argv[]` array after breaking the execution in `main()`.

Or you can mount your `/proc` with the `hidepid=2` option in Linux, so no one will be able to see your processes except you and root.

L29Ah
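An added example, not part of the original question or answer: a small audit that checks both conditions discussed in this thread, namely whether a process carries a password in its argv and whether the `/proc` mount restricts who can read it. The function names are hypothetical, `/p:` and `/gp:` are the switches from the question, and the sample inputs are constructed.

```sh
#!/bin/sh
# Added example, not from the thread. /p: and /gp: are the xfreerdp switches
# from the question; the sample inputs at the bottom are constructed.

# password_switches FILE: FILE holds a NUL-separated argv, the format of
# /proc/PID/cmdline. Prints each password-carrying switch, never its value.
password_switches() {
    tr '\0' '\n' < "$1" | sed -n 's#^\(/g\{0,1\}p:\).\{1,\}$#\1#p'
}

# hidepid_of FILE: FILE is in /proc/mounts format. Prints the hidepid= value
# of the /proc mount, or 0 (the kernel default) when the option is absent.
hidepid_of() {
    awk '$2 == "/proc" && $3 == "proc" {
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++)
                 if (opt[i] ~ /^hidepid=/) v = substr(opt[i], 9)
         }
         END { print (v == "" ? 0 : v) }' "$1"
}

# audit CMDLINE MOUNTS: returns 1 when a password sits in argv and /proc
# leaves it readable by other local users, 0 otherwise.
audit() {
    found=$(password_switches "$1" | tr '\n' ' ')
    [ -n "$found" ] || { echo "no password in argv"; return 0; }
    h=$(hidepid_of "$2")
    case $h in
        0|off) echo "exposed to all local users: ${found% }"; return 1 ;;
        *)     echo "in argv but restricted by hidepid=$h: ${found% }"; return 0 ;;
    esac
}

# Constructed sample: the question's command line with a dummy password.
tmp=$(mktemp -d)
printf '%s\0' xfreerdp /f /v:farm.company.com /u:alice /gu:alice \
    /gp:EXAMPLE /p:EXAMPLE > "$tmp/cmdline"
echo 'proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0' > "$tmp/open"
echo 'proc /proc proc rw,relatime,hidepid=2 0 0' > "$tmp/hidden"
audit "$tmp/cmdline" "$tmp/open" || true
audit "$tmp/cmdline" "$tmp/hidden"
```

To check one of your own running processes, call `audit "/proc/$pid/cmdline" /proc/mounts`. Even with `hidepid` set, the arguments stay readable by the same user and by root.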