5

I am using rdesktop on a Fedora laptop to connect to Windows computers at work. To make it easier, I've made an alias in my .bashrc:

```bash
alias companyremote='rdesktop -u USER -p - -g 1920x1040 -K'
```

So I just have to type

```bash
companyremote NAME
```

to connect to a given computer. But I don't want to store my passwords in plaintext in my .bashrc, so I have to type the password every time in standard input. I'd rather have a clean command with no other required input that only requires me to be a certain user.

I suppose the VPN connection is the primary security layer, not the actual Windows password, but I'd rather be safe than not, and why not learn something?

How can I store an encrypted password that I can use with an alias like this?

2 Answers

3

A password agent (also known as a keychain/keyring or secrets store) is the tool for this. The idea is to keep all your passwords in an encrypted database protected by a master password. The agent starts when you log in, gets the master password from you, then decrypts individual passwords for other programs on request. Often the master password will be the same as your login password, in which case the agent gets the password automatically when you log in.

If you've got the Gnome-keyring password agent running, you can use the secret-tool command-line client to look up passwords and pipe them into rdesktop.

Since Gnome-keyring is designed to store a lot of passwords, it needs to tell them apart, so it stores identifying information with each password in the form of a set of attributes and values. These can be anything, but no two passwords can have the exact same set of identifiers. For remote Windows login, useful identifiers might be "user" and "domain", or "user" and "hostname". It also stores a label, which is for humans to tell the password entries apart.

```console
$ secret-tool store --label "jander@mydomain" user "jander" domain "mydomain"
Password:
```

Then, you can use something like the following to start rdesktop:

```console
# The attribute values must match the ones given to "secret-tool store"
$ secret-tool lookup user "jander" domain "mydomain" | rdesktop -d "mydomain" -u "jander" -p - remotehost.mydomain
```

The seahorse GUI tool is useful for inspecting your keychains, locking and unlocking them manually, and changing passwords. It's not great for adding passwords, though, since it doesn't provide any way to set identifiers.

For more technical details you might be interested in the Freedesktop.org secret storage spec, which Gnome-keyring implements.

Finally, keep in mind that when you use an agent, you are giving up security for convenience: anyone who can sit down at your laptop while you're logged in can now also log into your remote desktop without knowing the password. You'll probably want to use a locking screensaver at a minimum.

Jander
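An added example, not part of either answer: a shell function for `.bashrc` that replaces the alias from the question, looks the password up with `secret-tool` as in the answer above, and refuses to start `rdesktop` when the lookup fails or returns nothing. The variable names `RDP_USER`, `RDP_DOMAIN`, `SECRET_TOOL` and `RDESKTOP` are assumptions of this example, and the `user`/`domain` attributes are the ones from the answer's `secret-tool store` command.

```bash
# Assumed settings: the account and the keyring attributes used with
# "secret-tool store" above. Override them in the environment if needed.
RDP_USER="${RDP_USER:-jander}"
RDP_DOMAIN="${RDP_DOMAIN:-mydomain}"
# Command names are variables so they can be swapped for stubs when testing.
SECRET_TOOL="${SECRET_TOOL:-secret-tool}"
RDESKTOP="${RDESKTOP:-rdesktop}"

# The body is a subshell "( ... )", so the password variable disappears
# when the function returns and never lingers in the interactive shell.
companyremote() (
    if [ "$#" -ne 1 ]; then
        echo "usage: companyremote HOST" >&2
        exit 2
    fi

    # Treat a failed lookup (no matching entry, keyring locked or agent
    # not running) and an empty result the same way: do not start rdesktop.
    if ! pw=$("$SECRET_TOOL" lookup user "$RDP_USER" domain "$RDP_DOMAIN"); then
        echo "companyremote: keyring lookup failed for $RDP_USER@$RDP_DOMAIN" >&2
        exit 1
    fi
    if [ -z "$pw" ]; then
        echo "companyremote: keyring returned an empty password" >&2
        exit 1
    fi

    # printf is a shell builtin, so the password is written to the pipe
    # without appearing in any process's argument list; "-p -" makes
    # rdesktop read it from standard input.
    printf '%s\n' "$pw" |
        "$RDESKTOP" -d "$RDP_DOMAIN" -u "$RDP_USER" -p - -g 1920x1040 -K "$1"
)
```

Remove the old `companyremote` alias before defining the function, since bash expands aliases while parsing the definition.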
0

Sure, you can store an encrypted password, and decrypt it and pipe it to rdesktop. But where will you store the password for the encryption?

If you want to store the password on your client machine (and it might as well be the Windows password rather than a password used to decrypt the Windows password), you can use a password agent such as Gnome-keyring. The password will be either stored in a plaintext file or protected by a master password, depending on how you've set it up (often the master password is your login password and the keyring is automatically unlocked when you log in).

Gilles 'SO- stop being evil'
  • Excellent. Thanks! Looks like I have some learning to do. – Zoon van Zaal Apr 01 '15 at 15:07
  • @ZoonvanZaal [I'm trying to make this work](http://unix.stackexchange.com/questions/194224/how-can-i-alert-on-completion-of-a-long-task-over-ssh/194314#194314) but [running into difficulties](http://unix.stackexchange.com/questions/194308/d-bus-authentication-and-authorization). – Gilles 'SO- stop being evil' Apr 04 '15 at 01:37
  • Thanks for the update. Maybe I need another path forward. – Zoon van Zaal Apr 06 '15 at 13:46
  • Why forward D-Bus? Isn't Gnome-keyring running on the same computer as rdesktop, or did I miss something? – Jander May 03 '15 at 11:54
  • @Jander I understood that the password would be used *on* Windows, but upon rereading it seems to be the Windows login password which is used by rdesktop, on the client. So you're right, thanks, this should be straightforward. – Gilles 'SO- stop being evil' May 03 '15 at 16:05