WinSCP askpass tips please :: Support Forum

Skeeve
Joined:: 2014-10-17
Posts:: 12

WinSCP askpass tips please

2014-10-17 22:31

I want to access files on remote servers where I'm just allowed to do

sudo su - TARGETUSER

Unfortunately I have to enter my password for sudo.

I found out that I can use SCP as file protocol and as shell I use

SUDO_ASKPASS=./mypass sudo -A su - TARGETUSER

The mypass simply contains

#!/bin/sh
echo 'My Secret Password'

This works fine except for the fact that ./mypass has to contain my password.

Does anyone here have any tip for me, how I can provide the password to sudo without having to store it in clear text?

Note: I can't change the configuration of sudo or anything of the system.

Reply with quote

Skeeve
Joined:: 2014-10-17
Posts:: 12

2014-10-20 07:04

To answer my own question and maybe to raise some attention of others who might have better ideas, here is what I've come up with.

I created a script in my target host's home directory containing this:

#!/bin/sh
if [ -t 0 ] ; then # interactive
        if [ -r $0.fifo ] ; then rm $0.fifo ; fi
        mkfifo -m 600 $0.fifo
        stty -echo
        echo -n "Password for upcoming winscp session: "
        read p
        stty echo
        echo
        echo -n "Waiting for connection..."
        echo $p > $0.fifo
        echo
        echo "Connected!"
        rm $0.fifo
elif [ -r $0.fifo ] ; then # non interactive - fifo exists
        cat $0.fifo
        rm $0.fifo
fi

In my WinSCP settings for the host I have now this configured as shell:

SUDO_ASKPASS=mypass sudo -A su - TARGETUSER

Before I invoke the WinSCP session I log in to the target host starting mypass, which will then ask me for the password and put it into a fifo. As soon as the fifo was read, I get the message "Connected" and the fifo gets removed.

But while the script is waiting for the connection, after I entered my password, I start WinSCP and connect to my host. The sudo command of my shell-commands starts mypass and notices that it's non-interactive and that a password is waiting in the fifo. It reads the password, echos it to stdout (for sudo to read) and deletes the fifo. I delete the fifo twice just to be sure that it's removed, either by the writer or by the reader.

Reply with quote