WinSCP askpass tips please


Skeeve (Posts: 12)


I want to access files on remote servers where I'm just allowed to do
sudo su - TARGETUSER
Unfortunately I have to enter my password for sudo.

I found out that I can use SCP as the file protocol, and as the shell I use
SUDO_ASKPASS=./mypass sudo -A su - TARGETUSER
The mypass simply contains
#!/bin/sh
echo 'My Secret Password'
This works fine except for the fact that ./mypass has to contain my password.

Does anyone here have any tip for me, how I can provide the password to sudo without having to store it in clear text?

Note: I can't change the configuration of sudo or anything of the system.

Skeeve (Posts: 12)

To answer my own question and maybe to raise some attention of others who might have better ideas, here is what I've come up with.

I created a script in my target host's home directory containing this:
#!/bin/sh
# askpass helper: the interactive run collects the password into a FIFO,
# the non-interactive run (started by "sudo -A") reads it back exactly once.
FIFO="$0.fifo"
if [ -t 0 ] ; then # interactive
        rm -f "$FIFO"
        mkfifo -m 600 "$FIFO" || exit 1
        stty -echo
        printf "Password for upcoming winscp session: "
        read -r p
        stty echo
        echo
        printf "Waiting for connection..."
        echo "$p" > "$FIFO"   # blocks until the reader opens the FIFO
        echo
        echo "Connected!"
        rm -f "$FIFO"
elif [ -r "$FIFO" ] ; then # non interactive - fifo exists
        cat "$FIFO"
        rm -f "$FIFO"
fi
In my WinSCP settings for the host I have now this configured as shell:
SUDO_ASKPASS=mypass sudo -A su - TARGETUSER
Before I invoke the WinSCP session I log in to the target host and start mypass, which then asks me for the password and puts it into a fifo. As soon as the fifo has been read, I get the message "Connected" and the fifo is removed.

But while the script is waiting for the connection, after I have entered my password, I start WinSCP and connect to my host. The sudo command of my shell command starts mypass, which notices that it is non-interactive and that a password is waiting in the fifo. It reads the password, echoes it to stdout (for sudo to read) and deletes the fifo. I delete the fifo twice just to be sure that it is removed, either by the writer or by the reader.
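The FIFO hand-off described in both posts, written out as an added example that is not Skeeve's script and not anything shipped with WinSCP or sudo. The writer side, the reader side and the prompt are separate functions, the FIFO lives in a mode-700 per-user directory under XDG_RUNTIME_DIR or TMPDIR (an assumption; the original keeps it next to the script in the home directory), and askpass_roundtrip runs both sides in one shell as a self-check. All function names and the ASKPASS_DIR/ASKPASS_FIFO variables are mine.

```shell
#!/bin/sh
# Added example, not the forum poster's script: a sudo askpass helper that hands a
# password from an interactive session to the non-interactive run started by
# "sudo -A" through a mode-600 FIFO in a private directory.

# Assumed locations (not from the post): a per-user directory under
# XDG_RUNTIME_DIR or TMPDIR, created with mode 700 so only the owner can reach the FIFO.
ASKPASS_DIR="${ASKPASS_DIR:-${XDG_RUNTIME_DIR:-${TMPDIR:-/tmp}}/winscp-askpass-$(id -u)}"
ASKPASS_FIFO="$ASKPASS_DIR/password.fifo"

# Create the private directory and a fresh FIFO; never reuse a path already there.
askpass_create_fifo() {
    umask 077
    mkdir -p "$ASKPASS_DIR" && chmod 700 "$ASKPASS_DIR" || return 1
    rm -f "$ASKPASS_FIFO"
    mkfifo -m 600 "$ASKPASS_FIFO"
}

# Writer side: opening the FIFO for writing blocks until a reader appears, so this
# returns only after one consumer has taken the secret; then the FIFO is removed.
askpass_offer() {
    printf '%s\n' "$1" > "$ASKPASS_FIFO"
    rm -f "$ASKPASS_FIFO"
}

# Reader side (what "sudo -A" executes): print the secret once on stdout and
# remove the FIFO so a second caller gets nothing.
askpass_take() {
    [ -p "$ASKPASS_FIFO" ] || return 1
    cat "$ASKPASS_FIFO"
    rm -f "$ASKPASS_FIFO"
}

# Interactive side: prompt with echo off, then block until the WinSCP-side sudo collects it.
askpass_prompt() {
    askpass_create_fifo || return 1
    trap 'rm -f "$ASKPASS_FIFO"' INT TERM
    printf 'Password for upcoming WinSCP session: ' >&2
    stty -echo
    read -r secret
    stty echo
    printf '\nWaiting for connection...' >&2
    askpass_offer "$secret"
    printf ' connected.\n' >&2
}

# Dispatch as in the original helper: a terminal on stdin means interactive.
askpass_main() {
    if [ -t 0 ]; then
        askpass_prompt
    else
        askpass_take
    fi
}

# Self-check: writer in the background, reader in the foreground, secret returned on stdout.
askpass_roundtrip() {
    askpass_create_fifo || return 1
    askpass_offer "$1" &
    writer=$!
    got=$(askpass_take)
    wait "$writer"
    printf '%s' "$got"
}

# askpass_main "$@"   # uncomment when installing this file as the SUDO_ASKPASS helper
```

Installed as the helper, the interactive login session runs askpass_prompt while the WinSCP shell command SUDO_ASKPASS=/path/to/helper sudo -A su - TARGETUSER makes sudo run askpass_take; the password is never written to disk, only passed through the kernel FIFO buffer, and the second rm -f on each side mirrors the "delete it twice" belt-and-braces of the original.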
