我有时会在回显键入字符的linux终端中错误地输入我的su密码。它记录在~/.bash_history中,这让我觉得不安全。有没有人有一个简短的脚本(bash one-liner?)来清除.bash_history任何纯文本密码?
使用sed会在.bash_history文件中留下它自己的踪迹,但如果可以暂时禁用readline和/或历史服务,则可能会有效:
sed -ir -e 's/su_password/PASSWORD_REMOVED/g' ~/.bash_history
如果密码经常被用作其他短语/单词的一部分,这可能会产生其他问题/漏洞。
理想情况下,脚本应该只使用散列密码列表(/etc/shadow)来创建搜索项列表。然后,它必须散列它正在检查的文件的部分(.bash_history)以进行比较。问题是知道在比较过程中要散列的文件中有多少文本,因为密码的长度是未知的。或者,它可以在执行grep / sed之前以安全的方式请求密码,例如passwd。
答案 0 :(得分:1)
不仅仅是一个单行,而是一个函数:
eh () { history -a ; vi + ~/.bash_history ; history -r ; }
将此行添加到.bashrc或.bash_profile。运行时
在vi中,您可以使用箭头键上下移动,使用dd删除一行并关闭并使用[Esc]写入文件:wq
现在您只需在命令行键入eh并编辑历史记录
eh代表“编辑历史记录”
答案 1 :(得分:0)
我通常会echo > .bash_history来清除这一点。虽然您的密码可以显示在陌生的地方,但您可能需要首先sudo grep "password" -R /,以查看它是否在系统的任何其他位置,然后清除您的历史记录。
答案 2 :(得分:0)
由于没有任何答案可以帮助我,我想我会分享我目前正在使用的剧本。它当然不是一个单行,甚至不是bash ......但它确实有效。
#!/usr/bin/env python
import os
user=os.getenv('USER')
if not user:
user='hobs'
home=os.getenv('HOME')
if not home:
home=os.path.normpath(os.path.join(os.path.sep+'home',user))
histfile=os.getenv('HISTFILE')
if not histfile:
histfile=os.path.join(home,'.bash_history')
from optparse import OptionParser
p = OptionParser(usage="%prog [options] password", add_help_option=True)
p.add_option('-p', '--password', '--pass', '--pw', dest='pw',
default =None,
help="The plaintext password string you'd like to find and replace throughout your bash history file(s)", )
p.add_option('-r', '--replacement-password', '--replacement', '--filler', '--substitution', dest='rep',
default ='',
help="The replacement string, passphrase identifier, tag, or filler you'd like to leave behind wherever the password was found and removed.", )
p.add_option('-f', '--bash_history', '--historyfile', '--file', '--path', '--filename', dest='hfile',
default =histfile,
help="The text file where your password may have been accidentally recorded and where you'd like it removed. Default = ~/.bash_history.", )
(o, a) = p.parse_args()
if a and not o.pw:
o.pw=' '.join(a) # password can have spaces in it
print o.pw
print len(o.pw)
# TODO: Check if the history buffer will record the invocation of this script that includes a plaintext password
# Alternatively, launch the search/replace task in the background to start
# after history has had a chance to record the last command in the history buffer
if o.pw:
import warnings
warnings.warn("Make sure you invoked "+p.get_prog_name()+" in such a way that history won't record this command (with a plaintext password) in the history file. It would be much better if you didn't supply the password on the command line and instead allowed this script to securely prompt you for it.",RuntimeWarning)
if not o.pw:
import getpass
o.pw=getpass.getpass()
if len(o.pw)<4:
raise ValueError(p.get_prog_name() + " doesn't accept passwords shorter than 4 characters long to prevent accidental corruption of files by purging common character combinations. The password you supplied is only "+str(len(o.pw))+" characters long.")
import fileinput
for line in fileinput.FileInput(o.hfile,inplace=1):
line = line.replace(o.pw,o.rep)
print line,
答案 3 :(得分:0)
$ echo -n password=; stty -echo; sed -i "s/$(head -1)/PASSWORD_REMOVED/g" ~/.bash_history; stty echo
top-secret password that never appears anywhere else to make it easy to guess
$ #you have to type it in and press enter
echo会提示您。 stty有助于防止人们盯着你的肩膀。确保你逃脱任何事情(即反斜杠)。