Full Disclosure mailing list archives
Re: encrypt the bash history
From: Peter Maxwell <peter () allicient co uk>
Date: Sun, 6 Feb 2011 13:55:55 +0000
To be honest, none of these methods will actually be effective: root can do what he/she likes, including monitoring *everything* you do. Worrying about shell history is not going to solve anything. Your only choices are to trust root, or set up your own host.

Peter Maxwell

On 6 February 2011 11:21, Zerial. <fernando () zerial org> wrote:

> On 02/04/11 16:36, Erik Falor wrote:
>> On Fri, Feb 04, 2011 at 04:18:53PM -0300, Zerial. wrote:
>>> On 02/04/11 16:13, Valdis.Kletnieks () vt edu wrote:
>>>> On Fri, 04 Feb 2011 16:06:06 -0300, "Zerial." said:
>>>>> what is the best way to encrypt the bash_history file? I try using
>>>>> crypt/decrypt with GPG when login/logout. It works, but not safe enough.
>>>>
>>>> Explain what the threat model is, and why GPG isn't safe enough? It's kind of
>>>> hard to recommend "best" when we don't understand what the criteria are...
>>>
>>> The "way" is not safe enough. root can login as me (su - user) and
>>> bash_history will be decrypted.
>>> I try to find any better way to crypt and make unreadable the
>>> bash_history file from any other users, including root.
>>
>> Not to mention the fact that your .bash_history file is unencrypted
>> the entire time you're logged in.
>
> This is the problem on my "way" to protect/crypt the bash_history.
>
>> A better alternative, if you're that anxious about your shell history
>> falling into the wrong hands, is to disable it entirely:
>>
>>     unset HISTFILE
>>     HISTSIZE=0
>>
>> You can also tell bash to not record commands that begin with a space:
>>
>>     HISTCONTROL=ignorespace
>>
>> More fine-grained control can be achieved with the HISTIGNORE
>> variable. See the 'Shell Variables' section of the bash(1) manpage.
>>
>> Finally, I wrote these functions to toggle history recording on/off in
>> a shell. I like how this works, when I remember to run it beforehand:
>>
>>     # turn off history recording
>>     function offtherecord()
>>     {
>>         # remember the current settings so ontherecord can restore them
>>         if [[ -n "$HISTFILE" ]]; then
>>             OLDHISTFILE=$HISTFILE
>>             unset HISTFILE
>>         fi
>>         if [[ -n "$HISTSIZE" ]]; then
>>             OLDHISTSIZE=$HISTSIZE
>>             HISTSIZE=0
>>         fi
>>     }
>>
>>     # turn on history recording
>>     function ontherecord()
>>     {
>>         if [[ -n "$OLDHISTFILE" ]]; then
>>             HISTFILE=$OLDHISTFILE
>>             unset OLDHISTFILE
>>         fi
>>         # restore only if offtherecord saved a value
>>         if [[ -n "$OLDHISTSIZE" ]]; then
>>             HISTSIZE=$OLDHISTSIZE
>>             unset OLDHISTSIZE
>>         fi
>>     }
>>
>> Once you've run offtherecord, you lose all of your history for that shell until
>> you log back in.
>
> Nice tip, but this solution doesn't work for me. I don't wanna avoid
> logging commands nor delete the bash history nor hide the commands. I
> wanna "encrypt" the file. I don't wanna miss commands which I executed.
>
> Another solution may be copy and move the history file from the server
> to the client, saving the bash_history on client side. But ... this will
> not work if I connect using client as putty.
>
> thanks for the answer,
>
> --
> Zerial
> Seguridad Informatica
> GNU/Linux User #382319
> Blog: http://blog.zerial.org
> Jabber: zerial () jabberes org
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- encrypt the bash history Zerial. (Feb 04)
- Re: encrypt the bash history Valdis . Kletnieks (Feb 04)
- Re: encrypt the bash history Zerial. (Feb 04)
- Re: encrypt the bash history Erik Falor (Feb 04)
- Re: encrypt the bash history Zerial. (Feb 06)
- Re: encrypt the bash history Rodrigo Rubira Branco (BSDaemon) (Feb 06)
- Re: encrypt the bash history Peter Maxwell (Feb 06)
- Re: encrypt the bash history Emanuel dos Reis Rodrigues (Feb 06)
- Re: encrypt the bash history Zerial. (Feb 04)
- Re: encrypt the bash history Valdis . Kletnieks (Feb 04)
- Re: encrypt the bash history Valdis . Kletnieks (Feb 04)
- <Possible follow-ups>
- Re: encrypt the bash history Zach C. (Feb 06)
- Re: encrypt the bash history Cal Leeming [Simplicity Media Ltd] (Feb 06)
- Re: encrypt the bash history Champ Clark III [Softwink] (Feb 08)