tags:

views:

86

answers:

3
Q: 

How do I ensure that a username/password combination is not read from memory

How do I ensure that a username/password combination is not read from memory while my application is in use.

My program is a GUI wrapper for some CYGWIN tools, including SSH and SCP. I need to ensure single sign-on capabilities to a variety of hosts.

A: 

Use a public/private key pair with authorized_keys.

Jeremy Stein  2009-11-03 15:10:36
This is not a problem for asymmetric cryptography, you have to trust your self!
Rook  2009-11-05 01:02:16
Since he accepted your answer, that must be what he was getting at. I knew it wasn't possible, but I thought perhaps he was just worried about protecting the PASSWORD, not access.
Jeremy Stein  2009-11-05 02:42:50
+1  A: 

With the SSH key pair using ssh-agent, but is there any other way? The problem is that you need to get the public key out to the remote host, which can be done in a simple string but still requires a login. So the initial setup of the key pairs with passphrase and the adding of the key to the remote host requires many passwords to be entered. After the initial setup it all works well.

ideas?

GIDDION  2009-11-04 05:45:24
@ GIDDION Please add your comment as a comment on Jeremey's response. Stackoverflow makes a distinction between answers and general comments. Where you have entered your comment that is normally reserved for answers.
Ankur  2009-11-04 05:47:00
+1  A: 

An attacker will try to obtain passwords from memory using a Debugger while the application is running. The use of any encryption can be bypassed because the password must be in plain text at the time of use. Any time memory is used it can also be observed with a debugger.

The answer lies in anti-debugging: http://www.codeproject.com/KB/security/Intro_To_Win_Anti_Debug.aspx

More advanced windows Anti-Debugging:

http://www.veracode.com/blog/2008/12/anti-debugging-series-part-i/

http://www.veracode.com/blog/2008/12/anti-debugging-series-part-ii/

http://www.veracode.com/blog/2009/01/anti-debugging-series-part-iii/

http://www.veracode.com/blog/2009/02/anti-debugging-series-part-iv/

Rook  2009-11-04 07:34:43

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security