ansaurus

Question

Answer 1

A:

Not allowing them to know the location of the private key file isn't much of a security feature - they really shouldn't have read access to it anyway so it doesn't matter if they know where it is or not. In general, if you have control over the source of the application, you can overwrite the memory location holding the command line arguments, so you could modify them to something "innocuous".

1800 INFORMATION 2009-04-07 08:11:58

Answer 2

+1 A:

On Linux, you can do something like

strncpy(argv[0], "mynewcmdlinehere", strlen(argv[0]));

Don't know about other Unices, sorry.

Mihai Limbășan 2009-04-07 08:13:26

Answer 3

+3 A:

Hiding command line would require a script, so it's Catch-22, because other ppl having same user will have access to that script.

The solution is quite simple: Use key with pass-phrase. (howto)

vartec 2009-04-07 08:14:19

Even when using a key with a pass-phrase, another process running as the same user could read the pass-phrase and/or decrypted key out of your ssh-agent or ssh process. There is no security against processes running with the same uid.

ephemient 2009-04-10 20:11:01

Answer 4

+6 A:

If they're logged in as you, there's basically little you can do to stop them from learning that information. If you're on Linux they'll have access to your /proc entries and can learn this information easily.

They can also:

delete all your files.
send mail in your name to insult the CEO of your company.
access all your files and command line history, if any.
myriad other things.

This is not a viable way to protect yourself. You need to sort out the identical user problem first.

paxdiablo 2009-04-07 08:16:29

Answer 5

A:

From the back of my memory, I remember doing somthing similar a long time ago

First, create a shell script, called ps which runs ps and will grep all lines except those containing ssh (or something matching) and put this in a safe location (~/bin/ps)

Add ~/bin/ to your path as the first location to search.

of course, they could still use /usr/bin/ps (or wherever its location is) explicitly

As a caveat, this is all from memory and I don't have a Unix box to test it on... sorry

Xetius 2009-04-07 08:28:41

This does nothing to prevent other "users" (who are using the same uid, for unknown bad reasons) from using the original "ps" directly -- nor is it possible to prevent.

ephemient 2009-04-10 20:12:08

Answer 6

+1 A:

Even if you hide the command line, the user can run lsof to see all the files that your ssh process has open - which will include the identity file. If obscuring the command line is truly the ultimate goal, though, you could start a key agent, load the identity into the agent, and then ssh using that agent. The path to the socket that the agent uses is controleld by an environment variable.

This is by no means security, though. Pax is right - the "logged in as the same user" issue is what really should be solved here. Stop using someone else's account. ;)

dannysauer 2009-04-10 15:30:54

Answer 7

A:

You can setup your private key via your ~/.ssh/config file which is secured by 0700. Here is example of ~/.ssh/config:

Host myhost.com
  IdentityFile /home/maxcohan/.ssh/github.com.id_rsa

kzing 2009-04-14 03:54:33

ansaurus

tags:

views:

answers:

Hide arguments from ps

related questions