Where we work we need to remember about 10 long passwords which need to change every so often. I would like to create a utility which can potentially save these passwords in an encrypted file so that we can keep track of them.
I can think of some sort of dictionary passwd = {'host1':'pass1', 'host2':'pass2'}, etc, but I don't know what to do about encryption (absolutely zero experience in the topic).
So, my question is really two questions:
Is there a Linux-based utility which lets you do that?
If you were to program it in Python, how would you go about it?
A perk of approach two, would be for the software to update the ssh public keys after the password has been changed (you know the pain of updating ~15 tokens once you change your password).
As it can be expected, I have zero control over the actual network configuration and the management of scp keys. I can only hope to provide a simple utility to me an my very few coworkers so that, if we need to, we can retrieve a password on demand.
Cheers.
Answers to your questions:
Yes. Take a look at KeePass.
I wouldn't program a utility like this in Python, because there are available open source tools already. Furthermore, I would have concerns about protecting the unencrypted passwords as they were processed by a Python program.
Hope that helps.
You might want to checkout ecryptfs. It should be available for any Linux OS.
On Ubuntu, setting it up is as easy as
sudo apt-get install ecryptfs-utils
ecryptfs-setup-private
This creates a directory for encrypted files, typically called ~/.Private.
To use it:
mount -t ecryptfs ~/.Private ~/Private
This mounts the encrypted files from ~/.Private at the mount point ~/Private.
You can read/write the plain text files in ~/Private.
umount ~/Private
updates the encrypted files in ~/.Private and removes ~/Private.
See these links
home page
linux journal
tutorial
another tutorial
for more information.
On first i think you can change passwords on md5 of this passwords..
it will give more safety.
You could use TrueCrypt or AxCrypt -- both are Open Source solutions. I'll echo Mox's concerns about the unencrypted PWs.
Of course you could also follow Bruce Schneier's advice about password protection...
Related
I recently managed to restore an old COLX wallet by importing a mobile backup file into colx-qt core %appdata folder.
After resyncing the blockchain I changed the rpcpassword and the wallet's encryption password, tested both of these and everything was in good order.
For testing purposes, I had decided to dump another encrypted backup file (wallet.dat) into the %appdata folder without removing the restored one first, resynced the blockchain, tried the passwords and noted they were now both incorrect.
I've removed both backups,resynced the blockchain anew, set rpcpassword and wallet unlock password to those associated with the first backup, imported said backup again but noticed that both passwords were now incorrect therefore losing my access to that mobile backup while at it.
Since I happen to have an older wallet.json file containing multiple addresses, several pubkeys and ckeys as well as the mkey (in the format {nID=1; encrypted_key:"the encrypted key"; nDerivationIterations:"62116 or some similar number"; version:""; etc etc}), could I use this information to restore my access to the wallet?
If YES, how exactly must I go about doing it?
Thank you in advance for your assistance!
I haven't tried anything else so far because I am trying to understand how this happened, what caused the change and how will I need to fix it before I'd just go ahead adding even more muddy details to the issue.
I am reading the other process memory from python script by just opening /proc/pid/mem:
reader = open(f'/proc/{pid}/mem', 'rb')
and then reading from the random places:
reader.seek(address, 0)
memory_content = reader.read(length)
Everything is fine, but the fact, that to open /proc/pid/mem I have to sudo the whole python script. Of course, for the sake of sanity, I don't want to do that. What are my options?
If I understand correctly, I can not sudo chmod /proc/pid/mem to allow everybody to read from that process memory (please, correct me, if I am wrong)
I can not open some single file with root privileges from the non-root python script (once again, please, correct me if I am wrong)
Maybe I can create some kind of hard link to the /proc/pid/mem, which would look like a file that does not require to have root access to read from?
Or maybe the easiest way would be to create a proxy program, that would be run from the actual python script with root privileges, that would read from /proc/pid/mem and with which I would somehow cross-process interact?
You need the proxy.
Your hard link method doesn't work as the permissions remain the same.
Even if you could give everybody read access to proc/mem, what exactly would you gain with that? From security perspective it would be better to make your whole script run as root and hope you've got it right. There is at least a change for that. By opening memory for everybody to read you would allow anybody harvest secrets from memory making it free for all. So definitely not this one.
If you end up doing the proxy, if you want to do it in Python, you of course need sudo to run that but that will work. I have written such helpers in C and made them suid root - but this is a matter of preference.
So I made a python phonebook program which allows the user to add contacts, change contact info, delete contacts, etc. and write this data to a text file which I can read from every time the program is opened again and get existing contact data. However, in my program, I write to the text file in a very specific manner so I know what the format is and I can set it up to be read very easily. Since it is all formatted in a very specific manner, I want to prevent the user from opening the file and accidentally messing the data up with even just a simple space. How can I do this?
I want to prevent the user from opening the file and accidentally messing the data up...
I will advise you not to prevent users from accessing their own files. Messing with file permissions might result in some rogue files that the user won't be able to get rid of. Trust your user. If they delete or edit a sensitive file, it is their fault. Think of it this way - you have plenty of software installed on your own computer, but how often do you open them in an editor and make some damaging changes? Even if you do edit these files, does the application developer prevent you from doing so?
If you do intent to allow users to change/modify that file give them a good documentation on how to do it. This is the most apt thing to do. Also, make a backup file during run-time (see tempfile below) as an added layer of safety. Backups are almost always a good idea.
However, you can take some precautions to hide that data, so that users can't accidentally open them in an editor by double-clicking on it. There are plenty of options to do this including
Creating a binary file in a custom format
Zipping the text file using zipfile module.
Using tempfile module to create a temporary file, and zipping it using the previous option. (easy to discard if no changes needs to be saved)
Encryption
Everything from here on is not about preventing access, but about hiding the contents of your file
Note that all the above options doesn't have to be mutually exclusive. The advantages of using a zip file is that it will save some space, and it is not easy to read and edit in a text editor (binary data). It can be easily manipulated in your Python Script:
with ZipFile('spam.zip') as myzip:
with myzip.open('eggs.txt') as myfile:
print(myfile.read())
It is as simple as that! A temp file on the other hand, is a volatile (delete=True/False) file and can be discarded once you are done with it. You can easily copy its contents to another file or zip it before you close it as mentioned above.
with open tempfile.NamedTemporaryFile() as temp:
temp.write(b"Binary Data")
Again, another easy process. However, you must zip or encrypt it to achieve the final result. Now, moving on to encryption. The easiest way is an XOR cipher. Since we are simply trying to prevent 'readability' and not concerned about security, you can do the following:
recommended solution (XOR cipher):
from itertools import cycle
def xorcize(data, key):
"""Return a string of xor mutated data."""
return "".join(chr(ord(a)^ord(b)) for a, b in zip(data, cycle(key)))
data = "Something came in the mail today"
key = "Deez Nuts"
encdata = xorcize(data, key)
decdata = xorcize(encdata, key)
print(data, encdata, decdata, sep="\n")
Notice how small that function is? It is quite convenient to include it in any of your scripts. All your data can be encrypted before writing them to a file, and save it using a file extension such as ".dat" or ".contacts" or any custom name you choose. Make sure it is not opened in an editor by default (such as ".txt", ".nfo").
It is difficult to prevent user access to your data storage completely. However, you can either make it more difficult for the user to access your data or actually make it easier not to break it. In the second case, your intention would be to make it clear to the user what the rules are hope that not destroying the data is in the user's own best interest. Some examples:
Using a well established, human-readable serialization format, e.g. JSON. This is often the best solution as it actually allows an experienced user to easily inspect the data, or even modify it. Inexperienced users are unlikely to mess with the data anyways, and an experienced user knowing the format will follow the rules. At the same time, your parser will detect inconsistencies in the file structure.
Using a non-human readable, binary format, such as Pickle. Those files are likely to be left alone by the user as it is pretty clear that they are not meant to be modified outside the program.
Using a database, such as MySQL. Databases provide special protocols for data access which can be used to ensure data consistency and also make it easier to prevent unwanted access.
Assuming that you file format has a comment character, or can be modified to have one, add these lines to the top of your text file:
# Do not edit this file. This file was automatically generated.
# Any change, no matter how slight, may corrupt this file beyond repair.
The contact file belongs to your user, not to you. The best you can do is to inform the user. The best you can hope for is that the user will make intelligent use of your product.
I think the best thing to do in your case is just to choose a new file extension for your format.
It obviously doesn't prevent editing, but it clearly states for user that it has some specific format and probably shouldn't be edited manually. And GUI won't open it by default probably (it will ask what to edit it with).
And that would be enough for any case I can imagine if what you're worrying about is user messing up their own data. I don't think you can win with user who actively tries to mess up their data. Also I doubt any program does anything more. The usual "contract" is that user's data is, well, user's so it can be destroyed by the user.
If you actually won't to prevent editing you could change permissions to forbid editing with os.chmod for example. User would still be able to lift them manually and there will be some time window when you are actually writing, so it will be neither clean nor significantly more effective. And I would expect more trouble than benefit from such a solution.
If you want to actually make it impossible for a user to read/edit a file you can run your process from a different user (or use some heavier like SELinux or other MAC mechanism) and so you could make it really impossible to damage the data (with user's permissions). But it is not worth the effort if it is only about protecting the user from the not-so-catastophic effects of being careless.
I want to design an application that reads some a folder of text files and shows the user its contents. Three problems arise: I need the folder containing the text files to be encrypted which I don't know how to do, two, I need a way to read the encrypted files without revealing the key in the python code, so I guess C would be the best way to do that even if I don't like that way(any suggestions are welcome,using python if possible), and three, I need a way to add files to the folder and then send the encrypted folder along with the program.
Is there any way to do those things without ever revealing the key or giving the user the possibility to read the folder except using my program?
Thanks in advance for any help!
EDIT: Also, is there a way to use C to encrypt and decrypt files so that I can put the key in the compiled file and distribute that with my program?
I think the best thing to do would be to encrypt the individual text files using GPG, one of the strongest encryption systems available(and for free!) You can get several python libraries to do this, and I recommend python-gnupg. Also, you can probably just reference the file where the key is located and distribute it along with the application? If you want to include a preset key and not have your users be able to see where that key is, you are going to have a very hard time. How about using a key on a server you control that somehow only accepts requests for the key from copies of your application? I don't know how you'd make this secure though through Python.
About adding files to the folder and sending it along with the program, perhaps you aren't thinking of the most optimal solution? There are plenty of python data structures that can be serialized and accomplish most of the things you are talking about in your post.
How can i change password of ubuntu root user by python script? Thanks.
There are two main ways to go about this -
One is calling the passwd command line tool from python (such as via stdlib's subprocess module). If your script isn't running as root, you'll need to wrap using the "su" or "sudo" commands in order to elevate to root privledge. Writing the expected data to stdin should be sufficient, but if you find you need to perform different actions based on exactly what the sudo/passwd prompts say, the pexpect module may be helpful.
The second is writing directly to the /etc/shadow file where the password hashes are stored. This will definitely require your script to run as root, in order to have read/write perms on /etc/shadow. Stdlib offers the spwd module for accessing /etc/shadow, but it's read-only, so you'll have to roll your own reader/writer... the csv module might be useful, /etc/shadow is close to being a csv file with a ":" separator, but with some minor differences.
If you choose the second route, you'll need to be able to generate new hashes of replacement password, and insert them into the shadow file. The fastest way on linux is to use the stdlib crypt module, but you'll have to take care of salt generation, and setting the appropriate password hash prefix ("$5$", "$6$" etc). Alternately, the host_context object in the Passlib library can take care of most of that for you (disclaimer: I'm the author of that library).
In general, I'd recommend the first route if possible - modifying /etc/shadow directly is fraught with danger - if you mess up the /etc/shadow file, you won't be able to log in. If you go this route, back up the file a lot.
You can modify /etc/passwd (/etc/shadow) with Python script which will need root permissions sudo python modify.py /etc/passwd (where modify.py is your script that will change password)
You can use the commands module to pipe output to the terminal.
x = commands.getstatusoutput("passwd root")
However, you'll have to get creative trying to enter the values for "Old Password:" and "New Password:." The variable x wont be assigned until the command is finished, and the command won't finish until the old and new passwords are entered. If you just use the command module a second time, then it will simply spawn a new subprocess. So, like others have said, just write to /etc/shadow using the open function.