Full Disclosure mailing list archives
Re: encrypt the bash history
From: Erik Falor <ewfalor () gmail com>
Date: Fri, 4 Feb 2011 12:36:40 -0700
On Fri, Feb 04, 2011 at 04:18:53PM -0300, Zerial. wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/04/11 16:13, Valdis.Kletnieks () vt edu wrote:On Fri, 04 Feb 2011 16:06:06 -0300, "Zerial." said:what is the best way to encrypt the bash_history file? I try using crypt/decrypt with GPG when login/logout. It works, but not safe enough.Explain what the threat model is, and why GPG isn't safe enough? It's kind of hard to recommend "best" when we don't understand what the criteria are...The "way" is not safe enough. root can login as me (su - user) and bash_history will be decrypted. I try to find any better way to crypt and make unreadable the bash_history file from any other users, including root.
Not to mention the fact that your .bash_history file is unencrypted the entire time you're logged in. A better alternative, if you're that anxious about your shell history falling into the wrong hands, is to disable it entirely: unset HISTFILE HISTSIZE=0 You can also tell bash to not record commands that begin with a space: HISTCONTROL=ignorespace More fine-grained control can be achieved with the HISTIGNORE variable. See the 'Shell Variables' section of the bash(1) manpage. Finally, I wrote these functions to toggle history recording on/off in a shell. I like how this works, when I remember to run it beforehand: # turn off history recording function offtherecord() { if [[ -n "$HISTFILE" ]]; then OLDHISTFILE=$HISTFILE unset HISTFILE fi if [[ -n "$HISTSIZE" ]]; then OLDHISTSIZE=$HISTSIZE HISTSIZE=0 fi } # turn on history recording function ontherecord() { if [[ -n "$OLDHISTFILE" ]]; then HISTFILE=$OLDHISTFILE unset OLDHISTFILE fi if [[ -n "$HISTSIZE" ]]; then HISTSIZE=$OLDHISTSIZE unset OLDHISTSIZE fi } Once you've run offtherecord, you lose all of your history for that shell until you log back in. -- Erik Falor Registered Linux User #445632 http://counter.li.org
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- encrypt the bash history Zerial. (Feb 04)
- Re: encrypt the bash history Valdis . Kletnieks (Feb 04)
- Re: encrypt the bash history Zerial. (Feb 04)
- Re: encrypt the bash history Erik Falor (Feb 04)
- Re: encrypt the bash history Zerial. (Feb 06)
- Re: encrypt the bash history Rodrigo Rubira Branco (BSDaemon) (Feb 06)
- Re: encrypt the bash history Peter Maxwell (Feb 06)
- Re: encrypt the bash history Emanuel dos Reis Rodrigues (Feb 06)
- Re: encrypt the bash history Zerial. (Feb 04)
- Re: encrypt the bash history Valdis . Kletnieks (Feb 04)
- Re: encrypt the bash history Valdis . Kletnieks (Feb 04)
- <Possible follow-ups>
- Re: encrypt the bash history Zach C. (Feb 06)
- Re: encrypt the bash history Cal Leeming [Simplicity Media Ltd] (Feb 06)
- Re: encrypt the bash history Champ Clark III [Softwink] (Feb 08)