
Obscuring network proxy password in plain text files on Linux/UNIX-likes

Typically in a large network a computer needs to operate behind an authenticated proxy - any connections to the outside world require a username/password which is often the password a user uses to log into email, workstation etc.

This means having to put the network password in the apt.conf file as well as typically the http_proxy, ftp_proxy and https_proxy environment variables defined in ~/.profile.

I realise that with apt.conf you could set chmod 600 (which it isn't by default on Ubuntu/Debian!) but on our system there are people who need root privileges.

I also realise that it is technically impossible to secure a password from someone who has root access, however I was wondering if there was a way of obscuring the password to prevent accidental discovery. Windows operates with users as admins yet somehow stores network passwords (probably stored deep in the registry obscured in some way) so that in typical use you won't stumble across it in plain text.

I only ask since the other day I entirely by accident discovered somebody else's password in this way when comparing configuration files across systems.

@monjardin - Public key authentication is not an alternative on this network I'm afraid. Plus I doubt it is supported amongst the majority of commandline tools.

@Neall - I don't mind the other users having web access, they can use my credentials to access the web, I just don't want them to happen across my password in plain text.

Brendan asked Aug 20 '08 21:08


2 Answers

With the following approach you never have to save your proxy password in plain text. You just have to type in a password interactively as soon as you need http/https/ftp access:

  • Use openssl to encrypt your plain text proxy password into a file, with e.g. AES256 encryption:

openssl enc -aes-256-cbc -in pw.txt -out pw.bin

  • Use a (different) password for protecting the encoded file
  • Remove plain text pw.txt
  • Create an alias in e.g. ~/.alias to set your http_proxy/https_proxy/ftp_proxy environment variables (set appropriate values for $USER/proxy/$PORT)

alias myproxy='PW=`openssl aes-256-cbc -d -in pw.bin`; PROXY="http://$USER:$PW@proxy:$PORT"; export http_proxy=$PROXY; export https_proxy=$PROXY; export ftp_proxy=$PROXY'

  • you should source this file into your normal shell environment (on some systems this is done automatically)
  • type 'myproxy' and enter your openssl password you used for encrypting the file
  • done.

Note: the password is available (and readable) inside the user's environment for the duration of the shell session. If you want to clean it from the environment after usage you can use another alias:

alias clearproxy='export http_proxy=; export https_proxy=; export ftp_proxy='

lumpidu answered Oct 10 '22 12:10


I did a modified solution:

edit /etc/bash.bashrc and add following lines:

alias myproxy='read -p "Username: " USER;read -s -p "Password: " PW
PROXY="$USER:$PW@PROXY_HOST:80";
export http_proxy=http://$PROXY;export Proxy=$http_proxy;export https_proxy=https://$PROXY;export ftp_proxy=ftp://$PROXY'

From next logon enter myproxy and input your user/password combination! Now work with sudo -E

-E, --preserve-env Indicates to the security policy that the user wishes to preserve their existing environment variables.

e.g. sudo -E apt-get update

Remark: proxy settings only valid during shell session

leon22 answered Oct 10 '22 11:10
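Both answers above build a proxy URL by splicing the raw password into http://user:password@host:port. That form breaks as soon as the password contains characters that are special in a URL (@, :, /, # or %), and curl, wget and apt will then either fail to authenticate or send the wrong credentials. The following is an added example, not code from either answer, that covers both approaches (a password decrypted from an openssl-encrypted file, as in the first answer, or read interactively, as in the second) and percent-encodes the user name and password before exporting the variables. It assumes a POSIX shell with the openssl command-line tool installed; pw.bin, proxy.example.com and port 3128 are placeholders. The openssl calls add -pbkdf2, which current openssl releases otherwise warn about; a file encrypted exactly as in the first answer (without -pbkdf2) must be decrypted without it as well.

```shell
#!/bin/sh
# Added example: proxy credentials in the environment without a plain-text file.
# Assumes openssl is installed; host, port and file names are placeholders.

# Percent-encode one string for the userinfo part of a URL (RFC 3986
# unreserved characters pass through; everything else becomes %XX).
urlencode() {
  _s=$1; _out=""
  while [ -n "$_s" ]; do
    _c=${_s%"${_s#?}"}          # first character of the remaining input
    _s=${_s#?}                  # drop it from the input
    case $_c in
      [A-Za-z0-9.~_-]) _out="$_out$_c" ;;
      *) _out="$_out$(printf '%%%02X' "'$_c")" ;;   # "'c" yields the byte value
    esac
  done
  printf '%s' "$_out"
}

# Build http://user:password@host:port with user and password encoded.
# The proxy itself is spoken to over plain http for all three protocols,
# which is also what the first answer does.
build_proxy_url() {
  printf 'http://%s:%s@%s:%s' "$(urlencode "$1")" "$(urlencode "$2")" "$3" "$4"
}

set_proxy_env() {
  export http_proxy="$1" https_proxy="$1" ftp_proxy="$1"
}

clear_proxy_env() {
  unset http_proxy https_proxy ftp_proxy
}

# One-time step: store the proxy password encrypted, as in the first answer.
# openssl prompts for the encryption passphrase on the terminal, not stdin.
# usage: encrypt_proxy_password ~/.pw.bin
encrypt_proxy_password() {
  printf 'Proxy password to store: ' >&2
  stty -echo; read -r _pw; stty echo; echo >&2
  printf '%s' "$_pw" | openssl enc -aes-256-cbc -pbkdf2 -salt -out "$1" || return 1
  unset _pw
  chmod 600 "$1"
}

# usage: pw=$(decrypt_proxy_password ~/.pw.bin)   (prompts for the passphrase)
decrypt_proxy_password() {
  openssl enc -d -aes-256-cbc -pbkdf2 -in "$1"
}

# Variant of the first answer's myproxy alias.
# usage: proxy_from_file ~/.pw.bin "$USER" proxy.example.com 3128
proxy_from_file() {
  _pw=$(decrypt_proxy_password "$1") || return 1
  set_proxy_env "$(build_proxy_url "$2" "$_pw" "$3" "$4")"
  unset _pw
}

# Variant of the second answer's alias: ask for both values interactively.
# usage: proxy_from_prompt proxy.example.com 3128
proxy_from_prompt() {
  printf 'Username: ' >&2; read -r _user
  printf 'Password: ' >&2; stty -echo; read -r _pw; stty echo; echo >&2
  set_proxy_env "$(build_proxy_url "$_user" "$_pw" "$1" "$2")"
  unset _user _pw
}
```

Source the file from ~/.profile and run proxy_from_file or proxy_from_prompt when proxy access is needed; clear_proxy_env unsets the three variables afterwards. As both answers note, the decoded password sits in the shell's environment and is inherited by every child process for the rest of the session, which is exactly why sudo -E forwards it; an alternative to -E is a sudoers line such as Defaults env_keep += "http_proxy https_proxy ftp_proxy" (added via visudo), which keeps only the proxy variables rather than the whole environment.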