Re: [dev] [ii] exposed password on process monitoring

From: Ivan Kanakarakis <>
Date: Thu, 14 Jun 2012 01:27:42 +0300

On 13 June 2012 16:25, Edgaras <> wrote:

> I was thinking about password handling for such programs as ii, jj, ji and
> how
> to not store it anywhere, except maybe in program itself in case of needed
> reconnect. So I was playing a little with ji and it reads pw from stdin
> like "ji
> -j jid_AT_sev < pw_file". Also recently I was reading about terminal
> options, and
> stty command, after thinkgin about for a while I have come up to something
> like:
> stty -echo; cat | ji -j jid_AT_server ; stty echo; fg
> Though it is not fully refined, and since I failed to connect to gtalk,
> thus did
> not have any usage of ji yet, the idea seems promising. Disable echo so
> that
> noone could peek over shoulder, enter pw, press ctrl-d couple of times and
> pass
> it to the client, then enable echo again in case it is needed. So mabe such
> solution could work with ii too. Or maybe im missing something and pw still
> could be seen somehow even when using this way?
ii doesn't read anything from stdin. as long as it gets the
passwd as an argument, the passwd will be exposed.
not echoing the passwd maybe wanted by people, but
that doesn't mean that it can't leak in other ways.

  stty -echo echonl
  printf "Enter password: "
  read -r passwd
  stty echo
  ii -n foo -k "$passwd" -.. &
  printf "ii runs with pid: %s\n" "$!"

then try
  $ ps -opid,cmd -p <pid>

*Ivan c00kiemon5ter V Kanakarakis*  >:3
Received on Thu Jun 14 2012 - 00:27:42 CEST

This archive was generated by hypermail 2.3.0 : Thu Jun 14 2012 - 00:36:07 CEST