我有时会在linux终端中错误地键入su密码,因为该终端会回显键入的字符。它被记录在~/.bash_history中,这让我感到不安全。有人有一个简短的脚本(bash one liner?(来清除.bash_history中的任何纯文本密码吗?
使用sed会在.bash_history文件中留下自己的跟踪,但如果可以暂时禁用readline和/或历史记录服务,这可能会起作用:
sed -ir -e 's/su_password/PASSWORD_REMOVED/g' ~/.bash_history
如果密码经常被用作其他短语/单词的一部分,这可能会造成额外的问题/漏洞。
理想情况下,脚本应该只仔细阅读散列密码列表(/etc/shadow(来创建一个搜索词列表。然后,它必须对正在检查的文件(.bash_history(的部分进行散列以进行比较。问题是,由于密码的长度未知,因此在比较过程中要知道文件中有多少文本要散列。或者,它可以像passwd一样,在执行grep/sed之前以安全的方式请求密码。
不仅仅是一个线性函数,而是一个函数:
eh () { history -a ; vi + ~/.bash_history ; history -r ; }
将这一行添加到.bashrc或.bash_profile中。当运行时
- 将缓冲区保存到.bash_history
- 在vi中打开.bash_history,但指针位于文件底部的情况除外
- 将编辑后的文件恢复到当前历史缓冲区
在vi中,您可以使用箭头键上下移动,使用dd删除一行,然后使用[Esc]:wq 关闭并写入文件
现在您只需要在命令行中键入eh并编辑您的历史
eh代表"编辑历史">
我通常会执行echo > .bash_history来清除此问题。尽管你的密码可能会出现在奇怪的地方,所以你可能想先做一个sudo grep "password" -R /,看看它是否在系统上的其他地方,然后清除你的历史记录。
由于没有任何答案对我有用,我想我应该分享我目前使用的脚本。这当然不是一句俏皮话,甚至不是抨击。。。但它是有效的。
#!/usr/bin/env python
import os
user=os.getenv('USER')
if not user:
user='hobs'
home=os.getenv('HOME')
if not home:
home=os.path.normpath(os.path.join(os.path.sep+'home',user))
histfile=os.getenv('HISTFILE')
if not histfile:
histfile=os.path.join(home,'.bash_history')
from optparse import OptionParser
p = OptionParser(usage="%prog [options] password", add_help_option=True)
p.add_option('-p', '--password', '--pass', '--pw', dest='pw',
default =None,
help="The plaintext password string you'd like to find and replace throughout your bash history file(s)", )
p.add_option('-r', '--replacement-password', '--replacement', '--filler', '--substitution', dest='rep',
default ='',
help="The replacement string, passphrase identifier, tag, or filler you'd like to leave behind wherever the password was found and removed.", )
p.add_option('-f', '--bash_history', '--historyfile', '--file', '--path', '--filename', dest='hfile',
default =histfile,
help="The text file where your password may have been accidentally recorded and where you'd like it removed. Default = ~/.bash_history.", )
(o, a) = p.parse_args()
if a and not o.pw:
o.pw=' '.join(a) # password can have spaces in it
print o.pw
print len(o.pw)
# TODO: Check if the history buffer will record the invocation of this script that includes a plaintext password
# Alternatively, launch the search/replace task in the background to start
# after history has had a chance to record the last command in the history buffer
if o.pw:
import warnings
warnings.warn("Make sure you invoked "+p.get_prog_name()+" in such a way that history won't record this command (with a plaintext password) in the history file. It would be much better if you didn't supply the password on the command line and instead allowed this script to securely prompt you for it.",RuntimeWarning)
if not o.pw:
import getpass
o.pw=getpass.getpass()
if len(o.pw)<4:
raise ValueError(p.get_prog_name() + " doesn't accept passwords shorter than 4 characters long to prevent accidental corruption of files by purging common character combinations. The password you supplied is only "+str(len(o.pw))+" characters long.")
import fileinput
for line in fileinput.FileInput(o.hfile,inplace=1):
line = line.replace(o.pw,o.rep)
print line,
$ echo -n password=; stty -echo; sed -i "s/$(head -1)/PASSWORD_REMOVED/g" ~/.bash_history; stty echo
top-secret password that never appears anywhere else to make it easy to guess
$ #you have to type it in and press enter
echo会提示您。stty有助于防止人们回头看你。请确保对任何内容进行转义(即反斜杠(。