Saving password feature for net rpc console utils.

andrux0id adriano32.gnu at gmail.com
Tue Jan 31 07:19:14 MST 2012


Hello, samba-technical!

I need your advice and some kind of consultation.
I often use different net rpc commands from the Linux console to do 
certain things on Windows PCs: monitoring launched services, checking 
registry entries and so on.
It is embarrassing for me to enter the password for each command 
separately, but I don't want to pass passwords as a command line option 
(when it is possible), because it is unacceptable for security reasons 
(everyone can see the parameters through /proc).

So I want to have some convenience: to be able to save a user's login and 
their password for a certain Windows host on the Linux PC in RAM for a 
single net rpc session, and execute a series of commands on the remote 
host while entering logon credentials only once: at net rpc launch 
and until the quit command or ^D.

So my questions are:

1. Maybe this feature (like it works in `net shell' for limited 
functions) already exists and I simply don't know about it. If it exists, 
please point me to this opportunity.

2. Is the protocol that is used for net rpc authentication INsecure 
enough not to worry about obfuscating the password which is stored in 
memory?
For example, based on the libpurple developers' explanation of why 
they store saved passwords in a plaintext config file 
(http://developer.pidgin.im/wiki/PlainTextPasswords) and Sherri 
Davidoff's exploration of Linux utilities which handle passwords in 
memory in an insecure way 
(http://philosecurity.org/pubs/davidoff-clearmem-linux.pdf), this idea 
applies to not-so-secure protocols (like ICQ, maybe) with a leak 
authentication which can be simply compromised by sniffing packets on 
the wire and decrypting what was sniffed, so storing an encrypted password 
is unnecessary because the password can be stolen after decrypting at 
another stage.

3. And the final question: what is your opinion about the implementation of 
this feature:
a) this feature is under development
b) it will be useful, patches are welcome
c) it is unnecessary for samba console tools for now, and if I need it I 
should implement some kind of wrapper myself
d) this feature is incompatible with the authentication protocol or 
principles in some way

Thank you in advance for comments, advice, RTFMs and pointers to the 
samba code which I should look at to understand if my questions were stupid :)

