Home / ubuntu / Questions / 375344
Accepted
jobin
Asked: 2013-11-12 00:54:47 +0800 CST

Is there a secure way to pass authentication parameters for proxy to applications?

  • 772

I am behind a proxy server and need to specify authentication parameters to access the internet. For this, I have exported my username, password, host and port_no in my /home/$USER/.bashrc file and in /etc/apt/apt.conf file, which are human readable.
for Example 

Acquire::http::proxy "http://<username>:<password>@172.16.0.2:8080";
Acquire::ftp::proxy "ftp://<username>:<password>@172.16.0.2:8080/";
Acquire::https::proxy "https://<username>:<password>@172.16.0.2:8080/";

This causes my password to be openly visible to anyone who has read access to these files.

Is there a secure way of passing these parameters to the applications that need proxy authentication parameters without having to write in such human readable form?

Note: It would be good to know of permanent methods. I know I can do this temporarily by exporting each time I open a new session. But I will have to do this everytime I open a new session, which I want to avoid.

security

1 Answers

  1. Best Answer

    Sorry for writing long answer, but apt.conf is very sensitive issue of system. So it it necessary to clear all the aspects.

    As far as I know ~/.bashrc and /etc/apt/apt.conf accept your proxy settings only if it is given it in human readable form, at most you can force them to read from a different files. I am going to exploit this. I will keep the proxy credentials to files that are not accessible to anyone but root/sudoer user. But one has to unveil the proxy settings to apt-get and/or software-center before use them every time.

    Secure way to supply proxy to shell environment

    Cut all the contents that you put into your ~/.bashrc in order to supply proxy settings in shell environment and paste to a file say ~/.mybashproxy. Change ~/.mybashproxy ownership to root and strip off the read write permission for group and other, so that only sudoers can access them.

    sudo chown root:root ~/.mybashproxy
sudo chmod go-rw ~/.mybashproxy

    Make the following alias in ~/.bashrc or in ~/.bash_aliases, I would prefer to use the latter.

    alias begin_proxy='sudo cat .mybashproxy > .tmp; source .tmp; rm .tmp'

    Usage

    You have to enable proxy in your shell environment by begin_proxy command from terminal providing your sudo password. In this way nobody will know your proxy credentials. But after using begin_proxy if you allow someone to access the same terminal, he might be able to see your credentials using env | grep proxy command in terminal. To be secure do not allow anyone to use the same terminal where you used begin_proxy.

    Secure way to supply proxy to apt-get

    apt-get and software-center use the file /etc/apt.conf to preserve proxy settings . Create a file /etc/apt/myproxy.txt and put content of your /etc/apt/apt.conf in it from terminal by opening it as,

    sudo gedit /etc/apt/myproxy.txt

    next copy the desired content and save the file. Remove read write permission of /etc/apt/myproxy.txt for group and other as shown above using chmod.

    Create a temporary file named say tmproxy.txt at /etc/apt/ and give read-write permission for all to it as follows,

    sudo touch /etc/apt/tmproxy.txt
sudo chmod go+rw /etc/apt/tmproxy.txt

    I am going to supply proxy settings to apt-get and software-center from it when necessary. Add the following line in /etc/apt/apt.conf to read proxy settings from /etc/apt/tmproxy.txt.

    #inclued /etc/apt/tmproxy.txt;

    except the above line /etc/apt/apt.conf should contain nothing. Now create the following aliases in ~/.bash_aliases

    alias able_apt='sudo cat /etc/apt/myproxy.txt > /etc/apt/tmproxy.txt'
alias disable_apt='echo "0;" > /etc/apt/tmproxy.txt'

    Usage

    Before using apt-get and/or software-center you have to use the command able_apt providing your sudo password. Then all your proxy credentials will be stored in /etc/apt/tmproxy.txt and apt-get and/or software-center will be able to use it. After closing software-center or after using apt-get to wipe out proxy credentials from /etc/apt/tmproxy.txt, use command disable_apt. In this process also no one could see your proxy credentials unless you leave them in /etc/apt/tmproxy.txt by forgetting to use disable_apt

    Notes and Summary

    1. In the alias disable_apt the semicolon (;) after zero is important otherwise you will get errors "Extra junk at end of file" A red error icon can also appear on top right panel.
    2. If you don't have ~/.bash_aliases, create one. And source ~/.bashrc afer making sure that ~/.bashrc contains the following lines,
       if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
    fi
    1. Immediately after doing the above settings to enable aliases either you have to logout and login once or you can use source ~/.bash_aliases in terminal.

    2. At the end of the story you have three aliases to use:

      • begin_proxy - to start proxy in shell environment. Lasts until terminal is open.
      • able_apt - to enable apt-get and/or softwere-center and to store proxy credentials in /etc/apt/tmproxy.txt
      • disable_apt - to disable apt-get and/or softwere-center and to wipe out proxy credentials from /etc/apt/tmproxy.txt

    Hope this will be helpful.

    • 0