#beginners
2024-03-19
jjttjj 19:03:15

Not sure of the best place to ask this. I have some code that calls (.readPassword (System/console)) to ask for a password. The problem is this won't work on a remote socket repl connection, presumably by design. I'm considering allowing the use of a "less secure" option like just calling read-line after a prompt instead, but trying to fully understand the security implications of that. From what I understand, .readPassword mainly just prevents echo output of the text while typing. And I guess it also assumes access to the real system console. My access to this repl is always via an SSH tunnel. My current Clojure workflow detects a prompt with the text "password" and prevents echoing the text of the next line of input. I imagine this is more precarious than the proper .readPassword; it probably requires trusting more tooling, and depends on that particular tooling setup. Are there any other security implications I should consider here?

hiredman 19:03:04

System/console depends on having access to the console the process is attached to, so not usable remotely

hiredman 19:03:35

I would follow something like ssh's lead: get a challenge from the server on connect, sign a response to the challenge with a local private key (maybe protected by password-based crypto; getting the password then is entirely local), and the server checks the signature is from a trusted key

jjttjj 19:03:57

Thanks, so just to confirm, even assuming I'm always using a socket repl via an ssh tunnel (with the same auth setup as I currently use to access the console), and I understand/accept the no-echo text input in my local repl is imperfect, you would still suggest building something to allow the password to be input locally?

hiredman 20:03:02

it depends what you are doing, if you are just trying to authenticate the repl session, then something key based seems superior

hiredman 20:03:36

if you are trying to require a password to do stuff in the repl, I think that is a waste of time

jjttjj 20:03:41

It's to decrypt some sensitive data on the server (e.g. credentials)

hiredman 20:03:21

echo/non-echo is a feature of the local terminal, not of the stream of bytes being sent back and forth over the socket, so if you want to support it, you will need to add additional control messages to your protocol instead of just shoveling the raw bytes back and forth over the socket

hiredman 20:03:13

presumably the credentials are required by the program to do stuff, in which case if I had repl access I would just get the credentials the same way programs do instead of doing the password thing

jjttjj 20:03:43

Yeah that makes sense, thanks

Patrix 01:03:29

I had this code in a CLI app that reads a password, but also wanted to use it at the REPL during dev (and didn't care if the pw was echoed during dev)

;;; based on 
(defn read-password
  ([] (read-password nil))
  ([prompt]
   (if-let [console (System/console)]
     (do
       ;; only available when running as an app e.g. with java -jar...
       (when prompt (print prompt) (flush))
       (String. (.readPassword console)))
     (do
       (println "[WARN] No secure console available, reading via plaintext.")
       (when prompt (print prompt) (flush))
       (read-line)))))