4

I am behind a proxy server and need to specify authentication parameters to access the internet. For this, I have exported my username, password, host and port_no in my /home/$USER/.bashrc file and in /etc/apt/apt.conf file, which are human readable.
For example:

Acquire::http::proxy "http://<username>:<password>@172.16.0.2:8080";
Acquire::ftp::proxy "ftp://<username>:<password>@172.16.0.2:8080/";
Acquire::https::proxy "https://<username>:<password>@172.16.0.2:8080/";

This causes my password to be openly visible to anyone who has read access to these files.

Is there a secure way of passing these parameters to the applications that need proxy authentication parameters without having to write in such human readable form?

Note: It would be good to know of permanent methods. I know I can do this temporarily by exporting each time I open a new session. But I will have to do this every time I open a new session, which I want to avoid.

jobin
  • 27,708

1 Answer

0

Sorry for writing a long answer, but apt.conf is a very sensitive issue of the system. So it is necessary to clear up all the aspects.

As far as I know, ~/.bashrc and /etc/apt/apt.conf accept your proxy settings only if they are given in human-readable form; at most you can force them to read from different files. I am going to exploit this. I will keep the proxy credentials in files that are not accessible to anyone but the root/sudoer user. But one has to unveil the proxy settings to apt-get and/or software-center every time before using them.

Secure way to supply proxy to shell environment

Cut all the contents that you put into your ~/.bashrc in order to supply proxy settings in shell environment and paste to a file say ~/.mybashproxy. Change ~/.mybashproxy ownership to root and strip off the read write permission for group and other, so that only sudoers can access them.

sudo chown root:root ~/.mybashproxy
sudo chmod go-rw ~/.mybashproxy

Make the following alias in ~/.bashrc or in ~/.bash_aliases, I would prefer to use the latter.

alias begin_proxy='sudo cat ~/.mybashproxy > ~/.tmp; source ~/.tmp; rm ~/.tmp'

Usage

You have to enable proxy in your shell environment by begin_proxy command from terminal providing your sudo password. In this way nobody will know your proxy credentials. But after using begin_proxy if you allow someone to access the same terminal, he might be able to see your credentials using env | grep proxy command in terminal. To be secure do not allow anyone to use the same terminal where you used begin_proxy.

Secure way to supply proxy to apt-get

apt-get and software-center use the file /etc/apt.conf to preserve proxy settings. Create a file /etc/apt/myproxy.txt and put the content of your /etc/apt/apt.conf in it from terminal by opening it as,

sudo gedit /etc/apt/myproxy.txt

Next, copy the desired content and save the file. Remove read write permission of /etc/apt/myproxy.txt for group and other as shown above using chmod.

Create a temporary file named say tmproxy.txt at /etc/apt/ and give read-write permission for all to it as follows,

sudo touch /etc/apt/tmproxy.txt
sudo chmod go+rw /etc/apt/tmproxy.txt

I am going to supply proxy settings to apt-get and software-center from it when necessary. Add the following line in /etc/apt/apt.conf to read proxy settings from /etc/apt/tmproxy.txt.

#include /etc/apt/tmproxy.txt;

Except for the above line, /etc/apt/apt.conf should contain nothing. Now create the following aliases in ~/.bash_aliases

alias able_apt='sudo cat /etc/apt/myproxy.txt > /etc/apt/tmproxy.txt'
alias disable_apt='echo "0;" > /etc/apt/tmproxy.txt'

Usage

Before using apt-get and/or software-center you have to use the command able_apt providing your sudo password. Then all your proxy credentials will be stored in /etc/apt/tmproxy.txt and apt-get and/or software-center will be able to use it. After closing software-center or after using apt-get, use the command disable_apt to wipe out proxy credentials from /etc/apt/tmproxy.txt. In this process also no one could see your proxy credentials unless you leave them in /etc/apt/tmproxy.txt by forgetting to use disable_apt.

Notes and Summary

  1. In the alias disable_apt the semicolon (;) after zero is important, otherwise you will get the error "Extra junk at end of file". A red error icon can also appear on the top right panel.
  2. If you don't have ~/.bash_aliases, create one. And source ~/.bashrc after making sure that ~/.bashrc contains the following lines,
     if [ -f ~/.bash_aliases ]; then
         . ~/.bash_aliases
     fi
  3. Immediately after doing the above settings, to enable the aliases you either have to log out and log in once or you can use source ~/.bash_aliases in terminal.
  4. At the end of the story you have three aliases to use:

    • begin_proxy - to start proxy in shell environment. Lasts until terminal is open.
    • able_apt - to enable apt-get and/or software-center and to store proxy credentials in /etc/apt/tmproxy.txt
    • disable_apt - to disable apt-get and/or software-center and to wipe out proxy credentials from /etc/apt/tmproxy.txt

Hope this will be helpful.

sourav c.
  • 44,715
  • +1 for a clever and hacky way! But as I use proxy all the time in my college, I'll have to do this every time I reboot my machine, that's alright, I'll run it as a cron job at reboot, but yet the file /etc/apt/tmproxy.txt reveals password without sudo rights, which is an issue. Also I did not understand the role of /etc/apt/tmproxy.txt, when I can directly write the contents of etc/apt/myproxy.txt to /etc/apt/apt.conf. Can you explain this? – jobin Jan 07 '14 at 03:57
  • Let me clarify the problem. You cannot strip off the read permission for group and others from either /etc/apt/apt.conf or a file it is pointing to (here /etc/apt/tmproxy.txt, and it must be there all the time unlike .tmp for bash case). If you do otherwise, it will give you an error and Software center will not open without sudo. But we need to hide the credentials. So I proposed this. Feel free to discuss. – sourav c. Jan 07 '14 at 08:08
  • And please use alias disable_apt to purge info from /etc/apt/tmproxy.txt while you are away. This hack needs quite an effort from the user but at the same time does its job nicely. – sourav c. Jan 07 '14 at 08:16
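
A check for the exposure discussed in this thread, as an added example that is not part of the original posts: it reports, for each file named above, whether it contains a proxy URL with embedded credentials and whether group or other have any permission bit on it. It assumes GNU coreutils stat (as on Ubuntu); audit_proxy_file and audit_page_files are hypothetical helper names.

```bash
#!/bin/sh
# Added example: report whether a file holds a proxy URL with embedded
# credentials and whether group/other have any access to it.
# Assumes GNU coreutils stat (as on Ubuntu). audit_proxy_file is a
# hypothetical helper name, not part of apt or bash.

# Matches scheme://user:password@host as used in apt.conf and *_proxy exports.
CRED_RE='://[^/@[:space:]"]+:[^/@[:space:]"]+@'

audit_proxy_file() {
    f=$1
    [ -e "$f" ] || { echo "missing"; return 0; }
    [ -r "$f" ] || { echo "unreadable"; return 0; }   # caller cannot inspect it
    grep -Eq "$CRED_RE" "$f" || { echo "clean"; return 0; }
    mode=$(stat -c '%a' "$f")                 # e.g. 644, 600, 666
    go=$(printf '%s' "$mode" | tail -c 2)     # group and other digits
    case $go in
        0|00) echo "restricted" ;;            # owner-only access
        *)    echo "exposed" ;;               # group/other hold some permission
    esac
}

# Files named in the question and answer above.
audit_page_files() {
    for f in "$HOME/.bashrc" "$HOME/.mybashproxy" /etc/apt/apt.conf \
             /etc/apt/myproxy.txt /etc/apt/tmproxy.txt; do
        printf '%-28s %s\n' "$f" "$(audit_proxy_file "$f")"
    done
}

audit_page_files
```

Run it as the unprivileged user: "exposed" on /etc/apt/tmproxy.txt after able_apt and "clean" after disable_apt matches the behaviour described in the comments.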