From 1efc1337dff73fb3e7611a1507e288a043df427b Mon Sep 17 00:00:00 2001
From: Russ Magee
Date: Fri, 14 Sep 2018 00:40:20 -0700
Subject: [PATCH] -TODO items; scrub authCookie after use

---
 TODO.txt | 9 ++++++++-
 hkexsh/hkexsh.go | 5 +++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/TODO.txt b/TODO.txt
index 5b3a087..c9a0df3 100644
--- a/TODO.txt
+++ b/TODO.txt
@@ -11,11 +11,18 @@ Architecture
(DONE) - Move hkexnet components other than key exchange into a proper hkex package (ie., hkexsh imports hkex) - hkex should be usable for other client/svr utils, ala 'hkex-netcat') + (parts split out into hkexnet/*, hkexsession.go) - Make KEx fully-pluggable: isolate all code to do with Herradura into a KEx-neutral pkg so it can be swapped out for other methods (eg., DH etc.) Features -- Support for hkcp (hkex-cp) - secure file copy protocol +(DONE) - Support for hkcp (hkex-cp) - secure file copy protocol +- (IN PROGRESS) auth tokens to allow scripted hkexsh/hkexcp use + * ~/.hkexsh_id file with multiple (host:token) entries + (Currently only one supported - need to support multiple lines for + multiple dest servers; also consider client sending host/ip used + to connect to server, so it can ensure the auth token matches that + used as servers can potentially be reached by multiple hostnames/IPs) - hktun - tunnelling - multiple tunnel sessions co-existing w/shell sessions Alternate transports for hkexsh.Conn - HTTP-mimicking traffic, ICMP, ... ?
diff --git a/hkexsh/hkexsh.go b/hkexsh/hkexsh.go
index 1a1517b..bb026eb 100755
--- a/hkexsh/hkexsh.go
+++ b/hkexsh/hkexsh.go
@@ -519,6 +519,7 @@ func main() {
 }
 if len(authCookie) == 0 {
+ //No auth token, prompt for password
 fmt.Printf("Gimme cookie:")
 ab, err := hkexsh.ReadPassword(int(os.Stdin.Fd()))
 fmt.Printf("\r\n")
@@ -541,6 +542,10 @@ func main() {
 _, err = conn.Write(rec.Cmd())
 _, err = conn.Write(rec.AuthCookie(true))
+ //Security scrub
+ authCookie = nil
+ runtime.GC()
+
 // Read auth reply from server
 authReply := make([]byte, 1) // bool: 0 = fail, 1 = pass
 _, err = conn.Read(authReply)
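Review bot: `authCookie = nil` followed by `runtime.GC()` does not erase the token bytes — it only drops this one reference, and the collector neither zeroes reclaimed memory nor frees anything still referenced, so the secret stays in the heap exactly as before; `rec` evidently still holds a copy too, since `rec.AuthCookie(true)` was just written to the connection on the line above. Overwrite the buffer in place before dropping it, `for i := range authCookie { authCookie[i] = 0 }` then `authCookie = nil`, and remove the `runtime.GC()` call, which costs a full-heap pause without adding any protection. If `rec` and the `ab` buffer returned by ReadPassword in the previous hunk retain copies of the token, they need the same in-place zeroing, which this hunk does not address. The new comment should read `// Security scrub: zero the token; nil alone leaves it in memory` to match the gofmt spacing of the surrounding comments. main() continues outside the hunk.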