I'm using a bash script to start a java program/process. The bash script prompts for username and password and should supply these to the java process. I don't want to supply these as parameters for the java program so they can be seen as clear text using the shell "ps" command. So I don't want any of the following:
- java MyClass <clearTextPassword>
- java -Dpass=<clearTextPassword>
Are there any recommended ways to supply the password to the java process from a shell script?
Thanks in advance for any suggestions.
Best regards Trym
if you have coded the program yourself, its better to design your program such that it promts the user for password and use Console class's readPassword() to read the password from the command line
In this cases I create a file on disk (encrypted or not depending on your level of security need). I modify the permission so that only controlled user can read it when executing the program
You could store the password in a properties file (you have different options when it comes to securing it. You can also forgo a password entirely and use a public Key
You could pass a hashed version of the password. For example, provide a timestamp, and a MD5 of timestamp and password concatenated together. This is of course if you have control over the process code and can work with an hashed version.
Related
Working with Unix server... My requirement is to read the name of the file that is there at /a/b/c/node01/d.ear location on a Unix server and I have do the same through a java program. The problem is that the directory a is a restricted directory and is accessible only to certain users. On the Unix side, I first issue a become command like become a, then supply the password and then using cd command, I reach the d.ear directory and then get to see the name of the file.
How do I do all of this via a Java program?
I don't mind if my Java program calls a shell script that accesses the restricted directory and then reach d.ear and fetch the name of the file and returns the same to the java program. Do we have a way of doing this? Maybe issuing the become command inside the script which is called from the Java program and the password which is asked after become command is supplied as a parameter while calling the script???
Is this approach doable? I am very new to Unix commands and JSch library. Kindly provide the code or any other alternate solutions...
Thanks!!!
As I have suggested you already, your become command seems to behave the same way (from an interface/API point of view) as common *nix su or sudo.
So, use the same solution as for those. There are many questions on Stack Overflow covering use of su/sudo with JSch.
There's even an official JSch example Sudo.java:
http://www.jcraft.com/jsch/examples/Sudo.java.html
In short:
Execute become command
Feed a password to its input
Assuming the become starts a new shell (as su or sudo do), you feed the commands to be executed in the elevated environment to become input (the same was as the password).
To get the name of the current user in a Java program, you can simply fetch the value of the user.name system property:
System.getProperty("user.name");
But how secure is that? Can a user executing the program easily set this property to an arbitrary value (using a command-line argument of the JVM, for example) for common runtime environments? Can a user easily spoof this user name?
I ask because I am writing a command-line program that can be run by anyone, but allows some privileged operations only if the user is a special administrative user.
Note that since Java 11 the user.name property is effectively read only once the program starts, so malicious program code can not spoof it.
Yes this value can be 'spoofed' and cannot be relied upon if the user is free to start the application.
Simply starting the app with the JVM arg -Duser.name=someothername will cause System.getProperty("user.name") to return that value.
For anyone possible landing on this ever again:
Using the cmd-command whoami and reading the input using this post should be a more secure way of using the username as "validation".
Except, this can be spoofed as well, which might be harder for a cmd-command than for a JVM argument...
I am able to run commands on remote machine using java jsch library.
Scenario is when I am executing a particular command from putty it is prompting for password and a reason to execute this command(for some security purpose).
Now I want to do the same executing that command and passing password and reason on propmt using java program only.
How can I achieve this?
"There is nothing code specific actually. I am executing a pbrun command in unix using putty with command "/opt/bin/pbrun username". which on entering prompt me for password and reason to login. As I am accessing it thorough putty I am able to pass values. I want to pass those value using java program."
Basically you cannot do that this way, SSH does not permit to pipe the password because of security reasons.
However, what you can do is (roughly) to generate a public/private keypair with ssh-keygen and place it to the host's .ssh/authorized_keys. Then you can SSH without a password, that is my usual solution for the problem (however, I'd love to hear any alternatives). There are plenty of tutorials on the topic, simply search for the "passwordless ssh" expressions.
It may sound trivial, but believe me, you will spend hours on configuring it :-). The ssh -x will be your friend (for one you'll need exact privileges on the key files and stuff like that).
Till now, i have been creating a file (txt/excel) using buffered Writer for creating a text file and JExcel API for creating a Excel file. These files i have been creating using Java only.
Now i want to make the file password protected in both the cases, that to something like, the file can be accessed by number of people, but only selected may access it using there own login ids/password.
Is it possible to do so?..
Thanks
The answer completely depends on what way you want to open your protected files.
If it is opened by your (java) program or an application, then you can simply simply encrypt it with a password upon saving, and decrypt it with something the user provides,
and use some checksum or header to see if the result is valid - or some garbage due to bad password,
some crypto APIs will do it for you right out of the box.
Second option - if you meant encrypting files with a program (like a notepad file, or something), and you expect windows or notepad to ask you for the password, then it depends on the format of the file you use. Some can be password protected, some can not -like text files usually associated with notepad). In this case password protection works as described in the format's own documentation, and you have to research a bit, I guess it will be too much work
we can do password protection of zip files with the core Java API.
Yes, it is possible to do that, you would have to write your own encryption and decryption tool or write a plugin for excel to do the decryption.
Usually the best approach is to use the security of the OS and specify which users can read or read/write the document. This is transparent to the user and doesn't require a encryption/decryption tool.
yes it is possible. You can use either AES or DES encryption. password is nothing but the key using which the file can be be encrypted or decrypted. you can create your own listener which will prompt you for password. If you enter the password then it will take the password and try to decrypt the file
Scenerio: I'd like to run commands on remote machines from a Java program over ssh (I am using OpenSSH on my development machine). I'd also like to make the ssh connection by passing the password rather than setting up keys as I would with 'expect'.
Problem: When trying to do the 'expect' like password login the Process that is created with ProcessBuilder cannot seem to see the password prompt. When running regular non-ssh commands (e.g 'ls') I can get the streams and interact with them just fine. I am combining standard error and standard out into one stream with redirectErrorStream(true); so I am not missing it in standard error...When I run ssh with the '-v' option, I see all of the logging in the stream but I do not see the prompt. This is my first time trying to use ProcessBuilder for something like this. I know it would be easier to use Python, Perl or good ol' expect but my boss wants to utilize what we are trying to get back (remote log files and running scripts) within an existing Java program so I am kind of stuck.
Thanks in advance for the help!
The prompt might only be shown when ssh is connected to a TTY, which it isn't in the case of Java.
There's probably a way to supply the password on the command-line in your ssh application. That will be the way to get past the prompt.
Alternately, consider connecting directly to the host server from native Java code rather than running an external application. There's a million libraries that will do this.
Rather than using an external ssh program, why not use a Java ssh library:
Trilead
JTA
Are two I found with google - that'll avoid the problem that openssh will be working very hard to prevent entering the password on stdin - it'll be opening the terminal directly. expect has to work very hard to simulate a tty in order to work.
Why not use a Java ssh client? This one is BSD-licensed, and there are more clients listed here.
Most security minded programs don't use stdin/stdout for capturing passwords, they capture the TTY or some equivalent method.
Echoing others' suggestion to use a Java SSH library. But wanted to comment on Cohen's response. Sending your password over the command line when establishing the connection is insecure and also not permitted by many sshd servers (based on configuration).
You might want to look into setting up keys for this, so you can perform ssh commands between the machines without a password.
Basic steps
- use openssh to create a keypair (I've done RSA but I know there's a better method now)
- create a .ssh directory in your home folder on the SOURCE machine
- create a .ssh directory in your home folder on the TARGET machine
- keep your private key in your source machine's .ssh folder
- copy your public key into a file called authorized_keys in the target's .ssh folder
Some instructions can be found here
You can run commands using edtFTPj/PRO, as well as performing file transfers via SFTP. It's Java.