I connect to a ftp server with vim and netrc. I don't have the password stored in .netrc because of security.
So when I connect to my server I have to enter the password, which is cooland it works. But if I change the directory, open a file etc. I have to re-enter my password after every action.
Is there a way to have it remember it after entering it once?
I think if you don’t use .netrc, that will work. It will prompt you for your login name as well as the password, though.
If you want to keep your .netrc for other purposes and just not use it in Vim, use
:let g:netrw_ignorenetrc = 1
A better solution, of course, would be to switch to some SSH-based access method. Then you can make use of the SSH agent to evade the whole issue entirely.
Related
I frequently have to connect to vpn for work. So rather than typing the whole cmd, i want to type something like vpn in terminal and it picks up the password from somewhere and the vpn gets connected.
The process I do now is..
sudo openvpn --config <configfile.ovpn>
I'll be prompted to type the password and when i do that it gets connected.
For the same I explored alias but I suppose alias is for much simpler task. Any solutions, how to pass password automatically when terminal ask for it?
You can create an alias and use it .
In your .bashrc, you can create an alias
alias vpn=« Your command »
Then you will just type the command vpn.
Here a link that can help you
When the password is asked interactively the best options is add the --askpass argument and send the password through a file.
openvpn --config <configfile.ovpn> --askpass <file with cred>
You can also add automatically the password using expect or similar, but the best option is using the own openvpn.
--askpass [file]
Get certificate password from console or file before we daemonize.
For the extremely security conscious, it is possible to protect your private key with a password. Of course this means that every time the OpenVPN daemon is started you must be there to
type the password. The --askpass option allows you to start OpenVPN from the command line. It will query you for a password before it daemonizes. To protect a private key with a password
you should omit the -nodes option when you use the openssl command line tool to manage certificates and private keys.
If file is specified, read the password from the first line of file. Keep in mind that storing your password in a file to a certain extent invalidates the extra security provided by using
an encrypted key.
You can put the password into a file and point your OpenVPN client configuration to it.
It is obviously a bad idea for security to store passwords in plain text on your hard drive!
If you still want to do it, put your user name and password in a plain text file on two lines, like so:
username
password
Add a line
auth-user-pass passwordfile
to your OpenVPN client configuration where passwordfile is the name of the file.
Note this only works in OpenVPN 2 and is no longer supported in version 3. See this blog post about it: https://openvpn.net/blog/openvpn-3-linux-and-auth-user-pass/
I'm trying to use Vim as a substitute for DreamWeavers nice FTP-client sidebar. But I would like for Vim to 'remember' my logins, - so I don't need to get the FTP-address, the username and the password, every time I need to connect to a remote server, to make some changes.
I've made it as far as to figure out, that one can setup a .netrc-file, where you can save login-credentials (and possibly encrypt it using GPG, which I will look into, after I've goten this to work). I can find endless manuals and tutorials about how to setup the .netrc-file, - but no information on how to actually use this .netrc-file.
So if my .netrc-file looks like this:
machine <hostname1>
login <login1>
password <password1>
machine <hostname2>
login <login2>
password <password2>
Then how to I for instance connect to <hostname2>? Do I write vim <hostname2> - and if so, then what if I have several different remote servers on the same host (where the user and password-credentials vary)?
Ideally, I would like to just be able to write something along the lines of
vim ftp://MY_OWN_NICKNAME_FOR_A_REMOTE_SERVER
Whereafter Vim will find the credentials in the .netrc-file and connect me to the given server. How do I do this?
The .netrc file supplies vim with usernames and passwords of remote servers. On the command line, when vim is supplied with a hostname that matches a machine name defined in .netrc, it plugs in the username and password into the url. For example, if I wanted to connect to ftp.server1.com and automatically login I would need to do set up the following in my .netrc file:
$ < .netrc
machine ftp.server1.com login username password "secretpassword"
$ vim ftp://ftp.server1.com/
If I wanted multiple hostnames setup in my .netrc, I would just add a new entry:
$ < .netrc
machine ftp.server1.com login username password "secret password"
machine ftp.server2.com login username password "secretpassword1"
machine ftp.server3.com login different_username password "secretpassword2"
What may be confusing is that you can not alias the hostname. When I first starting using this feature, I thought machine was a variable I could supply -- but this is not the case. That said, a shell aliases will fill-in for vim's lack:
$alias server1=ftp://ftp.server1.com/
$vim $server1
Note: you need that trailing / on the urls to tell vim you're browsing. Also note there are further complications when using a windows os as detailed in :help netrw.
I'm trying to edit some files on a remote server with Vim. I've managed this on other servers without trouble in the past, but in this case when I type:
$ vim ftp://username#xxxxxx.com/
I'm prompted for a password, I type it in and I see this:
Name (notixvalet.com:george): User cannot log in.
Please login with USER and PASS.
Please login with USER and PASS.
Please login with USER and PASS.
ftp: Login failed
'george' is my username on my local machine (Mac OS X 10.8.) Vim seems to be ignoring the username I give it and trying to log on as 'george', no matter what I do. To test this I created a new account on my MacBook with the same username as the username on the server I'm trying to log in as, then from that account I can log in fine. This is obviously a VERY hacky solution - how can I connect using the right username from my regular account?
(Incidentally, the username and password I'm using are 100% definitely right - I can use them to connect to the server through an FTP client such as FileZilla.)
The plugin you are using to edit the remote files is netrw, as noted by Ingo in the comments. You can read the plugin help file through :h netrw. In special:
NETRC *netrw-netrc*
The <.netrc> file, typically located in your home directory, contains lines
therein which map a hostname (machine name) to the user id and password you
prefer to use with it.
The typical syntax for lines in a <.netrc> file is given as shown below.
Ftp under Unix usually supports <.netrc>; ftp under Windows usually doesn't.
>
machine {full machine name} login {user-id} password "{password}"
default login {user-id} password "{password}"
Your ftp client must handle the use of <.netrc> on its own, but if the
<.netrc> file exists, an ftp transfer will not ask for the user-id or
password.
Note:
Since this file contains passwords, make very sure nobody else can
read this file! Most programs will refuse to use a .netrc that is
readable for others. Don't forget that the system administrator can
still read the file! Ie. for Linux/Unix: chmod 600 .netrc
Is there any chance that you forgot to copy the ~/.netrc file from the other servers where you can connect without problems? Or it has incorrect permissions, as mentioned on the last paragraph?
I have a remote server to which I login using ssh. Is there a way to be notified through email (using a bash script) when someone changes the user password using passwd including the new password?
I am guessing it has to do with /etc/pam/passwd, but not entirely sure what the trigger and flags should be.
This would be useful if for example I give my access to a "friend" and they decide to lock me out of my account. Of course I could create a new account for them etc, but this is more of a "it should be possible" task rather than a practical one.
First, a Dope Slap
There's a rule that this question reminds me of... What is it? Oh yeah...
NEVER SHARE YOUR PASSWORDS WITH ANYONE!
Which also goes well with the rule.
NEVER SEND SOMETHING SECRET THROUGH EMAIL!
Sorry for the shouting. There's a rule in security that the likelihood a secret will get out is the square of the number of people who know it. My corollary is:
if ( people_who_know_secret > 1 ) {
It ain't a secret any more
}
In Unix, even the system administrator, the all powerful root, doesn't know your password.
Even worse, you want to email your password. Email is far from secure. It's normally just plain text sent over the Aether where anyone who's a wee bit curious can peek at it.
Method One: Allowing Users to use SSH without Knowing Your Password
Since you're using SSH, you should know that SSH has an alternate mechanism for verifying a user called Private/Public keys. It varies from system to system, but what you do is create a public/private key pair. You share your public key with the system you want to log into, but keep your private key private.
Once the remote machine has your public key, you can log into that system via ssh without knowing the password of that system.
The exact mechanism varies from machine to machine and it doesn't help that there are two different ssh protocols, so getting it to work will vary from system to system. On Linux and Macs, you generate your public/private key pair through the ssh-keygen command.
By default, ssh-keygen will produce a file called $HOME/.ssh/id_rsa.pub and $HOME/.ssh/id_rsa. The first one is your public key. You run ssh-keygen on both your machine and the machine you want to log into.
On the machine you're logging into, create a file called $HOME/.ssh/authorized_keys, and copy and paste your public key into this file. Have your friend also send you his public key, and paste that into the file too. Each public key will take up one line in the file.
If everything works, both you and your friend can use ssh to log into that remote machine without being asked for a password. This is very secure since your public key has to match your corresponding private key. If it doesn't you can't log in. That means even if other popel find your public key, they won't be able to log into that remote system.
Both you and your friend can log into that system without worrying about sharing a password.
Method Two: A Better Solution: Using SUDO
The other way to do this is to use sudo to allow your friend to act as you in certain respects. Sudo has a few advantages over actually sharing the account:
All use of SUDO is logged, so you have traceability. If something goes wrong, you know who to blame.
You can limit what people can do as SUDO. For example, your friend has to run a particular command as you, and nothing else. In this case, you can specify in the /etc/sudoers file that your friend can only run that one particular command. You can even specify if your friend can simply run the command, or require your friend to enter their password in order to run that command.
On Ubuntu Linux and on Macintoshes, the root password is locked, so you cannot log in as root. If you need to do something as root, you set yourself up as an administrator (I believe by putting yourself in the wheel group) and then using sudo to run required administrator functions.
The big disadvantage of Sudo is that it's more complex to setup and requires administrator access on the machine.
Try setting up public/private keys using SSH. It might take some tweaking to get it to work, but once it works, it's beautiful. Even better, you can run remote commands and use sep to copy files from one machine to the other -- all without the password prompt. This means that you can write shell scripts to do your work for you.
By the way, a sneaky trick is to set your remote shell to /bin/false. That way, you can't log into that system -- even using ssh, but you can run remote commands using ssh and use sep to copy files back and forth between systems.
Personal passwords are only supposed to be known by the user themselves. Not even the root user is supposed to know them, which is why they are stored encrypted. Of course, the root user has sufficient access to decrypt them, but the principle is the same.
If you are giving your "friend" access, them assign them proper privileges! Do not make them a root user, and you shouldn't be a root user either. Then you're "friend" won't have access to change your password, let along muck about in areas they aren't supposed to be in.
If you absolutely must monitor the passwd and shadow files, install iwatch. Then set it to watch the /etc/passwd and /etc/shadow files. If they change, it runs a script that decrypts the file and emails someone. If you keep a copy to diff against, you'll even know who changed. You should probably also gpg the email, so that it does not go over the internet in plain text, since it has everyone's password in it. Please note that any other users on the system will be upset by the dystopian world they find themselves in.
Just because root is the law of the land does not mean we want to be living in 1984.
Try some kind of:
alias passwd='passwd && echo 'Alert! Alert! Alert!' | mail -s 'pass change' alert#example.com'
Should be enough for you:)
Another possible solutions for those, who think, that alias is too mainstream)) :
1) You could make a cron job, that will be checking your /etc/shadow file every, for example, minute, and when the file changes, it will send you an alert-email. The easiest way here, I think, will be making md5 checksum
2) You can move /usr/bin/passwd to /usr/bin/passwd.sys and make a script with /usr/bin/passwd.sys && echo 'Alert! Alert! Alert!' | mail -s 'pass change' on it's place. And yes, this way is also could be discovered be the user and scrubed round:)
I have been just connecting to one server via .netrc and it worked fine but now I need to be able to connect the original server and a new account. When I add new account information (machine, login, password) it just signs into the original account that comes first in the .netrc file.
So right now my VIM .netrc file looks like this:
machine oldsite.com
login old_username
password oldpassword
machine newsite.com
login new_username
password new_password
How can I make VIM/.netrc ask me which account I want to sign into?
I realized that my problem was not in the .netrc file but in my .vimrc file. What I had to do was create a new mapping to ftp to newsite.com. So this is what I have in my .vimrc to get it working
map <silent> ;n :e ftp.newsite.com/public_html/<CR>
map <silent> ;o :e ftp.oldsite.com/public_html/<CR>
The reason for my trouble was that I forgot all about the shortcut ';o' being assigned just to oldsite.com. To be more clear, I had basically forgotten exactly how it all worked. Only by back tracking through all relevant files did I figure it out.