Add -pwfile option, a more secure version of -pw.

Similarly to cmdgen's passphrase options, this replaces the password on the command line with a filename to read the password out of, which means it can't show up in 'ps' or the Windows task manager.
2025-01-09 17:38:00 +00:00 · 2021-09-28 18:04:15 +01:00 · 2021-09-28 18:04:15 +01:00 · 44ee7b9e76
commit 44ee7b9e76
parent d489c64f48
10 changed files with 63 additions and 15 deletions
--- a/cmdline.c
+++ b/cmdline.c
@ -584,6 +584,32 @@ int cmdline_process_param(const char *p, char *value,
        }
    }

+    if (!strcmp(p, "-pwfile")) {
+        RETURN(2);
+        UNAVAILABLE_IN(TOOLTYPE_NONNETWORK);
+        SAVEABLE(1);
+        /* We delay evaluating this until after the protocol is decided,
+         * so that we can warn if it's of no use with the selected protocol */
+        if (conf_get_int(conf, CONF_protocol) != PROT_SSH)
+            cmdline_error("the -pwfile option can only be used with the "
+                          "SSH protocol");
+        else {
+            Filename *fn = filename_from_str(value);
+            FILE *fp = f_open(fn, "r", false);
+            if (!fp) {
+                cmdline_error("unable to open password file '%s'", value);
+            } else {
+                cmdline_password = chomp(fgetline(fp));
+                if (!cmdline_password) {
+                    cmdline_error("unable to read a password from file '%s'",
+                                  value);
+                }
+                fclose(fp);
+            }
+            filename_free(fn);
+        }
+    }
+
    if (!strcmp(p, "-agent") || !strcmp(p, "-pagent") ||
        !strcmp(p, "-pageant")) {
        RETURN(1);
--- a/doc/index.but
+++ b/doc/index.but
@ -245,6 +245,7 @@ saved sessions from
 \IM{-m} \c{-m} command-line option
 \IM{-P-upper} \c{-P} command-line option
 \IM{-pw} \c{-pw} command-line option
+\IM{-pwfile} \c{-pwfile} command-line option
 \IM{-A-upper} \c{-A} command-line option
 \IM{-a} \c{-a} command-line option
 \IM{-X-upper} \c{-X} command-line option
--- a/doc/man-plink.but
+++ b/doc/man-plink.but
@ -114,11 +114,16 @@ sequences. These options override Plink's default behaviour to enable
 or disabling such filtering on the standard error and standard output
 channels.

+\dt \cw{-pwfile} \e{filename}
+
+\dd Open the specified file, and use the first line of text read from
+it as the remote password.
+
 \dt \cw{-pw} \e{password}

 \dd Set remote password to \e{password}. \e{CAUTION:} this will likely
 make the password visible to other users of the local machine (via
-commands such as \q{\c{w}}).
+commands such as \q{\c{ps}} or \q{\c{w}}). Use \cw{-pwfile} instead.

 \dt \cw{\-L} \cw{[}\e{srcaddr}\cw{:]}\e{srcport}\cw{:}\e{desthost}\cw{:}\e{destport}

--- a/doc/man-pscp.but
+++ b/doc/man-pscp.but
@ -101,11 +101,16 @@ channel from the server, to prevent remote processes sending confusing
 escape sequences. This option forces the standard error channel to not be
 filtered.

+\dt \cw{-pwfile} \e{filename}
+
+\dd Open the specified file, and use the first line of text read from
+it as the remote password.
+
 \dt \cw{-pw} \e{password}

 \dd Set remote password to \e{password}. \e{CAUTION:} this will likely
 make the password visible to other users of the local machine (via
-commands such as \q{\c{w}}).
+commands such as \q{\c{ps}} or \q{\c{w}}). Use \cw{-pwfile} instead.

 \dt \cw{-1}

--- a/doc/man-psftp.but
+++ b/doc/man-psftp.but
@ -89,11 +89,16 @@ channel from the server, to prevent remote processes sending confusing
 escape sequences. This option forces the standard error channel to not be
 filtered.

+\dt \cw{-pwfile} \e{filename}
+
+\dd Open the specified file, and use the first line of text read from
+it as the remote password.
+
 \dt \cw{-pw} \e{password}

 \dd Set remote password to \e{password}. \e{CAUTION:} this will likely
 make the password visible to other users of the local machine (via
-commands such as \q{\c{w}}).
+commands such as \q{\c{ps}} or \q{\c{w}}). Use \cw{-pwfile} instead.

 \dt \cw{-1}

--- a/doc/using.but
+++ b/doc/using.but
@ -838,17 +838,23 @@ any case.)
 This option is equivalent to the port number control in the Session
 panel of the PuTTY configuration box (see \k{config-hostname}).

-\S2{using-cmdline-pw} \i\c{-pw}: specify a \i{password}
+\S2{using-cmdline-pw} \i\c{-pwfile} and \i\c{-pw}: specify a \i{password}

 A simple way to automate a remote login is to supply your password
-on the command line. This is \e{not recommended} for reasons of
-security. If you possibly can, we recommend you set up public-key
-authentication instead. See \k{pubkey} for details.
+on the command line.

-Note that the \c{-pw} option only works when you are using the SSH
-protocol. Due to fundamental limitations of Telnet, Rlogin, and
-SUPDUP, these protocols do not support automated password
-authentication.
+The \c{-pwfile} option takes a file name as an argument. The first
+line of text in that file will be used as your password.
+
+The \c{-pw} option takes the password itself as an argument. This is
+\s{NOT SECURE} if anybody else uses the same computer, because the
+whole command line (including the password) is likely to show up if
+another user lists the running processes. \c{-pw} is retained for
+backwards compatibility only; you should use \c{-pwfile} instead.
+
+Note that these options only work when you are using the SSH protocol.
+Due to fundamental limitations of Telnet, Rlogin, and SUPDUP, these
+protocols do not support automated password authentication.

 \S2{using-cmdline-agentauth} \i\c{-agent} and \i\c{-noagent}:
 control use of Pageant for authentication
--- a/pscp.c
+++ b/pscp.c
@ -2201,7 +2201,7 @@ static void usage(void)
    printf("  -load sessname  Load settings from saved session\n");
    printf("  -P port   connect to specified port\n");
    printf("  -l user   connect with specified username\n");
-    printf("  -pw passw login with specified password\n");
+    printf("  -pwfile file   login with password read from specified file\n");
    printf("  -1 -2     force use of particular SSH protocol version\n");
    printf("  -ssh -ssh-connection\n");
    printf("            force use of particular SSH protocol variant\n");
--- a/psftp.c
+++ b/psftp.c
@ -2535,7 +2535,7 @@ static void usage(void)
    printf("  -load sessname  Load settings from saved session\n");
    printf("  -l user   connect with specified username\n");
    printf("  -P port   connect to specified port\n");
-    printf("  -pw passw login with specified password\n");
+    printf("  -pwfile file   login with password read from specified file\n");
    printf("  -1 -2     force use of particular SSH protocol version\n");
    printf("  -ssh -ssh-connection\n");
    printf("            force use of particular SSH protocol variant\n");
--- a/unix/plink.c
+++ b/unix/plink.c
@ -516,7 +516,7 @@ static void usage(void)
    printf("  -sercfg configuration-string (e.g. 19200,8,n,1,X)\n");
    printf("            Specify the serial configuration (serial only)\n");
    printf("The following options only apply to SSH connections:\n");
-    printf("  -pw passw login with specified password\n");
+    printf("  -pwfile file   login with password read from specified file\n");
    printf("  -D [listen-IP:]listen-port\n");
    printf("            Dynamic SOCKS-based port forwarding\n");
    printf("  -L [listen-IP:]listen-port:host:port\n");
--- a/windows/plink.c
+++ b/windows/plink.c
@ -138,7 +138,7 @@ static void usage(void)
    printf("  -sercfg configuration-string (e.g. 19200,8,n,1,X)\n");
    printf("            Specify the serial configuration (serial only)\n");
    printf("The following options only apply to SSH connections:\n");
-    printf("  -pw passw login with specified password\n");
+    printf("  -pwfile file   login with password read from specified file\n");
    printf("  -D [listen-IP:]listen-port\n");
    printf("            Dynamic SOCKS-based port forwarding\n");
    printf("  -L [listen-IP:]listen-port:host:port\n");