Linux – Removing Previously Typed Commands on Remote Server

linuxpassword-managementpasswordsSecurityUbuntu

I am ssh'ing into a remote server and then su'ing to root.

The problem is that sometimes, I have not paid enough attention to the console message, and I have accidentally typed in the root password at the command prompt (when for example, I had failed to provide the root password correctly the first time – so su prompt went away).

I remember reading somewhere that a history of commands typed at the console is kept somewhere.

I have 3 sub questions

Where (which folder) is the file stored?
Can I edit that file and remove the root password from it?
Being the paranoid person that I am, I wonder if there is a more secure way of logging into my server – other than ssh (or am I being TOO paranoid?)

My server is running a headless Ubuntu 10.0.4

Best Answer

If you are using bash, the history is in ~/.bash_history, yes, you can edit it.

But there's nothing that will prevent you from entering your password in the wrong place, short of paying attention.

Related Solutions

Linux – Denyhosts keeps adding the IP address to hosts.deny

Check files in /var/lib/denyhosts/ as your IP is stored there too. For the future, add your IP to /etc/hosts.allow:

ALL: xx.xx.xx.xx

Word – How to “unlock” sudo for 15 mins after login

Could be done by having pam_exec run a command that creates the necessary timestamps in /var/lib/sudo.

Append the following to /etc/pam.d/sshd and/or /etc/pam.d/login (but not common-session or anything like that):

session optional pam_exec.so /usr/lib/sudo-auth

The script could be:

#!/bin/sh

# Depends on your distro. May be /var/db/sudo, /var/spool/sudo, etc.
root="/var/lib/sudo"

if [ "$PAM_USER" ]; then
    dir="$root/$PAM_USER/"
    if [ "$PAM_TYPE" = open_session ]; then
        mkdir -p "$dir" && touch "$dir"
    fi
else
    echo "Must be run from PAM." >&2
fi

Requires the tty_tickets option to be disabled in sudoers, due to the way SSH (and opensshd in particular) work with ttys.

This could be modified to only authenticate specified remote hosts, either by putting pam_access above pam_exec in the PAM stack, or by just comparing $PAM_RHOST in the script. (Such checks wouldn't work with mobile clients, however.)

Best Answer

Related Solutions

Linux – Denyhosts keeps adding the IP address to hosts.deny

Word – How to “unlock” sudo for 15 mins after login

Related Question