Secure Methods to Pass Passwords via Command Line Without Exposing in History or Processes


2 views

When working with cryptocurrency daemons like darkcoind or bitcoind, we often face a critical security dilemma: how to securely pass sensitive credentials through command-line arguments without exposing them in:

  • Shell history (.bash_history)
  • Process lists (ps, top)
  • System logs (/var/log)
  • Process information (/proc)

The typical workarounds have significant limitations:

# Bad practice - visible in history
$ darkcoind masternode start MySuperSecret123!

# Doesn't work - throws error
$ darkcoind masternode start

Method 1: Environment Variables

The most reliable approach that prevents exposure in all monitoring systems:

# Set the password temporarily
$ export MN_PASS=$(read -s -p "Password: " pass; echo $pass)

# Use it without exposure
$ darkcoind masternode start "$MN_PASS"

# Immediately unset
$ unset MN_PASS

Key advantages:

  • Never appears in shell history
  • Not visible in ps/top output
  • Not logged in /proc/[pid]/cmdline

Method 2: Named Pipes (For Advanced Users)

For maximum security on headless servers:

# Create a secure pipe
$ mkfifo /tmp/mnpipe

# In one terminal:
$ cat > /tmp/mnpipe
(Enter password, then Ctrl+D)

# In another terminal:
$ darkcoind masternode start "$(cat /tmp/mnpipe)"

# Clean up
$ rm /tmp/mnpipe

Method 3: Python Wrapper Script

Create a secure helper script:

#!/usr/bin/env python3
import getpass
import subprocess

password = getpass.getpass("Masternode password: ")
subprocess.run(["darkcoind", "masternode", "start", password], check=True)

Shell History Control

Add these to your ~/.bashrc:

# Don't record commands starting with space
export HISTCONTROL=ignorespace

# Or disable history entirely for sensitive operations
$ unset HISTFILE

Process Monitoring Prevention

For systems where you suspect monitoring:

# Using gdb to obscure arguments
$ gdb -ex 'call execvp("darkcoind", {"darkcoind", "masternode", "start", "pass", NULL})' -ex quit

For bitcoin-core and derivatives, consider these alternatives:

  1. Setup password-protected RPC with SSL
  2. Use cookie authentication (~/.bitcoin/.cookie)
  3. Implement IP whitelisting in bitcoin.conf

Example bitcoin.conf snippet:

rpcuser=secureusername
rpcpassword=$(openssl rand -hex 32)
rpcallowip=127.0.0.1
rpcssl=1

When dealing with daemon processes like darkcoind that require password authentication via command line, we face multiple security vectors:

$ darkcoind masternode start superSecretPassword123
# This leaves traces in:
# 1. ~/.bash_history
# 2. Process environment (visible via /proc)
# 3. System logs

Contrary to initial assumptions, the ps output shows only the main process:

$ ps aux | grep darkcoin
user 21626 0.6 0.3 1849716 130292 ? SLl May02 6:48 darkcoind -daemon

However, the real vulnerability lies in:

  • Shell history files (~/.bash_history, ~/.zsh_history)
  • Temporary files in /tmp
  • System auth logs (/var/log/auth.log)

Method 1: Using Environment Variables

$ export MN_PASS="superSecretPassword123"
$ darkcoind masternode start "$MN_PASS"
$ unset MN_PASS

Note: Still vulnerable via /proc/$PID/environ during execution.

Method 2: Input Redirection

$ darkcoind masternode start $(<passfile.txt)
# Or using process substitution:
$ darkcoind masternode start <(echo "password")

Method 3: Using Expect Scripts

#!/usr/bin/expect
spawn darkcoind masternode start
expect "Enter passphrase:"
send "actual_password\r"
expect eof

Method 4: Custom Wrapper with FIFO

#!/bin/bash
mkfifo /tmp/passfifo
chmod 600 /tmp/passfifo
echo "password" > /tmp/passfifo &
darkcoind masternode start $(cat /tmp/passfifo)
rm /tmp/passfifo

For production systems, consider this robust solution combining multiple techniques:

#!/bin/bash
# Secure password prompt wrapper
read -s -p "Enter MN Passphrase: " MN_PASS <<< "$(&2
MN_PASS=${MN_PASS//[^[:print:]]/}  # Sanitize input
HISTCONTROL=ignorespace darkcoind masternode start "$MN_PASS"
unset MN_PASS

Key security features:

  • read -s prevents terminal echo
  • HISTCONTROL=ignorespace prevents history logging
  • Input sanitization against special characters
  • Immediate unset of variable

For enterprise environments:

# Configure shell history to ignore commands with passwords
echo 'export HISTCONTROL=ignorespace' >> ~/.bashrc
echo 'setopt HIST_IGNORE_SPACE' >> ~/.zshrc  # For zsh users

# Secure history file permissions
chmod 600 ~/.bash_history
chattr +a ~/.bash_history  # Prevent deletion (Linux only)