No password in config file

2016-04-18 23:03:13 +09:00
parent b02b7c9081
commit 4d28de17b4
10 changed files with 117 additions and 34 deletions
--- a/commands/cmdutil.go
+++ b/commands/cmdutil.go
@@ -0,0 +1,21 @@
+package commands
+
+import (
+	"fmt"
+
+	"github.com/howeyc/gopass"
+)
+
+func getPasswd(prompt string) (string, error) {
+	for {
+		fmt.Print(prompt)
+		pass, err := gopass.GetPasswdMasked()
+		if err != nil {
+			return "", fmt.Errorf("Failed to read password")
+		}
+		if 0 < len(pass) {
+			return string(pass[:]), nil
+		}
+	}
+
+}
--- a/commands/discover.go
+++ b/commands/discover.go
@@ -111,9 +111,7 @@ subjectPrefix = "[vuls]"
 [default]
 #port        = "22"
 #user        = "username"
-#password    = "password"
 #keyPath     = "/home/username/.ssh/id_rsa"
-#keyPassword = "password"

 [servers]
 {{- $names:=  .Names}}
@@ -122,9 +120,7 @@ subjectPrefix = "[vuls]"
 host         = "{{$ip}}"
 #port        = "22"
 #user        = "root"
-#password    = "password"
 #keyPath     = "/home/username/.ssh/id_rsa"
-#keyPassword = "password"
 #cpeNames = [
 #  "cpe:/a:rubyonrails:ruby_on_rails:4.2.1",
 #]
--- a/commands/prepare.go
+++ b/commands/prepare.go
@@ -34,6 +34,9 @@ type PrepareCmd struct {
 	debug      bool
 	configPath string

+	askSudoPassword bool
+	askKeyPassword  bool
+
 	useUnattendedUpgrades bool
 }

@@ -55,7 +58,10 @@ func (*PrepareCmd) Synopsis() string {
 // Usage return usage
 func (*PrepareCmd) Usage() string {
 	return `prepare:
-	prepare [-config=/path/to/config.toml] [-debug]
+	prepare
+			[-config=/path/to/config.toml] [-debug]
+			[-ask-sudo-password]
+			[-ask-key-password]

 `
 }
@@ -68,6 +74,20 @@ func (p *PrepareCmd) SetFlags(f *flag.FlagSet) {
 	defaultConfPath := os.Getenv("PWD") + "/config.toml"
 	f.StringVar(&p.configPath, "config", defaultConfPath, "/path/to/toml")

+	f.BoolVar(
+		&p.askKeyPassword,
+		"ask-key-password",
+		false,
+		"Ask ssh privatekey password of target servers before scanning",
+	)
+
+	f.BoolVar(
+		&p.askSudoPassword,
+		"ask-sudo-password",
+		false,
+		"Ask sudo password of target servers before scanning",
+	)
+
 	f.BoolVar(
 		&p.useUnattendedUpgrades,
 		"use-unattended-upgrades",
@@ -78,14 +98,30 @@ func (p *PrepareCmd) SetFlags(f *flag.FlagSet) {

 // Execute execute
 func (p *PrepareCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface{}) subcommands.ExitStatus {
-	logrus.Infof("Start Preparing (config: %s)", p.configPath)
+	var keyPass, sudoPass string
+	var err error
+	if p.askKeyPassword {
+		prompt := "SSH key password: "
+		if keyPass, err = getPasswd(prompt); err != nil {
+			logrus.Error(err)
+			return subcommands.ExitFailure
+		}
+	}
+	if p.askSudoPassword {
+		prompt := "sudo password: "
+		if sudoPass, err = getPasswd(prompt); err != nil {
+			logrus.Error(err)
+			return subcommands.ExitFailure
+		}
+	}

-	err := c.Load(p.configPath)
+	err = c.Load(p.configPath, keyPass, sudoPass)
 	if err != nil {
 		logrus.Errorf("Error loading %s, %s", p.configPath, err)
 		return subcommands.ExitUsageError
 	}

+	logrus.Infof("Start Preparing (config: %s)", p.configPath)
 	target := make(map[string]c.ServerInfo)
 	for _, arg := range f.Args() {
 		found := false
--- a/commands/scan.go
+++ b/commands/scan.go
@@ -45,12 +45,15 @@ type ScanCmd struct {
 	cvssScoreOver    float64
 	httpProxy        string

-	useYumPluginSecurity  bool
-	useUnattendedUpgrades bool
-
 	// reporting
 	reportSlack bool
 	reportMail  bool
+
+	askSudoPassword bool
+	askKeyPassword  bool
+
+	useYumPluginSecurity  bool
+	useUnattendedUpgrades bool
 }

 // Name return subcommand name
@@ -71,6 +74,8 @@ func (*ScanCmd) Usage() string {
 		[-report-slack]
 		[-report-mail]
 		[-http-proxy=http://192.168.0.1:8080]
+		[-ask-sudo-password]
+		[-ask-key-password]
 		[-debug]
 		[-debug-sql]
 `
@@ -111,6 +116,20 @@ func (p *ScanCmd) SetFlags(f *flag.FlagSet) {
 	f.BoolVar(&p.reportSlack, "report-slack", false, "Slack report")
 	f.BoolVar(&p.reportMail, "report-mail", false, "Email report")

+	f.BoolVar(
+		&p.askSudoPassword,
+		"ask-sudo-password",
+		false,
+		"Ask sudo password of target servers before scanning",
+	)
+
+	f.BoolVar(
+		&p.askKeyPassword,
+		"ask-key-password",
+		false,
+		"Ask ssh privatekey password of target servers before scanning",
+	)
+
 	f.BoolVar(
 		&p.useYumPluginSecurity,
 		"use-yum-plugin-security",
@@ -129,14 +148,30 @@ func (p *ScanCmd) SetFlags(f *flag.FlagSet) {

 // Execute execute
 func (p *ScanCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface{}) subcommands.ExitStatus {
+	var keyPass, sudoPass string
+	var err error
+	if p.askKeyPassword {
+		prompt := "SSH key password: "
+		if keyPass, err = getPasswd(prompt); err != nil {
+			logrus.Error(err)
+			return subcommands.ExitFailure
+		}
+	}
+	if p.askSudoPassword {
+		prompt := "sudo password: "
+		if sudoPass, err = getPasswd(prompt); err != nil {
+			logrus.Error(err)
+			return subcommands.ExitFailure
+		}
+	}

-	logrus.Infof("Start scanning (config: %s)", p.configPath)
-	err := c.Load(p.configPath)
+	err = c.Load(p.configPath, keyPass, sudoPass)
 	if err != nil {
 		logrus.Errorf("Error loading %s, %s", p.configPath, err)
 		return subcommands.ExitUsageError
 	}

+	logrus.Infof("Start scanning (config: %s)", p.configPath)
 	target := make(map[string]c.ServerInfo)
 	for _, arg := range f.Args() {
 		found := false