Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: clear-text passwords in shell/perl scripts

from [Paul Johnston] Network Security [Permanent Link]
Subject: Re: clear-text passwords in shell/perl scripts
Date: Wed, 23 Mar 2005 09:45:07 +0000 
Hi,

This is a classic problem. One thing I've noticed is that storing the password in a separate file is definitely better than in the source code, keeping the secret stuff in one place. Aside from that, I can think of a couple of potential approaches, although I've not tried either:

1) Use an authentication mode that is based on the OS users that calls the database, not passwords. Most databases do support such a mode, although only for local connections.

2) I believe some operating systems support a per-user encrypted area, based on the user's password. This would at least protect the password on the disk, although manual intervention is required on reboot.

Regards,

Paul



Jeff Robertson wrote:

Say that a perl script needs access to a database, and access to this
database requires a password. The script needs to run automatically with no
human intervention, so it is not possible to prompt a user to enter the
password at run time. This means that the password must either be in the
script itself or in a file readable by the script.

I have been asked what can be done to protect this password from falling
into the wrong eyes. My recommendation is to tightly control read
permissions to the script and/or the file that contains the password. Make
the file owned by a special-purpose user who only exists to run this script,
and chmod it to 600. That sort of thing.

It has been suggested to encrypt the password. Since the script needs to get
the clear text of the passwords in order to use them, this will need to be
symmetric encryption and the script will need to have the key available,
presumably stored in yet another file. As there would be no way to keep the
key from being stolen other than to use the file permissions that were being
relied on previously, you've just increased the complexity of the system
without actually making it any more secure. This is bad. You'd be better off
sticking with the simpler solution, since the security is the same either
way.

Can anyone either refute or provide further points in support of my stance
on this?

Jeff Robertson
Manager of Web Application Security
Digital Insight





--
Paul Johnston, GSEC
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul@westpoint.ltd.uk
web: www.westpoint.ltd.uk

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Web security breach changes the lives of 119 people, Peter Conrad
Next by Date:  Antwort: Re: clear-text passwords in shell/perl scripts, Carsten Kuckuk
Previous by Thread:  Re: clear-text passwords in shell/perl scripts, Liran Cohen
Next by Thread:  RE: clear-text passwords in shell/perl scripts, Griffiths, Ian
Indexes:  [Date] [Thread] [Top] [All Lists]