Re: script credentials

On 2010-03-02 Wimpie du Plessis wrote:
On 02 Mar 2010, at 12:37 AM, Ansgar Wiechers wrote:
On 2010-03-01 jason.gerfen@xxxxxxxxx wrote:
If your working with perl and are worried about exposing your password
through a config file (which you could limit access through with the
proper permissions), or as noted above in regards to exposing the
username, password information through arguments then you might want
to utilize an encrypted version of the password within the config
file. Take a look at the mcrypt perl module as it would handle it
easily for you:

What exactly is that supposed to solve? The OP's script would need to
decrypt the credentials in order to authenticate against the database.
Meaning that he'd need *another* password/key to do that. Which would
have to be stored somewhere as well.

Have a look at the following product. we are busy implementing it and
second phase will be to get rid of clear text password stored in
scripts etc.

How exactly is that supposed to get you around the bootstrapping

If stored credentials are encrypted you *must* decrypt them somehow, so
that a script can pass them to the requesting application. Meaning that
you have to somehow supply *another* password or key for the decryption
process. Which has to be stored somewhere if that's supposed to happen

Wrapping the problem in additional layers of code (which most likely
will contain vulnerabilities of their own) is not going to magically
make the issue go away.

Ansgar Wiechers
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.;4175;25;1371;0;5;946;e13b6be442f727d1