Re: script credentials



On 2010-03-02 Wimpie du Plessis wrote:
On 02 Mar 2010, at 12:37 AM, Ansgar Wiechers wrote:
On 2010-03-01 jason.gerfen@xxxxxxxxx wrote:
If your working with perl and are worried about exposing your password
through a config file (which you could limit access through with the
proper permissions), or as noted above in regards to exposing the
username, password information through arguments then you might want
to utilize an encrypted version of the password within the config
file. Take a look at the mcrypt perl module as it would handle it
easily for you: http://search.cpan.org/dist/MCrypt/MCrypt.pm

What exactly is that supposed to solve? The OP's script would need to
decrypt the credentials in order to authenticate against the database.
Meaning that he'd need *another* password/key to do that. Which would
have to be stored somewhere as well.

Have a look at the following product. we are busy implementing it and
second phase will be to get rid of clear text password stored in
scripts etc.
http://www.e-dmzsecurity.com/tpam-apm.html

How exactly is that supposed to get you around the bootstrapping
problem?

If stored credentials are encrypted you *must* decrypt them somehow, so
that a script can pass them to the requesting application. Meaning that
you have to somehow supply *another* password or key for the decryption
process. Which has to be stored somewhere if that's supposed to happen
automatically.

Wrapping the problem in additional layers of code (which most likely
will contain vulnerabilities of their own) is not going to magically
make the issue go away.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



Relevant Pages

  • Re: Analysis Services Command line
    ... You will see that there is a switch to supply a config file. ... variable and then have the DDL task take the script from the variable. ... I am learning to use the DTEXEC. ... >> Within an IS package there is a new task called Execute Analysis Services ...
    (microsoft.public.sqlserver.olap)
  • Re: Why not XML based configurationfiles?
    ... >>I still have yet to see your working shell script that can parse XML ... Sure one might need to parse a config file in a shell script "for ... the XML file directly or make heavy use of cfg-tool. ...
    (comp.os.linux.misc)
  • Re: Whereis Kernel? & Why Debian "KDE" freezing?
    ... > There is no config file in. ... Thats not a Script, thats the kernel. ... your KDE is unstable. ...
    (alt.linux)
  • Re: Bash/Shell scripting practices/conventions
    ... I just finished my first bigger bash script and I want to upload it to ... To check whether a command (here 'fold') is executable, ... If a config file exists at the default position, ...
    (comp.unix.shell)
  • loadtimes script
    ... Here is the script and a sample config file. ... # parts of the process the transition was between. ... TransitionFromProcessRef (VARCHAR) "%s" ...
    (comp.programming)