Beefy Boxes and Bandwidth Generously Provided by pair Networks
Clear questions and runnable code
get the best and fastest answer
 
PerlMonks  

PPM behind firewall - security concern

by pg (Canon)
on Jan 14, 2004 at 05:02 UTC ( #321190=perlquestion: print w/ replies, xml ) Need Help??
pg has asked for the wisdom of the Perl Monks concerning the following question:

Today I tried to install DBI in my company PC thru PPM. At beginning it didn't work, as I was behind the firewall. After read some document, I figured it out. In order to use PPM behind firewall, I have to set three environment variables. One of them is HTTP_proxy_pass.

I feel really uncomfortable to put my password in an environment variable. Now anyone sitting in front of PC can find it out.

I did a little bit investigation, and now I think the piece of code that uses those environment variables is PPM::Repository, and that's where the UserAgent is created and credential is encoded.

I am thinking of modify that module a little bit. Instead of using environment variable, just ask for credential on fly.

Before I go ahead, I want to make sure that I am doing the right thing. Is there a more secure way of using PPM behind firewall that I don't know? If I go modify it, I probably will use Tk (not change the entire application to Tk, but just pop up a dialog box asking for credential.), any other suggestion?

Comment on PPM behind firewall - security concern
•Re: PPM behind firewall - security concern
by merlyn (Sage) on Jan 14, 2004 at 05:07 UTC
    I'm hoping that your "HTTP firewall proxy" password has nothing to do with any other password for you, because it can be sniffed trivially anyway, unless you only do SSL connections.

    If you aren't doing SSL, locking your HTTP password in to your box is no less secure than typing it directly.

    And I really don't understand why net admins set up firewalls that require firewall passwords, unless all the traffic is encrypted. Oh well.

    -- Randal L. Schwartz, Perl hacker
    Be sure to read my standard disclaimer if this is a reply.

      I really don't understand why net admins set up firewalls that require firewall passwords

      Do not use common sense. This is not really for security, but to controll who is allowed to go through the firewall. The bigger a company the more hierarchies and privileges are to be considered. And allowed internet access is a kind of stripe on your shoulder. Another similar thing are mail atttachements, nothing, only pictures, documents, archives, etc. So these firewalls' purpose is more to secure the internet against the employees ;-)

      Nevertheless, it makes sense to allow only those user groups internet access, who need it. Others can go to the company's internet caffee for safe private access. This lowers the risk of external damage done to the internal network. BTW we are a bank with a software department.

      Update: fixed typo

      And it came to pass that in time the Great God Om spake unto Brutha, the Chosen One: "Psst!"
      (Terry Pratchett, Small Gods)

          This is not really for security, but to controll who is allowed to go through the firewall. The bigger a company the more hierarchies and privileges are to be considered. And allowed internet access is a kind of stripe on your shoulder. Another similar thing are mail atttachements, nothing, only pictures, documents, archives, etc. So these firewalls' purpose is more to secure the internet against the employees ;-)
        In fairness, both these measures, proxy passwords and limiting outbound attachments, can help to isolate system compromises inside your corporate network. Once your network is compromised, measures like these can help stop the infected systems from turning on systems on the outside of your network to infect them.
Re: PPM behind firewall - security concern
by Roger (Parson) on Jan 14, 2004 at 05:12 UTC
    Hi pg I thought you could fetch the package binary with a browser and install it locally with PPM?

        Yes, good idea. Of course, this isn't any more secure (and his problem was one of security), since his password to the proxy has already been sniffed :)

        Seeing security is already weak, I'd just permanently set the http_proxy_password variable in the Windows settings (right click on "My Computer") and not worry about it.

Re: PPM behind firewall - security concern
by Daruma (Curate) on Jan 14, 2004 at 07:06 UTC
    Greetings!

    I found the same scenario in my workplace. Unfortunately, I think this is pretty common.

    I usually open a DOS (CMD) Window and

    set HTTP_proxy_pass=firewallpassword
    before kicking off ppm within the same window. Note that I already have HTTP_proxy and HTTP_proxy_user set up in my environment. I felt uncomfortable putting any password in a file like this. I agree that a quick Perl/Tk application to prompt the user and kick off PPM would work nicely in this situation.

    Daruma
Re: PPM behind firewall - security concern
by inman (Curate) on Jan 14, 2004 at 09:19 UTC
    PPM is run from a batch file (on Windows at least). You can edit this file to set the relavent variables. Just add the proxy related variables e.g. SET HTTP_proxy=http://myproxy:8080 lines at the beginning of the ppm batch file. The variable is only set for the batch file.
Re: PPM behind firewall - security concern
by tachyon (Chancellor) on Jan 14, 2004 at 12:43 UTC

    Why on earth use Tk? You are at the command line typing already so why would you not just insert....

    print "Firewall Password "; chomp(my $password = <>);

    cheers

    tachyon

      Or if you don't want to read your password on the screen use:
      use Term::ReadKey; print "Enter PASSWORD: "; ReadMode 'noecho'; my $line = <STDIN>; chomp($line); ReadMode 'normal'; print "\n";
      This works even on a windoze console.

      And it came to pass that in time the Great God Om spake unto Brutha, the Chosen One: "Psst!"
      (Terry Pratchett, Small Gods)

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://321190]
Approved by Roger
Front-paged by ysth
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others examining the Monastery: (9)
As of 2014-12-20 02:31 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (95 votes), past polls