|P is for Practical|
Storing credentials in a cross-platform binary file?by Anonymous Monk
|on Sep 11, 2008 at 19:48 UTC||Need Help??|
Anonymous Monk has asked for the
wisdom of the Perl Monks concerning the following question:
Looking for some wisdom here: I have a mandate (due to SOx and other audit requirements) to get DB, LDAP, web service, and other usernames/passwords out of my code and into a local file. Essentially if my code needs a set of credentials to access some service, those credentials should be stored in a separate file not subject to version control and not in the path of the web server. Further, those credentials should be encrypted in such a way that the calling script(s) can read them, but should the file fall into the wrong hands the passwords aren't easily recoverable.
Here is the difficulty: I need to be able to share this file across a linux server, two Windows Server 2003 servers, and two Solaris 8 servers without having to manually generate it on each architecture (which eliminates DBM). For futher difficulty I do not have access to compilers on the Solaris servers, so using a XML solution is right out as I can't compile Expat and do not have root access to install sun freeware packages. Additionally, I'd like the files to be binary to discourage casual browsing/modification from other team members who might fiddle with the file with good intentions but not understanding what they're doing.
So here are my current thoughts: Create a module to wrap around an SQLite DB. SQLite is available on all of the platforms, and the DB file itself is guaranteed to be portable (according to SQLite docs). I can add new credentials to the DB on one server and distribute the DB file to the others without having to modify it. I can use an encryption module to store the password before it goes in the DB file, so that meets the encryption requirement. However I can't help but think an SQL engine is overkill for this.
Next option would be similar to above but wrap around an SDM_File instead. Gotchas here would be the length restriction of the DBM files, and is SDM_File always going to be portable across environments? And is it reliable?
There are obviously plenty of other options, such as rolling my own binary file format or using some sort of obfuscated text or ini-file format.. But again with text I'm afraid others with access to the server might be tempted to tinker with the file.
Does anyone know of solutions for this that might already exist in CPAN? The closest I can find is DBIx::Password, but as far as I can tell the credentials are stored in plain text in perl modules, and this would not help for web services, LDAP, etc.