Beefy Boxes and Bandwidth Generously Provided by pair Networks
laziness, impatience, and hubris

Re: How can a script use a password without making the password visible?

by shmem (Chancellor)
on Mar 01, 2017 at 13:45 UTC ( #1183282=note: print w/replies, xml ) Need Help??

in reply to How can a script use a password without making the password visible?

I'm sure this is a solved problem, but I can't think what the solution is.

Maybe it is, but I'm not aware of a reusable implementation of that solution...

Can the script request a password from another place without a coder who is editing the script being able to view the password?

In the near future I will have to implement something like that, my ideas so far:

  • script opens a secure connection to a secure password server (protocol irrelevant, ssl/http, ssl/soap, ssh, whatever) and keeps the connection open waiting for a response
  • server process opens a ssh connection to the machine of the supplicant, with pubkey authentication
  • server checks client process, uid, script checksum, open file descriptors etc to be sure this client is the right one to be answered - and that nobody tampers with or traces it
  • if checks are positive (checks are done against database entries on the server) the server emits the password to the client and closes the connection

That way it is the password server's duty to make sure it deals out credentials only to authorized clients. Every change to the client script, i.e. its checksum must be propagated to the server. While it is not impossible for a third party to get the password on the client's machine (which is always compromised in the view of the password server), it is much more difficult than reading a configuration file or the scripts source code.

Security stands and falls with the ability of the granting part to verify the integrity of the requesting part, which might be impossible. But any attempt is better than nothing. There's no limit to "paranoia" ;-)

perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'
  • Comment on Re: How can a script use a password without making the password visible?

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://1183282]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others scrutinizing the Monastery: (3)
As of 2019-04-20 09:07 GMT
Find Nodes?
    Voting Booth?
    I am most likely to install a new module from CPAN if:

    Results (108 votes). Check out past polls.

    • (Sep 10, 2018 at 22:53 UTC) Welcome new users!