PerlMonks  

I'm sure this is a solved problem, but I can't think what the solution is.

Maybe it is, but I'm not aware of a reusable implementation of that solution...

Can the script request a password from another place without a coder who is editing the script being able to view the password?

In the near future I will have to implement something like that, my ideas so far:

  • script opens a secure connection to a secure password server (protocol irrelevant, ssl/http, ssl/soap, ssh, whatever) and keeps the connection open waiting for a response
  • server process opens an ssh connection to the machine of the supplicant, with pubkey authentication
  • server checks client process, uid, script checksum, open file descriptors etc. to be sure this client is the right one to be answered - and that nobody tampers with or traces it
  • if checks are positive (checks are done against database entries on the server) the server emits the password to the client and closes the connection

That way it is the password server's duty to make sure it deals out credentials only to authorized clients. Every change to the client script, i.e. its checksum, must be propagated to the server. While it is not impossible for a third party to get the password on the client's machine (which is always compromised in the view of the password server), it is much more difficult than reading a configuration file or the script's source code.

Security stands and falls with the ability of the granting part to verify the integrity of the requesting part, which might be impossible. But any attempt is better than nothing. There's no limit to "paranoia" ;-)

perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'

In reply to Re: How can a script use a password without making the password visible? by shmem
in thread How can a script use a password without making the password visible? by Cody Fendant
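
The server-side release decision from the scheme in the post above, as an added example that is not part of shmem's post. The host name, path, uid, the `tracer_pid` field and the sample secret are constructed assumptions, and the facts passed in are assumed to have been gathered by the server over its own ssh connection.

```perl
# Added example; every name, path, uid and the secret below is constructed.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Constructed script contents, standing in for what the server reads back itself.
my $registered_script = "#!/usr/bin/perl\nprint qq(nightly report\\n);\n";
my $edited_script     = $registered_script . "warn \$password;\n";

# Server-side database: one row per client allowed to receive a credential.
my %registry = (
    'batchhost:/opt/jobs/report.pl' => {
        uid    => 1501,
        sha256 => sha256_hex($registered_script),
        secret => 'EXAMPLE-ONLY-PASSWORD',
    },
);

# Compare two strings without returning early at the first differing byte.
sub same_digest {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns (secret, 'ok') or (undef, reason); inputs are the server's own observations.
sub release_secret {
    my (%seen) = @_;
    my $row = $registry{"$seen{host}:$seen{path}"}
        or return (undef, 'unknown client');
    return (undef, 'uid mismatch') unless $seen{uid} == $row->{uid};
    return (undef, 'checksum mismatch')
        unless same_digest(sha256_hex($seen{content}), $row->{sha256});
    return (undef, 'process is being traced') if $seen{tracer_pid};
    return ($row->{secret}, 'ok');
}

my %base = (host => 'batchhost', path => '/opt/jobs/report.pl', uid => 1501);
for my $case (
    [ 'registered script', $registered_script, 0 ],
    [ 'edited script',     $edited_script,     0 ],
    [ 'traced process',    $registered_script, 4242 ],
) {
    my ($label, $content, $tracer) = @$case;
    my ($secret, $why) = release_secret(%base, content => $content, tracer_pid => $tracer);
    printf "%-18s %s (%s)\n", $label, defined $secret ? 'released' : 'refused', $why;
}
```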
