How can I encrypt or hide passwords in a Perl scri

2019-03-26 14:33发布

问题:

I am working on Perl script that uses Expect to login via telnet to remote machines (don't ask, gotta use telnet). I also do perforce p4 login operations as necessary and use expect to pipe in the correct passwords. For now I just read passwords from clear text environment variable, i.e. export PASSWORD=password, which I know is no good security wise.

What's the best way to store passwords for scripts like these that need a lot of passwords for multiple systems? Encrypted in a text file somehow? Or something else?

Keep in mind I can't easily change the existing systems, like for example I can't really install SSH or anything like that.

回答1:

Probably your best way is to put the passwords in a separate file, and lock the security for that file down so only you have read access. Unfortunately, if you store an encrypted password in your script, you'll also have to store the decryption method, so an attacker can run the decryption and recover your password.



回答2:

There was a very similar question earlier, see my answer to it.

In short, a human has to kick off the chain of trust. Everything else is obfuscation.



回答3:

Why worry about the passwords in the script if you're using telnet? A presumptive attacker is going to find it as easy or easier to capture the data off the wire than off the remote machine, and there really isn't anything you could do about it in any case.

This sounds like a case of trying to put bars in the window and leaving the door swinging open.



回答4:

Since you're already using expect, you should look into being able to redirect a gpg -d on an encrypted file that contains your passwords. Storing passwords in a system environment variable is just plain wrong. The password that would be used to decrypt the gpg file would be entered on start then load all passwords from the file and run your stuff. Then you're done, so the passwords only exist in plaintext while the application is running.

Edit just as a side note, putting any passwords in a script is badness; remember that the script is just a plaintext file which makes seeing that password easy as anything. Likewise even applications that you compile can be reversed with "strings" which can look for strings that are contained in the code (usually passwords).



回答5:

On the off chance that you're using Mac OS X, I found this nifty way to grab usernames and passwords from your Keychain.

Update: The link seems to be broken as of July 22, 2013. The following bash code snippet shows how I use the technique (to download iTunes sales data):

domain="itunesconnect.apple.com"
user="user@example.com"
pass=$(security find-internet-password -ws $domain -a $user)


回答6:

I like the solution mentioned already of putting passwords in a separate file. In addition you could hash the actual passwords, much like whats done in /etc/passwd. Although you might use the same hash key for all of them depending on how your application. Obviously the drawback to this is someone has to enter the hashkey in order to run your script and thats not gonna work in a batch environment.

One place to start learning something about hashing is from this stackoverflow question