views:

3088

answers:

5

I am working on Perl script that uses Expect to login via telnet to remote machines (don't ask, gotta use telnet). I also do perforce p4 login operations as necessary and use expect to pipe in the correct passwords. For now I just read passwords from clear text environment variable, i.e. export PASSWORD=password, which I know is no good security wise.

What's the best way to store passwords for scripts like these that need a lot of passwords for multiple systems? Encrypted in a text file somehow? Or something else?

Keep in mind I can't easily change the existing systems, like for example I can't really install SSH or anything like that.

+2  A: 

Since you're already using expect, you should look into being able to redirect a gpg -d on an encrypted file that contains your passwords. Storing passwords in a system environment variable is just plain wrong. The password that would be used to decrypt the gpg file would be entered on start then load all passwords from the file and run your stuff. Then you're done, so the passwords only exist in plaintext while the application is running.

Edit just as a side note, putting any passwords in a script is badness; remember that the script is just a plaintext file which makes seeing that password easy as anything. Likewise even applications that you compile can be reversed with "strings" which can look for strings that are contained in the code (usually passwords).

Suroot
So I assume you mean "GNU Privacy Guard", it doesn't look to exist on our boxes, as far as you know will gpg compile on HPUX and Solaris no problem?
Ville M
I'm not sure if GPG has Solaris and HPUX, however if they are *nix based boxes then I'm sure that there is a source for it.
Suroot
+7  A: 

Probably your best way is to put the passwords in a separate file, and lock the security for that file down so only you have read access. Unfortunately, if you store an encrypted password in your script, you'll also have to store the decryption method, so an attacker can run the decryption and recover your password.

lacqui
+1 It's the only logical solution unless you want to go with the "security through obscurity" route.
Outlaw Programmer
@lacqui - you could write the (en|de)cryption code in XS and compile it, and interface to it through Perl and (for security) not distribute the XS source with the standard module distribution. But even this isn't perfect.
Chris Lutz
+5  A: 

Why worry about the passwords in the script if you're using telnet? A presumptive attacker is going to find it as easy or easier to capture the data off the wire than off the remote machine, and there really isn't anything you could do about it in any case.

This sounds like a case of trying to put bars in the window and leaving the door swinging open.

MarkusQ
That is a very good point, I realize usage of telnet is bad idea, not mine ofcourse, but did not quite think in those terms. So are you really serious that I shouldnt' care? I guess I have to care because of code reviews etc, but interesting thought nonetheless.
Ville M
Document the reason in the code, push for a change in process, and document that in the code as well. Encrypting the password and then sending the clear text over telnet from a script is like using a code to write down your PIN number then just shouting across a room full of people you don't know.
MarkusQ
While I agree about telnet, just because the lock on the front door is broken doesn't mean you remove the locks on all the windows. What happens when you finally fix that front door lock?
Schwern
There is of course a balance. It sound to me like a shop with systemic bad practices trying to sprinkle a little pixie dust on the problem and call it done. That's why I advocate _documenting_ the problems, and making their interrelationship explicit. Only then can you fix them.
MarkusQ
To assess the scope the problem read into sniffing passwords in a segmented switched network. Not trivial, so I think encrypting passwords used in scripts still helps some. I did upvote your answer, it certainly got me thinking.Removing all telnet could be very expensive undertaking(millions).
Ville M
However, I should add, moving to SSH is happening here, just not overnight for all machines.
Ville M
+6  A: 

There was a very similar question earlier, see my answer to it.

In short, a human has to kick off the chain of trust. Everything else is obfuscation.

Schwern
A: 

I like the solution mentioned already of putting passwords in a separate file. In addition you could hash the actual passwords, much like whats done in /etc/passwd. Although you might use the same hash key for all of them depending on how your application. Obviously the drawback to this is someone has to enter the hashkey in order to run your script and thats not gonna work in a batch environment.

One place to start learning something about hashing is from this stackoverflow question

Eric Johnson