views:

63

answers:

3

I'm looking at scripting parts of my workflow, which involves interacting with some web-services via SOAP and XML-RPC queries. I'm scripting using bash and python.

I need to authenticate against these web services, and I'd ideally like to do so

  • without having to type in my password for every request (typing it once per login would be fine)
  • without hardcoding it in my scripts
  • without storing it in plain text anywhere on disk
  • in a way which isn't specific to one flavour of Unix

The OS X keychain (via the 'security' command) is one possible solution for the Mac OS X case, but there are issues with using it from a script as noted in a related question, and I'm hoping for a more general solution.

A: 

Maybe a technique like ssh-agent.

nicerobot
Yeah that's the sort of technique I'm looking for. I'm hoping there are some existing tools that work in a similar way to ssh-agent, but for decrypting files or text.
mattbh
+1  A: 

I'll have a go at answering my own question.

I could do either or these, or a combination of both:

  1. Store the password in a file with 600 permissions on an encrypted partition
  2. Store the password in a file encrypted with a passphrase, and read that passphrase into an environment variable interactively, once for every shell I'll be calling the script from

Combining these approaches seems sufficiently paranoid.

mattbh
A: 

I'm trying to wrap my head around your architecture, so I'm not sure which thing you are trying to authenticate. Are you trying to: - check the web service caller - check the web service provider - both

And is the thing being authenticated a human using a program or the server itself?

And do you have to pass the service calls around and authenticate them at multiple points or is this strictly point to point?

And what is your assessment of risk? What bad stuff is the authentication preventing?

If you do your proposed #1, your authentication problem moves from the message to the server - if your server is physically protected and your authetication credentials to the OS are "strong enough" you're probably decently protected in where you've stored the password.

I'm confused on #2 - if you are reading in the passphrase interactively, why not read in the password interactively and not store the password at all? If the passphrase unlocks the password, handling the passphrase should be as careful as if you are handling the password.

The bigger concern with any password is where is it going, and how is it protected along the way. Using passwords within the web service will be risky if you are sending your web service messages in the clear. Also where are passwords checked on the other end, and how are they distributed to the server for storage for #1 and #2? This is just stuff to consider for any password based authentication mechanism.

Also - how often should passwords be changed and do you have a procedure for it?

And how much do you repeat the password? If you have exactly one password shared across every machine, the risk is much higher than a different password for each server/script or user, since you can disable them one at a time.

bethlakshmi
Thanks.It's point to point and low risk--my trusted dev machine to a trusted server via SSL.Trying to replace some daily browser based tasks with shell scripts, i.e. me -> script -(XML/RPC/SSL)-> JIRA. Yes, #2 doesn't help if done without #1--no better than reading the password in directly. I'll probably read the password in interactively into an shell variable at login -- seems okay for a trusted environment. I have to trust whatever I execute from that shell (which sees the environment). I don't think I can avoid this without involving signed applications (overkill for this case).
mattbh
So - mostly you're trying to be obstructive enough to keep non-privileged stuff from calling your interfaces, right? Mostly to keep the nuisance level down - not so much heavy duty data protection... then you are probably fine with what you've got.
bethlakshmi
Yeah that's absolutely right. Just want to make things more convenient without opening up any security holes on my own machine. Thanks again.
mattbh