
Mailing List Archive: Cisco: VOIP

OT: storing passwords securely in unix scripts

 

 



lelio at uoguelph

Mar 2, 2012, 2:09 PM

Post #1 of 8 (697 views)
OT: storing passwords securely in unix scripts

this group is a smart bunch of cookies. anyone have any idea how to securely store passwords on unix/linux so that i can run scripts that require passwords?

until Cisco builds SSH key pair recognition (or is it there already? ;), this seems like the only option.

i don't want to be storing passwords in plain text regardless of how secure the directory might be. or at least avoid it if at all possible.

thoughts?

---
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (ANNU)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Cooking with unix is easy. You just sed it and forget it.
- LFJ (with apologies to Mr. Popeil)


MLoraditch at heliontechnologies

Mar 2, 2012, 2:45 PM

Post #2 of 8 (669 views)
Re: OT: storing passwords securely in unix scripts [In reply to]

I may be thinking about this wrong, but if they aren't in plain text how is your script going to be able to use them? As far as I know you'd have to supply them back to the device in plain text which means they'd need to be some sort of decryptable encryption anyway which just puts you into security by obscurity mode. That may be enough for you but seems redundant to me and an extra step if the file the script is using is properly secured file permission wise.


Matthew G. Loraditch - CCVP, CCNA, CCDA

1965 Greenspring Drive
Timonium, MD 21093

voice. 410.252.8830
fax. 410.252.9284

Twitter<http://twitter.com/heliontech> | Facebook<http://www.facebook.com/#!/pages/Helion/252157915296> | Website<http://www.heliontechnologies.com/> | Email Support<mailto:support [at] heliontechnologies?subject=Technical%20Support%20Request>
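
The file-permission approach described in the post above, as an added example that is not part of the original thread: the password stays out of the script, and the script refuses to read it unless the file is a regular file owned by the current user with no group or other access. The function names and the path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and paths are
# hypothetical. The password lives outside the script, in a file that only
# the script's own user can read; the script refuses to run otherwise.

# Print "<octal mode> <owner uid>" for a file (GNU stat, then BSD stat).
file_mode_owner() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1" 2>/dev/null
}

# Return 0 only if the file is a regular file (not a symlink), owned by the
# current user, with no permission bits set for group or others.
check_secret_file() {
    csf_file=$1
    if [ -L "$csf_file" ] || [ ! -f "$csf_file" ]; then
        echo "refusing $csf_file: not a regular file" >&2
        return 1
    fi
    csf_info=$(file_mode_owner "$csf_file") || return 1
    csf_mode=${csf_info% *}
    csf_owner=${csf_info#* }
    if [ "$csf_owner" != "$(id -u)" ]; then
        echo "refusing $csf_file: owned by uid $csf_owner" >&2
        return 1
    fi
    # 077 masks the group and other bits: 600 and 400 pass, 640 and 644 fail.
    if [ $(( 0$csf_mode & 077 )) -ne 0 ]; then
        echo "refusing $csf_file: mode $csf_mode allows group/other access" >&2
        return 1
    fi
    return 0
}

# Print the first line of the file, but only after the checks pass.
read_secret() {
    check_secret_file "$1" || return 1
    IFS= read -r rs_value < "$1" || [ -n "$rs_value" ] || return 1
    printf '%s' "$rs_value"
}

# Typical use inside a script (hypothetical path):
#   DEVICE_PASS=$(read_secret "$HOME/.voip_device_pass") || exit 1
```

This does not encrypt anything; it only enforces the file permissions, so root and anyone who can run code as the owning user can still read the password.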


ewellnitzvoip at gmail

Mar 2, 2012, 3:05 PM

Post #3 of 8 (673 views)
Re: OT: storing passwords securely in unix scripts [In reply to]

It depends.

Basic CUCM user/password combos are in a base 64 encoding so you could store that somewhere but I'm not sure how secure that would be.

You could also look into encryption algorithms where your script could decode the stored value.

Problem with either one lies in the fact anyone with access to your code could easily figure out the user/password combination. That is the downfall of scripts instead of a language which compiles a nebulous .exe.



lelio at uoguelph

Mar 2, 2012, 3:07 PM

Post #4 of 8 (672 views)
Re: OT: storing passwords securely in unix scripts [In reply to]

honestly, i never thought that far ahead. i was hoping i could write the script and then somehow convert it to a binary or encrypted file itself so you couldn't read it, but you could still execute it.

---
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (ANNU)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Cooking with unix is easy. You just sed it and forget it.
- LFJ (with apologies to Mr. Popeil)




lelio at uoguelph

Mar 2, 2012, 3:09 PM

Post #5 of 8 (671 views)
Re: OT: storing passwords securely in unix scripts [In reply to]

i'd settle for a nebulous .exe file.

i'm searching for compilers of scripts to see what i get. i shudder at the thought of writing something in C--.

---
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (ANNU)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Cooking with unix is easy. You just sed it and forget it.
- LFJ (with apologies to Mr. Popeil)




lelio at uoguelph

Mar 2, 2012, 3:14 PM

Post #6 of 8 (671 views)
Re: OT: storing passwords securely in unix scripts [In reply to]

you know it's time to go home when you want to read more about this unix utility called 'shc' that is supposed to compile these scripts for you and the first hit on google for shc is....

Spontaneous human combustion - Wikipedia, the free encyclopedia



---
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (ANNU)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Cooking with unix is easy. You just sed it and forget it.
- LFJ (with apologies to Mr. Popeil)




Eric.Butcher at cdw

Mar 2, 2012, 6:28 PM

Post #7 of 8 (679 views)
Re: OT: storing passwords securely in unix scripts [In reply to]

Store them with reversible encryption in a 3rd party database with a web app that responds to requests from the UCCX environment. Set the web app up so it only responds to the UCCX server address.

Use an http request from the script to request the username and password, have the script reverse the encryption (JAVA?) after it receives it from the web response, and then use that to log on to the UCCX repository.

I realize this is absurd, but UCCX doesn't have MLA, which is also absurd. If it did have MLA, and the script had a special string type "Password" that at least masked the password in the box in a half way secure way, you could have repository manager roles and you could store the credentials to that user role in the script semi-secure.

Or, even better, they could just make uploads to repositories directly from scripts being run on the local box NOT require authentication at all.

There are a million ways for the BU / Developers to fix this. Until then you pretty much have to backflip through flaming hoops or just store the password in plain text. :)



Eric Butcher

Cisco Unified Communications Engineer
CDW Professional Services

11711 N Meridian, Ste 225

Carmel, IN 46032
317.569.4282 - Single Number Reach
eric.butcher [at] cdw

http://www.cdw.com/





wsisk at cisco

Mar 4, 2012, 7:28 AM

Post #8 of 8 (672 views)
Re: OT: storing passwords securely in unix scripts [In reply to]

Agreed, this is a pain. I've tried many things, none of which are very elegant. Your phraseology triggered a new idea though -
store the password in a file that is only accessible with a key. This could be a disk image or an ssh session to a location that has the information where ssh authentication uses key pairs.

it's still not pretty but it's possibly less ugly.

/wes

