[1066] in linux-net channel archive
Re: Rewrite DIP-337n-inaky to handle script file encryption
daemon@ATHENA.MIT.EDU (Steven P. Crain)
Thu Sep 7 01:58:14 1995
Date: Wed, 6 Sep 1995 13:06:31 -0400 (EDT)
From: "Steven P. Crain" <scrain@goddard.shore.net>
To: raju@xgroup.ernet.in
cc: linux-net@vger.rutgers.edu, linux-apps@vger.rutgers.edu
In-Reply-To: <m0spQmC-000CBSC@gratis.xgroup.ernet.in>
On Mon, 4 Sep 1995, Raj Mathur wrote:
> DIP is very nice except for a minor irritant -- I hate to see
> unencrypted passwords lying around in script files. I agree that the
> user can be prompted to enter the login and password once the
> connection is made, but that won't work for an unattended shell script
> or cron job. To take care of this problem I'm proposing to do a bit of
> rewriting which allows DIP to handle encrypted script files, with the
> pass{word,phrase} to be given once by the user (perhaps as an
> environment variable). Subsequently when DIP starts up (with the new
> -d option?) it uses this password to decrypt the script file and runs
> it.
>
> Going through the source code the easiest method seemed to be to
> modify do_command so that it reads commands from memory rather than a
> file (is anyone really worried about loading a whole script file into
> memory?). Then the calling routine (main, I think) can be fixed so
> that it decrypts and loads the script into memory if decryption is
> required, otherwise it can just open the file and mmap it.
>
> Some issues which have arisen out of my preliminary thoughts on this
> topic are:
>
> - Has anybody already done this?
>
> - Is anybody except me really interested in such a feature?
>
> - Passing the password as an environment variable will work OK for
> running DIP through an unattended shell script (give the password once
> at startup). Can an equally easy method of handling it through cron
> jobs be devised?
>
> - I had envisaged PGP encryption for the script file. Is this a Good
> Idea? What are the alternatives?
>
> - (Asked earlier) Does anyone use scripts so large that loading them
> completely into memory could become an issue?
>
> Feedback welcome; flames > /dev/null.
>
> -- Raju
> --
> Raj Mathur, The X Group, New Delhi, India
> PGP: Fingerprint: F2 D4 4A 21 27 B0 63 FF 15 97 9D AE 9D 40 BC B8
> 2.6.i Key: finger raju@arbornet.org
> It is the mind that moves.
>
I wonder if you can come up with a way to do this that can be used more
generally, perhaps with most programs that access security-important files.
Steven P. Crain scrain@goddard.shore.net
------------------------------------------------------------------------------
Assistant for Library Automation
Goddard Library http://www.shore.net/~goddard
Gordon-Conwell Theological Seminary gopher://gopher.shore.net/members/anderson
------------------------------------------------------------------------------
I am Colonel Klemmens Lothar Wenzel Friedrich Conrad,
Freiherr von Uegelpflaetz.
I am Pondering Owl, or Steve{,n,n P.} {,Crain}.
But I am definitely *not* Mr. Crain.