[1072] in linux-net channel archive
Re: Rewrite DIP-337n-inaky to handle script file encryption
daemon@ATHENA.MIT.EDU (Alec Muffett)
Sun Sep 10 04:18:30 1995
Date: Thu, 7 Sep 1995 14:10:05 +0100
From: Alec.Muffett@UK.Sun.COM (Alec Muffett)
To: raju@xgroup.ernet.in, scrain@goddard.shore.net
Cc: linux-net@vger.rutgers.edu, linux-apps@vger.rutgers.edu
>> - Passing the password as an environment variable will work OK for
>> running DIP through an unattended shell script (give the password once
>> at startup).
Bad idea: "ps -auxwwe"
                    ^--- dump env variables option
Passwords should *only* be transmitted between processes through file
I/O operations (read/write) - and one should take care that they don't
hang around in memory buffers in case a core dump is taken, and the
secret leaks out that way.
>> Can an equally easy method of handling it through cron
>> jobs be devised?
Not really - it's not recommended.
>> - I had envisaged PGP encryption for the script file. Is this a Good
>> Idea? What are the alternatives?
There aren't really any that I can see that are worth a damn; at best
you're obfuscating the text of the password so that it can't be
casually glimpsed.
There isn't really a neat solution to the problem of leaving a password
(or other sensitive file) around in the filestore, on the grounds that
if you encrypt it, for an automatic process to work, you must leave the
encryption key around on the filestore too.
Catch 22.
Same thing goes for PGP et al, if you think about it.
- alec
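
The handling recommended in the message above, as an added example that is not part of the original post or of DIP: the secret arrives on a file descriptor instead of the environment, core dumps are switched off, and the buffer is wiped after use. The names `disable_core_dumps`, `scrub` and `read_secret` and the 128-byte buffer are hypothetical.

```c
/* Added example; function names and buffer size are hypothetical. */
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* Forbid core files so a crash cannot write the secret to disk. */
int disable_core_dumps(void)
{
    struct rlimit none = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &none);
}

/* Zero a buffer through a volatile pointer so the stores are not optimised away. */
void scrub(void *p, size_t n)
{
    volatile unsigned char *b = p;
    while (n--) *b++ = 0;
}

/* Read one line (newline dropped) with unbuffered read(2), so no stdio
 * buffer keeps a second copy. Returns length, or -1 on error/overflow. */
ssize_t read_secret(int fd, char *buf, size_t cap)
{
    size_t len = 0;
    ssize_t r = -1;
    char c = 0;
    while (cap > 0 && (r = read(fd, &c, 1)) == 1 && c != '\n') {
        if (len + 1 >= cap) {       /* does not fit */
            r = -1;
            break;
        }
        buf[len++] = c;
    }
    if (r < 0) {                    /* read error, overflow or cap == 0 */
        scrub(buf, cap);
        return -1;
    }
    buf[len] = '\0';
    return (ssize_t)len;
}

int main(void)
{
    char pw[128];
    if (disable_core_dumps() != 0 || read_secret(STDIN_FILENO, pw, sizeof pw) < 0)
        return 1;
    /* ... use pw for the login step here ... */
    scrub(pw, sizeof pw);
    return 0;
}
```

As the message says, this only narrows where the secret can leak from a running process; whatever file or pipe feeds the descriptor still has to hold the password in usable form.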