John M Church
john.m.church at lmco.com
Fri Apr 7 21:56:05 CEST 2006
Not sure if "mask the passphrase in a non-obvious way" does justice to
encrypting it with a filter and strong algorithm - ref.
<http://search.cpan.org/~beatnik/Filter-CBC-0.09/CBC.pm>. Were you
thinking I was only hiding it in clear text?
In any event, I agree with you - access to my script should be extremely
limited both from a permissions standpoint and location (firewall).
>On 04/07/2006 04:16 PM, John M Church wrote:
>>I think it's simplistic to just brush-off this request as a user who
>>wants convenience. There are very valid reasons for automated
>>decryption. I'm working a similar project (and have my own issue - see
>>"Automated Decryption via Script Running Setuid" written 4/5/06). Seems
>>to me if you protect your script and you are behind a firewall you're
>>not 'trading security for convenience'.
>>You can even encrypt the passphrase in your script if you're afraid
>>someone with sudo or root privileges could open your script.
>If you encrypt the passphrase in your script you still need a secure way
>to provide the key to decrypt it, same problem as providing the passphrase.
>Instead, if you meant "mask the passphrase in a non obvious way",
>this solution offers no additional security, since that could be easily
>reversed having access to the script.
>ICQ UIN: 301825501
>OpenPGP key ID: 0x58D14EB3
>Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3
>Check fingerprints before trusting a key!