Automated processes

John M Church john.m.church at lmco.com
Fri Apr 7 21:56:05 CEST 2006


Qed,
Not sure if "mask the passphrase in a non-obvious way" does justice to 
encrypting it with a filter and strong algorithm - ref. 
<http://search.cpan.org/~beatnik/Filter-CBC-0.09/CBC.pm>.  Were you 
thinking I was only hiding it in clear text? 

In any event, I agree with you - access to my script should be extremely 
limited both from a permissions standpoint and location (firewall).

John_inDenver

Qed wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: RIPEMD160
>
>On 04/07/2006 04:16 PM, John M Church wrote:
>  
>
>>I think it's simplistic to just brush off this request as a user who
>>wants convenience.  There are very valid reasons for automated
>>decryption.  I'm working a similar project (and have my own issue - see
>>"Automated Decryption via Script Running Setuid" written 4/5/06).  Seems
>>to me if you protect your script and you are behind a firewall you're
>>not 'trading security for convenience'.
>>You can even encrypt the passphrase in your script if you're afraid
>>someone with sudo or root privileges could open your script.
>>    
>>
>???
>If you encrypt the passphrase in your script you still need a secure way
>to provide the key to decrypt it, same problem as providing the passphrase.
>Instead, if you meant "mask the passphrase in a non-obvious way",
>this solution offers no additional security, since that could be easily
>reversed having access to the script.
>- --
>
>  Q.E.D.
>
>ICQ UIN: 301825501
>OpenPGP key ID: 0x58D14EB3
>Key fingerprint: 00B9 3E17 630F F2A7 FF96  DA6B AEE0 EC27 58D1 4EB3
>Check fingerprints before trusting a key!
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.2.2 (GNU/Linux)
>
>iD8DBQFENpdgH+Dh0Dl5XacRAzugAJ4pW92ux9VYNp/wg8fYcWBdfcBVnACgib6v
>euCOOtD4KGRXjSjPmf5h0f0=
>=gVPv
>-----END PGP SIGNATURE-----
>
>
>_______________________________________________
>Gnupg-users mailing list
>Gnupg-users at gnupg.org
>http://lists.gnupg.org/mailman/listinfo/gnupg-users