[Omaha.pm] cisco vpn script

Jay Hannah jay at jays.net
Tue Nov 9 11:56:55 CST 2004


On Nov 8, 2004, at 11:35 PM, Terry wrote:
> <<BRAINDUMP;
> One could argue about storing your VPN password in a script
> file....wonder if you could store it differently.....has to be passed
> to vpnclient in the clear.....can't reverse a hash....mmm...
> BRAINDUMP
>
>
> #!/usr/bin/perl
>
> use Expect;
>
> $username = 'terry';
> $password = 'password';

Ahh, Expect.pm. I have a soft spot for it. -sniff!- -grin-

Our passwords are in the clear in our source code too. I don't know how 
to really get around that. Sure, you can obfuscate the heck out of it, 
but you can't really make it unbreakable or you won't be able to use 
it. -grin-

chmod your source unreadable by untrusted accounts, and I guess you're 
as OK as you can be.

A vendor of ours forced us to start using a commercial version of PGP a 
few years ago. It's a real pain to install, use, and fix (thank 
goodness it is stable once running). You can't just run commands 
command line and have the PGP engine do its thing, you have to have a 
pgp daemon running and jump through a bunch of hoops to get anything 
done. At the end of the day the data's on disk somewhere, unreadable by 
untrusted users. Sure, it's obfuscated to the nth degree so even if you 
were root it would probably be hard to break, but if you know what 
you're doing I can't imagine it would be any harder than brute forcing 
/etc/shadow...

So much security stuff strikes me as existing solely for its own sake. 
Yes, I'm agitated by the entire registrar "certificate of authority" 
universe too. -grin-

</rant>

j
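The chmod advice above, as an added example that is not part of the original thread: the password moves out of the script into a separate file, and the script refuses to read that file if any other account can. The `username:password` line format and the `read_credentials` helper are assumptions made for illustration, and the sample credentials are constructed. The password is still held in the clear on disk and still has to be handed to vpnclient in the clear.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: load VPN credentials from a
# private file instead of hardcoding them in the script source.
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Temp qw(tempfile);

# Hypothetical helper. Expects one line, "username:password", in a regular
# file owned by the current user with no group/other permission bits set.
sub read_credentials {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";

    # stat the open handle rather than the path, so the checks apply to
    # the file that is actually read.
    my @st = stat($fh) or die "cannot stat $path: $!\n";
    my ($mode, $uid) = @st[2, 4];
    die "$path is not a regular file\n" unless S_ISREG($mode);
    die "$path is not owned by uid $>\n" unless $uid == $>;
    if ($mode & (S_IRWXG | S_IRWXO)) {
        die sprintf("%s has mode %04o, expected 0600\n",
                    $path, S_IMODE($mode));
    }

    my $line = <$fh>;
    close($fh);
    die "$path is empty\n" unless defined $line;
    chomp $line;
    my ($user, $pass) = split /:/, $line, 2;   # password may contain ':'
    die "$path: expected username:password\n"
        unless defined $pass && length $user && length $pass;
    return ($user, $pass);
}

# Demonstration on a constructed file. File::Temp creates it with mode 0600.
my ($tmp, $file) = tempfile(UNLINK => 1);
print {$tmp} "terry:not-a-real-password\n";
close($tmp);

my ($user) = read_credentials($file);
print "mode 0600: loaded credentials for $user\n";

# Loosen the permissions and confirm the file is now rejected.
chmod 0644, $file or die "chmod: $!\n";
eval { read_credentials($file); 1 } or print "mode 0644: refused: $@";
```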


