[Omaha.pm] cisco vpn script

Miller, Scott L (Omaha Networks) scott.l.miller at hp.com
Tue Nov 9 12:54:13 CST 2004


Yeah, I've done quite a bit in expect as well, but my current
implementation is using the native Tcl that expect was originally
developed under.  But those scripts are called from perl, which
collects status codes and creates the "task reports".

Anyway, the best solution I've come across to the password issue
is to store the passwords in a read-only file, under a read-only
directory, for only that one user account that actually runs that
code. (The directory part is optional, but a separate directory
dedicated to keeping only password files helps make sure the
permissions are set, and kept, correctly.) That way you don't care
if anyone else can read or attempt to run the script(s); the script
itself won't be able to read the password data file if run by anyone
else.  Of course this also means no fooling with the effective UIDs
or anything like that.

  Syntax error, Jay: You're missing a begin <rant> block :)

-Scott
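The layout Scott describes above, as an added example (Python rather than the thread's Perl and Tcl, and not code from anyone on the list): a one-line password file with mode 0400 inside a directory with mode 0700, both owned by the one account that runs the automation, plus a loader that refuses to hand back the password unless those conditions actually hold when it runs. The directory name `vpn-creds`, the file name `vpn.passwd` and the sample password are assumptions made for the demo.

```python
"""Private credential file loader (added example, not code from the thread).

Layout assumed: <dir>/vpn.passwd, dir mode 0700, file mode 0400, both owned
by the account running the script.  Names and password are demo assumptions.
"""
import os
import stat
import tempfile


class CredentialFileError(Exception):
    """The credential store is not private to the account running this code."""


# Any of these bits set means someone other than the owner can read, write
# or traverse the object.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def _assert_private(path, st, want_dir):
    """Reject a stat result unless it is the right type, ours, and mode 0?00."""
    if want_dir and not stat.S_ISDIR(st.st_mode):
        raise CredentialFileError(f"{path}: not a directory")
    if not want_dir and not stat.S_ISREG(st.st_mode):
        raise CredentialFileError(f"{path}: not a regular file")
    if st.st_uid != os.geteuid():
        raise CredentialFileError(
            f"{path}: owned by uid {st.st_uid}, but running as uid {os.geteuid()}")
    if st.st_mode & GROUP_OTHER_BITS:
        raise CredentialFileError(
            f"{path}: mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")


def load_password(path):
    """Return the single line stored in `path`, or raise CredentialFileError.

    The directory is checked with lstat (no symlink following).  The file is
    opened with O_NOFOLLOW and checked with fstat on the open descriptor, so
    the permissions verified belong to the file actually read (no TOCTOU gap).
    """
    path = os.path.abspath(path)
    directory = os.path.dirname(path)
    _assert_private(directory, os.lstat(directory), want_dir=True)

    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        _assert_private(path, os.fstat(fd), want_dir=False)
    except CredentialFileError:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as fh:  # fdopen takes ownership of fd and closes it
        lines = fh.read().decode("utf-8").splitlines()
    if len(lines) != 1 or not lines[0]:
        raise CredentialFileError(f"{path}: expected exactly one non-empty line")
    return lines[0]


def create_password_file(directory, name, password):
    """Create the 0700 directory and 0400 one-line file; set modes explicitly
    rather than trusting the umask."""
    os.makedirs(directory, mode=0o700, exist_ok=True)
    os.chmod(directory, 0o700)
    path = os.path.join(directory, name)
    # O_EXCL: never overwrite, and never follow a symlink someone planted here.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(password.encode("utf-8") + b"\n")
    os.chmod(path, 0o400)
    return path


def _rejection_reason(path):
    """Error text if load_password refuses `path`, else None."""
    try:
        load_password(path)
    except CredentialFileError as exc:
        return str(exc)
    return None


def run_demo():
    """Exercise the loader on a correct layout and two misconfigurations.

    Returns a dict rather than printing so the outcome can be asserted on.
    Paths and the password are constructed sample data.
    """
    scratch = tempfile.mkdtemp()
    path = create_password_file(os.path.join(scratch, "vpn-creds"),
                                "vpn.passwd", "s3cret-example")
    result = {"loaded": load_password(path)}

    os.chmod(path, 0o644)                      # file now readable by everyone
    result["world_readable_file"] = _rejection_reason(path)
    os.chmod(path, 0o400)

    os.chmod(os.path.dirname(path), 0o750)     # group can enter the directory
    result["group_accessible_dir"] = _rejection_reason(path)
    os.chmod(os.path.dirname(path), 0o700)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two caveats worth keeping in mind with this approach: only the immediate directory is checked, so the parent directories still need sane permissions, and discretionary mode bits keep the file private from other unprivileged accounts, not from root. The check on the open descriptor (fstat after open with O_NOFOLLOW) rather than on the path is what stops someone from swapping in a symlink between the check and the read.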

-----Original Message-----
From: omaha-pm-bounces at mail.pm.org
[mailto:omaha-pm-bounces at mail.pm.org]On Behalf Of Jay Hannah
Sent: Tuesday, November 09, 2004 11:57 AM
To: Perl Mongers of Omaha, Nebraska USA
Subject: Re: [Omaha.pm] cisco vpn script



On Nov 8, 2004, at 11:35 PM, Terry wrote:
> <<BRAINDUMP;
> One could argue about storing your VPN password in a script
> file....wonder if you could store it differently.....has to be passed
> to vpnclient in the clear.....can't reverse a hash....mmm...
> BRAINDUMP
>
>
> #!/usr/bin/perl
> use strict;
> use warnings;
>
> use Expect;
>
> # The credentials the braindump above is worried about, embedded in the script.
> my $username = 'terry';
> my $password = 'password';

Ahh, Expect.pm. I have a soft spot for it. -sniff!- -grin-

Our passwords are in the clear in our source code too. I don't know how 
to really get around that. Sure, you can obfuscate the heck out of it, 
but you can't really make it unbreakable or you won't be able to use 
it. -grin-

chmod your source unreadable by untrusted accounts, and I guess you're 
as OK as you can be.

A vendor of ours forced us to start using a commercial version of PGP a 
few years ago. It's a real pain to install, use, and fix (thank 
goodness it is stable once running). You can't just run commands from the 
command line and have the PGP engine do its thing, you have to have a 
pgp daemon running and jump through a bunch of hoops to get anything 
done. At the end of the day the data's on disk somewhere, unreadable by 
untrusted users. Sure, it's obfuscated to the nth degree so even if you 
were root it would probably be hard to break, but if you know what 
you're doing I can't imagine it would be any harder than brute forcing 
/etc/shadow...

So much security stuff strikes me as existing solely for its own sake. 
Yes, I'm agitated by the entire registrar "certificate of authority" 
universe too. -grin-

</rant>

j

_______________________________________________
Omaha-pm mailing list
Omaha-pm at mail.pm.org
http://www.pm.org/mailman/listinfo/omaha-pm
