Sensitive data in scripts

[J Krugman]

This question is so naive I am almost embarrassed to post it. I
want to write a Perl script for myself that uses several sensitive
passwords. If someone broke into my account it would be bad, but
if someone read this script, they could easily clean me out
financially. What are ways that programmers use to protect sensitive
data that is required for a program to run?

Thanks!

-Jill

[Barry Margolin]

In article <bfmiso$i49$1@reader1.panix.com>,
J Krugman <jill_krugman@yahoo.com> wrote:

>This question is so naive I am almost embarrassed to post it. I
>want to write a Perl script for myself that uses several sensitive
>passwords. If someone broke into my account it would be bad, but
>if someone read this script, they could easily clean me out
>financially. What are ways that programmers use to protect sensitive
>data that is required for a program to run?

Make the user type the password when they run the program.

If the program needs several passwords, and you don't want him to have to
enter them all, you could put them in an encrypted file, and just have him
enter the key to decrypt that file.

--
Barry Margolin, [email]barry.margolin@level3.com[/email]
Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

[Marc Rochkind]

On Wed, 23 Jul 2003 18:07:20 +0000 (UTC), J Krugman
<jill_krugman@yahoo.com> wrote:

>
>
> This question is so naive I am almost embarrassed to post it. I
> want to write a Perl script for myself that uses several sensitive
> passwords. If someone broke into my account it would be bad, but
> if someone read this script, they could easily clean me out
> financially. What are ways that programmers use to protect sensitive
> data that is required for a program to run?
>
> Thanks!
>
> -Jill
>
>

There's really nothing at all you can do. All of the passwords will have to
be in the clear. But, don't worry, there's really nothing at all that can
go wrong, so go ahead and put all your money into these accounts.

If you like, I'd be happy to check your work after all the money is
deposited to make sure you've done it right. Please email me the URLs and
logins for the accounts.

[Just kidding! The other respondents have you on the right track...]

--Marc

[David Schwartz]

"J Krugman" <jill_krugman@yahoo.com> wrote in message
news:bfmiso$i49$1@reader1.panix.com...

> This question is so naive I am almost embarrassed to post it. I
> want to write a Perl script for myself that uses several sensitive
> passwords. If someone broke into my account it would be bad, but
> if someone read this script, they could easily clean me out
> financially. What are ways that programmers use to protect sensitive
> data that is required for a program to run?

I wouldn't advise any approach other than splitting the passwords. Have
on password that the script uses that only has permission to do what the
script is allowed to do. The other password, that can clean you out
financially, goes in your brain only.

Any other mechanism requires a high level of expertise to implement
reliably.

DS

[Ralf Fassel]

* [email]phil-news-nospam@ipal.net[/email]
| OpenSSH has a way to deal with that in a fair compromise. You start
| running a special daemon, which can decrypted the encrypted private
| keys (you would do this with passwords if you emulate the same
| thing, as the private keys are as exposing as passwords).

I assume you're talking about ssh-agent here?

man ssh-agent:
A unix-domain socket is created (/tmp/ssh-XXXXXXXX/agent.<pid>,) and
the name of this socket is stored in the SSH_AUTH_SOCK environment
variable. The socket is made accessible only to the current user.
This method is easily abused by root or another instance of the same
user.

So, if one is concerned about root misusing its powers, or a breakin
while I'm away from keyboard, this might not be a solution.

R'

[kynn]

In <TmATa.352$0z4.287@news.level3.com> Barry Margolin <barry.margolin@level3.com> writes:

>In article <bfmiso$i49$1@reader1.panix.com>,
>J Krugman <jill_krugman@yahoo.com> wrote:

>>This question is so naive I am almost embarrassed to post it. I
>>want to write a Perl script for myself that uses several sensitive
>>passwords. If someone broke into my account it would be bad, but
>>if someone read this script, they could easily clean me out
>>financially. What are ways that programmers use to protect sensitive
>>data that is required for a program to run?

>Make the user type the password when they run the program.

>If the program needs several passwords, and you don't want him to have to
>enter them all, you could put them in an encrypted file, and just have him
>enter the key to decrypt that file.

This is the part I need help with. Can you suggest any software/libraries
that I can use to program this password-based encryption and decryption?

TIA,

-Jill

[Sam Zoghaib]

kynn wrote in article <bfojoo$930$1@reader1.panix.com> on Thursday 24 July
2003 14:34 in comp.unix.programmer:

> This is the part I need help with. Can you suggest any software/libraries
> that I can use to program this password-based encryption and decryption?
>

There's a libcrypt-gpg-perl library which provides an interface to GnuPG for
perl.

Sam
--
"If sharing a thing in no way diminishes it, it is not rightly owned if it is
not shared."

- St Augustine

[J Krugman]

In <bfnlld0mf5@enews3.newsguy.com> [email]phil-news-nospam@ipal.net[/email] writes:

>A command is used
>to give the daemon the text key (passphrase) to decrypt the key and
>it then stores the key in its virtual memory in a way that is not
>supposed to be swapped out to hard swap space.

How does one control swapping from within a program?