Best way to store passwords for a LAN tool?

Question

I am making an app in Python for linux as a front end to the router (to automate some tasks).

But I need to log in to the router before I can do any operations on it and since it uses a http-auth I need to send it the clear text password and hence the clear text password need to be stored on the system.

What is the best way to do this ? I mean, if I just hard code the password, anyone can simple look at the source code to obtain them. Should I store it in a database ? Or should I encrypt it and then use a master password to unlock it (Not preferred) ?

score 1 · Answer 1 · answered Dec 26 '13 at 13:03

1

It depends on who you want to protect that password from. Given that you're going to transmit that in cleartext over the network, you're granting trust to locatl administrators.

If that is accurate,, you can place that password in a data file that is restricted to the local root users through the OS ACL. That way, anyone who acn gain access to it would be able to gain access to the password anyway.

answered Dec 26 '13 at 13:03

Stephane

18,557
3
61
70

In this case, the local administrator is using the app hence trusted. – Grim Reaper Dec 26 '13 at 13:11
You could put the password in a data file owned by an user to which the binary is suid-ed – miniBill Dec 27 '13 at 19:26

jamiescott · Answer 2 · 2013-12-26T23:05:11.437

What is the best way to do this ?

As always, it depends. The most secure way to do this is to use a specialized tool which will handle the encryption of the password, store it in a password vault and that would also allow this password to be automatically changed on a schedule by the password vault independently of your script. If you don't have a password vault tool available then that may be a bigger project than you need right now. The actual mechanism used by these tools to do encryption and handle the key is to use a random key and incorporate some hardware info into the key - also the vault will typically also allow a lock by IP address so only that server can retrieve the password.

I mean, if I just hard code the password, anyone can simple look at the source code to obtain them.

Yes and there are other problems to this approach too. Will this script be committed to a source code repository? If so, then the password is there too. It may also become a pain to update this script every time the password needs to be changed.

Should I store it in a database ?

This isn't much better than keeping it in the script except now at least it won't go to the source code repository. You could rely on database level encryption to avoid worrying about encryption keys but DBAs would still have access.

Or should I encrypt it and then use a master password to unlock it (Not preferred) ?

This is no different than just asking for the actual password at runtime except that would be a lot less work.

A password vault is a tool designed specifically to store passwords securely (encrypted), control access, audit usage and change them automatically against devices. Mostly commercial tools such as Thycotic Secret Server and others. — jamiescott, Dec 27 '13 at 22:01

score 1 · Answer 3 · answered Dec 27 '13 at 04:26

There are times when it's not within practical feasibility to not hardcode plaintext passwords, especially if the project is small, and you don't have access to a password vault. When you're faced with a situation like this, it is best to approach the problem from the perspective of limiting the exposure.

One of the approaches that you can use is permissioning, assuming you trust the people who use the script. Since it's on Linux, you can chmod the file to 700, which means that only that particular user can read, write, or execute the file (assuming other users don't have root permissions, of course).

However, this approach can get tricky if the administrator turns rogue, or someone figures out a way to escalate their privileges. In such instances, it is better to increase the difficulty of finding such a password. A good way to do this might be to use Python Freeze or Pyinstaller to create a binary out of your script. Someone reversing the script can still get the password out, but it is a much harder effort, and hopefully discourages someone who is after the low hanging fruit (and potentially protects you from rogue admins). I wish I could go into details of how this could be done, but I've only seen people do it; I've never actually used these tools myself. But this gives you a chance to make a distributable binary that you can use, thus not having to deal with passing around a credential all over the place.

Creating a binary from your script will not necessarily protect any embedded passwords. Something like strings can be run to easily dump all the strings from the binary which will typically reveal the password. http://en.wikipedia.org/wiki/Strings_(Unix) — jamiescott, Dec 28 '13 at 17:03
@jamiescott you're correct. I didn't think of strings for some reason, I was thinking only along the lines of decompilation. I guess binary + permissions might be the best way to deal with this then... — Karthik Rangarajan, Dec 28 '13 at 20:19

Best way to store passwords for a LAN tool?

3 Answers3