Re: encoding scripts (so that user can't see passwords easily)?
On Tue, 06 Dec 2005 20:36:07 +0100, Tomasz Chmielewski wrote:
> It is to be a measure to prevent an accidental viewing of usernames/passwords rather than some military grade tool which takes 100 years to break on a supercomputer.

[I think this discussion is off topic for cygwin]

Here are 2 simple bash scripts that do what you want.
Both are filters (i.e. read standard input, write to standard output).

The first one just obscures the input to an all-numeric string.
The second one uses gpg, so you can do real strong encryption, with encryption done by anyone while decryption is done by the privileged user.

Ehud

#! /bin/bash -e
# simple conversion to all numeric and back
# --

OP=$1                                   # requested operation (--encrypt/--decrypt)
INP=`cat`                               # input to encrypt/decrypt
LEN=${#INP}                             # Length of input
OUT=                                    # output (almost final)

case "$OP" in
    --encrypt )
        while [ "$INP" != "" ]
        do
            CH=${INP:0:1}                       # 1st char of input
            INP=${INP:1:$LEN}                   # rest of input
            OCT=`echo "$CH" | od -An -to1 -N1`  # convert to octal
            EON=`expr 789 - $OCT`               # not too obvious
            OUT=$OUT$EON
        done;;                                  # OUT ready

    --decrypt )
        while [ "$INP" != "" ]
        do
            EON=${INP:0:3}                      # 1st inverted octal of input
            INP=${INP:3:$LEN}                   # rest of input
            OCT=`expr 789 - $EON`               # octal
            OUT=$OUT'\0'$OCT                    # add \0 for decoding octals (echo -e wants \0nnn)
        done;;                                  # OUT ready

    * ) echo "OP (1st arg) is |$OP|. should be --encrypt or --decrypt"
        exit 1 ;;
esac

echo -e "$OUT"                          # echo encrypted/decrypted to USER

## end of simple-crypt.sh ##

#! /bin/bash -e
# gpg encryption/decryption, must have gpg keys (public and private)
#

KEY=$1          # gpg key, should be in pubring.gpg/secring.gpg
OP=$2           # requested operation (--encrypt/--decrypt)
PSP=$3          # passphrase (needed for --decrypt only) or empty

GPGOPT="--default-recipient-self --batch --no-tty --always-trust --no-options --output -"

if [ "$PSP" != "" ] ; then              # do only when passphrase given
    exec 3<&0                           # trick, save stdin stream
    echo "${PSP}" | ( exec 4<&0 ;       # set fd 4 to read from echo
                      exec 0<&3 ;       # restore original stdin (for gpg input)
                      gpg --default-key "$KEY" $GPGOPT --passphrase-fd 4 $OP )
else
    gpg --default-key "$KEY" $GPGOPT $OP
fi

## end of gpg-crypt.sh ##

--
 Ehud Karni           Tel: +972-3-7966-561  /\
 Mivtach - Simon      Fax: +972-3-7966-667  \ /  ASCII Ribbon Campaign
 Insurance agencies   (USA) voice mail and   X   Against   HTML   Mail
 http://www.mvs.co.il  FAX:  1-815-5509341  / \
 GnuPG: 98EA398D       http://www.keyserver.net/    Better Safe Than Sorry

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
RE: encoding scripts (so that user can't see passwords easily)?
Ehud Karni wrote:
> On Tue, 06 Dec 2005 20:36:07 +0100, Tomasz Chmielewski wrote:
> > It is to be a measure to prevent an accidental viewing of usernames/passwords rather than some military grade tool which takes 100 years to break on a supercomputer.
>
> [I think this discussion is off topic for cygwin]
>
> Here are 2 simple bash scripts that do what you want.
> Both are filters (i.e. read standard input, write to standard output).
>
> The first one just obscures the input to an all-numeric string.
> The second one uses gpg, so you can do real strong encryption, with encryption done by anyone while decryption is done by the privileged user.
>
> Ehud
>
> #! /bin/bash -e
> # simple conversion to all numeric and back
> # --
>
> OP=$1                                   # requested operation (--encrypt/--decrypt)
> INP=`cat`                               # input to encrypt/decrypt
> LEN=${#INP}                             # Length of input
> OUT=                                    # output (almost final)
>
> case "$OP" in
>     --encrypt )
>         while [ "$INP" != "" ]
>         do
>             CH=${INP:0:1}                       # 1st char of input
>             INP=${INP:1:$LEN}                   # rest of input
>             OCT=`echo "$CH" | od -An -to1 -N1`  # convert to octal
>             EON=`expr 789 - $OCT`               # not too obvious
>             OUT=$OUT$EON
>         done;;                                  # OUT ready
>
>     --decrypt )
>         while [ "$INP" != "" ]
>         do
>             EON=${INP:0:3}                      # 1st inverted octal of input
>             INP=${INP:3:$LEN}                   # rest of input
>             OCT=`expr 789 - $EON`               # octal
>             OUT=$OUT'\0'$OCT                    # add \0 for decoding octals (echo -e wants \0nnn)
>         done;;                                  # OUT ready
>
>     * ) echo "OP (1st arg) is |$OP|. should be --encrypt or --decrypt"
>         exit 1 ;;
> esac
>
> echo -e "$OUT"                          # echo encrypted/decrypted to USER
>
> ## end of simple-crypt.sh ##
>
> #! /bin/bash -e
> # gpg encryption/decryption, must have gpg keys (public and private)
> #
>
> KEY=$1          # gpg key, should be in pubring.gpg/secring.gpg
> OP=$2           # requested operation (--encrypt/--decrypt)
> PSP=$3          # passphrase (needed for --decrypt only) or empty
>
> GPGOPT="--default-recipient-self --batch --no-tty --always-trust --no-options --output -"
>
> if [ "$PSP" != "" ] ; then              # do only when passphrase given
>     exec 3<&0                           # trick, save stdin stream
>     echo "${PSP}" | ( exec 4<&0 ;       # set fd 4 to read from echo
>                       exec 0<&3 ;       # restore original stdin (for gpg input)
>                       gpg --default-key "$KEY" $GPGOPT --passphrase-fd 4 $OP )
> else
>     gpg --default-key "$KEY" $GPGOPT $OP
> fi
>
> ## end of gpg-crypt.sh ##

Are we forgetting the classic? As long as we don't care how strong the encryption is, what about rot13?

#!/bin/sh
tr 'A-Za-z' 'N-ZA-Mn-za-m'

(Maybe I should ITP rot13.)

And there's always uuencode/uudecode. :-)

- Barry
RE: encoding scripts (so that user can't see passwords easily)?
Ehud Karni wrote:
> [I think this discussion is off topic for cygwin]

Agreed, which is why I didn't elucidate earlier. If I were inclined to do something like your second script and override normal passphrase security, I'd probably use another mechanism (maybe an environment variable?) to avoid the passphrase appearing in the process list. But as we both said, this discussion is really OT for this list.

gsw
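The process-list concern raised in this message, as an added example that is not part of the original thread: the first function shows what the process list displays for a child started with the passphrase as an argument, the second hands the same passphrase over on a file descriptor instead. It assumes a /proc filesystem (Linux or Cygwin); the names argv_in_process_list, with_passphrase_on_fd3, SECRET_PASSPHRASE, MYKEY and the sample passphrase are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes /proc (Linux or Cygwin).
# Function names, SECRET_PASSPHRASE, MYKEY and the passphrase are constructed.

# Print what the process list shows for a child started with the given
# arguments. The child reads its own /proc/PID/cmdline, the same data ps(1)
# displays. The trailing "exit 0" keeps the shell from exec'ing tr in its
# own place, which would replace the command line being inspected.
argv_in_process_list() {
    sh -c 'tr "\0" " " < /proc/$$/cmdline; exit 0' "$@"
}

# Run "$@" with the passphrase taken from the environment variable
# SECRET_PASSPHRASE readable on file descriptor 3, and absent from argv.
# Note: some shells back a here-document with a short-lived temporary file.
with_passphrase_on_fd3() {
    if [ -z "${SECRET_PASSPHRASE:-}" ]; then
        echo "SECRET_PASSPHRASE is not set" >&2
        return 1
    fi
    "$@" 3<<EOF
$SECRET_PASSPHRASE
EOF
}

# With gpg the call would look like this (file.gpg is a placeholder):
#   with_passphrase_on_fd3 gpg --batch --passphrase-fd 3 --decrypt < file.gpg

demo() {
    SECRET_PASSPHRASE='constructed-passphrase'
    export SECRET_PASSPHRASE
    # Passphrase as third argument, the way gpg-crypt.sh is invoked:
    echo "argv: $(argv_in_process_list gpg-crypt.sh MYKEY --decrypt "$SECRET_PASSPHRASE")"
    # Same call with the passphrase on fd 3 only:
    echo "fd 3: $(with_passphrase_on_fd3 argv_in_process_list gpg-crypt.sh MYKEY --decrypt)"
}
demo
```

An environment variable keeps the passphrase out of the argument list, but it remains readable through /proc/PID/environ by the same user and by root.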
Re: encoding scripts (so that user can't see passwords easily)?
On 12/4/05, nidhog [EMAIL PROTECTED] wrote:
> On 12/4/05, Christopher Faylor [EMAIL PROTECTED] wrote:
> > On Sun, Dec 04, 2005 at 12:20:57PM +0100, Tomasz Chmielewski wrote:
> > > I have a little open-source project, which eases Windows administration a bit.
> > >
> > > In some of the scripts, I use usernames and passwords (to get to a password-protected network share etc.). Because they are scripts, username and password is in plain.
> > >
> > > Although the script files are only readable by SYSTEM and Administrators, if a disk is stolen, someone could easily get the passwords by doing simple grep -r password ./*.
> > >
> > > Do you know some tool which could encode scripts?
>
> instead of storing them plaintext, why don't you try encoding them via cryptographic hashes - md5, sha1, tiger and the like.

How is the script going to get the plaintext password if all it has is a one way hash?

> while it's still vulnerable to bruteforce if they get your hashed passwords, you can mitigate the risk by requiring longer/more complex passwords. at least it's not as easy as grep'ping for the plaintext password left alone naked all out in the open.
Re: encoding scripts (so that user can't see passwords easily)?
Svend Sorensen wrote:
> On 12/4/05, nidhog [EMAIL PROTECTED] wrote:
> > On 12/4/05, Christopher Faylor [EMAIL PROTECTED] wrote:
> > > On Sun, Dec 04, 2005 at 12:20:57PM +0100, Tomasz Chmielewski wrote:
> > > > I have a little open-source project, which eases Windows administration a bit.
> > > >
> > > > In some of the scripts, I use usernames and passwords (to get to a password-protected network share etc.). Because they are scripts, username and password is in plain.
> > > >
> > > > Although the script files are only readable by SYSTEM and Administrators, if a disk is stolen, someone could easily get the passwords by doing simple grep -r password ./*.
> > > >
> > > > Do you know some tool which could encode scripts?
> >
> > instead of storing them plaintext, why don't you try encoding them via cryptographic hashes - md5, sha1, tiger and the like.
>
> How is the script going to get the plaintext password if all it has is a one way hash?

I don't really care, perhaps it won't be any one way hash anyway.

It is to be a measure to prevent an accidental viewing of usernames/passwords rather than some military grade tool which takes 100 years to break on a supercomputer.

--
Tomek
http://wpkg.org
WPKG - software deployment and upgrades with Samba
Re: encoding scripts (so that user can't see passwords easily)?
On Tue, Dec 06, 2005 at 08:36:07PM +0100, Tomasz Chmielewski wrote:
> Svend Sorensen wrote:
> > On 12/4/05, nidhog [EMAIL PROTECTED] wrote:
> > > On 12/4/05, Christopher Faylor [EMAIL PROTECTED] wrote:
> > > > On Sun, Dec 04, 2005 at 12:20:57PM +0100, Tomasz Chmielewski wrote:
> > > > > I have a little open-source project, which eases Windows administration a bit.
> > > > >
> > > > > In some of the scripts, I use usernames and passwords (to get to a password-protected network share etc.). Because they are scripts, username and password is in plain.
> > > > >
> > > > > Although the script files are only readable by SYSTEM and Administrators, if a disk is stolen, someone could easily get the passwords by doing simple grep -r password ./*.
> > > > >
> > > > > Do you know some tool which could encode scripts?
> > >
> > > instead of storing them plaintext, why don't you try encoding them via cryptographic hashes - md5, sha1, tiger and the like.
> >
> > How is the script going to get the plaintext password if all it has is a one way hash?
>
> I don't really care, perhaps it won't be any one way hash anyway.
>
> It is to be a measure to prevent an accidental viewing of usernames/passwords rather than some military grade tool which takes 100 years to break on a supercomputer.

So, in that case, someone has already made a suggestion:

http://cygwin.com/ml/cygwin/2005-12/msg00181.html
Re: encoding scripts (so that user can't see passwords easily)?
Don't put the user names or passwords in the script; put them in a file only readable by SYSTEM

On 12/6/05, Tomasz Chmielewski [EMAIL PROTECTED] wrote:
> Svend Sorensen wrote:
> > On 12/4/05, nidhog [EMAIL PROTECTED] wrote:
> > > On 12/4/05, Christopher Faylor [EMAIL PROTECTED] wrote:
> > > > On Sun, Dec 04, 2005 at 12:20:57PM +0100, Tomasz Chmielewski wrote:
> > > > > I have a little open-source project, which eases Windows administration a bit.
> > > > >
> > > > > In some of the scripts, I use usernames and passwords (to get to a password-protected network share etc.). Because they are scripts, username and password is in plain.
> > > > >
> > > > > Although the script files are only readable by SYSTEM and Administrators, if a disk is stolen, someone could easily get the passwords by doing simple grep -r password ./*.
> > > > >
> > > > > Do you know some tool which could encode scripts?
> > >
> > > instead of storing them plaintext, why don't you try encoding them via cryptographic hashes - md5, sha1, tiger and the like.
> >
> > How is the script going to get the plaintext password if all it has is a one way hash?
>
> I don't really care, perhaps it won't be any one way hash anyway.
>
> It is to be a measure to prevent an accidental viewing of usernames/passwords rather than some military grade tool which takes 100 years to break on a supercomputer.
>
> --
> Tomek
> http://wpkg.org
> WPKG - software deployment and upgrades with Samba
Re: encoding scripts (so that user can't see passwords easily)?
that would not solve the requirement of protecting the passwords if the disk was stolen. The scripts are supposedly already readable by system and admin only.

On Tue, Dec 06, 2005 at 02:58:15PM -0500, Jim Drash wrote:
> Don't put the user names or passwords in the script; put them in a file only readable by SYSTEM
>
> On 12/6/05, Tomasz Chmielewski [EMAIL PROTECTED] wrote:
> > Svend Sorensen wrote:
> > > On 12/4/05, nidhog [EMAIL PROTECTED] wrote:
> > > > On 12/4/05, Christopher Faylor [EMAIL PROTECTED] wrote:
> > > > > On Sun, Dec 04, 2005 at 12:20:57PM +0100, Tomasz Chmielewski wrote:
> > > > > > I have a little open-source project, which eases Windows administration a bit.
> > > > > >
> > > > > > In some of the scripts, I use usernames and passwords (to get to a password-protected network share etc.). Because they are scripts, username and password is in plain.
> > > > > >
> > > > > > Although the script files are only readable by SYSTEM and Administrators, if a disk is stolen, someone could easily get the passwords by doing simple grep -r password ./*.
> > > > > >
> > > > > > Do you know some tool which could encode scripts?
> > > >
> > > > instead of storing them plaintext, why don't you try encoding them via cryptographic hashes - md5, sha1, tiger and the like.
> > >
> > > How is the script going to get the plaintext password if all it has is a one way hash?
> >
> > I don't really care, perhaps it won't be any one way hash anyway.
> >
> > It is to be a measure to prevent an accidental viewing of usernames/passwords rather than some military grade tool which takes 100 years to break on a supercomputer.
> >
> > --
> > Tomek
> > http://wpkg.org
> > WPKG - software deployment and upgrades with Samba

--
Slowly and surely the unix crept up on the Nintendo user ...
Wayne Willcox                              I will not eat green eggs and ham
[EMAIL PROTECTED]                          I will not eat them Sam I Am!!
A wise person makes his own decisions, a weak one obeys public opinion.
-- Chinese proverb
Re: encoding scripts (so that user can't see passwords easily)?
Wayne Willcox wrote:
> On Tue, Dec 06, 2005 at 02:58:15PM -0500, Jim Drash wrote:
> > Don't put the user names or passwords in the script; put them in a file only readable by SYSTEM
>
> that would not solve the requirement of protecting the passwords if the disk was stolen. The scripts are supposedly already readable by system and admin only.

That's exactly what I mean (they are already readable by SYSTEM and admins only).

If the disk is stolen, it would add some extra time before the password is compromised.

Someone gave a clue here:

http://cygwin.com/ml/cygwin/2005-12/msg00181.html

> instead of storing them plaintext, why don't you try encoding them via cryptographic hashes - md5, sha1, tiger and the like.

But I don't really know where to start (which tool should I use for it?)

--
Tomek
http://wpkg.org
WPKG - software deployment and upgrades with Samba
Re: encoding scripts (so that user can't see passwords easily)?
Tomasz Chmielewski wrote:
> That's exactly what I mean (they are already readable by SYSTEM and admins only).
>
> If the disk is stolen, it would add some extra time before the password is compromised.
>
> Someone gave a clue here:
>
> http://cygwin.com/ml/cygwin/2005-12/msg00181.html
>
> > instead of storing them plaintext, why don't you try encoding them via cryptographic hashes - md5, sha1, tiger and the like.
>
> But I don't really know where to start (which tool should I use for it?)

Let's step back a minute. If your script is storing passwords so that it can *supply* them to windows, then you can't store hashes. That only works if your script accepts passwords itself and then verifies them *itself* against the stored hashes.

Now, assuming you need to store passwords in plaintext: Without some sort of external storage, there is absolutely nothing you can do to prevent someone that stole the drive from being able to read the plaintext passwords. You can encrypt them up the wazoo, it doesn't matter. To encrypt you have to use a key of some kind, and unless you store that key in a location off of the hard drive, then all the attacker has to do is take the key and use it to decrypt.

Put another way, the attacker can do whatever the PC does to access the passwords. So if the PC can access the passwords without data from elsewhere, so can the thief.

So, unless you're planning on setting up something where a passphrase not stored on the disk is entered on the keyboard, retrieved from a floppy, etc. then you're wasting your time.

If you just want to encrypt to say that you've encrypted, then there are tons of utilities to do this. Try "man openssl" or "man enc" for starters. But again, if you store the encrypted file next along with the key on the disk then you've accomplished absolutely nothing from a security standpoint. (This is assuming you use a key without a passphrase. But if you do that you are essentially no longer storing the key on the disk, since it will require some keyboard input to function.)

Brian
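The point made in this message, as an added example that is not part of the original thread: a credential encrypted with a key file stored beside it can be read back from the directory contents alone, while one encrypted under a passphrase that exists only in the environment cannot. It assumes the OpenSSL command line with `enc -pbkdf2` (OpenSSL 1.1.1 or later); the function names, file names, the CRED_PASSPHRASE variable and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI with
# "enc -pbkdf2". All names, paths and sample values are constructed.

MAGIC='CRED:'   # known prefix, so a correct decryption can be recognized

# Key generated and stored in the same directory as the ciphertext.
encrypt_with_keyfile() {            # usage: encrypt_with_keyfile DIR SECRET
    openssl rand -hex 32 > "$1/script.key"
    printf '%s%s\n' "$MAGIC" "$2" |
        openssl enc -aes-256-cbc -pbkdf2 -salt \
            -pass "file:$1/script.key" -out "$1/cred.enc"
}

# Passphrase supplied from outside (exported CRED_PASSPHRASE), never written.
encrypt_with_external_passphrase() {    # usage: ... DIR SECRET
    printf '%s%s\n' "$MAGIC" "$2" |
        openssl enc -aes-256-cbc -pbkdf2 -salt \
            -pass env:CRED_PASSPHRASE -out "$1/cred.enc"
}

decrypt_with_external_passphrase() {    # usage: ... DIR
    openssl enc -d -aes-256-cbc -pbkdf2 -pass env:CRED_PASSPHRASE \
        -in "$1/cred.enc" 2>/dev/null | sed -n "s/^$MAGIC//p"
}

# Do only what the PC itself could do with the directory contents: try each
# file there as the key. Prints the secret and returns 0 if one works.
recover_using_disk_contents() {         # usage: ... DIR
    for f in "$1"/*; do
        [ "$f" = "$1/cred.enc" ] && continue
        out=$(openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$f" \
                  -in "$1/cred.enc" 2>/dev/null) || continue
        case $out in
            "$MAGIC"*) printf '%s\n' "${out#"$MAGIC"}"; return 0 ;;
        esac
    done
    return 1
}

demo() {
    a=$(mktemp -d); b=$(mktemp -d)
    encrypt_with_keyfile "$a" 'constructed-share-password'
    CRED_PASSPHRASE='constructed-typed-passphrase'; export CRED_PASSPHRASE
    encrypt_with_external_passphrase "$b" 'constructed-share-password'
    echo "key on disk:  $(recover_using_disk_contents "$a" || echo 'not recoverable')"
    echo "key off disk: $(recover_using_disk_contents "$b" || echo 'not recoverable')"
    rm -rf "$a" "$b"
}
demo
```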
Re: encoding scripts (so that user can't see passwords easily)?
On Tue, 6 Dec 2005, Tomasz Chmielewski wrote:
> Wayne Willcox wrote:
> > On Tue, Dec 06, 2005 at 02:58:15PM -0500, Jim Drash wrote:
> > > Don't put the user names or passwords in the script; put them in a file only readable by SYSTEM
> >
> > that would not solve the requirement of protecting the passwords if the disk was stolen. The scripts are supposedly already readable by system and admin only.
>
> That's exactly what I mean (they are already readable by SYSTEM and admins only).
>
> If the disk is stolen, it would add some extra time before the password is compromised.
>
> Someone gave a clue here:
>
> http://cygwin.com/ml/cygwin/2005-12/msg00181.html
>
> > instead of storing them plaintext, why don't you try encoding them via cryptographic hashes - md5, sha1, tiger and the like.
>
> But I don't really know where to start (which tool should I use for it?)

Umm, crypt? As in

stored_password=42wlq4L2SDUdw
echo -n "Enter your password: "; stty -echo; read -r password; stty echo
# hash the typed password with the same salt and compare with the stored hash
if [ "x`crypt 42 "$password"`" = "x$stored_password" ]; then
  echo "Access granted"
else
  echo "Invalid password"
fi

(the '42' above is the salt -- see "man crypt").
	HTH,
	Igor
--
	http://cs.nyu.edu/~pechtcha/
	Igor Pechtchanski, Ph.D.

If there's any real truth it's that the entire multidimensional infinity of the Universe is almost certainly being run by a bunch of maniacs. /DA
Re: encoding scripts (so that user can't see passwords easily)?
If someone can get physical access to the disk, then there is not a single thing you can do to stop someone who is:

1) Knowledgeable
2) Determined
3) has time
4) is a criminal

Nothing can stop them. The best you can do is slow them down, know that it is happening maybe while it is happening or worst case shortly thereafter.

Security is not a thing, it is a process that balances risk / reward, cost / benefit
Re: encoding scripts (so that user can't see passwords easily)?
Jim Drash wrote:
> If someone can get physical access to the disk, then there is not a single thing you can do to stop someone who is:
>
> 1) Knowledgeable
> 2) Determined
> 3) has time
> 4) is a criminal

But I could certainly stop someone who is *not* knowledgeable nor determined, and his criminal cracking knowledge ends when he presses Enter after typing "grep -r password /".

Why do you think mail clients, web browsers and other software don't store the passwords in plain?

--
Tomek
http://wpkg.org
WPKG - software deployment and upgrades with Samba
Re: encoding scripts (so that user can't see passwords easily)?
I view disk data encryption sort of like locking your car doors. If they want your car all they really need is a pickup truck and a car tow kit. If someone really wants to get to your data they will. The question is how badly do they want that data? How much effort will they expend to get it? Lastly, if you catch them and take them to court, can you prove that you did everything reasonable to try and prevent the theft?

On Tue, Dec 06, 2005 at 10:27:46PM +0100, Tomasz Chmielewski wrote:
> Jim Drash wrote:
> > If someone can get physical access to the disk, then there is not a single thing you can do to stop someone who is:
> >
> > 1) Knowledgeable
> > 2) Determined
> > 3) has time
> > 4) is a criminal
>
> But I could certainly stop someone who is *not* knowledgeable nor determined, and his criminal cracking knowledge ends when he presses Enter after typing "grep -r password /".
>
> Why do you think mail clients, web browsers and other software don't store the passwords in plain?
>
> --
> Tomek
> http://wpkg.org
> WPKG - software deployment and upgrades with Samba

--
Slowly and surely the unix crept up on the Nintendo user ...
Wayne Willcox                              I will not eat green eggs and ham
[EMAIL PROTECTED]                          I will not eat them Sam I Am!!
A wise person makes his own decisions, a weak one obeys public opinion.
-- Chinese proverb
Re: encoding scripts (so that user can't see passwords easily)?
Can you make it harder? Yes. I can think of lots of ways to make it harder. The easiest is to prompt them for the userid and passwords that they need when they need them and don't store them at all.

On 12/6/05, Tomasz Chmielewski [EMAIL PROTECTED] wrote:
> Jim Drash wrote:
> > If someone can get physical access to the disk, then there is not a single thing you can do to stop someone who is:
> >
> > 1) Knowledgeable
> > 2) Determined
> > 3) has time
> > 4) is a criminal
>
> But I could certainly stop someone who is *not* knowledgeable nor determined, and his criminal cracking knowledge ends when he presses Enter after typing "grep -r password /".
>
> Why do you think mail clients, web browsers and other software don't store the passwords in plain?
>
> --
> Tomek
> http://wpkg.org
> WPKG - software deployment and upgrades with Samba
RE: encoding scripts (so that user can't see passwords easily)?
Igor Pechtchanski wrote:
> On Tue, 6 Dec 2005, Tomasz Chmielewski wrote:
> > But I don't really know where to start (which tool should I use for it?)
>
> Umm, crypt?

Or better yet, ccrypt. Check its manpage.

gsw
Re: encoding scripts (so that user can't see passwords easily)?
Christopher Faylor wrote:
> On Sun, Dec 04, 2005 at 12:20:57PM +0100, Tomasz Chmielewski wrote:
> > I have a little open-source project, which eases Windows administration a bit.
> >
> > In some of the scripts, I use usernames and passwords (to get to a password-protected network share etc.). Because they are scripts, username and password is in plain.
> >
> > Although the script files are only readable by SYSTEM and Administrators, if a disk is stolen, someone could easily get the passwords by doing simple grep -r password ./*.
> >
> > Do you know some tool which could encode scripts?
> >
> > One of such similar tools is Microsoft Script Encoder, but perhaps its licensing wouldn't allow me to distribute it along with my files.
> >
> > That's actually how I discovered Cygwin - I had to replace srvany.exe, (which I couldn't distribute), and I found cygrunsrv :)
>
> Just to be sure: you do realize that you can't distribute cygrunsrv without also including the sources to cygrunsrv and cygwin1.dll (assuming that you're including that file), right? This is a GPL project.

Yeah I know, my project is GPL licensed as well.

So, as we know the legal stuff, does anyone have the answer to my question (encoding/encrypting scripts)?

--
Tomek
http://wpkg.org
WPKG - software deployment and upgrades with Samba
Re: encoding scripts (so that user can't see passwords easily)?
On Sun, Dec 04, 2005 at 12:20:57PM +0100, Tomasz Chmielewski wrote:
> I have a little open-source project, which eases Windows administration a bit.
>
> In some of the scripts, I use usernames and passwords (to get to a password-protected network share etc.). Because they are scripts, username and password is in plain.
>
> Although the script files are only readable by SYSTEM and Administrators, if a disk is stolen, someone could easily get the passwords by doing simple grep -r password ./*.
>
> Do you know some tool which could encode scripts?
>
> One of such similar tools is Microsoft Script Encoder, but perhaps its licensing wouldn't allow me to distribute it along with my files.
>
> That's actually how I discovered Cygwin - I had to replace srvany.exe, (which I couldn't distribute), and I found cygrunsrv :)

Just to be sure: you do realize that you can't distribute cygrunsrv without also including the sources to cygrunsrv and cygwin1.dll (assuming that you're including that file), right? This is a GPL project.

--
Christopher Faylor          spammer? -  [EMAIL PROTECTED]
Cygwin Co-Project Leader                [EMAIL PROTECTED]
TimeSys, Inc.
Re: encoding scripts (so that user can't see passwords easily)?
On 12/4/05, Christopher Faylor [EMAIL PROTECTED] wrote:
> On Sun, Dec 04, 2005 at 12:20:57PM +0100, Tomasz Chmielewski wrote:
> > I have a little open-source project, which eases Windows administration a bit.
> >
> > In some of the scripts, I use usernames and passwords (to get to a password-protected network share etc.). Because they are scripts, username and password is in plain.
> >
> > Although the script files are only readable by SYSTEM and Administrators, if a disk is stolen, someone could easily get the passwords by doing simple grep -r password ./*.
> >
> > Do you know some tool which could encode scripts?

instead of storing them plaintext, why don't you try encoding them via cryptographic hashes - md5, sha1, tiger and the like.

while it's still vulnerable to bruteforce if they get your hashed passwords, you can mitigate the risk by requiring longer/more complex passwords. at least it's not as easy as grep'ping for the plaintext password left alone naked all out in the open.

--
/nh