Re: [Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?

2015-02-01 Thread markw
This is a common problem and there are some common guidelines that allow
you to run your program almost anywhere.

Store your passwords in an external file.
The passwords must be encrypted using at least 1024 bit encryption with
some sort of salt. AES is probably your best bet.
The file must be readable *only* by the administrator.
Do NOT roll your own encryption, use openssl.


> Related to my previous database questions...
>
> Normally I think of a program as trusting itself, having some integrity,
> maybe not even having gaping bugs or security holes. But what if the
> program I am writing is talking to another, such as Postgres? Postgres
> has the ability to do passwords, so do I just put a password in my
> program source? Set Postgres to only accept local connections, and hope
> for the best? Seems wrong. Do I try to put both in a chroot or something?
>
> My program already has to hope that its program files are secured by the
> hosting OS, but at least if it isn't opening up a network port it stays
> a rather contained problem.
>
> (I want multiple programs talking to the database, so no, I can't just
> link in Sqlite.)
>
> Seems a general problem of securing interprocess communications.
>
> Thoughts?
>
> Thanks,
>
> -kb, the Kent who knows that people Google for passwords, search github
> for passwords, and get a lot of juicy results.
> ___
> Discuss mailing list
> Discuss@blu.org
> http://lists.blu.org/mailman/listinfo/discuss
>




Re: [Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?

2015-02-01 Thread Edward Ned Harvey (blu)
> From: Kent Borg [mailto:kentb...@borg.org]
> 
> On 01/31/2015 06:03 PM, Edward Ned Harvey (blu) wrote:
> > Depends on a lot of stuff. What language? Running on a system you own,
> > or deployed to someone else, etc?
> 
> Daemons, written in Python, on a machine I fully control.

The best you can do is put the passwords into a config file with locked-down 
permissions.  Make sure the passwords are randomly generated, and securely 
communicated with the server - SSL or whatever.

Although it doesn't provide real security, it does no harm to use some 
obfuscation - Encrypt with a key that's hard-coded into the application.
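
The "config file with locked-down permissions" advice only holds if the daemon also refuses a file whose permissions have drifted. An added example, not part of the original message: a Python loader that checks owner and mode on the open descriptor before trusting the contents. The names `load_secret`, `InsecureSecretFile` and `db.pass` are hypothetical, and the sample password is constructed.

```python
import os
import stat


class InsecureSecretFile(Exception):
    """The credentials file is reachable by accounts that should not see it."""


def load_secret(path, allowed_owners=None):
    """Return the password stored in `path`, or raise if it is not locked down."""
    if allowed_owners is None:
        allowed_owners = {0, os.geteuid()}  # root or the daemon's own account
    # O_NOFOLLOW: fail instead of following a symlink planted at `path`.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with open(fd, "r", encoding="utf-8") as handle:
        # fstat the descriptor we hold, so the checks apply to the file that
        # is actually read even if the name is re-pointed in the meantime.
        info = os.fstat(handle.fileno())
        if not stat.S_ISREG(info.st_mode):
            raise InsecureSecretFile(f"{path}: not a regular file")
        if info.st_uid not in allowed_owners:
            raise InsecureSecretFile(f"{path}: owned by uid {info.st_uid}")
        if info.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            mode = stat.S_IMODE(info.st_mode)
            raise InsecureSecretFile(
                f"{path}: mode {mode:04o} allows group/other access")
        return handle.read().strip()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as workdir:
        demo = os.path.join(workdir, "db.pass")  # constructed sample file
        with open(demo, "w") as out:
            out.write("constructed-sample-password\n")
        os.chmod(demo, 0o600)
        print("0600:", load_secret(demo))
        os.chmod(demo, 0o644)
        try:
            load_secret(demo)
        except InsecureSecretFile as err:
            print("0644:", err)
```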


Re: [Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?

2015-01-31 Thread Richard Pieri

On 1/31/2015 6:25 PM, Kent Borg wrote:
> Daemons, written in Python, on a machine I fully control.

If you fully control it then you don't need authentication.

> Because this is only used to communicate within the machine, no one
> else cares whether it changes. A file with narrow permissions is
> safer than trusting "localhost" restrictions.

Not really. For example, attacker exploits a vulnerability to briefly 
acquire root shell access. Attacker uses this to do two things: read the 
password and run "chattr +i ${file}". Now your attacker has the current 
password and has taken a step to prevent it from being changed.


--
Rich P.


Re: [Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?

2015-01-31 Thread Kent Borg

On 01/31/2015 06:30 PM, Gordon Marx wrote:
> None of that matters.

Huh?

> Code goes in version control. Secrets that you want to keep secret don't.
> Therefore, you can't put secrets into your code.

Yes, that's why I brought up the question. We agree.

> Write the username and password into a configuration file,

That is my current approach.

> get the username and password from the environment, or use a non-password auth
> mechanism like an SSL certificate.

Even more non-standard, make up a new one every time the OS boots, set 
the postgres password then, too.

Because this is only used to communicate within the machine, no one else 
cares whether it changes. A file with narrow permissions is safer than 
trusting "localhost" restrictions.


-kb



Re: [Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?

2015-01-31 Thread Gordon Marx
None of that matters. Code goes in version control. Secrets that you want to 
keep secret don't. Therefore, you can't put secrets into your code.

Write the username and password into a configuration file, get the username and 
password from the environment, or use a non-password auth mechanism like an SSL 
certificate.


> On Jan 31, 2015, at 6:25 PM, Kent Borg  wrote:
> 
>> On 01/31/2015 06:03 PM, Edward Ned Harvey (blu) wrote:
>> Depends on a lot of stuff. What language? Running on a system you own, or 
>> deployed to someone else, etc? 
> 
> Daemons, written in Python, on a machine I fully control.
> 
> -kb
> 


Re: [Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?

2015-01-31 Thread Kent Borg

On 01/31/2015 06:03 PM, Edward Ned Harvey (blu) wrote:
> Depends on a lot of stuff. What language? Running on a system you own,
> or deployed to someone else, etc?

Daemons, written in Python, on a machine I fully control.

-kb



Re: [Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?

2015-01-31 Thread Edward Ned Harvey (blu)
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On
> Behalf Of Kent Borg
> 
> My program already has to hope that its program files are secured by the
> hosting OS, but at least if it isn't opening up a network port it stays
> a rather contained problem.

Depends on a lot of stuff.  What language?  Running on a system you own, or 
deployed to someone else, etc?  

Normally, passwords that your app needs in order to connect to some other thing 
should be stored in a config file.  Ideally, it should be an OS-encrypted 
store, for example in C# I would use ProtectedData.  This encrypts the file on 
disk using a complex set of login stuff to derive a key specific to the logged 
in user - or in mono, the mono MRE generates random keys and stores them in a 
protected subdir in the users' home dir, so once again it's protected to the 
logged in user.




Re: [Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?

2015-01-31 Thread Richard Pieri

On 1/31/2015 1:53 PM, Kent Borg wrote:
> How about this: Give every boot, of every box running the code, its own
> unique password.

If Postgres reads the random password before the password randomizer 
finishes then Postgres will have the previous boot's password or an 
incomplete password from a partially-written file. Nothing can 
authenticate as a result. You could embed the randomizer in the Postgres 
startup code so it runs sequentially but now you have another piece of 
code that you have to maintain. If at a later date you have to split the 
database engine and the application between different servers then the 
whole thing falls apart and you're back to square 1. So no, not really 
as simple as it might seem at first.


Put the effort into implementing a standard, secure authentication 
system instead of a hack. It's more work up front but it avoids on-going 
hassles over the life of the system. Use your existing authentication 
infrastructure if you have one and let whoever runs it deal with key 
management. That's their job.


--
Rich P.


Re: [Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?

2015-01-31 Thread Kent Borg
All I am doing is connecting the server with the client code, on the 
same machine. I don't care what the password is, only that the two 
agree, on any given box.


How about this: Give every boot, of every box running the code, its own 
unique password.


At every boot, create a new password in a boot script (read a UUID out 
of /proc/sys/kernel/random/uuid). Give it to Postgres and put it in a 
config file with reasonable ownership restrictions appropriate to be 
read by the client code.


Seems pretty simple.

-kb

P.S. Also turn off all but loopback access to the server process.
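
The per-boot password proposed here runs into the partially-written-file problem raised in Richard Pieri's reply; writing the new value to a temporary file and renaming it over the old one means a reader sees either the complete old password or the complete new one. An added example, not code from the thread: it uses `secrets.token_urlsafe` in place of the UUID read from /proc, and the names `rotate_boot_password`, `write_secret_atomically`, the `owner` parameter and `db.pass` are hypothetical. Setting the same password on the Postgres role, and ordering that step before Postgres clients start, is left to the boot script.

```python
import os
import secrets
import tempfile


def write_secret_atomically(path, secret, owner=None):
    """Replace `path` with a 0600 file holding `secret`, never a partial one."""
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file with mode 0600. Using the destination directory
    # keeps the final rename on one filesystem, where it is atomic on POSIX.
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".pw-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as tmp:
            tmp.write(secret + "\n")
            tmp.flush()
            os.fsync(tmp.fileno())  # contents on disk before the name changes
            if owner is not None:   # (uid, gid) of the client account; needs root
                os.fchown(tmp.fileno(), *owner)
        os.replace(tmp_path, path)  # readers see the old file or the new one
    except BaseException:
        # On any failure the previous password file is left untouched.
        try:
            os.unlink(tmp_path)
        except FileNotFoundError:
            pass
        raise


def rotate_boot_password(path, owner=None):
    """Generate a fresh random password, store it at `path`, and return it."""
    password = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    write_secret_atomically(path, password, owner)
    return password


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "db.pass")  # constructed sample path
        rotate_boot_password(target)
        print(oct(os.stat(target).st_mode & 0o777), os.listdir(workdir))
```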


Re: [Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?

2015-01-31 Thread Richard Pieri
Rather than password authentication you should look at other mechanisms 
like SSH's public key authentication or Kerberos keytabs. What's 
probably better is to use a role-based access control mechanism where 
only processes with the requisite roles can access the secure system.


--
Rich P.


Re: [Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?

2015-01-31 Thread Matthew Gillen
Set up postgres to only allow connections from the loopback.  Put the db
credentials in a file, then rely on file-system permissions and/or
SElinux to prevent access to that file from other processes on the
system.  This is the sort of thing SELinux is really designed for.

Matt

On 1/31/2015 10:56 AM, Eric Chadbourne wrote:
> FWIW, in PHP you often put the PostgreSQL user credentials in the code.  
> Usually a config file somewhere.  You can also place sensitive files outside 
> of your web root with proper permissions.  If all running on a local box I 
> don’t open the ports or set the db config to allow other connections.  It 
> seems reasonably secure.
> 
> I am curious as to what others do.
> 
> The PostgreSQL docs have a ton of great info.
> 
> - Eric
> 
> 
> 
>> On Jan 31, 2015, at 10:28 AM, Kent Borg  wrote:
>>
>> Related to my previous database questions...
>>
>> Normally I think of a program as trusting itself, having some integrity, 
>> maybe not even having gaping bugs or security holes. But what if the 
>> program I am writing is talking to another, such as Postgres? Postgres has 
>> the ability to do passwords, so do I just put a password in my program 
>> source? Set Postgres to only accept local connections, and hope for the 
>> best? Seems wrong. Do I try to put both in a chroot or something?
>>
>> My program already has to hope that its program files are secured by the 
>> hosting OS, but at least if it isn't opening up a network port it stays a 
>> rather contained problem.
>>
>> (I want multiple programs talking to the database, so no, I can't just link 
>> in Sqlite.)
>>
>> Seems a general problem of securing interprocess communications.
>>
>> Thoughts?
>>
>> Thanks,
>>
>> -kb, the Kent who knows that people Google for passwords, search github for 
>> passwords, and get a lot of juicy results.


Re: [Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?

2015-01-31 Thread Eric Chadbourne
FWIW, in PHP you often put the PostgreSQL user credentials in the code.  
Usually a config file somewhere.  You can also place sensitive files outside of 
your web root with proper permissions.  If all running on a local box I don’t 
open the ports or set the db config to allow other connections.  It seems 
reasonably secure.

I am curious as to what others do.

The PostgreSQL docs have a ton of great info.

- Eric



> On Jan 31, 2015, at 10:28 AM, Kent Borg  wrote:
> 
> Related to my previous database questions...
> 
> Normally I think of a program as trusting itself, having some integrity, 
> maybe not even having gaping bugs or security holes. But what if the 
> program I am writing is talking to another, such as Postgres? Postgres has 
> the ability to do passwords, so do I just put a password in my program 
> source? Set Postgres to only accept local connections, and hope for the best? 
> Seems wrong. Do I try to put both in a chroot or something?
> 
> My program already has to hope that its program files are secured by the 
> hosting OS, but at least if it isn't opening up a network port it stays a 
> rather contained problem.
> 
> (I want multiple programs talking to the database, so no, I can't just link 
> in Sqlite.)
> 
> Seems a general problem of securing interprocess communications.
> 
> Thoughts?
> 
> Thanks,
> 
> -kb, the Kent who knows that people Google for passwords, search github for 
> passwords, and get a lot of juicy results.


[Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?

2015-01-31 Thread Kent Borg

Related to my previous database questions...

Normally I think of a program as trusting itself, having some integrity, 
maybe not even having gaping bugs or security holes. But what if the 
program I am writing is talking to another, such as Postgres? Postgres 
has the ability to do passwords, so do I just put a password in my 
program source? Set Postgres to only accept local connections, and hope 
for the best? Seems wrong. Do I try to put both in a chroot or something?


My program already has to hope that its program files are secured by the 
hosting OS, but at least if it isn't opening up a network port it stays 
a rather contained problem.


(I want multiple programs talking to the database, so no, I can't just 
link in Sqlite.)


Seems a general problem of securing interprocess communications.

Thoughts?

Thanks,

-kb, the Kent who knows that people Google for passwords, search github 
for passwords, and get a lot of juicy results.
