storing passwords

Steve George python-group at rascal.remove_this_bit.org
Sun Jan 14 14:49:37 EST 2001


You _really_ don't want to store passwords unless you are in some ultra-clean
environment where you know you'll never get cracked - that is there is
_no_ external access (and even then!)

1)  Using telnet means you are in the clear so your passwords are at risk
on the system and in transit.  In addition you have no protection against
someone stealing your session - hunt will do this for example.  So an
attacker has a good chance to grab your password or just wait for
authentication and then steal the connection.

Use Ssh instead of telnet if you can.

2)  Whichever way you cut it you will risk passwords or authentication
info on the client when you are not in attendance.

a)  If you have to use Ssh public keys

b) If it's information you are grabbing why not write one script on the
server which ftps the information to a drop-box (some ftp space).  Then
write a client program which logs in and grabs the info.  By using a
drop-box at least you are only giving the attacker access to a
non-interactive login - using http/ssl password protected area is better.

Steve

In article <mailman.979457595.1335.python-list at python.org>, "Moshe Zadka"
<moshez at zadka.site.co.il> wrote:

> On Sun, 14 Jan 2001, "Brian Waskiewicz" <bwaskiew at indiana.edu> wrote:
> 
>> I have a Python script that makes a Telnet connection to a remote server
>> and right now I have the password just stored within my code.  I
>> don't like the idea of leaving the password available like that (the
>> script runs automatically every night, so I can't prompt the user for
>> it), so is there any other way to store the password in some kind of
>> encrypted fashion??
> 
> Read the fetchmail FAQ on ESR's site to see why this does not afford any
> kind of protection.
> (Hint: If you encrypt it, where would you put the key?)
>
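
One way to set up the Ssh public-key option from point 2a for an unattended nightly job, as an added example that is not part of the original thread. Host, user, path and key values are hypothetical placeholders; the key on the client is still exposed as point 2 says, so the server-side entry pins it to one command with no interactive login.

```python
import os
import stat

# Assumption: every host, user, path and key below is a constructed placeholder.

def key_file_is_private(path):
    """True if the private key is a regular file with no group/other access."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0

def build_ssh_argv(host, user, key_path, remote_command):
    """argv for an unattended ssh call that never falls back to a password."""
    if not key_file_is_private(key_path):
        raise PermissionError(f"{key_path} is accessible by group/other")
    return [
        "ssh",
        "-i", key_path,
        "-o", "BatchMode=yes",              # fail instead of prompting
        "-o", "IdentitiesOnly=yes",         # offer only this key
        "-o", "PasswordAuthentication=no",
        "-o", "StrictHostKeyChecking=yes",  # refuse unknown or changed host keys
        f"{user}@{host}",
        remote_command,  # ignored by the server once a forced command is set
    ]

def authorized_keys_entry(public_key, forced_command):
    """Server-side authorized_keys line: one fixed command, no shell, no forwarding."""
    if '"' in forced_command or "\n" in forced_command:
        raise ValueError("forced command must not contain quotes or newlines")
    options = [
        f'command="{forced_command}"',
        "no-pty",
        "no-port-forwarding",
        "no-agent-forwarding",
        "no-X11-forwarding",
    ]
    return ",".join(options) + " " + public_key.strip()

if __name__ == "__main__":
    # Constructed sample public key, not a real one.
    pub = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleOnly nightly-job"
    print(authorized_keys_entry(pub, "/usr/local/bin/nightly-report"))
```
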


