Storing Passwords

Paul Rubin
Wed Aug 20 22:33:11 EDT 2008


"Eric Wertman" <ewertman at gmail.com> writes:
> I whipped up something using base64 and pickle, to keep them in
> a dictionary and at least prevent them from being plain text, but it
> seems a bit insecure all the same. Any ideas, much appreciated.

If you want people other than yourself to be able to run the scripts
without knowing any passwords, or if you want the scripts to work on
an unattended machine, this is traditionally quite a difficult
problem, solved by special purpose hardware in more serious
deployments.  If you don't mind requiring a special master passphrase
to access the stored passwords, one approach might be:

   - encrypt the passwords under some master key M, derived from a passphrase

   - have a background process that holds M in RAM, i.e. you start the
     process and type the passphrase into it at the start of your work session.
     The background process then takes requests from client processes that
     are running on the same machine (not over the internet).

   - Your scripts connect to the process to access the decrypted
     passwords.  The background process operates over a local socket and
     checks that any connecting process is running under your login
     credentials.  AF_UNIX sockets under Linux support these
     operations but I think the standard Python socket module
     currently doesn't implement them.  I sort of remember seeing a
     patch in the bug tracker for the purpose, but maybe I'm thinking
     wishfully.

The ssh-agent program (part of openssh) supports storing a secret key in
a local socket listener.  Maybe there is some way to use that program
to get at your passwords.  A module for this would make a nice Python recipe.
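An added example, not from the original post, of the peer-credential check the reply describes: on Linux the standard socket module now exposes SO_PEERCRED, so a local agent holding the secrets in RAM can refuse any client that is not running under its own uid. It assumes Linux (SO_PEERCRED is Linux-specific), uses a constructed in-memory secret dict instead of passwords encrypted under M, and fails closed whenever the peer cannot be verified.

```python
"""Added example (not from the original post): deny access to an in-RAM
secret store unless the AF_UNIX peer runs under the agent's own uid."""
import os
import socket
import struct

PEERCRED_SUPPORTED = hasattr(socket, "SO_PEERCRED")  # Linux only
_UCRED = struct.Struct("iII")  # struct ucred { pid_t pid; uid_t uid; gid_t gid; }


def peer_credentials(conn):
    """(pid, uid, gid) of the process on the other end of an AF_UNIX socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)


def peer_allowed(conn, allowed_uid):
    """Fail closed: no credentials, or a different uid, means no access."""
    if not PEERCRED_SUPPORTED:
        return False
    try:
        _pid, uid, _gid = peer_credentials(conn)
    except OSError:
        return False
    return uid == allowed_uid


def handle_request(conn, secrets, allowed_uid):
    """Serve one 'get <name>' request from the dict the agent holds in RAM."""
    if not peer_allowed(conn, allowed_uid):
        conn.sendall(b"DENIED\n")
        return False
    line = conn.recv(256).decode(errors="replace").strip()
    cmd, _, name = line.partition(" ")
    reply = secrets.get(name, b"") if cmd == "get" else b""
    conn.sendall(reply + b"\n")
    return True


def run_demo():
    """Exercise the grant and deny branches over a socketpair."""
    secrets = {"db": b"hunter2"}  # constructed; a real agent decrypts these under M
    results = []
    for allowed in (os.getuid(), os.getuid() + 1):  # own uid, then a foreign uid
        server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        with server, client:
            client.sendall(b"get db")
            ok = handle_request(server, secrets, allowed)
            results.append(ok and client.recv(64) == b"hunter2\n")
    return tuple(results)
```

A real agent would bind a listening AF_UNIX socket in a directory with mode 0700 and call handle_request on each accepted connection; the socketpair here only stands in for that accept loop.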
