Re: Censoring configuration files
From: Phil
Subject: Re: Censoring configuration files
Date: Tue, 22 Jan 2002 17:01:10 +0100 (CET)
On 22 Jan 2002, Ronan KERYELL wrote:
> A meta-problem about using tools such as cfengine, FAI, JumpStart,... : many
> people ask me for my configuration files but they contain of course many
> passwords, PPP accounts, etc. :-(
>
> So I'm looking for a good way to automate the publication of my config
> file AND censoring sensitive information...
>
> Any idea for an elegant way ?
>
> To add some mark-up in config files ? But not always safe for the
> application ?
>
> To add an abstract description of each file describing what to override ?
>
> < Insert your good idea here :-) >
What about a script that we'll call getpasswd that will look in a password
base (that will be as secure as the config files..).
They could be either plain text or crypted, as needed.
Possible implementation :
-------------------8<--------[getpasswd]-------
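#! /bin/bash
# Print the secret stored under the identifier given as $1.
BASE=/tmp/pwdbase
# The identifier is passed as an awk variable and compared literally, so it is never parsed as a regex or as awk code.
awk -v key="$1" '$1 == key {print $2}' < "$BASE"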
-------------------8<--------------------------
-------------------8<--------[pwdbase]---------
rootmd5 4e8492ec9f7136f948fe129f5d6430ac
rootdes 17/Ep09Pgb6ZA
ppppap password
-------------------8<--------------------------
So that the config files only contain things like that :
PASSWD=`getpasswd ppppap`
Moreover, if one passwd must be given in more than one place, you only
need to modify it at this centralised place to change it everywhere.
And if the identifiers are clear enough, this is a good point for config
files to be published.
(I hope the weather is good in Brest :))
--
Philippe Biondi <biondi@ cartel-securite.fr> Cartel Sécurité
Security Consultant/R&D http://www.cartel-securite.fr
Phone: +33 1 44 06 97 94 Fax: +33 1 44 06 97 99
PGP KeyID:3D9A43E2 FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2
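
A pre-publication check that fits the scheme in the message above, as an added example that is not part of the original post: before config files are handed out, it verifies that no value stored in the pwdbase still appears literally in them. The function names find_leaks and demo and the sample secrets are constructed for illustration.

```bash
#!/bin/bash
# find_leaks PWDBASE FILE...
# Prints "file:line:identifier" for every config line that still contains a
# secret from PWDBASE literally; returns 1 if any such line exists.
# Only the identifier is printed, so the report itself can be shared.
find_leaks() {
    local base=$1; shift
    awk '
        # First operand is the password base: remember identifier -> secret.
        FILENAME == ARGV[1] { if (NF >= 2) secret[$1] = $2; next }
        {
            for (id in secret)
                # index() is a literal substring search, so secrets holding
                # regex metacharacters ("/" or "." in hashes) match safely.
                if (index($0, secret[id])) {
                    printf "%s:%d:%s\n", FILENAME, FNR, id
                    found = 1
                }
        }
        END { exit (found ? 1 : 0) }
    ' "$base" "$@"
}

# Constructed sample data (not from the original post).
demo() {
    local dir rc
    dir=$(mktemp -d) || return 2
    printf 'ppppap s3cr3t-ppp\nrootdes ab/cd.EFgh12\n' > "$dir/pwdbase"
    printf 'USER=ronan\nPASSWD=`getpasswd ppppap`\n'   > "$dir/ok.conf"
    printf 'USER=ronan\nPASSWD=s3cr3t-ppp\n'           > "$dir/bad.conf"
    find_leaks "$dir/pwdbase" "$dir/ok.conf" "$dir/bad.conf"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo || echo "literal secret found: do not publish"
```

A short or common secret (such as the `password` value in the pwdbase above) will also match harmless lines, so treat each hit as a line to review before publishing.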