[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Censoring configuration files

From: Phil
Subject: Re: Censoring configuration files
Date: Tue, 22 Jan 2002 17:01:10 +0100 (CET)

On 22 Jan 2002, Ronan KERYELL wrote:

> A meta-problem about using tools such as cfengine, FAI, JumpStart,... : many 
> people
> ask me my configuration files but they contain of course many passwords, PPP
> accounts, etc. :-(
> So I'm looking for a good way to automate the publication of my config
> file AND censoring sensitive information...
> Any idea for an elegant way ?
> To add some mark-up in config files ? But not always safe for the
> application ?
> To add an abstract description of each file describing what to overide ?
> < Insert your good idea here :-) >

What about a script that we'll call getpasswd that will look in a password
base (that will be as secure as the config files..).
They could be either plain text or crypted, as needed.

Possible implementation :

#! /bin/bash
awk "/^$1[ \t]/ {print \$2}" < $BASE

rootmd5         4e8492ec9f7136f948fe129f5d6430ac
rootdes         17/Ep09Pgb6ZA
ppppap          password

So that the config files only contain things like that :
PASSWD=`getpasswd ppppap`

Moreover, if one passwd must be given in more than one place, you only
need to modify it at this centralised place to change it evrywhere.
And if theidentifiers are clear enough, this is a good point for config
files to be published.

(I hope the weather is good in Brest :))
Philippe Biondi <biondi@> Cartel Sécurité
Security Consultant/R&D            
Phone: +33 1 44 06 97 94                     Fax: +33 1 44 06 97 99
PGP KeyID:3D9A43E2  FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2

reply via email to

[Prev in Thread] Current Thread [Next in Thread]