Re: Censoring configuration files

[Phil]

On 22 Jan 2002, Ronan KERYELL wrote:

> A meta-problem about using tools such as cfengine, FAI, JumpStart,... : many 
> people
> ask me my configuration files but they contain of course many passwords, PPP
> accounts, etc. :-(
>
> So I'm looking for a good way to automate the publication of my config
> file AND censoring sensitive information...
>
> Any idea for an elegant way ?
>
> To add some mark-up in config files ? But not always safe for the
> application ?
>
> To add an abstract description of each file describing what to overide ?
>
> < Insert your good idea here :-) >

What about a script that we'll call getpasswd that will look in a password
base (that will be as secure as the config files..).
They could be either plain text or crypted, as needed.

Possible implementation :


-------------------8<--------[getpasswd]-------
#! /bin/bash
BASE=/tmp/pwdbase
awk "/^$1[ \t]/ {print \$2}" < $BASE
-------------------8<--------------------------


-------------------8<--------[pwdbase]---------
rootmd5         4e8492ec9f7136f948fe129f5d6430ac
rootdes         17/Ep09Pgb6ZA
ppppap          password
-------------------8<--------------------------

So that the config files only contain things like that :
PASSWD=`getpasswd ppppap`

Moreover, if one passwd must be given in more than one place, you only
need to modify it at this centralised place to change it evrywhere.
And if theidentifiers are clear enough, this is a good point for config
files to be published.


(I hope the weather is good in Brest :))
-- 
Philippe Biondi <biondi@ cartel-securite.fr> Cartel Sécurité
Security Consultant/R&D                      http://www.cartel-securite.fr
Phone: +33 1 44 06 97 94                     Fax: +33 1 44 06 97 99
PGP KeyID:3D9A43E2  FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2