Store passwords required by a linux daemon


Problem description

I have written a linux daemon that will be (and must be) running as root. When it runs, there will not necessarily be anyone logged in as it is started by cron. That daemon needs to store some urls, uids and passwords as it connects to other servers (such as dropbox, google, windows servers etc).

Q: What is the best place and method to store those passwords?

I can't store hashes as I need the original url/uid/pwd to connect to the remote services.

There are only two options that I can see:

a) gnome-keyring-daemon
As far as I can tell, this requires a logged in user/session. I have experimented with starting it from my daemon (as root), collecting the returned environment variables and attempting to connect to it. So far this has failed.
b) a read-only file owned by root.
This could also be encrypted using (for example) the hostid, but the bottom line is that this approach relies on obscurity and root access.

Are there other options?
Many thanks.

Recommended answer

I faced this problem several times because people often get confused with enterprise security recommendations.

People usually get confused when having to implement client certificate authentication for SSL and read NO SELF-SIGNED CERTIFICATES ALLOWED, because having your own CA certificate signed by any external authority would not add anything.

People also get confused with the recommendation to STORE USERS' CREDENTIALS USING A SALTED HASH ALGORITHM and the need to store credentials for a daemon to access services like database servers or message brokers.

I always see the naïve solution of encrypting credentials with the password for the key stored in plain text somewhere else in the software, which will only cause problems for the system administrator, not for an intruder. Some time back I saw a software developer required to hash a generated key, store that hash in a text file and use that hash string as the key to encrypt/decrypt the file containing the credentials; the architect was unhappy until the actual key was a string that looked like a hashed password. Can you believe that?

You cannot rely on keyrings/keychains for daemons, because daemons should not be authenticating on behalf of users; if they are impersonating users they should be agents and should use the keyring/keychain available on each OS environment.
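As an added example (not code from the question or the answer), this is the "read-only file owned by root" option with the checks a daemon should make before trusting such a file: owned by the expected uid, a regular file, no group/other permission bits, opened without following symlinks, and created with the restrictive mode from the start. The key=value file format, the function names and the sample credentials are assumptions.

```python
import os
import stat

# Constructed example for the root-owned credentials file from the question.
# File format (an assumption, not from the thread): one key=value per line.
REQUIRED_KEYS = ("url", "uid", "pwd")

def load_credentials(path, expected_uid=None):
    """Return {key: value} from `path`, or raise if the file is unsafe to trust."""
    if expected_uid is None:
        expected_uid = os.geteuid()  # the daemon's own uid (root in the question)
    # O_NOFOLLOW: a symlink planted at the path must not redirect the read.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)  # check the descriptor we opened, not the path (no TOCTOU)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != expected_uid:
            raise PermissionError(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
        if st.st_mode & 0o077:  # any group/other bit set -> other accounts can read it
            raise PermissionError(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} too permissive")
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "r") as fh:  # fdopen takes ownership of fd and closes it
        text = fh.read()
    creds = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"{path}:{lineno}: expected key=value")
        creds[key.strip()] = value.strip()
    missing = [k for k in REQUIRED_KEYS if k not in creds]
    if missing:
        raise ValueError(f"{path}: missing {', '.join(missing)}")
    return creds

def write_credentials(path, creds, mode=0o600):
    """Create the file already restricted: O_EXCL refuses an existing file or a
    planted symlink, and the mode applies at creation (no 0644 window)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "w") as fh:
        for key, value in creds.items():
            fh.write(f"{key}={value}\n")
```

This does not remove the root-access dependency the question points out; it only makes the file approach fail closed when someone loosens the permissions.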
