Qed,
Not sure if "mask the passphrase in a non-obvious way" does justice to
encrypting it with a filter and strong algorithm - ref.
<http://search.cpan.org/~beatnik/Filter-CBC-0.09/CBC.pm>. Were you
thinking I was only hiding it in clear text?
In any event, I agree with you - access to my script should be extremely
limited both from a permissions standpoint and location (firewall).
John_inDenver
Qed wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
On 04/07/2006 04:16 PM, John M Church wrote:
I think it's simplistic to just brush off this request as a user who
wants convenience. There are very valid reasons for automated
decryption. I'm working on a similar project (and have my own issue - see
"Automated Decryption via Script Running Setuid" written 4/5/06). Seems
to me if you protect your script and you are behind a firewall you're
not 'trading security for convenience'.
You can even encrypt the passphrase in your script if you're afraid
someone with sudo or root privileges could open your script.
???
If you encrypt the passphrase in your script you still need a secure way
to provide the key to decrypt it, same problem as providing the passphrase.
Instead, if you meant "mask the passphrase in a non-obvious way",
this solution offers no additional security, since that could be easily
reversed having access to the script.
- --
Q.E.D.
ICQ UIN: 301825501
OpenPGP key ID: 0x58D14EB3
Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3
Check fingerprints before trusting a key!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFENpdgH+Dh0Dl5XacRAzugAJ4pW92ux9VYNp/wg8fYcWBdfcBVnACgib6v
euCOOtD4KGRXjSjPmf5h0f0=
=gVPv
-----END PGP SIGNATURE-----
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
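
Both posts arrive at the same control: because the key that decrypts the passphrase has to sit where the script can reach it, what protects the passphrase is who can read or replace the script file. The following is an added example, not code from the thread or from GnuPG, that checks this for a given script; the function name `audit_secret_script` and the sample file name are assumptions.

```python
import os
import stat
import tempfile


def audit_secret_script(path, expected_uid=None):
    """Return findings for a script file that embeds a passphrase or key."""
    findings = []
    path = os.path.realpath(path)
    st = os.stat(path)
    if expected_uid is None:
        expected_uid = os.getuid()
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    # Any group/other permission bit on the file exposes the embedded secret.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"{path}: mode {mode:04o} grants group/other access")
    # A directory writable by others lets them swap in a different script,
    # unless the sticky bit restricts rename/delete to the file's owner.
    parent = os.path.dirname(path)
    pst = os.stat(parent)
    others_can_write = pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    if others_can_write and not (pst.st_mode & stat.S_ISVTX):
        mode = stat.S_IMODE(pst.st_mode)
        findings.append(f"{parent}: mode {mode:04o} is writable by group/other")
    return findings


if __name__ == "__main__":
    # Constructed sample: a throwaway file standing in for the real script.
    workdir = tempfile.mkdtemp()
    script = os.path.join(workdir, "decrypt_job.pl")
    with open(script, "w") as fh:
        fh.write("# placeholder for a script holding a passphrase\n")
    for file_mode in (0o755, 0o700):
        os.chmod(script, file_mode)
        print(f"{file_mode:04o}:", audit_secret_script(script) or "no findings")
```

File modes do not restrict root or an account with sudo, which is the case raised in the thread; this check only covers other unprivileged users on the host.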