All geek questions in one place

Password Encryption or Hashing

My situation is not very commo, or very comm for someone. I need to save some passwords in a database. Let me explain what I really need.

I have several servers that I need to access 3 times a day, every day, for a year, is a kind of non-stop service, the SSH service works in each of them, and I also have software that requests access to each of servers 3 times a day. Well, everything works fine as I want, the problem is PASSWORD! How to manage all passwords!

Today I have all the server passwords in the script (the same script that actually runs the SSH services), since I use SSH2 PHP Functions ssh2_auth_password() for authentication on the servers, but this is plain text.

how about this ssh2_ auth_ pubkey_ file() function? How do i use this?

Is it safe to store a password in my own scripts? I do not think so..

Then what to do in this case? If I save the password in the database, I will need to get a password for each request to the server (it is executed by cron), and if it is a hash, I can compare it with another hash in my script and return the plain text for my authenticate function, as before plain text .. (but I think this is not the best solution yet!).

EnCrypt passwords, then decrypt passwords every server request? maybe maybe ..

Does anyone have any ideas what is best to do in this situation?

I'm in the pool!

Thanks in advance for any light!

[EDITED]

My Arch is the Linux 2.6 kernel, most of which, the SaaS application runs on an external (neutral server) and CronJobs regularly work 3 times a day, all automatically on the command line, without human interaction.

[EDITED ONCE MORE]

Where should I generate a key pair? Is only one key pair enough for all my servers, including the SaaS APP server? or do i need to generate one at a time? A bit confused.

  CRON JOBS (fire servers) 3x/day ------------ | SaaS APP |________________________ ________------------_______ | | | | | | | | | ----------- ----------- ----------- | | SERVER1 | | SERVER2 | | SERVER3 | .... SERVER4 .... ----------- ----------- -----------

Thanks again!

+4
source share
3 answers

You are on the right track with ssh2_auth_pubkey_file() .

  • Create a public / private key pair via ssh-keygen .
  • Add the public key to ~/.ssh/authorized_keys on each server.
  • Copy the public and private keys to client computers and make them available only to the accounts that should use them.

  • Change your client authentication code something like this:

     $ssh_conn = ssh2_connect('my.server.addr', 22, array('hostkey'=>'ssh-rsa')); if (ssh2_auth_pubkey_file( $ssh_conn, 'sshuser', '/path/to/id_rsa.pub', '/path/to/id_rsa', 'key_passphrase' )) { echo "Success"; } else { echo "Failure"; }
+1
source

If you are doing in-server communication via ssh then definitely use publicickeys. If you just use password-based authentication, the password can be broken if the target server is hacked or the SSL tracker is configured. The problem is that you have to specify a password every time (well, you can use patches without a password, but better not). To overcome this difficulty, you can use public keys and an ssh agent that stores your auth passwords, so you only need to enter these passwords only once for each reboot.

Tutorial for Ubuntu for debian

+4
source

You can store your password encrypted in the database / file using the mcrypt_encrypt PHP function and automatically decrypt this password before each connection. Of course, you need another password to encrypt SSH passwords, this one can be saved in another file or, as mentioned earlier, promt for this password after each reboot and store it only in memory.

Example:

 <?php $output = mcrypt_encrypt(MCRYPT_TWOFISH, $key, $plaintextPassword, MCRYPT_MODE_ECB); //encode to base64 for easier manipulation $stored = base64_encode($output); ... $b64encoded = base64_decode($encryptedPassword); mcrypt_decrypt(MCRYPT_TWOFISH, $key, $b64encoded, MCRYPT_MODE_ECB) ?>
+1
source

Source: https://habr.com/ru/post/1387413/

More articles:


All Articles