
Re: [Fab-user] Encrypting passwords


From: Jeff Forcier
Subject: Re: [Fab-user] Encrypting passwords
Date: Fri, 27 Apr 2012 14:31:18 -0700

In that situation, one best practice is still to use SSH key auth, to
make that the *only* method of logging into the server (i.e. disallow
password auth), and then to set up one or more passwordless sudo
accounts.

Opinions on this vary but the idea is that key-only auth + otherwise
tight security is sufficient to protect shell access, and at that
point, passwordless sudo is an acceptable tradeoff to make scripting
easier.

If you must use passwordful sudo and want the passwords stored in an
encrypted fashion local to your fabfile, then I personally have no
suggestions other than "it's just Python" :) There's lots of crypto
libs out there with Python clients, so it comes down to what works
best for your use case re: encrypting and then decrypting the
password.

All that Fabric cares about is that at the time it's executing
`sudo()`, `env.password` is a plaintext value it can echo back to the
server's password prompt.

Best,
Jeff

On Fri, Apr 27, 2012 at 2:14 PM, JA <address@hidden> wrote:
> Hi Jeff;
>
> The issue is that I need to have a method to store sudo passwords that
> are encrypted.  SSH keys will not get around this.
>
> Any ideas would be greatly appreciated!
>
>
> On Fri, Apr 27, 2012 at 3:22 PM, Jeff Forcier <address@hidden> wrote:
>> Hi J,
>>
>> env.password is a "lowest common denominator" method of preserving
>> passwords you'd otherwise enter by hand. It's not designed for
>> anything greater.
>>
>> If you want to start getting security conscious, the best practice is
>> to use SSH private key authentication. Then you simply stop using
>> env.password entirely and rely on distributing SSH keypair(s) to your
>> users/servers.
>>
>> Fabric will load SSH agents and private keys stored in user home
>> directories by default, and can be told to load additional keys with
>> the -i flag or the env.key_filename settings -- check the docs for
>> details.
>>
>> Best,
>> Jeff
>>
>> On Fri, Apr 27, 2012 at 9:46 AM, JA <address@hidden> wrote:
>>> Hi Everyone;
>>>
>>> I am looking for suggestions for the best way to handle passwords in
>>> fabfiles.  Specifically, I would like to be able to generate a password
>>> hash of the user's sudo password and store this in the fabfile
>>> (env.password)
>>>
>>> Has anyone done this?  Any suggestions? :)
>>>
>>> Thanks!
>>> J
>>>
>>> _______________________________________________
>>> Fab-user mailing list
>>> address@hidden
>>> https://lists.nongnu.org/mailman/listinfo/fab-user
>>
>>
>>
>> --
>> Jeff Forcier
>> Unix sysadmin; Python/Ruby engineer
>> http://bitprophet.org



-- 
Jeff Forcier
Unix sysadmin; Python/Ruby engineer
http://bitprophet.org
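
The setup recommended in the reply above (key-only SSH login plus a deliberate set of passwordless sudo accounts) can be verified from the server's configuration text. The following is an added example, not part of the original thread or of Fabric; it audits only the global section of sshd_config, and the sample file contents and account names are constructed.

```python
import re

# OpenSSH defaults that apply when a keyword is absent from sshd_config.
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}
# Assumption: the older keyword is treated as the same setting (current OpenSSH).
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def sshd_global_settings(text):
    """Effective global values: the first occurrence of a keyword wins."""
    seen = {}
    for raw in text.splitlines():
        tokens = re.split(r"[\s=]+", raw.strip())
        if len(tokens) < 2 or tokens[0].startswith("#"):
            continue  # blank lines, comments, keywords without a value
        key = ALIASES.get(tokens[0].lower(), tokens[0].lower())
        if key == "match":
            break  # assumption: only the global section is audited
        if key in DEFAULTS:
            seen.setdefault(key, tokens[1].lower())
    return {**DEFAULTS, **seen}

def key_only_auth(text):
    """True only if keys are enabled and both password paths are off."""
    s = sshd_global_settings(text)
    return (s["pubkeyauthentication"] == "yes"
            and s["passwordauthentication"] == "no"
            and s["kbdinteractiveauthentication"] == "no")

def nopasswd_entries(text):
    """(who, commands) for each sudoers rule tagged NOPASSWD, to review scope."""
    found = []
    for line in re.sub(r"\\\n", " ", text).splitlines():  # fold continuations
        if line.lstrip().startswith(("#", "Defaults")):
            continue  # comments and Defaults (assumes no '#uid' user specs)
        m = re.match(r"\s*(\S+)\s+.*?NOPASSWD:\s*(.+)$", line)
        if m:
            found.append((m.group(1), " ".join(m.group(2).split())))
    return found

# Constructed sample files; 'deploy', '%ops', 'alice', 'backup' are hypothetical.
SAMPLE_SSHD = ("PasswordAuthentication no\nChallengeResponseAuthentication no\n"
               "Match User backup\n    PasswordAuthentication yes\n")
SAMPLE_SUDOERS = """Defaults env_reset
deploy ALL=(ALL) NOPASSWD: ALL
%ops ALL=(root) NOPASSWD: /usr/sbin/service nginx reload, \\
    /usr/sbin/service nginx status
alice ALL=(ALL) ALL
"""
```
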


