"Eric Wertman" <ew******@gmail.comwrites:
I whipped up something using base64 and pickle, to keep them in
a dictionary and at least prevent them from being plain text, but it
seems a bit insecure all the same. Any ideas, much appreciated.
If you want people other than yourself to be able to run the scripts
without knowing any passwords, or if you want the scripts to work on
an unattended machine, this is traditionally quite a difficult
problem, solved by special purpose hardware in more serious
deployments. If you don't mind requiring a special master passphrase
to access the stored passwords, one approach might be:
- encrypt the passwords under some master key M, derived from a passphrase
- have a background process that holds M in ram, i.e. you start the
process and type the passphrase into it at the start of your work session.
The background process then takes requests from client processes that
are running on the same machine (not over the internet).
- Your scripts connect to the process to access the decrypted
passwords. The background operates over a local socket and
checks that any connecting process is running under your login
credentials. AF_UNIX sockets under Linux support these
operations but I think the standard Python socket module
currently doesn't implement them. I sort of remember seeing a
patch in the bug tracker for the purpose, but maybe I'm thinking
wishfully.
The ssh-agent program (part of openssh) supports storing a secret key in
a local socket listener. Maybe there is some way to use that program
to get at your passwords. A module for this would make a nice Python recipe.
