The password is written in the file bird.conf in plain text. So anyone who reads the file has the password and can change the configuration. I would like to know if it's possible to encrypt the password in the configuration file.
PR
----- Original Message -----
From: "Martin Kraus" <martin.kraus@wujiman.net>
To: "Pierre Rivenez" <pierre.rivenez@celeste.fr>
Cc: bird-users@network.cz
Sent: Thursday 12 May 2011 16:33:40 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: password encryption
On Thu, May 12, 2011 at 04:18:47PM +0200, Pierre Rivenez wrote:
I use bird for the ospf. I would like to use encryption. So I use a password for the ospf session, but the password is written in clear text in the file bird.conf. Is it a solution to encrypt this password in the configuration file?
I guess the problem is that you'd have to have the key to the encryption in plain somewhere on the computer as well which kind of defeats the purpose of password encryption in the configuration file.
mk
There are three solutions to that problem:
1) Change the file permissions to 600 or similar, and therefore preventing the whole world from reading it.
2) Generate the password using a call within the script.
3) Encrypt the configuration file with "gpg" or similar, then alter the init.d script to unencrypt it on launch, wait until it's fully parsed then delete the temporary file.
If you're that worried about people knowing the OSPF password on that machine, those people should not have access to that machine, IMO.
M
Make your bird.conf readable just for proper users (bird daemon and admin).
There is hardly any way to "encrypt" password, because bird daemon must decrypt it (ok, you can have separate file with encryption key, but you are in the same situation with key file).
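The file-permission advice in the two replies above (mode 600, readable only by the bird daemon and admin), as an added shell example that is not part of the original thread or of BIRD. It assumes Linux with GNU stat; the function names, the sample config and its placeholder password are constructed for illustration.

```shell
#!/bin/sh
# Added example, not BIRD project code. Assumes Linux with GNU stat.
# Flags a config that holds password statements and is accessible to
# "other" or writable by group; group read is tolerated (root:bird 640).
audit_bird_conf() {
    conf=$1
    if [ -L "$conf" ] || [ ! -f "$conf" ]; then
        echo "$conf: missing, or a symlink instead of a regular file"
        return 1
    fi
    # Files without a password statement hold no secret to protect.
    grep -Eq '^[[:space:]]*password[[:space:]]+"' "$conf" || return 0
    mode=$(stat -c '%a' "$conf")          # octal digits, e.g. 644
    rc=0
    if [ $(( 0$mode & 007 )) -ne 0 ]; then
        echo "$conf: mode $mode lets any local user access the password"
        rc=1
    fi
    if [ $(( 0$mode & 020 )) -ne 0 ]; then
        echo "$conf: mode $mode lets the group rewrite the file"
        rc=1
    fi
    return $rc
}

# Option 1 from the thread: owner-only read/write.
restrict_bird_conf() { chmod 600 "$1"; }

# Constructed sample config (the password is a placeholder).
make_sample_conf() {
    cat > "$1" <<'EOF'
protocol ospf {
    area 0 {
        interface "eth0" {
            authentication cryptographic;
            password "EXAMPLE-ONLY";
        };
    };
}
EOF
    chmod 644 "$1"
}

tmp=$(mktemp)
make_sample_conf "$tmp"
audit_bird_conf "$tmp" || restrict_bird_conf "$tmp"
audit_bird_conf "$tmp" && echo "$tmp: ok after chmod 600"
rm -f "$tmp"
```

Group read passes the audit so that a layout such as owner root, group bird, mode 640 still lets the daemon read its own config.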
On Thu, May 12, 2011 at 05:22:50PM +0200, David Rohleder wrote:
Make your bird.conf readable just for proper users (bird daemon and admin)
There is hardly any way to "encrypt" password, because bird daemon must decrypt it (ok, you can have separate file with encryption key, but you are in the same situation with key file)
well the only interesting application might be allowing users on the router access to the bird configuration. can't think of any real world example and I hardly think developers are going to implement it just because cisco has some kind of password obfuscation in their config.
mk
On Thu, May 12, 2011 at 05:15:15PM +0200, Pierre Rivenez wrote:
The password is written in the file bird.conf in plain text. So anyone who reads the file has the password and can change the configuration.
As other people wrote, the password has to be in plain text (or somewhat decodable without knowledge of any other secret, which is equivalent to plain text), because BIRD needs to know it. Also note that the password cannot be used by other people to change the configuration, as it is only used to 'sign' OSPF sessions.
--
Elen sila lumenn' omentielvo
Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
participants (5): David Rohleder, Martin Kraus, Matthew Walster, Ondrej Zajicek, Pierre Rivenez