Skip Menu |
 

This queue is for tickets about the Net-SSH-Perl CPAN distribution.

Report information
The Basics
Id: 14175
Status: resolved
Priority: 0/
Queue: Net-SSH-Perl

People
Owner: Nobody in particular
Requestors: craig [...] lucent.com
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 1.28
Fixed in: (no value)



Subject: Password stored in plaintext
Download (untitled) / with headers
text/plain 338b
You can see the plaintext password for a user by using the following perl commands: use Data::Dumper ... $ssh->login($user, $passwd); print Dumper($ssh); I would recommend that the Net::SSH::Perl module store the password as encrypted text in its internal data structure. This will help protect the user from malicious users a bit more.
Download (untitled) / with headers
text/plain 518b
[guest - Mon Aug 15 16:47:57 2005]: Show quoted text
> I would recommend that the Net::SSH::Perl module > store the password as encrypted text in its internal > data structure.
You can't, not usefully. Encryption requires a key to encrypt and decrypt. Net::SSH::Perl must know that key. It has to store it somewhere in plaintext so someone can read the key and decrypt your password (and they can read the Net::SSH::Perl source code to figure out how its encrypted). You can encrypt the key, but then you need a key for that...
Download (untitled) / with headers
text/plain 1.3k
Actually, the Crypt::Simple perl module does a pretty good job at this, and it's simple to use: use Crypt::Simple; use Term::ReadKey; print "Password: "; ReadMode('noecho'); my $pw = encrypt(ReadLine(0)); ReadMode('restore'); print "\nencrypted: $pw\n"; print "decrypted: ", decrypt($pw), "\n"; It dynamically generates the key, based on the module name you're using. If you need other modules to be able to decrypt this, simply pass a pointer to the decrypt routine from the module where you encrypted it in. Or, if you want to specify the key, you can generate it yourself. This is not meant to thwart serious crackers. It is simply one step up from allowing a password from being printed in plaintext when you do a structure dumps during debugging other problems. Having hardcopy printouts of plaintext passwords is a bad thing. [MSCHWERN - Mon Sep 19 02:06:44 2005]: Show quoted text
> [guest - Mon Aug 15 16:47:57 2005]:
> > I would recommend that the Net::SSH::Perl module > > store the password as encrypted text in its internal > > data structure.
> > You can't, not usefully. Encryption requires a key to encrypt and > decrypt. Net::SSH::Perl must know that key. It has to store it > somewhere in plaintext so someone can read the key and decrypt your > password (and they can read the Net::SSH::Perl source code to figure > out > how its encrypted). > > You can encrypt the key, but then you need a key for that...
Download (untitled) / with headers
text/plain 143b
I'd take a patch, although it would have to skip the encryption if Crypt::Simple is not installed, but I'm not going to make the change myself.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.