Joe Martin wrote:
> For testing, I have been inputting some various user credentials into a
> database. The passwords are hashed (digested) with the SHA1 algorithm.
> I have a script set up to read these passwords, and use them for
> credentials for connecting to other machines to perform actions on each.
> As you can imagine, passwords in clear-text connect just fine, but I'm
> wondering if it's possible to force the host to verify the digested
> password, and allow the connection if the password matches the host's
> stored password.
No. If you were able to do this, then the "digested" password would
become equivalent to a clear-text password. That is, anyone who stole
the "digested" password would be able to use it to log in, so it's just
another password.
You could store the plaintext passwords two-way encrypted in your
database - i.e. so that you can unencrypt them when you need to use
them. Of course, whoever has access to both the database and the
decryption key can still get them. You could reduce this risk by not
storing the decryption key on disk, but instead prompting for the
decryption passphrase when your application starts. The downside is that
if the machine reboots, the application won't be able to run until the
passphrase has been entered again.
Now, you can also use SSH keys for authentication as has already been
mentioned, and this is a much better solution. Anyone who steals both
the private key and the key passphrase (or just the private key, if you
created it with no passphrase) will be able to use it to log in. But you
can minimise the risks by:
1. Prompting for the passphrase when your application starts and keeping
it in RAM
2. Configuring the access at the server side so that this particular key
only has access to the specific commands it needs to be able to run,
and/or is only acceptable from certain source IP addresses. See
"AUTHORIZED_KEYS FILE FORMAT" in 'man sshd'
Another benefit of ssh key authentication is that the same key can be
used to log in to hundreds of hosts. You can change the passphrase on the
key locally as often as you like, and don't need to make any changes on
those hosts.
--
Posted via http://www.ruby-forum.com/.