Encrypting and decrypting a password with an ssh key

Posted 2024-10-02 01:24:04

My Python script (Python 2.6, on Debian Linux) asks the user for a password, which is then saved in the user's home directory.

Because I don't want to save the password as plain text, I want to encrypt it somehow. So I thought that maybe I could use the (private) ssh key of the user to encrypt and decrypt the password that's saved in the file, so that only someone with access to the private ssh key can decrypt the saved password.

Is it a good idea to use the private ssh key for this? How can I use the key to encrypt a string in Python?

(By the way, I don't want to use keyring and things like that.)

EDIT

Okay, I understand it's a bad idea to use the user's ssh key for stuff like that.
Instead I'm now just using base64 encoding, as described here:
How does one encode and decode a string with Python for use in a URL?
Of course it's not safe when someone reads my Python script. But it's enough for me, not having to save the password as plain text.

Comments (2)

感情洁癖 2024-10-09 01:24:04

The only thing that's definitely worth doing is storing the file so that only the user can read it.

Your argument for using the ssh key seems to be something like the following:

  1. I need to store a password, so I'll encrypt it.
  2. If I use the user's ssh key to do the encryption, this will prevent someone from decrypting the password even if they have the source of my script, because only the user can read their ssh key.

If you store the encrypted password in a file only the user can read, you get the same benefit as using the ssh key without having to bother with reading the user's ssh keys at all.

I agree there's some benefit to not storing the password in plain text, to prevent someone logged in as root from just doing:

cat secret-password

to get the password, but remember it would be easy to find the line in your Python script which said:

password = decrypt-password(data)

and add the following line:

print "The user's password is",password

Something like os.fchown() would do the trick to protect the file, as would just creating the file with the correct permissions in the first place.

You could base64-encode the password so it is not plain text, but if we assume an attacker can read and edit your script, the only thing which will protect the user is the attacker not being able to read the file containing the encrypted password.

If you're really worried about this, just prompt the user for the password each time they run the script.
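
The following is an added example, not code from the question or the answer above, showing the one thing the answer says is worth doing: creating the password file with owner-only permissions from the start, and refusing to use it if those permissions are ever loosened (the same check OpenSSH applies to private keys). It is written for Python 3 rather than the question's Python 2.6, and it sets the mode via os.open and os.fchmod, since the permission bits rather than the owner are what gate read access. The file name secret-password and the sample password hunter2 are constructed for the example. Note what the example does not do: base64 is an encoding, and load_secret reverses it with no key, and the permission check cannot stop root, who ignores permission bits entirely.

```python
import base64
import os
import stat
import tempfile


def save_secret(path, secret, mode=0o600):
    """Write `secret` to `path` as a file readable only by its owner.

    The data is written to a fresh O_EXCL temp file created with mode 0600,
    then atomically renamed over `path`, so the secret is never on disk with
    default-umask (typically world-readable) permissions, and a symlink or
    stale file planted at `path` is replaced rather than followed.
    """
    # base64 is an encoding, not encryption: anyone who can read the file can
    # reverse it. It only keeps the bytes out of plain view, which is all the
    # question's EDIT asks for.
    encoded = base64.b64encode(secret.encode("utf-8"))
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    try:
        os.fchmod(fd, mode)  # force exact bits even if umask stripped some
        os.write(fd, encoded)
        os.fsync(fd)
    finally:
        os.close(fd)
    os.replace(tmp, path)
    return path


def check_private(path):
    """Return True if `path` is a regular file with no group/other permission bits.

    This mirrors OpenSSH's "UNPROTECTED PRIVATE KEY FILE" check: the file
    system permission bits are the actual protection, so verify them before
    trusting the file. lstat is used so a symlink is not silently followed.
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_secret(path):
    """Read the stored secret back, refusing a file other users could read."""
    if not check_private(path):
        raise PermissionError("%s is readable by other users; refusing to use it" % path)
    with open(path, "rb") as f:
        return base64.b64decode(f.read()).decode("utf-8")


def demo(directory=None):
    """Round-trip a constructed sample password and exercise the permission check.

    Returns a dict of observations so the behaviour can be inspected or asserted.
    """
    if directory is None:
        directory = tempfile.mkdtemp()
    path = os.path.join(directory, "secret-password")
    save_secret(path, "hunter2")  # constructed sample password, not a real one
    results = {
        "private_after_save": check_private(path),
        "round_trip": load_secret(path),
        "on_disk": open(path, "rb").read(),  # base64 text, trivially reversible
    }
    save_secret(path, "s3cret")  # overwriting an existing file also works
    results["after_overwrite"] = load_secret(path)
    os.chmod(path, 0o644)  # simulate a careless chmod making it world-readable
    results["private_after_chmod"] = check_private(path)
    try:
        load_secret(path)
        results["refused"] = False
    except PermissionError:
        results["refused"] = True
    return results


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(demo(d))
```

Running the block prints the round-trip results and shows that once the file is chmod 0644, load_secret refuses it. The on-disk contents are plain base64 (aHVudGVyMg== for hunter2), which is exactly why the answer's point stands: the permission bits, not the encoding, are what protect the password, and they protect it from other unprivileged users only.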

别挽留 2024-10-09 01:24:04

Is it a good idea to use the private ssh key for this?

No:

  • The private key could be password-protected itself.
  • It's poor form to go reading users' secret keys.
  • It can be changed without regard to your script.

You also seem to be mixing up your terminology. You've used encoding, decoding and hashing when I'd assume you mean encrypting and decrypting.

As Dave Webb points out, your premise is that the private key file is read-only to the user and not itself encrypted. You'd be going from "protected by filesystem user-read-only" to "protected by a different file that is user-read-only".
