Perl: the Markov chain saw | |
PerlMonks |
comment on |
( [id://3333]=superdoc: print w/replies, xml ) | Need Help?? |
Said program stores password in memory for whenever connecting to DB. Someone (root) does a memory dump of the running process and the password is in there (somewhere). If the password was encrypted somehow then the key will be in the memory dump too (unless it is read from a file etc. but that could prove risky AND expensive). So, the program does not contain the password but when it is run, it must store the password in program memory. How to encrypt that? What do people do in such cases? See also Hide DBI password in scripts. Ultimately, the password has to leave the perl process to be passed to the database. That usually happens in plaintext, and usually using network functions. So all that is needed to get the password is strace. Theoretically, databases could implement Challenge–response authentication, so that the password is never transmitted, neither in plaintext nor encrypted. I've never seen that implemented AND used. I guessed that recent versions of PostgreSQL could have some implementation, and I was right: Pg 10 and 11 have scram-sha-256, but it requires recent client libraries: scram-sha-256 More details in Salted Challenge Response Authentication Mechanism. Note that SCRAM-SHA-256 has to be configured at the server side, the client can't choose the authentication mechanism. For other databases, RTFM. Alexander
-- Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-) In reply to Re^7: use of already eval()ed module (from string)
by afoken
|
|