Re: How about a module for "passwords"?

i have that in ugly code that really needs cleaning. it seemed quite useful at the time. the client uses Kerberos to request passwords from the server. all the passwords are returned in an Tie::Encrypted::Hash (or maybe it's Tie::Hash::Encrypted ;) along with a key. that part is slightly mushed together with a (i beg forgiveness for the following...) Passport (cough) like part that will store the encrypted hash somewhere locally.

the end effect is roughly thus:

if you have Kerberos, a valid ticket, and the server is working... you can get your passwords without having to type anything.
otherwise, you'll be prompted for a key and thereafter you'll be asked for a password only the first time it's needed, it will live in the encrypted hash and saved on DESTROY. the next time around you just have to type your key.

it needs: error checking, logging, all the good stuff. but it did work quite well. the application was webified removing the need for the user to keep track of the passwords.

if there's any interest i can put it up somewhere after removing incriminating evidence.

Comment on Re: How about a module for "passwords"?

Replies are listed 'Best First'.
Re: Re: How about a module for "passwords"? by John M. Dlugosz (Monsignor) on Jan 27, 2003 at 06:25 UTC
if there's any interest... Yes, I'd love to hear more. I never thought about Kerberos for anything other than OS logins! I suppose it has a general interface to hang onto anything you want, though, right? So if I understand, Kerberos is used to say "I already validated that Foo is logged in, so I'll let him access this stuff that only Foo should know." Otherwise, the user has to type the passphrase. After that, it behaves identically, using the key it obtained on a encrypted hash. Is that right? —John	[reply]
Re to the three: How about a module for "passwords"? by zengargoyle (Deacon) on Jan 27, 2003 at 10:16 UTC
i commented out the Kerberos part of this, but you got the basic idea. if you have a valid ticket you can connect to the server and the server can check you against its list of valid users. the server then sends the encrypted hash (with the __password and __cipher preset) back to the client to use as desired. the Kerberos parts are much uglier. i'll need to poke around them some more before posting. package Keystore; use strict; use warnings; use Tie::EncryptedHash; use Term::ReadKey; use Data::Dumper; my $default_keyfile = "$ENV{HOME}/.Q/keystore"; my $default_secret = 'notverysecret'; my $default_cipher = 'Blowfish'; sub _get_secret { my $prompt = shift; my $secret; print STDERR "$prompt: "; ReadMode 'noecho'; $secret = ReadLine 0; chomp $secret; ReadMode 'normal'; print STDERR "\n"; return $secret; } sub pw { my ($self,$password,$newval) = @_; my $keystore = $self->{keystore}; return undef unless (defined($password) and length $password); my $encpass = "_$password"; # Tie::Encrypted uses _ for the +encrypted keys if (exists($keystore->{$encpass})) { return $keystore->{$encpass} \|\| ''; } elsif (defined($newval) and length $newval) { $keystore->{$encpass} = $newval; return $keystore->{$encpass} \|\| ''; } else { $keystore->{$encpass} = _get_secret($password); return $keystore->{$encpass} \|\| ''; } return undef; } sub new { my ($c,%param) = @_; =begin comment # this was the Kerberos part, instead of reading from a file i +t # would connect to a Kerberos server (using your credentials). # if all went well it would recieve the encrypted hash from th +e # server and would leave the keyfile 'undef' so it wouldn't be # saved on DESTROY. if the server chat failed it failed to the # file based method below. my $kks = KKS::keystore; if (ref $kks) { my $self = { keystore => $kks, keyfile => undef }; return bless $self, $c; } =cut $param{keyfile} \|\|= $default_keyfile; if (-f $param{keyfile} && !-r _) { $param{secret} = $default_s +ecret; } $param{secret} \|\|= _get_secret('secret'); my (%s,%sold); if (-f _ && -r _) { open(F,"<$param{keyfile}") or warn "open\n"; my ($cfgstr,$passwords); {local $/ = undef; $cfgstr = <F>; } eval "$cfgstr"; # ewwww!! would not do this this +way now... %sold = (%$passwords); } tie %s, 'Tie::EncryptedHash'; %s = (%sold); $s{__password} = $param{secret}; $s{__cipher} = $param{cipher} \|\| $default_cipher; my $self = { keystore => \%s, keyfile => $param{keyfile} }; return bless $self, $c; } sub DESTROY { my ($s) = @_; my ($k,$f) = ($s->{keystore}, $s->{keyfile}); { local $^W = 0; no warnings; delete $k->{__password}; } return unless defined $f; open(F,">$f") or return; print F Data::Dumper->Dump([$k],['passwords']); close(F); } 1; =head1 NAME Keystore - Perl extension for a password keystore. =head1 SYNOPSIS use Keystore; $ks = new Keystore; $passwd = $ks->pw('cisco_console'); $passwd2 = $ks->pw('cisco_enable'); # do something query_rtr('rtr-foo',$passwd,$passwd2); # clean up if you're paranoid $passwd = $passwd2 = undef; =head1 DESCRIPTION Try it: $ mkdir $HOME/.Q # type the following on a single line so you can up-arrow and do it a +gain. $ perl -e 'use Keystore;$ks=new Keystore; \ for(qw( testpass anotherpass foopass)) { \ print $ks->pw($_),"\n";}' # type a secret, it will be used to encrypt your passwords. # since it doesn't know these passwords, it will ask. secret: testpass: foo anotherpass: lala foopass: zig # do it again, type the same secret as before. # it knows them now, doesn't need to ask. secret: foo lala zig $ cat $HOME/.Q/keystore $passwords = { '_testpass' => 'Blowfish rL0Y20zC+Fzt72VPzMSk2A 52616e646f6d4956fde +2cd4cc69fb 4ab6888532e6b2aac86', '_foopass' => 'Blowfish I4uNgfsODwP+rVYTtSNLdA 52616e646f6d49567073 +d91467ce68 e7d45d91ad73b75cc7', '_anotherpass' => 'Blowfish LjgXKT/CddvudL1xzm6wVg 52616e646f6d4956 +2070a13f37 a38f8dcd55403f697a6661' }; To delete a password, just delete the line. To completely disable the + encrypted saving of passwords: chmod -rw $HOME/.Q/keystore If it can't read the + file it will prompt for passwords when needed (but still only once per sess +ion). If it can't write the file they won't get saved. =head2 EXPORT None by default. =head1 AUTHOR =head1 SEE ALSO L<Tie::EncryptedHash>. =cut [download]	[reply] [d/l]