pg has asked for the wisdom of the Perl Monks concerning the following question:

Today I tried to install DBI in my company PC thru PPM. At beginning it didn't work, as I was behind the firewall. After read some document, I figured it out. In order to use PPM behind firewall, I have to set three environment variables. One of them is HTTP_proxy_pass.

I feel really uncomfortable to put my password in an environment variable. Now anyone sitting in front of PC can find it out.

I did a little bit investigation, and now I think the piece of code that uses those environment variables is PPM::Repository, and that's where the UserAgent is created and credential is encoded.

I am thinking of modify that module a little bit. Instead of using environment variable, just ask for credential on fly.

Before I go ahead, I want to make sure that I am doing the right thing. Is there a more secure way of using PPM behind firewall that I don't know? If I go modify it, I probably will use Tk (not change the entire application to Tk, but just pop up a dialog box asking for credential.), any other suggestion?

Replies are listed 'Best First'.
•Re: PPM behind firewall - security concern
by merlyn (Sage) on Jan 14, 2004 at 05:07 UTC
    I'm hoping that your "HTTP firewall proxy" password has nothing to do with any other password for you, because it can be sniffed trivially anyway, unless you only do SSL connections.

    If you aren't doing SSL, locking your HTTP password in to your box is no less secure than typing it directly.

    And I really don't understand why net admins set up firewalls that require firewall passwords, unless all the traffic is encrypted. Oh well.

    -- Randal L. Schwartz, Perl hacker
    Be sure to read my standard disclaimer if this is a reply.

[reply]
      I really don't understand why net admins set up firewalls that require firewall passwords

      Do not use common sense. This is not really for security, but to controll who is allowed to go through the firewall. The bigger a company the more hierarchies and privileges are to be considered. And allowed internet access is a kind of stripe on your shoulder. Another similar thing are mail atttachements, nothing, only pictures, documents, archives, etc. So these firewalls' purpose is more to secure the internet against the employees ;-)

      Nevertheless, it makes sense to allow only those user groups internet access, who need it. Others can go to the company's internet caffee for safe private access. This lowers the risk of external damage done to the internal network. BTW we are a bank with a software department.

      Update: fixed typo

      And it came to pass that in time the Great God Om spake unto Brutha, the Chosen One: "Psst!"
      (Terry Pratchett, Small Gods)

[reply]
          This is not really for security, but to controll who is allowed to go through the firewall. The bigger a company the more hierarchies and privileges are to be considered. And allowed internet access is a kind of stripe on your shoulder. Another similar thing are mail atttachements, nothing, only pictures, documents, archives, etc. So these firewalls' purpose is more to secure the internet against the employees ;-)
         In fairness, both these measures, proxy passwords and limiting outbound attachments, can help to isolate system compromises inside your corporate network. Once your network is compromised, measures like these can help stop the infected systems from turning on systems on the outside of your network to infect them.
[reply]
Re: PPM behind firewall - security concern
by Daruma (Curate) on Jan 14, 2004 at 07:06 UTC
    Greetings!

    I found the same scenario in my workplace. Unfortunately, I think this is pretty common.

    I usually open a DOS (CMD) Window and

    set HTTP_proxy_pass=firewallpassword

    [download]
    before kicking off ppm within the same window. Note that I already have HTTP_proxy and HTTP_proxy_user set up in my environment. I felt uncomfortable putting any password in a file like this. I agree that a quick Perl/Tk application to prompt the user and kick off PPM would work nicely in this situation.

    Daruma
[reply]
[d/l]
[select]
Re: PPM behind firewall - security concern
by Roger (Parson) on Jan 14, 2004 at 05:12 UTC
    Hi pg I thought you could fetch the package binary with a browser and install it locally with PPM?

[reply]
[reply]
        Yes, good idea. Of course, this isn't any more secure (and his problem was one of security), since his password to the proxy has already been sniffed :)

        Seeing security is already weak, I'd just permanently set the http_proxy_password variable in the Windows settings (right click on "My Computer") and not worry about it.

[reply]
Re: PPM behind firewall - security concern
by tachyon (Chancellor) on Jan 14, 2004 at 12:43 UTC

    Why on earth use Tk? You are at the command line typing already so why would you not just insert.... 

    print "Firewall Password ";
chomp(my $password  = <>);

    [download]

    cheers

    tachyon

[reply]
[d/l]
      Or if you don't want to read your password on the screen use: 
      use Term::ReadKey;

print "Enter PASSWORD: ";
ReadMode 'noecho';
my $line = <STDIN>; chomp($line);
ReadMode 'normal';
print "\n";

      [download]
      This works even on a windoze console.

      And it came to pass that in time the Great God Om spake unto Brutha, the Chosen One: "Psst!"
      (Terry Pratchett, Small Gods)

[reply]
[d/l]
Re: PPM behind firewall - security concern
by inman (Curate) on Jan 14, 2004 at 09:19 UTC
    PPM is run from a batch file (on Windows at least). You can edit this file to set the relavent variables. Just add the proxy related variables e.g. SET HTTP_proxy=http://myproxy:8080 lines at the beginning of the ppm batch file. The variable is only set for the batch file.
[reply]
[d/l]

Back to Seekers of Perl Wisdom