Python:在脚本中保护敏感变量内容
[英]Python: securing sensitive variable contents within a script
问题描述
I need the user to input their password into my script so that I can then use that password to perform an LDAP operation on their account. 
我需要用户在我的脚本中输入他们的密码,以便随后我可以使用该密码对他们的帐户执行LDAP操作。 It's very simple: 很简单:
password = getpass.getpass()
ldapconn.simple_bind_s(binddn, password)
Even though the password is never leaving the script and is never displayed in plain text, isn't it still vulnerable to something like a memory dump? 即使密码永远不会离开脚本,也永远不会以纯文本形式显示,它是否仍然容易受到内存转储之类的攻击? What's the best way to secure this password within the script, but still make use of it? 在脚本中保护此密码的最佳方法是什么,但仍然可以使用呢?
This post is interesting: https://security.stackexchange.com/questions/29019/are-passwords-stored-in-memory-safe 这篇文章很有趣: https : //security.stackexchange.com/questions/29019/are-passwords-stored-in-memory-safe
Primarily because the answers confirm my suspicion that passwords stored in RAM are not safe. 主要是因为答案证实了我对存储在RAM中的密码不安全的怀疑。 My question is, how is one supposed to do work that requires that sensitive information be stored in RAM? 我的问题是,应该如何执行一项要求将敏感信息存储在RAM中的工作? No one on that post really posts a practical real-world solution, just a lot of a confirmation and details as to why RAM is not safe. 该帖子上没有人真正发布过实用的实际解决方案,只是对RAM为什么不安全的很多确认和细节。 Using my short example of an LDAP connection above, what concrete changes could you make to better secure the password variable? 使用上面的LDAP连接的简短示例,您可以进行哪些具体更改以更好地保护密码变量?
1 个解决方案
解决方案1
0 2015-10-02 22:30:35
Using my short example of an LDAP connection above, what concrete changes could you make to better secure the password variable?
None. 没有。 You either: 您要么:
- Need to have the plain text to send to the LDAP API, 需要纯文本发送到LDAP API,
- In which case you need to have the plain text, which an attacker could get 在这种情况下,您需要使用纯文本,攻击者可能会得到
- Or you need encrypted text which you decrypt, which an attacker could get after you decrypt it 或者您需要解密的加密文本,攻击者在解密后可能会得到该文本
- In which case you need to have the plain text, which an attacker could get
- Need a password hash to send to the LDAP API 需要密码哈希值才能发送到LDAP API
- Then the attacker could get the hash and use it. 然后,攻击者可以获取哈希并使用它。 It's effectively a plain password at that point. 在那时,它实际上是一个普通密码。
- Then the attacker could get the hash and use it.
The solutions which exist are to have a design which does not involve prompting the user for their password at all, and does not involve sending plain text passwords to other services. 存在的解决方案将具有一种设计,该设计完全不涉及提示用户输入其密码,并且不涉及将纯文本密码发送给其他服务。
eg you have a properly working Kerberos environment with synchronised time, users getting Kerberos tickets at first login, and those tickets being used to authenticate with services without password prompts. 例如,您有一个运行时间同步的Kerberos环境,用户在首次登录时获得Kerberos票证,并且这些票证用于在没有密码提示的情况下通过服务进行身份验证。 Tickets have a limited lifetime and Kerberos replay detection is built in, so that if they are taken from memory they are much less useful than a password. 票证的生存期有限,并且内置了Kerberos重放检测功能,因此,如果从内存中取出票证,则它们的用途远不如密码。
So the user hits a password prompt once for the entire environment, not once per script they run or service they access, and that password is handled by one centralized, well reviewed, low level OS process. 因此,用户在整个环境中都单击一次密码提示,而不是在他们运行或访问的每个脚本中都点击一次密码提示,并且该密码由一个集中的,经过良好检查的低级操作系统进程处理。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.