如何在Linux上用Python可逆存储密码?
[英]How To Reversibly Store Password With Python On Linux?
问题描述
First, my question is not about password hashing, but password encryption.
首先,我的问题不是密码散列,而是密码加密。 I'm building a desktop application that needs to authentificate the user to a third party service.我正在构建一个需要向第三方服务验证用户身份的桌面应用程序。 To speed up the login process, I want to give the user the option to save his credentials.为了加快登录过程,我想为用户提供保存其凭据的选项。 Since I need the password to authentificate him to the service, it can't be hashed.由于我需要密码来验证他的服务身份,因此无法对其进行哈希处理。
I thought of using the pyCrypto module and its Blowfish or AES implementation to encrypt the credentials.我想到了使用 pyCrypto 模块及其 Blowfish 或 AES 实现来加密凭据。 The problem is where to store the key.问题是在哪里存储密钥。 I know some applications store the key directly in the source code, but since I am coding an open source application, this doesn't seem like a very efficient solution.我知道有些应用程序将密钥直接存储在源代码中,但由于我编写的是开源应用程序,这似乎不是一个非常有效的解决方案。
So I was wondering how, on Linux, you would implement user specific or system specific keys to increase password storing security.所以我想知道,在 Linux 上,您将如何实施用户特定或系统特定的密钥来提高密码存储的安全性。
If you have a better solution to this problem than using pyCrypto and system/user specific keys, don't hesitate to share it.如果您有比使用 pyCrypto 和系统/用户特定密钥更好的解决此问题的方法,请不要犹豫,分享它。 As I said before, hashing is not a solution and I know password encryption is vulnerable, but I want to give the option to the user.正如我之前所说,散列不是解决方案,我知道密码加密容易受到攻击,但我想将选择权提供给用户。 Using Gnome-Keyring is not an option either, since a lot of people (including myself) don't use it.使用 Gnome-Keyring 也不是一个选择,因为很多人(包括我自己)不使用它。
3 个解决方案
解决方案1
5 2009-06-16 14:20:28
Try using PAM .尝试使用PAM 。 You can make a module that automatically un-encrypts the key when the user logs in. This is internally how GNOME-Keyring works (if possible).您可以制作一个模块,在用户登录时自动解密密钥。这就是 GNOME-Keyring 内部的工作方式(如果可能)。 You can even write PAM modules in Python with pam_python .您甚至可以使用pam_python在 Python 中编写 PAM 模块。
解决方案2
5 已采纳 2009-06-16 14:24:46
Encrypting the passwords doesn't really buy you a whole lot more protection than storing in plaintext.加密密码并不能真正为您提供比以明文存储更多的保护。 Anyone capable of accessing the database probably also has full access to your webserver machines.任何能够访问数据库的人可能也可以完全访问您的网络服务器机器。
However, if the loss of security is acceptable, and you really need this, I'd generate a new keyfile (from a good source of random data) as part of the installation process and use this.但是,如果安全损失是可以接受的,并且您确实需要它,我会在安装过程中生成一个新的密钥文件(来自良好的随机数据源)并使用它。 Obviously store this key as securely as possible (locked down file permissions etc).显然尽可能安全地存储此密钥(锁定文件权限等)。 Using a single key embedded in the source is not a good idea - there's no reason why seperate installations should have the same keys.使用嵌入在源代码中的单个密钥不是一个好主意 - 没有理由单独安装应该具有相同的密钥。
解决方案3
0 2009-06-16 14:15:39
Password Safe is designed by Bruce Schneier and open source. Password Safe 由 Bruce Schneier 设计并开源。 It's for Windows, but you should be able to see what they are doing and possibly reuse it.它适用于 Windows,但您应该能够看到他们在做什么并可能重新使用它。
http://www.schneier.com/passsafe.html http://www.schneier.com/passsafe.html
http://passwordsafe.sourceforge.net/ http://passwordsafe.sourceforge.net/
Read this: If you type AES into your code, you're doing it wrong.请阅读: 如果您在代码中输入 AES,那您就错了。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.