Safely storing of Redis password

I'm creating (in Python) a desktop application which should use a Redis database. The app will connect to the local database and I need protected access to Redis. I know that I can set a password in /etc/redis/redis.conf by inserting the line requirepass pswd, but this configuration file can be read by unauthorized users. What is the way to ensure safety in this situation? I know that using Redis on a remote server can resolve this problem, but what if there is only a local database?

you can't really safely store the password ... you can do various things to try and hide it ... but ultimately there is no way to securely store things in python such that the access is really protected ... some things you can do are break the password up into parts ... and apply some transformation

import hashlib

p1 = "Hello"
p2 = "world15"

# derive the password from the parts; hexdigest() gives a printable string
mypassword = hashlib.sha1((p1 + p2).encode()).hexdigest()

print(mypassword)  # use whatever prints here as your redis password

if you cannot change the password redis is using you can use other similar techniques to obscure the password

after that you can compile it into a pyc or package it into a binary ... but really if someone wants it they can find it

I think there is a new pep proposed to handle security tokens ... but I have no idea when or if they will implement it

You can secure the redis config file just as any other file on linux. Here I'm testing it on Debian, so I'm using the defaults (redis user name, ...) from their package.

  1. So at first go to the directory: cd /etc/redis
  2. If you ls -l here it should look similar to this:
    -rw-r--r-- 1 root root 10K Mon 01 12:30 redis.conf
  3. So you see the file is owned by root. You also see root has r/w access, which is okay and the user group has r access, which is what you want for redis. So get out the usergroup of the user Redis uses (on Debian each user has its own group) and set it as the group of that file: sudo chown root:redis redis.conf
  4. Finally all other users still have read access. Just prohibit read access for them: sudo chmod 640 redis.conf

In the end your redis.conf file should look like this:
-rw-r----- 1 root redis 10K Mon 01 12:30 redis.conf

You can now restart redis (sudo service redis-server restart) and everything should work.
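
Added example (not part of the original answer): a small Python check that the config file ended up in the state the steps above describe, i.e. no access for other users and no group write. The function name audit_redis_conf and its parameters are made up for this example; the root owner and the redis group are the Debian package defaults mentioned in the answer.

```python
import os
import stat


def audit_redis_conf(path, owner_uid=0, group_gid=None):
    """Return a list of problems with the permissions of a Redis config file.

    owner_uid / group_gid are the expected owner and group (assumptions of
    this example: root owns the file, the redis service group may read it).
    Pass None to skip either check.
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []

    # Step 4 of the answer: "other" must have no access at all.
    if mode & stat.S_IRWXO:
        problems.append("world-accessible: mode %04o" % mode)
    # The group only needs read; write would let it change requirepass.
    if mode & stat.S_IWGRP:
        problems.append("group-writable: mode %04o" % mode)
    if owner_uid is not None and st.st_uid != owner_uid:
        problems.append("unexpected owner uid %d" % st.st_uid)
    if group_gid is not None and st.st_gid != group_gid:
        problems.append("unexpected group gid %d" % st.st_gid)
    return problems


if __name__ == "__main__":
    import grp
    import sys

    conf = sys.argv[1] if len(sys.argv) > 1 else "/etc/redis/redis.conf"
    redis_gid = grp.getgrnam("redis").gr_gid  # Debian package default group
    issues = audit_redis_conf(conf, owner_uid=0, group_gid=redis_gid)
    for issue in issues:
        print("%s: %s" % (conf, issue))
    sys.exit(1 if issues else 0)
```

Run as a script it exits non-zero when the file is readable by other users or has an unexpected owner or group, so it can be used as a deployment check.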
