passwordless saceserver? (for scripted access)

Ed Griffiths edgrif at sanger.ac.uk
Wed Sep 5 03:54:24 EST 2001



> Ed Griffiths  <edgrif at sanger.ac.uk> wrote:
> >happy to add code to saceclient to allow the userid/passwd to be specified on
> >the command line using  "-userid your_userid -passwd  your_passwd". I saw Tim's
> >fix to the code which I will check and add to our source code, but I think the
> >command line options are a cleaner solution.
> 
> It's insecure that way; the complete command line (including userid and
> password) is then visible to any user on the system using ps.  It's far
> preferable from a security point of view to be able to supply the user
> ID and/or password on standard input.
> 
> Of course, if you add the command line options and my patch, users have
> the choice to use either method (which is what, for example, the isql
> client for Sybase does).

Your patch is in the code.

I agree with you about the security stuff; I had forgotten that it's possible to
get ps to print out the full command string.

An alternative would be for the saceclient to accept the userid and hashed
userid/passwd as command line arguments; this way only encrypted stuff would
appear on the command line. I already supply a utility to do the hashing and I
could make this more friendly as required. That way scripts that use saceclient
via a pipe could just use my utility to create the hash and Bob's your uncle.

Those interested please reply and let me know what you think....

cheers Ed

 ------------------------------------------------------------------------
| Ed Griffiths, Acedb development, Informatics Group,                    |
|               The Sanger Centre, Wellcome Trust Genome Campus,         |
|               Hinxton, Cambridge CB10 1SA, UK                          |
|                                                                        |
| email: edgrif at sanger.ac.uk  Tel: +44-1223-494780  Fax: +44-1223-494919 |
 ------------------------------------------------------------------------
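
Added example, not part of the original message or of the Acedb code: it shows what the thread describes, that a password passed as "-passwd" is readable from the process listing while one supplied on standard input is not. The child process is a stand-in for saceclient, and the userid "demo" and the password value are constructed for the demonstration.

```python
import os
import subprocess
import sys

SECRET = "constructed-demo-passwd"  # constructed sample value, not a real credential


def visible_cmdline(pid):
    """Return the command line of `pid` as other local users can read it."""
    proc_path = f"/proc/{pid}/cmdline"
    if os.path.exists(proc_path):  # Linux: NUL-separated argv, world-readable by default
        with open(proc_path, "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode().strip()
    # Elsewhere, ask ps, the tool named in the thread.
    return subprocess.run(["ps", "-ww", "-o", "args=", "-p", str(pid)],
                          capture_output=True, text=True).stdout.strip()


def secret_on_command_line(secret):
    """Stand-in client started with "-userid ... -passwd ..." as in the thread."""
    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(30)",
                              "-userid", "demo", "-passwd", secret])
    try:
        return visible_cmdline(child.pid)
    finally:
        child.kill()
        child.wait()


def secret_on_stdin(secret):
    """Stand-in client that reads the password from standard input instead."""
    child = subprocess.Popen(
        [sys.executable, "-c",
         "import sys; print(len(sys.stdin.readline().rstrip()))", "-userid", "demo"],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    seen = visible_cmdline(child.pid)          # child is blocked waiting for input
    out, _ = child.communicate(secret + "\n")  # password travels over the pipe only
    return seen, int(out)


if __name__ == "__main__":
    print("argv :", secret_on_command_line(SECRET))
    seen, received = secret_on_stdin(SECRET)
    print("stdin:", seen, "| child received", received, "characters")
```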