1

Is there any secure local service that one should use for storing and retrieving organization wide application passwords? Most of the time we need authentication information in our scripts to run some service.

Therefore I need some way to dynamically retrieve a password from my secure store/bucket and pass it as variable in authentication information , instead of hard-coding it in my scripts.

Improve this question
2
  • Could you just use ssh public-private keypairs instead? Commented Dec 29, 2015 at 14:03
  • Ok , to be precise , my python script triggers a remote Jenkins job , and Jenkins needs authentication with user-name and password as a part of this process , so how can ssh and key pairs help here? I am already using https , thats not a problem, but still user-name and password is needed by Jenkins to trigger a particular job. Commented Dec 29, 2015 at 14:11

2 Answers 2

Reset to default
2

Short answer, no. The problem is that at some point your script will need to go get a password from that central store. How does it do that? Most password storage systems use a master password to secure the whole store. Your script would need that master password in order to get its app password. You haven't solved the issue you've just changed it.

The approach I take to this is that if your script needs specific access to an application setup a user that can only do the specific thing that your script needs to do. Then you can store that password with the script itself. If the server that's hosting the script gets compromised the attacker will only be able to do exactly what you've given the script permission to do. Also, you can revoke the attackers access by changing that user's password. Since the only thing using that user was the script in question, nothing else is broken.

Improve this answer
1
  • First , most of the time our scripts reside on git-hub with public access so we cant store passwords in them. I don’t need a master password because i can use puppet to deploy that application password in some file and my script read from that local file , wherever it is needed. But the same old question , is there any such secure service from which puppet can read passwords and deploy it on client machines , where scripts run. Commented Dec 29, 2015 at 13:51
1

Maybe you can setup oauth?

http://oauth.net/

There is also implementation for python(as i saw python in the tags): https://github.com/joestump/python-oauth2

For the rest, If i could I would vote down this question as there is not enough information provided. But ye I assume that you need something like what I've just suggest you

Improve this answer
3
  • hi , thanks , what other information is missing in the question? you can ask in the comment. i have just asked about a central password management solution , from which we can get the stored passwords and use them in our bash and python code. Commented Dec 29, 2015 at 11:48
  • Hello, what I suggested you is even better because you don;t need a single password to access your "password vault". The information I was looking for is what kind of passwrods are stored and for what they are used for. Is it some server root/admin passwords. Or user passwords, or password you need to access some application etc.. So if you give us more information about what you have, and what you would like to have maybe more solutions will pop up. Cheers! Commented Dec 29, 2015 at 12:21
  • yes , just the passwords for service accounts , for example a custom user account for running some application. May be , i want puppet to deploy those passwords to the machines where those scripts will run , and the scripts will access the passwords from some local file. But i dont want to store them in puppet, puppet should have access to the password store i am asking about. do you get my point? Commented Dec 29, 2015 at 12:36

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.