From: zeno (bugtraq_at_cgisecurity.net)
Date: Sat Aug 24 2002 - 14:00:29 CDT
These may be of interest.
> Hi everybody,
> On the secprog list an interesting discussion has started about a secure
> approach to storing passwords and keys on a shared web server.
> I'm sure this topic has already been discussed here, but I would like to
> hear some news from you gurus :).
> An approach I have exposed, that can be useful if you have limited
> resources but system access, follows (quoted):
> First of all, I need a secure way to keep database passwords secure, so
> I have to keep them separate from the main server. The right approach
> could be using a small java bean application that runs as a normal user
> (not tomcat, so it is not shared with other web services or, worse, the
> nobody user), that has no shell login, but has a default home directory
> or a place where it can hold passwords and keys.
> The web application could then open an ssl connection (could be done in
> the init method at server startup) to get database passwords. The small
> bean could check via code signature/rmi/whatever else that the source
> is the right one, and handle all the database connections, or give the
> db connection/password to the main web application.
> In this way, we solve the problem of keeping the keys and passwords in
> shared directories, and also, an attacker would need to get the root/bean
> user account to read data. This is not perfect, and works only if your
> provider gives you the opportunity to configure a separate java
> application (that means, really, another server running in the
> Suggestions are always welcome,
> Mario Torre
> Please avoid sending me Word or PowerPoint attachments.
> See http://www.fsf.org/philosophy/no-word-attachments.html
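The design in the quoted post, as an added example that is not part of the original message: a small secret broker that runs as its own user and hands the database password only to an approved caller. Where the post proposes an SSL/RMI channel plus a code-signature check to verify "that the source is the right one", this example substitutes a Unix domain socket and the Linux SO_PEERCRED check of the calling process's uid; the `SECRETS` store, the `DENIED` reply and the `demo` helper are constructed for illustration.

```python
import os, socket, struct, tempfile, threading
SECRETS = {"appdb": "constructed-example-password"}  # constructed; readable by the broker user only
MY_UID = os.getuid()

def peer_uid(conn):
    """uid at the far end of a Unix socket (Linux SO_PEERCRED -> struct ucred {pid,uid,gid})."""
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", creds)[1]
def handle(conn, allowed_uids):
    """One request: the client sends a secret name and gets the value, or DENIED."""
    with conn:
        name = conn.recv(256).decode("ascii", "replace").strip()
        # Uniform refusal: an unauthorised caller learns nothing about which names exist.
        if peer_uid(conn) not in allowed_uids or name not in SECRETS:
            conn.sendall(b"DENIED\n")
        else:
            conn.sendall(SECRETS[name].encode() + b"\n")
def serve(path, allowed_uids, ready, stop):
    """Broker accept loop: sets `ready` once listening, returns when `stop` is set."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        os.chmod(path, 0o660)  # the socket node itself is not world-connectable
        srv.listen(5)
        srv.settimeout(0.2)
        ready.set()
        while not stop.is_set():
            try:
                handle(srv.accept()[0], allowed_uids)
            except socket.timeout:
                continue
    os.unlink(path)
def fetch(path, name):
    """Client side: what the web application would do once in its init method."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(path)
        c.sendall(name.encode("ascii") + b"\n")
        return c.recv(256).decode().strip()

def demo(allowed_uids, name):
    """Run a broker in a background thread, ask it for `name`, then shut it down."""
    path = os.path.join(tempfile.mkdtemp(), "broker.sock")
    ready, stop = threading.Event(), threading.Event()
    t = threading.Thread(target=serve, args=(path, allowed_uids, ready, stop))
    t.start()
    ready.wait(2)
    try:
        return fetch(path, name)
    finally:
        stop.set()
        t.join(2)
```

In a real deployment the broker and the web application run under different uids, so the allow-list names the web application's uid rather than the broker's own; the uid check is Linux-specific.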