Re: [opensuse] NO PROBLEM. zypper does not use proxy settings?
On 1/9/07, Mark Goldstein
On 1/9/07, Mark Goldstein
wrote: On 1/9/07, Dinar Valeev
wrote: Set a proxy URL rug set proxy-url url_path
Hi Dinar,
I defined proxy in Yast2 and rug works fine, so it looks like rug now uses proxy setting from /etc/sysconfig/proxy (I remember that in 10.0 rug -- then part of Red Carpet -- used its own settings.
But zypper fails. I'll re-check though.
Hmmm, it was something else. Maybe temporary unaccessible repository. Now zypper works fine. BTW, it uses proxy user and password from /root/.curlrc. This file, though readable by root only, contains password in plain test. I think it's not a good idea. Anyone with an access to Linux machine can use another system (e.g. Knoppix, or Windows on dual boot machine) and read it, unless /root is stored on encrypted FS. I actually asked the same question on Novell forum regarding the Red Carpet (about a year ago), since rug had also stored unencrypted proxy password in the plain file, but have not got reasonable answer. -- Mark Goldstein -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Tue, Jan 09, 2007 at 04:24:48PM +0200, Mark Goldstein wrote:
On 1/9/07, Mark Goldstein
wrote: On 1/9/07, Mark Goldstein
wrote: On 1/9/07, Dinar Valeev
wrote: Set a proxy URL rug set proxy-url url_path
Hi Dinar,
I defined proxy in Yast2 and rug works fine, so it looks like rug now uses proxy setting from /etc/sysconfig/proxy (I remember that in 10.0 rug -- then part of Red Carpet -- used its own settings.
But zypper fails. I'll re-check though.
Hmmm, it was something else. Maybe temporary unaccessible repository. Now zypper works fine.
BTW, it uses proxy user and password from /root/.curlrc. This file, though readable by root only, contains password in plain test. I think it's not a good idea. Anyone with an access to Linux machine can use another system (e.g. Knoppix, or Windows on dual boot machine) and read it, unless /root is stored on encrypted FS.
I actually asked the same question on Novell forum regarding the Red Carpet (about a year ago), since rug had also stored unencrypted proxy password in the plain file, but have not got reasonable answer.
If you can read those files than you have root access and break this system in any other imaginable way too. Protecting such files further is not really necessary in light of this. Ciao, Marcus -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On 1/9/07, Marcus Meissner
On Tue, Jan 09, 2007 at 04:24:48PM +0200, Mark Goldstein wrote:
BTW, it uses proxy user and password from /root/.curlrc. This file, though readable by root only, contains password in plain test. I think it's not a good idea. Anyone with an access to Linux machine can use another system (e.g. Knoppix, or Windows on dual boot machine) and read it, unless /root is stored on encrypted FS.
I actually asked the same question on Novell forum regarding the Red Carpet (about a year ago), since rug had also stored unencrypted proxy password in the plain file, but have not got reasonable answer.
If you can read those files than you have root access and break this system in any other imaginable way too.
Not necessarily. If I have physical access to it, I can insert CD with Knoppix, for example, and read this file without having root access to it. E.g. user have a profile for the office, so proxy user and password are these for her company proxy. If the laptop is stolen or lost, someone will be able to easily find these data. OK, I understand it's impossible to fully protect it. If someone wants better protection, he will need to store all such data on encrypted FS. But still storing these data in plain text sounds too "inviting". After all, user may even not know what files contain his/her/company sensitive data. Maybe it could be stored in kwallet or something like that (or at least suggest such option to the user when configuring the proxy)? -- Mark Goldstein -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On 09-01-2007 at 16:24, "Mark Goldstein"
wrote: On 1/9/07, Mark Goldstein wrote: On 1/9/07, Mark Goldstein wrote: On 1/9/07, Dinar Valeev wrote: Set a proxy URL rug set proxy-url url_path
Hi Dinar,
I defined proxy in Yast2 and rug works fine, so it looks like rug now uses proxy setting from /etc/sysconfig/proxy (I remember that in 10.0 rug -- then part of Red Carpet -- used its own settings.
But zypper fails. I'll re-check though.
Hmmm, it was something else. Maybe temporary unaccessible repository. Now zypper works fine.
BTW, it uses proxy user and password from /root/.curlrc. This file, though readable by root only, contains password in plain test. I think it's not a good idea. Anyone with an access to Linux machine can use another system (e.g. Knoppix, or Windows on dual boot machine) and read it, unless /root is stored on encrypted FS.
I actually asked the same question on Novell forum regarding the Red Carpet (about a year ago), since rug had also stored unencrypted proxy password in the plain file, but have not got reasonable answer.
It's already bad if somebody get's so far in your computer, but if he did, you have small chances to protect this file (except HD encryption). The password is stored to create some action without user intervention (ie. without the user having to type his password), and as such the algorithm of storing these passwords has to be reversible -> and thus, however you encrypt it, using the source code of the program reading the file, there will NEVER be a problem getting the password. so indeed: even if it would be liked to have these files protected: it won't be possible. It would only be a small additional burden. Faked security to be precise. Dominique -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On 1/9/07, Dominique Leuenberger
The password is stored to create some action without user intervention (ie. without the user having to type his password), and as such the algorithm of storing these passwords has to be reversible -> and thus, however you encrypt it, using the source code of the program reading the file, there will NEVER be a problem getting the password.
so indeed: even if it would be liked to have these files protected: it won't be possible. It would only be a small additional burden. Faked security to be precise.
I understand and agree with that. I just thought that something kwallet-style could work. I mean, I would agree to enter long pass-phrase and to get an access to my sensitive data for some time. Someone who stole my laptop will still need to brute-force kwallet encryption. -- Mark Goldstein -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On 2007-01-09 08:37, Dominique Leuenberger wrote:
<snip> It's already bad if somebody get's so far in your computer, but if he did, you have small chances to protect this file (except HD encryption).
One wonders, then, why bother to encrypt all the users' system passwords?
-- The best way to accelerate a computer running Windows is at 9.81 m/s² -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On 10-01-2007 at 03:46, Darryl Gregorash
wrote: On 2007-01-09 08:37, Dominique Leuenberger wrote: <snip> It's already bad if somebody get's so far in your computer, but if he did, you have small chances to protect this file (except HD encryption). One wonders, then, why bother to encrypt all the users' system passwords?
Ha.. that's easy... for shadow, there is either ssha or md5 used. Both are hashing algorithms, which are not reversable. This works in this case, as you do: Make user input a password Encrypt password Verify encrpted password with stored encrypted If they are the same, he very likely gave the wrong plain password. But in no way can you get from the hash to the password. For the case with .curlrc (as the OP mentions), the intent is to make curl use this password without the user typing it, so you need a reversable encryption. And there you go with the problem. So, not exactly the same use case. Dominique -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
participants (4)
-
Darryl Gregorash
-
Dominique Leuenberger
-
Marcus Meissner
-
Mark Goldstein