FW: [UMN_MAPSERVER-DEV] Encryption of Oracle connection passwords in mapfiles

Ned Harding nharding at EXTENDTHEREACH.COM
Sat Mar 18 10:42:35 EST 2006


Sorry, I meant to post to the list... 

-----Original Message-----
From: Ned Harding 
Sent: Saturday, March 18, 2006 7:53 AM
To: 'Daniel Morissette'
Subject: RE: [UMN_MAPSERVER-DEV] Encryption of Oracle connection passwords in mapfiles

I'm not sure how this works with an open source product.  The MapServer
code has to have the key to use it and the key has to be in open code,
so anyone who wants to decrypt it can.  While it might produce the
illusion of security, all it really does is obfuscate the password.

One alternative is to keep the MAP file as an encrypted file in the file
system which is more secure (and less work).  The best alternative is to
make sure the user/password is only enabled for the specific rights that
MapServer needs so there isn't much value in stealing it.

Ned.

-----Original Message-----
From: UMN MapServer Developers List [mailto:MAPSERVER-DEV at LISTS.UMN.EDU]
On Behalf Of Daniel Morissette
Sent: Friday, March 17, 2006 12:05 PM
To: MAPSERVER-DEV at LISTS.UMN.EDU
Subject: [UMN_MAPSERVER-DEV] Encryption of Oracle connection passwords in mapfiles

We have a need to encrypt (or protect somehow) the Oracle connection
passwords in map files to avoid having them as plain text. I will look
into this some more and write an RFC, but before getting too far I wanted
to gather feedback, in case anyone already had their own ideas on this.

What I'm thinking of doing is creating a utility to encrypt a password,
that the developer would then copy/paste into the connection string in
the mapfile, possibly with some special delimiter to indicate that it's
encrypted. MapServer would decrypt the password internally and use the
decrypted password for the connection.

Unfortunately this requires the use of reversible encryption which is
not really that safe, especially when the decryption function is open
source, but at least it makes it harder to figure out the password than
just using plain text.

I would also like to set up a mechanism that will work for all other DB
CONNECTIONs so I am interested in comments from all the DB connection
maintainers.

Daniel
--
Daniel Morissette
http://www.mapgears.com/
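Daniel's proposed mechanism (an encrypt utility, a delimited token pasted into the CONNECTION string, decryption inside MapServer) sketched as an added Python example; this is not MapServer code, and the embedded key, the `{...}` delimiter and the SHA-256 counter-mode keystream are constructed assumptions. Because the same key has to ship with the code, anyone holding the code can call `decrypt_password`, which is the point Ned makes in his reply above.

```python
import hashlib
import os

# Hypothetical key baked into the (open-source) program, as the thread assumes.
# Whoever can read the code can read this key, so the scheme only obfuscates.
EMBEDDED_KEY = b"mapserver-demo-key"  # constructed placeholder, not a real key

# Constructed stand-in for the "special delimiter" marking an encrypted token.
ENC_PREFIX, ENC_SUFFIX = "{", "}"
NONCE_LEN = 8


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream from key and nonce (SHA-256 run in counter mode)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_password(plain: str, key: bytes = EMBEDDED_KEY, nonce=None) -> str:
    """What the 'encrypt a password' utility would print for the mapfile."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    data = plain.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return ENC_PREFIX + (nonce + ct).hex() + ENC_SUFFIX


def decrypt_password(token: str, key: bytes = EMBEDDED_KEY) -> str:
    """Reverse of encrypt_password; needs only the code and its embedded key."""
    raw = bytes.fromhex(token[len(ENC_PREFIX):-len(ENC_SUFFIX)])
    nonce, ct = raw[:NONCE_LEN], raw[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def resolve_connection(conn: str, key: bytes = EMBEDDED_KEY) -> str:
    """What MapServer would do internally: find the delimited token in an
    Oracle-style 'user/password@db' CONNECTION and substitute the plaintext.
    A CONNECTION without the delimiter is returned unchanged (plain text)."""
    start = conn.find(ENC_PREFIX)
    if start == -1:
        return conn
    end = conn.find(ENC_SUFFIX, start)
    if end == -1:
        return conn
    token = conn[start:end + 1]
    return conn[:start] + decrypt_password(token, key) + conn[end + 1:]


if __name__ == "__main__":
    tok = encrypt_password("tiger")  # constructed sample password
    print(f'CONNECTION "scott/{tok}@orcl"')
    print(resolve_connection(f"scott/{tok}@orcl"))  # prints scott/tiger@orcl
```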