RFC-18: Encryption of passwords in mapfiles
Stephen Woodbridge
woodbri at SWOODBRIDGE.COM
Mon May 29 20:42:37 EDT 2006
Daniel Morissette wrote:
> I have created RFC-18 that proposes a mechanism to encrypt database
> connection information (mostly passwords) in mapfiles:
>
> http://mapserver.gis.umn.edu/development/rfc/ms-rfc-18
>
> Other than trying to figure out how to use OpenSSL, this is a relatively
> simple addition that shouldn't have much impact on MapServer.
>
> Before we vote on this, I would be interested in feedback from the
> various database connection maintainers since I want this to work for at
> least PostGIS, Oracle Spatial, SDE and OGR.
>
> Also, if anyone has experience with OpenSSL or pointers to sample code
> that uses it to do a similar task then I would be very interested
> (Unfortunately the OpenSSL documentation seems to be quite poor). I'm
> also interested if you know of better/simpler alternatives that could be
> used instead of OpenSSL for the encryption functions.
>
> Daniel
Hi Daniel,
So just to be clear on my understanding of this, anyone that can get
TEA, read the mykey.txt file and write a trivial program can decrypt the
password. If mykey.txt is in the mapfile then I'm mostly home free; if I
can install a trivial PHP script that can read MS_ENCRYPTION_KEY then I
can open the file and read the contents and I can also probably read the
mapfile and read its contents and then decrypt it online or offline.
The problem with this is that there is no real way to secure mykey.txt
because it has to be readable by the webserver process so anyone that
can add a PHP script can access it.
I can't think of a better way to do this, but I think it should be made
VERY clear in the documentation that this is just simple obfuscation and
is by NO means secure and that users should NOT place VALUABLE passwords
in mapfiles encrypted or not.
So, I guess I'm +1 for this unless I can think of something better. If
you haven't read through some of these, it might be worth your effort to
take a quick glance.
http://www.google.com/search?hl=en&q=database+password+security+for+web+servers&btnG=Google+Search
-Steve
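
The exposure described in the message above can be checked on a host with a short audit. This is an added example, not part of the original post and not MapServer code. It assumes the key path comes from a CONFIG "MS_ENCRYPTION_KEY" line in the mapfile or from an MS_ENCRYPTION_KEY environment variable; the finding names, `build_sample` and the sample layout are constructed for illustration.

```python
import os, re, stat, tempfile

# Assumed mapfile syntax: CONFIG "MS_ENCRYPTION_KEY" "/path/to/mykey.txt"
KEY_LINE = re.compile(r'^\s*CONFIG\s+["\']?MS_ENCRYPTION_KEY["\']?\s+["\']([^"\']+)["\']',
                      re.I | re.M)

def audit_key_exposure(mapfile, docroot):
    """List the ways the key named by a mapfile is exposed on this host."""
    with open(mapfile) as fh:
        match = KEY_LINE.search(fh.read())
    key = match.group(1) if match else os.environ.get("MS_ENCRYPTION_KEY")
    if not key:
        return ["no-key-configured"]
    findings = ["key-path-in-mapfile"] if match else []
    key, root = os.path.realpath(key), os.path.realpath(docroot)
    if not os.path.isfile(key):
        return findings + ["key-missing"]
    if os.path.commonpath([key, root]) == root:
        findings.append("key-under-docroot")        # may be served over HTTP
    mode = os.stat(key).st_mode
    if mode & stat.S_IROTH:
        findings.append("key-world-readable")       # any local account can read it
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("key-writable-by-others")
    # Residual exposure that file modes cannot remove: the account running this
    # check (run it as the web server user) reads both ciphertext and key.
    if os.access(key, os.R_OK) and os.access(mapfile, os.R_OK):
        findings.append("key-and-mapfile-readable-together")
    return findings

def build_sample(base, key_in_docroot, key_mode):
    """Constructed sample layout: a docroot, a key file and a mapfile."""
    docroot = os.path.join(base, "htdocs")
    os.makedirs(docroot, exist_ok=True)
    key = os.path.join(docroot if key_in_docroot else base, "mykey.txt")
    with open(key, "w") as fh:
        fh.write("CONSTRUCTED-SAMPLE-KEY\n")
    os.chmod(key, key_mode)
    mapfile = os.path.join(base, "sample.map")
    with open(mapfile, "w") as fh:
        fh.write('MAP\n  CONFIG "MS_ENCRYPTION_KEY" "%s"\nEND\n' % key)
    return mapfile, docroot

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_key_exposure(*build_sample(tmp, True, 0o644)))
        print(audit_key_exposure(*build_sample(tmp, False, 0o600)))
```

Even with the key moved out of the document root and set to mode 0600, the last finding remains when the check runs as the web server account, which is the limitation the message points out.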