RFC-18: Encryption of passwords in mapfiles

Umberto Nicoletti umberto.nicoletti at GMAIL.COM
Tue May 30 02:52:24 EDT 2006

I am +0 on this issue: it does not make storing passwords in map files
any safer as encription is reversible,  and could actually trick users
to store valuable passwords (DBA, privileged users with delete or
update provileges in the case of the dbs) in the map file because of
the false perception of security.
A prominent note should be added to the documentation along with the
suggestion (if it's not there already, I haven't checked) not to use
privileged user/password in map file ANYWAY.

As of mapscript I think it could be useful to expose the functionality
through it: for example think of someone who wanted to create a map
file on the fly and encrypt the connection string.


On 5/26/06, Daniel Morissette <dmorissette at mapgears.com> wrote:
> I have created RFC-18 that proposes a mechanism to encrypt database
> connection information (mostly passwords) in mapfiles:
>    http://mapserver.gis.umn.edu/development/rfc/ms-rfc-18
> Other than trying to figure out how to use OpenSSL, this is a relatively
> simple addition that shouldn't have much impact on MapServer.
> Before we vote on this, I would be interested in feedback from the
> various database connection maintainers since I want this to work for at
> least PostGIS, Oracle Spatial, SDE and OGR.
> Also, if anyone has experience with OpenSSL or pointers to sample code
> that uses it to do a similar task then I would be very interested
> (Unfortunately the OpenSSL documentation seems to be quite poor). I'm
> also interested if you know of better/simpler alternatives that could be
> used instead of OpenSSL for the encryption functions.
> Daniel
> --
> Daniel Morissette
> http://www.mapgears.com/

More information about the mapserver-dev mailing list