On Sat, 20 Nov 2010, Daniel Ruggeri wrote:
> In mod_ssl there is a very handy option of making an exec callout for
> SSLPassPhraseDialog rather than putting a password for your private key in the
> conf file. The obvious benefit here is that one can then design a solution to
> meet any arbitrary number of security challenges before allowing that
> password to be delivered.
>
> One of my TODO patches is to add this same functionality in other places. The
> first that comes to mind (and something that has pestered me in the past) is
> AuthLDAPBindPassword (mod_authnz_ldap). Would anyone like to suggest other
> potential places this should be done before I put together a bug report and
> send in a patch?
Company policies that require passphrases not to be stored in plaintext
are not that uncommon. Therefore I agree that having a generic
functionality to be used by modules is a good thing.
But IMHO the documentation should be much clearer that this is only
security by obscurity and improves security only in some very limited
areas.
An attacker who is root on the machine that is running HTTPD can still get
the SSL keys. Either by creating a core dump and extracting the keys from
that (there are tools that do this), or, if the passphrase dialog yields
the passphrases without human interaction, by starting HTTPD under
strace/truss.

The only valid use case I see for this feature is to prevent unencrypted
SSL keys from going into the normal backup (if the file with the
passphrases is excluded and is instead backed up on paper). Are there more
valid use cases?