On 5/5/05, Bob Miller <[EMAIL PROTECTED]> wrote:
> timothy wrote:
>
> > If you use the above as a command, wouldn't the password be in
> > history? On occasion I have to go through my history file and
> > delete things when I make a mistake. Or is it like SSH where it
> > asks for the password? I didn't know you could do that; thanks for
> > showing us how to do it.
>
> Yes, it would be in the history. If you're doing this interactively,
> it's much better to leave off the -pass pass:xyzzy arguments. Then openssl
> will prompt you for the passwords and you type them with no echo
> and with no record left behind (unless there's a keystroke logger
> on your system...). See the openssl man page for all the options
> for passwords.
>
> I had assumed Fred wanted automatic backups.
Doing automated backups securely is a very difficult task to set up; the alternatives all leave something to be desired.

The best version I've seen is to set up ssh-agent on one machine to start at boot time (requires the admin to log in and enter the pass-phrase) and have that machine run all the backups everywhere via ssh commands and supply passphrases etc. to the other machines.

Most setups I've seen either:

1. did backups over a local subnet using trust relationships of one sort or another
2. had an unencrypted private key or passphrase somewhere on the system

1 can be vulnerable to various flavours of spoofing, and 2 can be locked down in various ways to minimise the damage if the unencrypted key were compromised. Both of those setups are less than ideal.

A book I'm reading, "Mastering FreeBSD and OpenBSD Security" (I'll post a fuller review later), describes the use of m of n cryptography for locking down valuable corporate resources, and describes a system in use at one bank where any 3 of 8 VPs are needed to provide their passphrases (at the console) to unlock the bank's root certificates (and the secure webserver can't be started until they have done so), which provides some definite incentive to keep the systems up and running.

Feeding a passphrase to a keyserver on reboot seems much less of a hassle by comparison (especially if you can do so remotely).

-- 
http://Zoneverte.org -- information explained
Do you know what your IT infrastructure does?

_______________________________________________
EUGLUG mailing list
[email protected]
http://www.euglug.org/mailman/listinfo/euglug
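The "any 3 of 8" scheme described in the post is Shamir secret sharing. The following is an added worked example, not code from the thread, the book, or the bank's system: it splits a key-encryption key into 8 shares over a prime field, shows that any 3 shares reconstruct it by Lagrange interpolation at x = 0, and that 2 shares yield an unrelated value. The prime, the 32-byte sample key and the function names are this example's own choices.

```python
import secrets
from itertools import combinations
from typing import List, Tuple

# M521, the Mersenne prime 2^521 - 1. All arithmetic is in GF(P), so a secret of
# up to 64 bytes (e.g. a 32-byte key-encryption key) fits in one field element.
P = (1 << 521) - 1

Share = Tuple[int, int]  # (x, f(x)) with 1 <= x <= n


def split_secret(secret: int, k: int, n: int) -> List[Share]:
    """Split `secret` into n shares, any k of which reconstruct it.

    A random polynomial f of degree k-1 with f(0) = secret is chosen and share
    i is (i, f(i)). Fewer than k points leave f(0) undetermined: every candidate
    secret is consistent with exactly one polynomial through them.
    """
    if not 1 <= k <= n < P:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner's rule for f(x) mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_secret(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0.

    With fewer than k distinct shares this returns a wrong value, not an error:
    in a real deployment the recovered key should be verified by an
    authenticated decryption (or a stored hash) before anything is unlocked.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P          # (0 - xj)
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P  # Fermat inverse
    return secret


def split_key(key: bytes, k: int, n: int) -> List[Share]:
    """Byte-string convenience wrapper around split_secret (key <= 64 bytes)."""
    if len(key) > 64:
        raise ValueError("key too long for this field")
    return split_secret(int.from_bytes(key, "big"), k, n)


def recover_key(shares: List[Share], length: int) -> bytes:
    """Inverse of split_key; `length` is the original key length in bytes."""
    return recover_secret(shares).to_bytes(length, "big")


def threshold_check(shares: List[Share], k: int, secret: int) -> Tuple[bool, bool]:
    """(every k-subset recovers the secret, some (k-1)-subset recovers it)."""
    all_k_ok = all(recover_secret(list(c)) == secret for c in combinations(shares, k))
    leak = any(recover_secret(list(c)) == secret for c in combinations(shares, k - 1))
    return all_k_ok, leak


if __name__ == "__main__":
    # Constructed stand-in for the key that wraps the bank's root certificate keys.
    kek = secrets.token_bytes(32)
    vp_shares = split_key(kek, 3, 8)           # one share per VP
    print("3 of 8 recovers:", recover_key([vp_shares[0], vp_shares[4], vp_shares[7]], 32) == kek)
    ok, leak = threshold_check(vp_shares, 3, int.from_bytes(kek, "big"))
    print("all 56 triples work:", ok, "| any pair leaks:", leak)
```

Each VP would keep a share (or a passphrase that decrypts their share) rather than the whole key; the console collects three of them, interpolates, and only then can the webserver's key material be unwrapped.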
