Encrypt password or prompt for one?

antdude
Posts: 18
Joined: 06 Feb 2009, 21:03
Location: An Ant Farm

Encrypt password or prompt for one?

Post by antdude » 10 Feb 2009, 01:37

Hi!

I don't like the idea of my nzbget config having the password in raw text. Is it possible to encrypt it or have the program ask me for it when I run nzbget?

Thank you in advance. :)

KaraokeStu
Posts: 39
Joined: 17 Sep 2008, 20:01

Re: Encrypt password or prompt for one?

Post by KaraokeStu » 10 Feb 2009, 15:12

I guess it may be possible to enable a config option. For example, you would leave the password blank and have the following:

    MD5Password=b05a1df962c7a8ba330b33de3b64e07f

Which happens to be the MD5 hash of "nzbget"

This basically is one-way encryption, so you would encrypt your password first and store it in the config file.
Then NZBGet will MD5 your input and check against the hash stored in the config file.

If they match, then it's obviously the right password; if not, then it's wrong.

The problem you have is if you forget your password with this method.

I also don't see the problem in storing the password within the file, as it is not accessible by anyone else (or shouldn't be, if you have your security set up correctly).

Is it more that you are worried about it being available via NZBGetWeb?

antdude
Posts: 18
Joined: 06 Feb 2009, 21:03
Location: An Ant Farm

Re: Encrypt password or prompt for one?

Post by antdude » 10 Feb 2009, 15:26

KaraokeStu wrote:
> I guess it may be possible to enable a config option. For example, you would leave the password blank and have the following:
>
>     MD5Password=b05a1df962c7a8ba330b33de3b64e07f
>
> Which happens to be the MD5 hash of "nzbget"
>
> This basically is one-way encryption, so you would encrypt your password first and store it in the config file.
> Then NZBGet will MD5 your input and check against the hash stored in the config file.
>
> If they match, then it's obviously the right password; if not, then it's wrong.
>
> The problem you have is if you forget your password with this method.
>
> I also don't see the problem in storing the password within the file, as it is not accessible by anyone else (or shouldn't be, if you have your security set up correctly).
>
> Is it more that you are worried about it being available via NZBGetWeb?

Well, the config is in a shared location like /etc.

KaraokeStu
Posts: 39
Joined: 17 Sep 2008, 20:01

Re: Encrypt password or prompt for one?

Post by KaraokeStu » 10 Feb 2009, 15:33

But surely the only people that would have access to /etc would be people that have direct access to your Linux machine?

As far as I'm aware /etc is never shared by default on SAMBA or CIFS, so nobody outside of your box would have access to it.
Also, if they have access to your box, they could just change the password themselves anyway?

antdude
Posts: 18
Joined: 06 Feb 2009, 21:03
Location: An Ant Farm

Re: Encrypt password or prompt for one?

Post by antdude » 10 Feb 2009, 15:45

KaraokeStu wrote:
> But surely the only people that would have access to /etc would be people that have direct access to your Linux machine?
>
> As far as I'm aware /etc is never shared by default on SAMBA or CIFS, so nobody outside of your box would have access to it.
> Also, if they have access to your box, they could just change the password themselves anyway?

I do have a few people using my box via SSH. /etc is viewable to them without sudo/root.

KaraokeStu
Posts: 39
Joined: 17 Sep 2008, 20:01

Re: Encrypt password or prompt for one?

Post by KaraokeStu » 10 Feb 2009, 15:55

Gotcha....

Well, you could move the config file somewhere they can't access?

You can use NZBGet -c [configfile] to load it that way?

antdude
Posts: 18
Joined: 06 Feb 2009, 21:03
Location: An Ant Farm

Re: Encrypt password or prompt for one?

Post by antdude » 10 Feb 2009, 17:17

KaraokeStu wrote:
> Gotcha....
>
> Well, you could move the config file somewhere they can't access?
>
> You can use NZBGet -c [configfile] to load it that way?

Yes, I guess. I was hoping to share the access. :(

hugbug
Developer & Admin
Posts: 7645
Joined: 09 Sep 2008, 11:58
Location: Germany

Re: Encrypt password or prompt for one?

Post by hugbug » 10 Feb 2009, 18:34

If passwords are encrypted in the config file, the program should know the master password. So it must be built into the executable. Since a built-in password can be easily read from source code, that kind of encryption would not be secure.

The idea of typing the password each time is better in this respect, but it doesn't work very well with nzbget being a server (daemon).

In your case I recommend you write a start script which should:
1) copy the config file into a temporary location;
2) ask you for the password;
3) set option ServerX.password in temp-config with your password;
4) start nzbget with temp-config;
5) delete temp-config.

P.S. Even if "/etc" is viewable for all, you can change permissions for "nzbget.conf" separately.
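
The five steps listed above, sketched as a Bash wrapper (an added example, not part of the thread and not NZBGet's own code). The default config path, the `Server1.Password` option name, the `start` argument and the function names are assumptions; `-c` is the option mentioned in the thread and `-D` is nzbget's daemon switch.

```bash
#!/usr/bin/env bash
# Added example, not NZBGet's own code. Run as: ./nzbget-start.sh start [conf] [option]
set -eu

# Steps 1 and 3: write a private copy of config $1 with option $2 set to
# password $3, and print the copy's path. mktemp creates the file mode 0600.
# The password reaches awk on stdin, not argv, so `ps` never shows it.
make_temp_config() {
    local src="$1" key="$2" pw="$3" tmp
    tmp=$(mktemp "${TMPDIR:-/tmp}/nzbget.conf.XXXXXX")
    { printf '%s\n' "$pw"; cat "$src"; } | awk -v key="$key" '
        NR == 1 { pw = $0; next }              # first stdin line is the password
        tolower(substr($0, 1, length(key) + 1)) == tolower(key "=") {
            print key "=" pw; found = 1; next  # replace the existing option line
        }
        { print }
        END { if (!found) print key "=" pw }   # option absent: append it
    ' > "$tmp"
    printf '%s\n' "$tmp"
}

main() {
    # Assumed defaults: config path and option name (the thread's "ServerX.password").
    local conf="${1:-/etc/nzbget.conf}" key="${2:-Server1.Password}" pw tmp
    read -r -s -p "News server password: " pw; echo   # step 2, no echo to terminal
    tmp=$(make_temp_config "$conf" "$key" "$pw")
    trap "rm -f -- '$tmp'" EXIT        # step 5, also runs if nzbget fails to start
    nzbget -c "$tmp" -D                # step 4: -c from the thread, -D = daemon mode
    # Assumption: the daemon has finished reading the file once this call returns.
}

if [ "${1:-}" = start ]; then shift; main "$@"; fi
```

The shared config keeps an empty password line, so other SSH users who can read it learn nothing; the filled-in copy exists only briefly and is readable only by the user who started nzbget.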

DrChair
Posts: 11
Joined: 09 Feb 2009, 21:50

Re: Encrypt password or prompt for one?

Post by DrChair » 10 Feb 2009, 22:14

hugbug wrote:
> If passwords are encrypted in the config file, the program should know the master password. So it must be built into the executable. Since a built-in password can be easily read from source code, that kind of encryption would not be secure.

You could store the MD5 hash of the password in the config file, and let nzbget compare the MD5 hash of the user-supplied password with the hash in the config file. If they match, the password should be OK. (The aMule web interface is using this principle.)

Still not 100% safe, but better than plain text.

hugbug
Developer & Admin
Posts: 7645
Joined: 09 Sep 2008, 11:58
Location: Germany

Re: Encrypt password or prompt for one?

Post by hugbug » 10 Feb 2009, 22:22

Why compare at all? If the user must type something, the inputted text can be used directly :)
