3

I have an Ubuntu server that runs certain scripts and should ssh into windows server to execute data. I am developing using python and using paramiko for ssh.

Currently, the windows login ssh password is provided plain text.

What good ways are available to store/retrieve password such that if anyone reads the code, they aren't able to easily get the password?

Jakuje
  • 9,715
  • 2
  • 42
  • 45
Syntax_Error
  • 131
  • 2

1 Answers1

8

Best practice is NOT to use password. You should always use the keys to authenticate.

But you are not able to prevent the usage of the password or the key if it is written as plaintext in some code. Though you can limit the usage of the key quite good. In authorized_keys on server, you can simply specify the allowed command to execute by the key, which will prevent anyone who posses the key from shell access.

Example of line in ~/.ssh/authorized_keys:

no-port-forwarding,no-pty,no-X11-forwarding,command="your_limited_command" ssh-rsa AAAA[...]==

More verbose description of the options can be found in manual page for sshd.

Jakuje
  • 9,715
  • 2
  • 42
  • 45
  • 3
    slight clarification: The command parameter will specify's which command will be run automatically following auth. Not just defining that it's allowed. – Paul Jan 10 '16 at 14:49
  • @Paul Yes. You are right. But as an consequence it boils down to that only this command is *allowed*. – Jakuje Jan 10 '16 at 14:55
  • 3
    I'd add client IP restriction in the key - that way, it doesn't matter if someone gets hold of it, it can't be used from another machine anyway. See e.g. http://serverfault.com/questions/507878/limited-ssh-access-for-log-retrieval/507899?s=11|0.5264#507899 – Jenny D Jan 10 '16 at 15:54
  • @JennyD, this is also good point. I was thinking about that. – Jakuje Jan 10 '16 at 16:23