Alec Kloss wrote:
> On 2009-10-02 14:08, Bob Archer wrote:
> [chop]
>> Some of this stuff also depends on what you are storing. Perhaps going another way would be better. For example, use NT Authentication to access your SQL servers rather than username/password. This way, the password isn't in the configuration file. I am sure there are similar LDAP type ways to deal with this for other technologies also.
>>
> [chop]
>
> Seconded. Passwords for services are a relic from the 80s.
> Buildbots and so on should have a collection of keys that are used
> to build things. Between GSSAPI, NTLM, PKI, and ssh public keys,
> there shouldn't be too many technologies left that need a
> clear-text password. Your source-controlled configuration files
> should tell you which accounts should do what and you should have
> encryption keys on the side accessible only by the accounts that
> need them, and a rotation policy in place to ensure you don't find
> yourself using a 512 bit PKI key you generated 10 years ago.
OK, so how do you connect an assortment of perl/java/php services to an
assortment of mysql/postgresql/sql server databases without something in
the configurations that would be reusable if you can get a copy?
--
Les Mikesell
lesmikesell_at_gmail.com
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2403039
Received on 2009-10-02 20:58:44 CEST