Msmtp and smtp account password - how to obfuscate

I configured msmtp with my gmail account. I obviously want to avoid writing the password in clear text format in the configuration file. Fortunately, msmtp offers the passwordeval option, which can be used to get the password from the output of the executable file.

Question: how to use it?

I found the following sentence here: passwordeval gpg -d /some/path/to/.msmtp.password.gpg

This does not matter much to me: if someone can access my configuration file, he will certainly be able to run such a command and get the password from gpg.

So, I believe that my only option is to obfuscate the password in a binary executable, even though I read almost everywhere that this is bad!

My exception for hacking: the correct password is output only during the sendmail process; otherwise you will get a fake pass.

Your suggestions? Are there other (safer) tricks than storing a pass in a binary file?

+7
security passwords msmtp
2 answers

There is no standard solution for saving credentials under these restrictions:

  • the need to use credentials in text form later
  • and unattended
  • in a system that is not completely controlled by you (if you just set the appropriate rights to files containing secrets)

You have several solutions, none of them completely solve your problem:

  • encrypt your credentials in a symmetrical way: you need to enter a key to decrypt them.
  • encrypt in an asymmetric way: you need to provide your private key, which must be stored somewhere (unattended) or entered into
  • obfuscate: as you mentioned, this only protects against a certain population
  • get it from another place - you need to determine the method or your other system.

You need to consider which risk is acceptable and go from there.

0

The reason for gpg -d is that it requires the private key of the person who encrypted the file. Therefore, even if this encrypted file is simply placed in the public domain, it is still encrypted, and only one person (the one who has the secret key) can decrypt it. It is assumed that the secret key is locked on the user's machine and has not leaked. It also assumes that they have not configured any agents that cache the unlock password while the hacker has direct access to the same computer. All this is very unlikely in 99% of all attacks. - Sukima 12/02/12 at 5:13

0
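As an added example (not code from this thread or from msmtp), a POSIX sh wrapper that msmtp can call through passwordeval: it makes the first answer's point concrete, that in the end the protection is the rights on whatever file holds the secret, by refusing to emit the password when those rights are wrong. The paths in the comments and the demo secret are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Wrapper for msmtp's passwordeval:
# prints the secret only if the file holding it is owned by the caller and
# has no group/other permission bits. Paths below are hypothetical.
#
# In ~/.msmtprc:
#   passwordeval "sh /home/me/.msmtp/guard.sh /home/me/.msmtp/password"

# Octal permission bits of a file: GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Numeric owner uid of a file, same GNU/BSD fallback.
file_owner_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# guard_secret FILE: print the first line of FILE, or fail with exit 1.
guard_secret() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "guard: $f: not a regular file" >&2; return 1
    fi
    if [ "$(file_owner_uid "$f")" != "$(id -u)" ]; then
        echo "guard: $f: not owned by the calling user" >&2; return 1
    fi
    case "$(file_mode "$f")" in
        *00) ;;   # ends in 00: group and other have no bits at all
        *) echo "guard: $f: readable by group/other, refusing" >&2; return 1 ;;
    esac
    head -n 1 "$f"    # one line only, so nothing else reaches msmtp
}

# Stand-alone demo on a constructed secret (never a real password).
demo() {
    d=$(mktemp -d) || return 1
    ( umask 077; printf 'constructed-demo-secret\n' > "$d/password" )
    guard_secret "$d/password" >/dev/null && echo "mode 600: accepted"
    chmod 644 "$d/password"
    guard_secret "$d/password" >/dev/null 2>&1 || echo "mode 644: refused"
    rm -rf "$d"
}

if [ $# -gt 0 ]; then
    guard_secret "$1"   # called by msmtp with the secret file as argument
else
    demo
fi
```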
