0

This question is a bit far-fetched (I don't even know if the way I'm going about doing this is correct).

I have a script that gathers some information on a computer. The intent is to have that script ftp/sftp/any-transfer etc some data to a remote server. This script is intended to be distributed among many people also.

Is it possible to hide the password/user of remote server in the script (or perhaps even the implementation details?). I was thinking of encoding it in some way. Any suggestions?

Also, in compiled languages like Java or C, is it safe to just distribute around a compiled version of the code?

Thanks.

3
  • What are you doing with this script? Commented Aug 13, 2013 at 22:06
  • I'm doing web-crawling for the most part Commented Aug 13, 2013 at 22:13
  • 1
    I just usually use some public key encryption then base64-encode it into a string ... (still not that secure since I have to somehow embed the public key that I used in the encryption ... but it protects it from some attacks), or you could make a compiled DLL or something then access a check_password function in it or something Commented Aug 13, 2013 at 22:26

4 Answers

2

The answer is no. You can't put the authentication details into the program and make it impossible for users to get those same authentication details. You can try to obfuscate them, but it is not possible to ensure that they cannot be read.

Compiling the code will not even obfuscate them very much.

One approach to the problem would be to implement a REST web interface and supply each distribution of the program with an API key of some sort. Then set up the program to connect to the interface over SSL using its key and put whatever information it needs there. Then you could track which version is connecting from where and limit each distribution of the program to updating a restricted set of resources on the server. Furthermore, you could use server heuristics to guess if an API key has leaked and block an account if that occurs.

Another way would be if all of the hosts/users of the program are trusted, then you could set up user accounts on a server node and each script could authenticate with its own username and password or SSH key. Your server node would then have to restrict access based on what each user is allowed to update. Using SSH key based authentication allows you to avoid leaving the passwords around while still allowing authenticated access to your server.


4 Comments

I thought this type of operation was something many people did. I have a script that consumes a lot of RAM ... and I wanted to have a few of my friends run it in the background. So there is no way around this?
I just updated the question with a possible approach. You just can't "hide" the password in the binary though.
Still not entirely sure on the implementation of the API key though. Do you mean that each script comes with an API key in the distribution publicly, and the script calls the server with the API key? Sorry, I'm confused.
@LucasOu-Yang You could do something as easy as generating a random key for every user you distribute the program to, and handing them just that one key when you hand them your program. On the server side, check to see if their key is in the database. This will do the trick provided that your friends do not share their keys, either accidentally or on purpose. The username/password approach is superior because the key is not stored in a file. It's the password.
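
The per-recipient key scheme described in this answer and its comments, as an added example (not code from the original posts): the server keeps only a hash of each key, limits each key to its own resources, and can revoke one key without touching the others. `KeyStore`, the `id.secret` key format and the resource names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class KeyStore:
    """Server-side registry of per-recipient API keys (hypothetical helper)."""

    def __init__(self):
        # key_id -> {"digest": SHA-256 of the secret, "resources": set, "revoked": bool}
        self._records = {}

    def issue(self, owner, resources):
        """Create a key for one recipient; the plaintext is returned once, never stored."""
        key_id = f"{owner}-{secrets.token_hex(4)}"
        secret = secrets.token_urlsafe(32)  # URL-safe alphabet, contains no "."
        self._records[key_id] = {
            "digest": hashlib.sha256(secret.encode()).digest(),
            "resources": frozenset(resources),
            "revoked": False,
        }
        return f"{key_id}.{secret}"

    def revoke(self, api_key):
        """Disable a single leaked key; other recipients are unaffected."""
        record = self._records.get(api_key.rpartition(".")[0])
        if record is not None:
            record["revoked"] = True

    def authorize(self, api_key, resource):
        """True only for a known, unrevoked key acting on a resource it was granted."""
        key_id, _, secret = api_key.rpartition(".")
        record = self._records.get(key_id)
        if record is None or record["revoked"]:
            return False
        presented = hashlib.sha256(secret.encode()).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(presented, record["digest"]):
            return False
        return resource in record["resources"]


if __name__ == "__main__":
    store = KeyStore()
    alice = store.issue("alice", {"crawl/alice"})  # constructed sample recipient
    print(store.authorize(alice, "crawl/alice"))
    store.revoke(alice)
    print(store.authorize(alice, "crawl/alice"))
```
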
2

Just set the name to "username" and password to "password", and then when you give it to your friends, provision an account/credential that's only for them, and tell them to change the script and be done with it. That's the best/easiest way to do this.

Comments

1

To add onto jmh's comments and answer another part of your question, it is possible to decompile the Java from the .class byte code and get almost exactly what the .java file contains, so that won't help you. C is more difficult to piece back together, but again, it's certainly possible.

Comments

0

I sometimes compress credentials with zlib and compile to a pyo file. It protects from "open in editor and press ctrl+f" and from non-programmers only. Sometimes I used PGP cryptography.

Comments
