On 3/18/15 7:15 PM, Morty wrote:
virtuoso isql's use of a command-line argument to specify the password is problematic for security. This means that user passwords are visible via "ps". It also means that orchestration systems that log command-lines have passwords in the logs. I'd really like to get away from this.

I can (somewhat) hide the password by putting it in a file and utilizing `cat $dba_password_file` in scripts, but it's still visible via ps, and it's clunky. Is there any baked-in way to specify the password via a password file, environment variable, or other mechanism?

Hopefully such a thing already exists, and I just didn't find it. If not, feature request: please implement such a mechanism. [Or would you guys accept a patch to do this? I'm not much of a C coder, but I think I could handle something this trivial.]

Note: this is currently under virtuoso open source version 7.1.0, under Linux. I'm sure we'll be upgrading to the most recent version shortly. But I don't see any changes to isql under the 7.2.0 release notes, so I'm assuming "upgrade to 7.2.0" won't solve my problems. The commercial version is not an option at this time.

- Morty

Morty,

You appear to assume that iSQL can only be used to connect to a Virtuoso instance using a single approach? Here is an option dump (note: we even support use of pkcs#12 and pem files for secure connections that don't use passwords at all):

isql -?
OpenLink Interactive SQL (Virtuoso), version 0.9849b.

Usage :
isql <HOST>[:<PORT>] <UID> <PWD> file1 file2 ...

isql -H <server_IP> [-S <server_port>] [-U <UID>] [-P <PWD>]
     [-E] [-X <pkcs12_file>] [-K] [-C <num>] [-b <num>]
     [-u <name>=<val>]* [-i <param1> <param2>]
isql -?

Connection options:

  -?                  - This help message
  -U username         - Specifies the login user ID
  -P password         - Specifies the login password
  -H server_addr      - Specifies the Server address (IP)
  -S server port      - Specifies the TCP port to connect to
  -E                  - Specifies that encryption will be used
  -C                  - Specifies that password will be sent in cleartext
  -X pkcs12_file      - Specifies that encryption & X509 certificates will be used
  -T server_cert      - Specifies that CA certificate file to be used
  -b size             - Specifies that large command buffer to be used (in KBytes)
  -K                  - Shuts down the virtuoso on connecting to it

Parameter passing options:

  -u name1=val1...    - Everything after -u is stored to associative array U,
                        until -i is encountered. If no equal sign then value
                        is NULL
  -i                  - Ignore everything after the -i option, after which
                        comes arbitrary input parameter(s) for isql procedure,
                        which can be referenced with $ARGV[$I] by the ISQL-commands.
  <OPT>=<value>       - Sets the ISQL options

Note that if none of the above matches then the non-options go as
<HOST>[:<PORT>] <UID> <PWD> file1 file2 ...

--
Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog 1: http://kidehen.blogspot.com
Personal Weblog 2: http://www.openlinksw.com/blog/~kidehen
Twitter Profile: https://twitter.com/kidehen
Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Personal WebID: http://kingsley.idehen.net/dataspace/person/kidehen#this
_______________________________________________
Virtuoso-users mailing list
Virtuoso-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/virtuoso-users
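
For the logging half of the problem raised in this thread, the following is an added example (not part of the thread and not Virtuoso code) of masking the password in isql command lines before an orchestration system writes them to a log. It follows the two usage forms in the option dump above; the names `redact_isql_argv`, `redact_command_line` and `MASK`, the sample lines, and the treatment of `-C` as taking a value (as the usage line shows) are assumptions.

```python
import shlex

# Options that consume the next token, per the usage text quoted in the thread.
# Assumption: -C takes a value, as the usage line shows ("[-C <num>]").
VALUE_OPTS = {"-H", "-S", "-U", "-P", "-X", "-T", "-C", "-b"}
MASK = "REDACTED"

def redact_isql_argv(argv):
    """Return a copy of an isql argv with the password token masked."""
    out = list(argv)
    positional = 0              # non-option tokens seen so far
    i = 1                       # argv[0] is the program name
    while i < len(out):
        tok = out[i]
        if tok == "-i":         # everything after -i is script parameters
            break
        if tok == "-u":         # name=val pairs run until -i
            while i < len(out) and out[i] != "-i":
                i += 1
            continue
        if tok in VALUE_OPTS:
            if tok == "-P" and i + 1 < len(out):
                out[i + 1] = MASK
            i += 2
            continue
        if tok.startswith("-"):  # flag without a value (-E, -K, -?)
            i += 1
            continue
        positional += 1
        if positional == 3:      # <HOST>[:<PORT>] <UID> <PWD>
            out[i] = MASK        # over-masking is preferred to leaking
        i += 1
    return out

def redact_command_line(line):
    """Mask the password in one logged command line if it invokes isql."""
    argv = shlex.split(line)
    if not argv or argv[0].rsplit("/", 1)[-1] != "isql":
        return line
    return shlex.join(redact_isql_argv(argv))

# Constructed sample lines, as an orchestration log might record them.
SAMPLE = [
    "isql 1111 dba s3cret load.sql",
    "/opt/virtuoso/bin/isql -H 127.0.0.1 -S 1111 -U dba -P s3cret",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(redact_command_line(line))
```

This only cleans what reaches the log; the password is still in the process list while isql runs.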