From: "Anderson, Robert H - MWT"
To: 'Ant Users List'
Subject: RE: How do I encrypt the properties for Ant
Date: Wed, 14 May 2003 10:46:15 -0700

If you were to encrypt the passwords in a text file with a GPG key, then include the private key to decrypt the passwords at build time, you would still need to supply the passphrase to the private key, thus defeating the purpose. And if there is no passphrase for the key, then anyone with access to it could use it to decrypt the password file, so the purpose would be defeated once again.

You might try storing the passwords in plain text and use file system permissions to control access. For example, store the passwords in build.properties and make the mode 700 (or 770 with the appropriate group ownership).

-Rob A

-----Original Message-----
From: Moole Bhaskara R [mailto:Bhaskara.R.Moole@irs.gov]
Sent: Wednesday, May 14, 2003 9:51 AM
To: 'Ant Users List'
Subject: RE: How do I encrypt the properties for Ant

Thanks Nathan for clarifying digest. I am not a Cryptography expert :(

My actual requirements are to not make passwords readable to anybody after build code is completed.
If the actual person / program executing the build script is smart enough to decrypt the passwords, it is fine. I just can not store or transmit passwords in plain text.

I guess the right approach for this is to use a key and encrypt passwords and then package the key with the build script for decryption.

If anybody has sample code for this to do it in ant, please send it to me. I appreciate any help in this regard.

Thank you,
Bhaskara.

-----Original Message-----
From: Nathan Christiansen [mailto:Nathan_Christiansen@tni.com]
Sent: Wednesday, May 14, 2003 12:35 PM
To: Ant Users List
Subject: RE: How do I encrypt the properties for Ant

This posting confuses me. I don't know how the posters are using the word "digest" but it seems counterintuitive to my understanding of the Cryptography use of the word "digest".

A digest algorithm is used to create an irreversible hash of some type of data (like passwords). It is impossible to reverse the process from the digest to get the original data back.

What you need to do to save passwords in an unreadable form that you will load back into memory in a usable form is to save them in a reversible encrypted form like ArcFour, PGP, Triple-DES, or Rijndael.

I think your best bet is to create a shell wrapper script (or batch file if you are on Windows) where you can specify the passwords on the command line when running the script. This will work if you manually do the build process each time (you will need to type in the passwords manually each time you run the build.)

However, if you want to automate the build process you might want to create your own task (sub-classing org.apache.tools.ant.taskdefs.Property) to read in an encrypted properties file.

build.xml fragment:

...
Bash shell Example:

Usage: ./dobuild.sh secret

dobuild.sh:

    ant -Dftp.password="$1"

Windows Batch File Example:

Usage: dobuild secret

dobuild.bat:

    @echo off
    ant -Dftp.password=%1

--
Nathan Christiansen
Tahitian Noni International
http://www.tahitiannoni.com

-----Original Message-----
From: Moole Bhaskara R [mailto:Bhaskara.R.Moole@irs.gov]
Sent: Wednesday, May 14, 2003 9:12 AM
To: 'Ant Users List'
Subject: RE: How do I encrypt the properties for Ant

Hi,

I found a previous post without any further discussion on this subject. Anybody has code to use digest to encrypt and decrypt, as suggested in the following post?

Thanks,
Bhaskara.

PS: Thanks for your suggestion Rob. It does not work for my situation. SCP is only for secure copying. Command line option is not possible because it reveals the passwords as well.

List: ant-user
Subject: AW: ant build file security
From: Jan.Materne () rzf ! fin-nrw ! de
Date: 2003-04-30 4:52:18

I can see the problem. Never used digest, but maybe that scenario works:

But I don't know how to work with digest, so you have to find line 3 for your own :-)

If it works - let us know.

Jan Materne

> -----Original Message-----
> From: Trevor Luo [ITSD] [mailto:trevorl@vtc.edu.hk]
> Sent: Wednesday, 30 April 2003 06:31
> To: user@ant.apache.org
> Subject: ant build file security
>
> Hi,
>
> I am using ant for a while. Recently, I found a security
> exposure in the
>
> build.xml file:
>
>
>
> As you see, the password is plain in text. How can I use the digest
> encoding algorithm? Anyone can share this with me?
>
> FYI: I am using tomcat 4.18 under linux 7.2.
>
> Thanks in advance!
>
> Trevor
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@ant.apache.org
> For additional commands, e-mail: user-help@ant.apache.org

-----Original Message-----
From: Anderson, Robert H - MWT [mailto:Anderson.Robert@menlolog.com]
Sent: Tuesday, May 13, 2003 5:48 PM
To: 'Ant Users List'
Subject: RE: How do I encrypt the properties for Ant

Try using the scp task with public key authentication.

Or just pass in the passwords on the command line....

ant -Dftp.password=something ...

-Rob Anderson

-----Original Message-----
From: Moole Bhaskara R [mailto:Bhaskara.R.Moole@irs.gov]
Sent: Tuesday, May 13, 2003 2:44 PM
To: 'user@ant.apache.org'
Subject: How do I encrypt the properties for Ant

Hi,

I am trying to create an Ant xml build file to compile, jar, sign the jars, ftp the jars, and deploy them to WebSphere. The last three steps require authentication information (key store passwords, ftp user & password, WAS admin user and password).

I am prohibited from storing them in a plain text file. How do I encrypt them and still make them available to Ant?

I considered creating a taskdef java class and distribute only the class file to the build machines. I could not find a way to read the class attributes into Ant.

I appreciate any information in this regard.

Thank you,
Bhaskara.
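
Added example (not part of the thread, and not code from any of the posters): a wrapper in the spirit of dobuild.sh that applies the file-permission suggestion for build.properties and keeps the passwords off the command line by loading them with Ant's -propertyfile option. The function names and the ALLOW_GROUP, DOBUILD_RUN and PROPS variables are hypothetical.

```shell
#!/bin/sh
# Added example; function and variable names are hypothetical.

# Print the nine permission characters of a path, e.g. "rw-------".
perm_string() {
    ls -ld -- "$1" 2>/dev/null | cut -c2-10
}

# Succeed only if the file is fit to hold build passwords:
# a regular file (not a symlink), no access for "other", and no
# access for group unless ALLOW_GROUP=1 (the 770 case).
secret_file_ok() {
    f=$1
    [ -f "$f" ] || return 1
    [ ! -L "$f" ] || return 1
    p=$(perm_string "$f")
    [ "$(printf '%s' "$p" | cut -c7-9)" = "---" ] || return 1
    if [ "${ALLOW_GROUP:-0}" != "1" ]; then
        [ "$(printf '%s' "$p" | cut -c4-6)" = "---" ] || return 1
    fi
    return 0
}

# Run ant with the passwords loaded from the properties file, so they
# never appear in argv (and therefore not in ps output or shell history).
run_build() {
    props=$1
    shift
    if ! secret_file_ok "$props"; then
        echo "refusing to build: $props must be a regular file closed to other users" >&2
        return 1
    fi
    ant -propertyfile "$props" "$@"
}

# Only build when asked to, so the functions can be sourced and tested.
if [ "${DOBUILD_RUN:-0}" = "1" ]; then
    run_build "${PROPS:-build.properties}" "$@"
fi
```

Run it as DOBUILD_RUN=1 ./dobuild.sh followed by the Ant targets; any -D option given on the command line still takes precedence over the file.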