
Storing credentials #68

Open
tasleson opened this issue Aug 20, 2020 · 1 comment

Comments

@tasleson
Member

Today we have a plain text password in a configuration file. I believe we should hash the password in case the contents of the file become public.

Some ideas

  • Hash the password
    • Use a prefix like [sha|md5]:"hashed password"
  • Add a check to make sure the configuration file is owned by root and only root has permission to read it
  • Investigate other integrated authentication mechanisms so we can stop doing this ourselves
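The first two ideas above, worked into Python as an added example (this is not targetd's code and not something the issue proposes verbatim): a config value is either a bare plaintext password (today's form, kept working), `sha256:<hex>` / `md5:<hex>` following the `[sha|md5]:"hashed password"` prefix idea, or an assumed `pbkdf2_sha256:<iterations>:<salt hex>:<digest hex>` form, added here because an unsalted digest of a password can be matched against precomputed tables while a salted, iterated one cannot. Verification always goes through `hmac.compare_digest`. The ownership/mode check is split into a pure policy function so it can be exercised without a real file; the config path in the demo is a placeholder.

```python
import hashlib
import hmac
import os
import stat
from typing import List, Optional, Tuple

# Schemes recognised in the config value. "sha256"/"md5" follow the
# "[sha|md5]:<hashed password>" idea from the issue; "pbkdf2_sha256" is an
# assumed addition that stores a salt and iteration count beside the digest.
UNSALTED = ("sha256", "sha1", "md5")
PBKDF2 = "pbkdf2_sha256"


def parse_stored(value: str) -> Tuple[str, list]:
    """Return (scheme, parts) for a stored credential.

    A value without a recognised prefix is treated as a plaintext password,
    so existing configuration files keep working unchanged. A recognised
    prefix followed by a malformed digest raises ValueError.
    """
    scheme, sep, rest = value.partition(":")
    scheme = scheme.lower()
    if sep and scheme == PBKDF2:
        iters, salt_hex, digest_hex = rest.split(":")  # ValueError if not 3 fields
        return scheme, [int(iters), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)]
    if sep and scheme in UNSALTED:
        return scheme, [bytes.fromhex(rest)]
    return "plain", [value]


def make_stored(scheme: str, password: str, iterations: int = 600_000,
                salt: Optional[bytes] = None) -> str:
    """Produce the string an administrator would write into the config file."""
    pw = password.encode("utf-8")
    if scheme == PBKDF2:
        salt = os.urandom(16) if salt is None else salt
        digest = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
        return f"{PBKDF2}:{iterations}:{salt.hex()}:{digest.hex()}"
    if scheme in UNSALTED:
        return f"{scheme}:{hashlib.new(scheme, pw).hexdigest()}"
    raise ValueError(f"unsupported scheme {scheme!r}")


def verify_password(stored: str, candidate: str) -> bool:
    """Check a client-supplied password against the configured value.

    hmac.compare_digest is used on every branch so comparison time does not
    depend on where the first mismatching byte sits.
    """
    scheme, parts = parse_stored(stored)
    cand = candidate.encode("utf-8")
    if scheme == "plain":
        return hmac.compare_digest(parts[0].encode("utf-8"), cand)
    if scheme == PBKDF2:
        iters, salt, expected = parts
        actual = hashlib.pbkdf2_hmac("sha256", cand, salt, iters, dklen=len(expected))
        return hmac.compare_digest(actual, expected)
    expected = parts[0]
    actual = hashlib.new(scheme, cand).digest()
    return hmac.compare_digest(actual, expected)


def audit_permissions(path: str, st_uid: int, st_mode: int) -> List[str]:
    """Return the list of problems with a config file's owner and mode.

    An empty list means: owned by root and no group/other bits set.
    """
    problems = []
    if st_uid != 0:
        problems.append(f"{path}: owned by uid {st_uid}, expected root (uid 0)")
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {oct(stat.S_IMODE(st_mode))} grants access to group/other")
    return problems


def check_config_file(path: str) -> List[str]:
    """stat() the real file and apply the ownership/mode policy to it."""
    st = os.stat(path)
    return audit_permissions(path, st.st_uid, st.st_mode)


if __name__ == "__main__":
    # Constructed sample config values, not taken from any real install.
    config = {
        "legacy": "targetd-secret",  # today's plaintext form
        "hashed": make_stored("sha256", "targetd-secret"),
        "kdf": make_stored(PBKDF2, "targetd-secret", iterations=100_000),
    }
    for name, value in config.items():
        print(name, verify_password(value, "targetd-secret"), verify_password(value, "wrong"))
    # Placeholder path; a world-readable file owned by a non-root uid yields two findings.
    print(audit_permissions("/path/to/targetd-config.yaml", 1000, 0o100644))
```

Running the module prints `True False` for all three config forms and two findings for the 0644, uid 1000 sample; wiring `check_config_file` into daemon startup and refusing to start on a non-empty result is the shape of the second bullet.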
@dsonck92
Contributor

As integrated authentication mechanisms go, from those I've touched/heard about:

  • PAM, unsure if Python libraries exist; it also adds some complexity to configuration with the /etc/pam.d stuff, but the benefit is that anything PAM can do, targetd can do. In my instance, I think about my LDAP setup
  • SASL, I like the idea of it, where you just write what you get to SASL and get an ok back (iirc, a bit lost in my memory) which approves access
  • PolicyKit, well, I liked the customization it allowed a few years back; however, in my old use case I overloaded the daemon with too many requests to approve. This broke the daemon and killed any authentication possible by it, causing systemd to not work properly. So it must be noted that the queries targetd will do should be somewhat rate limited. (As context, I used libvirtd with a project called archipel (XMPP access to VMs); archipel during its status polling was spamming libvirtd, which was then spamming PolKit)
