

RahulG
Jun 01, 2020

Encrypting password

Hi All, I am writing a python script to gather a few details for GTM. But in that script I am passing the password to log in to the device as plain text. This poses a security issue and the script cannot be made available for others on our sharedrive. Could you please help me with the code where I don't have to provide the password as plain text.

1 Reply

  • I assume your script uses iControl REST (for example, K86953011). Two ideas.

    Idea 1: Add code to enter the username and password upon the script's startup (or as command line options). Create individual accounts on BIG-IP for the users who may use your python script. This requires user management; however, that's the best option security-wise.

    Idea 2: Use Basic Authentication. HTTP's Basic Authentication embeds the base64-encoded username:password pair in the "Authorization" header (see RFC 2617). For example, username "admin" and password "admin" are combined with the delimiter ":" ("admin:admin"), then encoded into the string "YWRtaW46YWRtaW4=". This is less readable as compared to 100% plain text. A curl example is shown below:

        curl -sk https://$HOST/mgmt/tm/sys/version -H "Authorization: Basic YWRtaW46YWRtaW4="

    (where $HOST is your BIG-IP)

    You can obtain the base64 string from plain text by executing the following Node.js snippet (Node.js is preinstalled on BIG-IP).

        node -p 'Buffer.from("admin:admin").toString("base64")'

    The issue is that you can decode the base64 string back to the plain text (easy). I assume your sharedrive is internal, so sharing the secret is acceptable.
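The following is an added example, not the original poster's script and not F5 code. It implements Idea 1 from the reply above in Python (read the password from an environment variable or a getpass prompt at startup, so nothing secret is stored in the file on the sharedrive) and builds the same "Authorization: Basic ..." header the curl line uses. It also includes a decoder to make the reply's last point concrete: base64 is reversible, so a script with a hard-coded header is no safer than one with the plain password. The environment variable names BIGIP_USER and BIGIP_PASSWORD and the host placeholder are assumptions; the endpoint /mgmt/tm/sys/version is the one from the reply.

```python
import base64
import getpass
import json
import os
import ssl
import urllib.request
from typing import Optional, Tuple


def basic_auth_header(username: str, password: str) -> str:
    """Return the Authorization header value for HTTP Basic auth (RFC 2617).

    "admin" / "admin" yields "Basic YWRtaW46YWRtaW4=", matching the curl
    example in the reply.
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(header_value: str) -> Tuple[str, str]:
    """Recover the username and password from a Basic header value.

    This exists to show that base64 is an encoding, not encryption: anyone who
    can read the script can read the password. The split is on the first ":"
    because usernames cannot contain a colon but passwords can.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token).decode("utf-8")
    username, _, password = decoded.partition(":")
    return username, password


def get_credentials(username: Optional[str] = None) -> Tuple[str, str]:
    """Idea 1: obtain credentials at runtime instead of storing them in the script.

    Order of precedence (assumed variable names, not an F5 convention):
      1. BIGIP_USER / BIGIP_PASSWORD environment variables (unattended runs,
         where the scheduler or CI system injects the secret);
      2. an interactive prompt, with getpass so the password is not echoed.
    """
    user = username or os.environ.get("BIGIP_USER") or input("BIG-IP username: ")
    password = os.environ.get("BIGIP_PASSWORD") or getpass.getpass("BIG-IP password: ")
    return user, password


def fetch_version(host: str, username: str, password: str, verify_tls: bool = True) -> dict:
    """GET /mgmt/tm/sys/version from a BIG-IP using the Basic header built above.

    verify_tls=False is the equivalent of curl's -k; keep it True in production
    and install the BIG-IP certificate chain instead.
    """
    url = f"https://{host}/mgmt/tm/sys/version"
    request = urllib.request.Request(url, headers={
        "Authorization": basic_auth_header(username, password),
        "Accept": "application/json",
    })
    context = ssl.create_default_context()
    if not verify_tls:
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(request, context=context, timeout=30) as response:
        return json.loads(response.read().decode("utf-8"))


if __name__ == "__main__":
    # Host is a placeholder; the password never appears in this file.
    bigip_host = os.environ.get("BIGIP_HOST", "bigip.example.invalid")
    user, pw = get_credentials()
    print(json.dumps(fetch_version(bigip_host, user, pw), indent=2))
```

Run it as `BIGIP_HOST=<your-bigip> python3 gtm_version.py`; with no environment variables set it prompts for both values. Each user of the shared script authenticates with their own BIG-IP account, which is what makes the reply's Idea 1 the better option: the script carries no secret to leak, and the BIG-IP audit log records who actually ran it.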