
Encrypting password

RahulG
Altostratus

Hi All, I am writing a Python script to gather a few details for GTM. But in that script I am passing the password to log in to the device as plain text. This poses a security issue, and the script cannot be made available to others on our shared drive. Could you please help me with the code so that I don't have to provide the password as plain text?

1 REPLY

Satoshi_Toyosa1
F5 Employee

I assume your script uses iControl REST (for example, K86953011). Two ideas.

 

Idea 1: Add code to enter the username and password upon the script's startup (or as command line options). Create individual accounts on BIG-IP for the users who may use your Python script. This requires user management; however, that's the best option security-wise.

 

Idea 2: Use Basic Authentication. HTTP's Basic Authentication embeds base64 encoded username:password pair in the "Authorization" header (see RFC 2617). For example, username "admin" and password "admin" are combined with the delimiter ":" ("admin:admin"), then encoded into a string "YWRtaW46YWRtaW4=". This is less readable as compared to 100% plain text. A curl example is shown below:

curl -sk https://$HOST/mgmt/tm/sys/version -H "Authorization: Basic YWRtaW46YWRtaW4=" (where $HOST is your BIG-IP)

You can obtain the base64 string from plain text by executing the following Node.js snippet (Node.js is preinstalled on BIG-IP).

node -p 'Buffer.from("admin:admin").toString("base64")'

The issue is that you can decode the base64 string back to the plain text (easy). I assume your shared drive is internal, so sharing the secret is acceptable.
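A Python sketch of both ideas, added here as an example and not part of the reply above: the script stores no password and prompts for it at startup (Idea 1), builds the Basic Authorization header from Idea 2, and shows that the header decodes straight back to the credentials. The function names and the `-u/--user` option are assumptions made for this example, and unlike the `curl -k` call it keeps certificate verification on.

```python
import argparse
import base64
import getpass
import ssl
import sys
import urllib.request


def basic_auth_header(username, password):
    """Build the Authorization header value described in Idea 2."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_auth(header_value):
    """Recover (username, password): base64 is an encoding, not encryption."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    # Split on the first ':' only, so passwords containing ':' survive.
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def read_credentials(argv, ask_password=getpass.getpass, ask_user=input):
    """Idea 1: host/user from the command line, password prompted without echo."""
    parser = argparse.ArgumentParser(description="Query BIG-IP over iControl REST")
    parser.add_argument("host")
    parser.add_argument("-u", "--user")  # hypothetical option name
    args = parser.parse_args(argv)
    user = args.user or ask_user("Username: ")
    return args.host, user, ask_password(f"Password for {user}@{args.host}: ")


def build_version_request(host, username, password):
    """Prepare (without sending) the request from the curl example."""
    req = urllib.request.Request(f"https://{host}/mgmt/tm/sys/version")
    req.add_header("Authorization", basic_auth_header(username, password))
    return req


if __name__ == "__main__":
    host, user, password = read_credentials(sys.argv[1:])
    # Assumption: the BIG-IP presents a certificate this client trusts.
    ctx = ssl.create_default_context()
    request = build_version_request(host, user, password)
    with urllib.request.urlopen(request, context=ctx) as resp:
        print(resp.read().decode("utf-8"))
```

Because the password is typed at run time, the file on the shared drive contains no secret, and each user signs in with their own BIG-IP account.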