1

Currently I am working on a PHP project. The project's main theme is to log in through SSH to some Cisco switch in my local network, fetch details and populate them to the user. To accomplish this I have created a database in MySQL containing the switch login credentials. My PHP code will fetch the login credentials from the database and do its calculation on the switch.

My question is: how can I securely store the switch credentials in my MySQL database to keep them secure from any security vulnerabilities?

O. Jones
  • 103,626
  • 17
  • 118
  • 172
user8359297
  • 31
  • 1
  • 3
  • 1
    `from any security vulnerabilities` is a pretty wide topic. – user3783243 Jul 16 '19 at 17:55
  • Have you read [Safe Password Hashing](https://www.php.net/manual/en/faq.passwords.php)? – KIKO Software Jul 16 '19 at 17:56
  • @KIKOSoftware The password hashing is good when used for user authentication , but will it be equally effective in case of storing credentials for login to some other elements.. in my case it's cisco switch – user8359297 Jul 16 '19 at 18:03
  • 2
    Possible duplicate of [Best way to store password in database](https://stackoverflow.com/questions/1054022/best-way-to-store-password-in-database) – devlin carnate Jul 16 '19 at 18:05
  • This is similar, but not a duplicate, as OP here is asking about storing passwords to external systems/applications not for their current application. – Chris Schaller Jul 16 '19 at 22:22
  • 2
    Hashing is not going to be the answer here because OP needs to use the original password, not just verify it, look for encryption instead. basically encrypt the password and store the encrypted string into a string field in the database. Then do your best to make sure no one gains access to your encryption keys ;) – Chris Schaller Jul 16 '19 at 22:24

2 Answers

3

You hope to store your cisco switch passwords in your database in a form where you can recover the password plain text to use it for ssh connections.

Even if you encrypt the passwords in the database, your program that accesses the database will have to be able to decrypt them to use them. So the decryption key necessarily will be available to your program. That's entirely different from the kind of password-hashing mechanism available in php. Password hashing doesn't allow you to recover the password from the hash, only to compare a user-presented password with the hashed password to see if they match.

Storing decryptable passwords is not secure, and can never be secure. If somebody cracks your server, they then have access to your entire infrastructure. (Cybercreeps with access to switches and routers can really make a mess.) This is the kind of thing that shows up in https://KrebsOnSecurity.com . Don't do it. Please.

If you want more-or-less automated access to your switches via ssh, your best bet is to use ssh's key management features. The machine from which you access the switches will have a private key, and each switch will have a public key corresponding to the private key. If you configure the public keys correctly you can restrict the operations available to users who present the corresponding public keys. It's a big topic, too big for a Stack Overflow answer.

As usual, Digital Ocean's writeup of this topic is useful. https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server

O. Jones
  • 103,626
  • 17
  • 118
  • 172
  • That's very good, especially the part with ssh keys, if the switch supports it – nbk Jul 16 '19 at 18:32
  • Hmm... Not sure it's really ssh unless it supports public key authentication. At any rate cisco gear does support this. – O. Jones Jul 16 '19 at 18:35
  • I think so, but Florrent can look it up in the manual, which should be consulted anyway – nbk Jul 16 '19 at 18:40
  • Dear O. Jones, in my network I have almost 60000 switches and this ssh private key will be a very tedious and nearly impossible project. Is there any other way out??? – user8359297 Jul 17 '19 at 02:35
  • Key management is a real thing. For example, read this. https://serverfault.com/questions/824180/manage-ssh-keys With 60K managed switches I guess you aren't extremely short of money. And, I guess your institution is a big fat juicy target for cybercreeps. Ask cisco for advice? – O. Jones Jul 17 '19 at 10:31
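The fallback suggested in the comments on the question (encrypt the password, keep the key away from the database) as an added example; this is not code from either answer. The key is read from an assumed environment variable `SWITCH_CRED_KEY` (a constructed random key is used when it is unset), the column and hostname values are constructed, and the switch hostname is bound to each ciphertext so a blob copied onto another switch's row fails to decrypt. As the answer above says, whoever controls the application host still holds the key; this only protects against a database dump on its own.

```php
<?php
declare(strict_types=1);

// Key lives outside MySQL: read from the environment (assumed variable name).
// When unset, a constructed random key is used so the example runs stand-alone.
function loadKey(): string
{
    $hex = getenv('SWITCH_CRED_KEY');
    if ($hex === false || $hex === '') {
        $hex = bin2hex(random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES));
    }
    $key = hex2bin($hex);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES) {
        throw new RuntimeException('SWITCH_CRED_KEY must be 32 bytes, hex encoded');
    }
    return $key;
}

// Encrypt one password for a VARCHAR/TEXT column. The hostname is the associated data,
// so the same blob moved to a different switch's row will not authenticate.
function sealPassword(string $key, string $hostname, string $password): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
    $ct = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($password, $hostname, $nonce, $key);
    return base64_encode($nonce . $ct); // nonce is not secret; store it with the ciphertext
}

// Decrypt only at the moment the SSH session is opened; any tampering is rejected.
function openPassword(string $key, string $hostname, string $stored): string
{
    $raw = base64_decode($stored, true);
    $n = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
    if ($raw === false || strlen($raw) <= $n) {
        throw new RuntimeException("malformed credential blob for $hostname");
    }
    $pw = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(substr($raw, $n), $hostname, substr($raw, 0, $n), $key);
    if ($pw === false) {
        throw new RuntimeException("credential for $hostname failed authentication");
    }
    return $pw;
}

// Demo with constructed values standing in for a MySQL row (hostname, enc_password).
$key = loadKey();
$host = 'sw-core-01.example.net';
$row = ['hostname' => $host, 'enc_password' => sealPassword($key, $host, 'constructed-demo-secret')];
echo openPassword($key, $row['hostname'], $row['enc_password']) === 'constructed-demo-secret' ? "round trip ok\n" : "mismatch\n";
try { // same blob presented for another switch is refused
    openPassword($key, 'sw-rogue.example.net', $row['enc_password']);
} catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```

Requires PHP 7.2 or later, where the sodium extension is built in.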
0

Typically, securely storing switch (and router) credentials is done with TACACS+, which eliminates the need for hosts logging into the switches from storing credentials beyond those required to access the TACACS+ server.

Andrew
  • 1
  • 4
  • 19