Forum Discussion

RahulG
Jun 01, 2020

Encrypting password

Hi All, I am writing a Python script to gather a few details for GTM. But in that script I am passing the password to log in to the device as plain text. This poses a security issue and the script cannot be made available for others on our shared drive. Could you please help me with the code where I don't have to provide the password as plain text?

1 Reply

  • I assume your script uses iControl REST (for example, K86953011). Two ideas.

     

    Idea 1: Add code to enter the username and password upon the script's startup (or command line options). Create individual accounts on BIG-IP for the users who may use your Python script. This requires user management; however, that's the best option security-wise.

     

    Idea 2: Use Basic Authentication. HTTP's Basic Authentication embeds a base64-encoded username:password pair in the "Authorization" header (see RFC 2617). For example, username "admin" and password "admin" are combined with the delimiter ":" ("admin:admin"), then encoded into a string "YWRtaW46YWRtaW4=". This is less readable as compared to 100% plain text. A curl example is shown below:

     curl -sk https://$HOST/mgmt/tm/sys/version -H "Authorization: Basic YWRtaW46YWRtaW4="
    (where $HOST is your BIG-IP)

    You can obtain the base64 string from plain text by executing the following Node.js snippet (Node.js is preinstalled on BIG-IP).

    node -p 'Buffer.from("admin:admin").toString("base64")'

    The issue is that you can decode the base64 string back to the plain text (easy). I assume your shared drive is internal, so sharing the secret is acceptable.
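
Idea 1 from the reply above, sketched in Python as an added example (not code from the thread or from F5): the password is prompted for at startup with `getpass`, so the script on the shared drive contains no secret, and `decode_basic_auth` shows why the Basic string from Idea 2 is an encoding rather than encryption. The function names are hypothetical; the URL path is the one from the curl example.

```python
import argparse
import base64
import getpass
import urllib.request


def get_credentials(argv=None, ask_user=input, ask_pass=getpass.getpass):
    """Take the username from --user or a prompt; always prompt for the password."""
    parser = argparse.ArgumentParser(description="Query BIG-IP via iControl REST")
    parser.add_argument("host", help="BIG-IP management address")
    parser.add_argument("--user", help="BIG-IP account (prompted if omitted)")
    args = parser.parse_args(argv)
    user = args.user or ask_user("Username: ")
    # getpass does not echo; the password never sits in the script or shell history.
    password = ask_pass(f"Password for {user}@{args.host}: ")
    if not user or not password:
        raise ValueError("username and password are required")
    return args.host, user, password


def basic_auth_header(user, password):
    """Value of the Authorization header for HTTP Basic Authentication."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(header_value):
    """Reverse of basic_auth_header: base64 is an encoding, not encryption."""
    scheme, token = header_value.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def build_version_request(host, user, password):
    """Prepare (but do not send) GET /mgmt/tm/sys/version for the given account."""
    req = urllib.request.Request(f"https://{host}/mgmt/tm/sys/version")
    req.add_header("Authorization", basic_auth_header(user, password))
    return req


if __name__ == "__main__":
    host, user, password = get_credentials()
    # urlopen verifies the certificate by default; the curl example's -k skips that.
    with urllib.request.urlopen(build_version_request(host, user, password)) as resp:
        print(resp.read().decode("utf-8"))
```
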