Currently I am working on a PHP project. The project's main theme is to log in through SSH to some Cisco switch in my local network, fetch details and present them to the user. To accomplish this I have created a database in MySQL containing the switch login credentials, and my PHP code will fetch the login credentials from the database and do its work on the switch.
My question is: how can I securely store the switch credentials in my MySQL database to protect them from any security vulnerabilities?
Answer
You hope to store your Cisco switch passwords in your database in a form where you can recover the plaintext password to use it for SSH connections.
Even if you encrypt the passwords in the database, your program that accesses the database will have to be able to decrypt them to use them. So the decryption key necessarily will be available to your program. That’s entirely different from the kind of password-hashing mechanism available in php. Password hashing doesn’t allow you to recover the password from the hash, only to compare a user-presented password with the hashed password to see if they match.
Storing decryptable passwords is not secure, and can never be secure. If somebody cracks your server, they then have access to your entire infrastructure. (Cybercreeps with access to switches and routers can really make a mess.) This is the kind of thing that shows up in https://KrebsOnSecurity.com . Don’t do it. Please.
If you want more-or-less automated access to your switches via ssh, your best bet is to use ssh’s key management features. The machine from which you access the switches will have a private key, and each switch will have a public key corresponding to the private key. If you configure the public keys correctly you can restrict the operations available to users who present the corresponding public keys. It’s a big topic, too big for a Stack Overflow answer.
As usual, Digital Ocean’s writeup of this topic is useful. https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server
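As an added illustration of the key-based approach the answer recommends (this is example code, not from the question, the answer, or any Cisco or PHP documentation), the following PHP helper uses the PECL `ssh2` extension to log in to a switch with a private key instead of a password pulled from MySQL. Everything about the layout is an assumption: the `switches` table (holding only host, login name and the expected host-key fingerprint, no secret), the `/etc/switchpoll/id_ed25519` key path, and the `netinv` database name are all placeholders. It assumes the switch has already been configured to trust the matching public key, which is a separate, device-specific step not shown here.

```php
<?php
declare(strict_types=1);

// Hypothetical key location: outside the web root, readable only by the
// web server user (mode 0600). The database never sees this file.
const SWITCH_PRIVATE_KEY = '/etc/switchpoll/id_ed25519';

/**
 * Load the non-secret connection details for one switch.
 * The hypothetical `switches` table stores host, login name and the
 * switch's expected host-key fingerprint, but no password.
 */
function loadSwitchRecord(PDO $db, int $switchId): array
{
    $stmt = $db->prepare('SELECT host, username, host_fingerprint FROM switches WHERE id = :id');
    $stmt->execute([':id' => $switchId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException("no switch with id $switchId");
    }
    return $row;
}

/**
 * Open an SSH session using public-key authentication.
 * Every failure throws, so a failed login is never mistaken for success.
 */
function connectToSwitch(string $host, string $user, string $expectedFingerprint, int $port = 22)
{
    $privKey = SWITCH_PRIVATE_KEY;
    $pubKey  = $privKey . '.pub';

    // Refuse to run with a group- or world-readable private key.
    $mode = fileperms($privKey);
    if ($mode === false || ($mode & 0077) !== 0) {
        throw new RuntimeException("private key $privKey must not be readable by others");
    }

    $conn = ssh2_connect($host, $port);
    if ($conn === false) {
        throw new RuntimeException("could not connect to $host:$port");
    }

    // Pin the switch's host key: without this check a spoofed switch would
    // receive our commands and could feed back forged output.
    $actual = ssh2_fingerprint($conn, SSH2_FINGERPRINT_SHA1 | SSH2_FINGERPRINT_HEX);
    if (!hash_equals(strtoupper($expectedFingerprint), strtoupper($actual))) {
        throw new RuntimeException("host key mismatch for $host: got $actual");
    }

    // Key-based login: the private key never leaves this machine and nothing
    // recoverable to a plaintext password is stored in MySQL.
    if (!ssh2_auth_pubkey_file($conn, $user, $pubKey, $privKey)) {
        throw new RuntimeException("public-key authentication failed for $user@$host");
    }
    return $conn;
}

/** Run a single read-only command and return its output. */
function runSwitchCommand($conn, string $command): string
{
    $stream = ssh2_exec($conn, $command);
    if ($stream === false) {
        throw new RuntimeException("could not execute '$command'");
    }
    stream_set_blocking($stream, true);
    $output = stream_get_contents($stream);
    fclose($stream);
    return $output;
}

// Usage with constructed placeholder values (DSN, credentials, switch id).
$db = new PDO(
    'mysql:host=localhost;dbname=netinv',
    'app',
    getenv('DB_PASSWORD') ?: '',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);
$sw   = loadSwitchRecord($db, 1);
$conn = connectToSwitch($sw['host'], $sw['username'], $sw['host_fingerprint']);
echo runSwitchCommand($conn, 'show version');
```

The two checks worth keeping even if the rest is adapted are the permission test on the private key (a key file that Apache's user can read is only as safe as every other process running as that user) and the host-key fingerprint comparison, which replaces the interactive "are you sure you want to continue connecting?" prompt that an unattended script would otherwise answer blindly. With this layout, compromise of the MySQL database alone yields hostnames and usernames but no credential that logs in to a switch.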