topic Re: How to encrypt password in shell scripts ? in Operating System - HP-UX

How to encrypt password in shell scripts ?

Chris Fung — Sun, 09 Jun 2002 08:20:34 GMT

Hi all,

I've developed some scripts in which I need to embed the user name and password inside the scripts. We really can't stand for such a big security hole!! Is there any workaround solution(s) that I can encrypted the passwords inside the scripts? Besides, changing password will be a nightmare if we embed the password inside the scripts !!! Any idea? I am think whether we can make use of the existing Unix password handling routines to accomplish this task !!!

Please help, many thanks !!

Chris,

Re: How to encrypt password in shell scripts ?

Heiner E. Lennackers — Sun, 09 Jun 2002 12:03:01 GMT

Hi,

there is no standard shell command to do password encryptions. I think the best way is to use perl to verify the password:

Assume you have a shell variable USERNAME and the entered PASSWORD (switch of tty outout with "stty -echo", when the user should enter his password, and switch it on again after entering with "stty echo"

Then you can do the following (in sh or ksh):

USERPW=`grep "^${USERNAME}:" /etc/passwd | cut -d: -f2`
if [ ! -z "${USERPW}" ];then
ENCRPW=`perl -e "print crypt(${PASSWORD},${USERPW})"`
if [ "${USERPW}" = "${ENCRPW}" ];then
echo password OK
else
echo password WRONG
fi
else
echo no such user
fi

You may write a little c-program which will do the check if you dont want to use perl.

Heiner

Re: How to encrypt password in shell scripts ?

harry d brown jr — Sun, 09 Jun 2002 15:57:08 GMT

Chris,

Unless you write a c program that has the passwords embedded in them and encrypted - which of course makes your source code an issue, then there isn't much you can do.

You could use the setuid or setgid on the process. Or "sudo". You could also make the file unreadable to those that don't need to "read" the code.

live free or die
harry

Re: How to encrypt password in shell scripts ?

Nick Wickens — Mon, 10 Jun 2002 11:16:19 GMT

See the man page for crypt.

Problem is you always need to have some password entered to regain access to your encrypted data.

Failing that have you thought of using sudo to run that script only as root ?. I seem to recollect that sudo can also be used to run scripts as other users. You still need a user to enter their password so it is interactive but they would not need to know the password of the user running the function.

Re: How to encrypt password in shell scripts ?

Nick Wickens — Mon, 10 Jun 2002 11:23:02 GMT

Heres my use of crypt just using shell where fred contains the encrypted password -

ACCESS=/users/userpass
NAME=fred
echo "Please enter your root access password -> "
stty -echo
read PASSWORD
stty echo
PASSIN=$(crypt $PASSWORD <$ACCESS/$NAME 2>/dev/null)
if [ $PASSWORD = $PASSIN ];then
echo "Thank You"
else
exit
fi

Re: How to encrypt password in shell scripts ?

Mark Seaman — Mon, 10 Jun 2002 15:12:21 GMT

I have always had this problem with batch scripts. The best solution I have found is to have a single file that contains the password. Change the permissions on this file to 400. All scripts retrieve this password using 'cat': PWD=$(cat ~/file.txt).
Password changes only require updating a single file. Security issue not removed, but chance of compromise greatly reduced using this technique.

Re: How to encrypt password in shell scripts ?

Sridhar Bhaskarla — Mon, 10 Jun 2002 15:43:07 GMT

Hi,

See my response along with Rod's good suggestion this thread

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xadb5d5fab40ed6118ff40090279cd0f9,00.html

-Sri

Re: How to encrypt password in shell scripts ?

Rodney Hills — Mon, 10 Jun 2002 15:47:23 GMT

Sri, which Rod? (I had a response at the top and another Rod had a response at the end.)

-- Rod Hills :-)

Re: How to encrypt password in shell scripts ?

Jerry Anderson_1 — Mon, 10 Jun 2002 16:20:33 GMT

This is an old problem with no perfect solution. My approach has been to use the .netrc file concept. That is, a separate file containing the userid/password pair which can be read by your batch file. This separate file is easy to maintain and you can secure it better than you can a shell script.

No matter what you do this file can be read by anybody who gains user level access to the account, and by root. So set up your environment so that if the userid/password are compromised the damage is minimized.

1. Set the permissions on this file as restrictive as possible - 0400.

2. Do not give group or other write permissions to the directory containing the file (so it can't be deleted to create a DoS).

3. Limit the people who have access to the account which owns the password file. All of them can read that file.

3. Do not use that userid/password for any other account. That way a compromise it somewhat contained.

4. Check the permissions/content of the file regularly and alert on changes. (Consider Tripwire).

Jerry