https://community.hpe.com/t5/operating-system-hp-ux/how-to-store-passwd-in-shell-scripts/m-p/3161683#M748372 Geoff, sorry to disagree, but the .netrc should not be owned by root, but by the user running ftp and be located in his/her homedirectory... And some FTP servers also request a homedirectory not writable by others.<BR /><BR />As for the mail variant: you can use any encryption algorithm on the data transferred you like. There are no passwords in it, only the send-script and receive-script (or better, program) need to know how to en- and decrypt the data. So it might be a good solution. And if you configure the receive script as mail-filter in your aliases file, the mail is processed the moment it comes in, so you don't have to schedule and poll for new mail... Mon, 19 Jan 2004 01:42:17 GMT Elmar P. Kolkman 2004-01-19T01:42:17Z https://community.hpe.com/t5/operating-system-hp-ux/how-to-store-passwd-in-shell-scripts/m-p/3161676#M748365 I need to create some shell scripts that will have FTP username and password info. I know this is not secure, but I dont know what alternatives there are for me. I'm ready to explain the security risks to my users, but want to have some options besides:<BR />1. "You have to type the passwd each time you run the script", and 2. <BR />"The password is in a world readable file, say goodbye to all security."<BR /><BR />Do I have any other options?<BR /><BR />TIA Mon, 12 Jan 2004 08:03:46 GMT https://community.hpe.com/t5/operating-system-hp-ux/how-to-store-passwd-in-shell-scripts/m-p/3161676#M748365 David Greenberg_3 2004-01-12T08:03:46Z https://community.hpe.com/t5/operating-system-hp-ux/how-to-store-passwd-in-shell-scripts/m-p/3161677#M748366 Hi Tia,<BR /><BR />The alternative is called scp.<BR />check:<BR /><BR /><A href="http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=350906" target="_blank">http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=350906</A><BR /><BR />Gideon<BR /><BR /> Mon, 12 Jan 2004 08:08:26 GMT https://community.hpe.com/t5/operating-system-hp-ux/how-to-store-passwd-in-shell-scripts/m-p/3161677#M748366 G. Vrijhoeven 2004-01-12T08:08:26Z https://community.hpe.com/t5/operating-system-hp-ux/how-to-store-passwd-in-shell-scripts/m-p/3161678#M748367 Check the thread.<BR /><A href="http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=350906" target="_blank">http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=350906</A><BR />sks Mon, 12 Jan 2004 08:09:22 GMT https://community.hpe.com/t5/operating-system-hp-ux/how-to-store-passwd-in-shell-scripts/m-p/3161678#M748367 Sanjay Kumar Suri 2004-01-12T08:09:22Z https://community.hpe.com/t5/operating-system-hp-ux/how-to-store-passwd-in-shell-scripts/m-p/3161679#M748368 To pass user names and passwords to FTP program, there is a way using .netrc file. This file should exist with file permission 600 in your home directory. <BR />Syntax:<BR /><BR />machine <MACHINE> login <LOGINNAME> password <PASSWORD><BR /><BR />When you use ftp command, this will check this file and authnticated.<BR /><BR />Also, you can go for exchanging public keys in SCP.<BR /><BR />-Thanks<BR />Vijay</PASSWORD></LOGINNAME></MACHINE> Mon, 12 Jan 2004 08:17:40 GMT https://community.hpe.com/t5/operating-system-hp-ux/how-to-store-passwd-in-shell-scripts/m-p/3161679#M748368 Vijaya Kumar_3 2004-01-12T08:17:40Z https://community.hpe.com/t5/operating-system-hp-ux/how-to-store-passwd-in-shell-scripts/m-p/3161680#M748369 Try not to do it with passwords in scripts or .netrc files. If a user can login to the server and the file is readable... but you know the risks.<BR /><BR />If you don't want to install additional software, you could use rcp. You don't need passwords, just the correct .rhosts file on the remote machine.<BR /><BR />If you can install additional software, or have it already installed, install ssh and use scp or sftp. The above thread contains a configuration document in SEP's response.<BR /> Mon, 12 Jan 2004 08:22:15 GMT https://community.hpe.com/t5/operating-system-hp-ux/how-to-store-passwd-in-shell-scripts/m-p/3161680#M748369 Elmar P. Kolkman 2004-01-12T08:22:15Z https://community.hpe.com/t5/operating-system-hp-ux/how-to-store-passwd-in-shell-scripts/m-p/3161681#M748370 You can use .netrc - just make sure the file is 400 and owned by root.<BR /><BR />Rgds...Geoff Mon, 12 Jan 2004 08:51:32 GMT https://community.hpe.com/t5/operating-system-hp-ux/how-to-store-passwd-in-shell-scripts/m-p/3161681#M748370 Geoff Wild 2004-01-12T08:51:32Z https://community.hpe.com/t5/operating-system-hp-ux/how-to-store-passwd-in-shell-scripts/m-p/3161682#M748371 I've successfully used mail to transfer information between systems. I write a program (generally Perl) to "catch" the data on the target system and use an alias in /etc/mail/aliases:<BR /><BR />myalias: |/usr/local/bin/myprogram<BR /><BR />to strip the headers and do something with the data that was sent to it.<BR /><BR />The advantages IMO are that it's audited (look at /var/adm/syslog/mail.log) and seems more reliable (it queues when a host is down instead of going into the bit bucket). A disadvantage is that by default it's plain text, but so is FTP. :)<BR /><BR />Mic Sun, 18 Jan 2004 23:56:35 GMT https://community.hpe.com/t5/operating-system-hp-ux/how-to-store-passwd-in-shell-scripts/m-p/3161682#M748371 Mic V. 2004-01-18T23:56:35Z https://community.hpe.com/t5/operating-system-hp-ux/how-to-store-passwd-in-shell-scripts/m-p/3161683#M748372 Geoff, sorry to disagree, but the .netrc should not be owned by root, but by the user running ftp and be located in his/her homedirectory... And some FTP servers also request a homedirectory not writable by others.<BR /><BR />As for the mail variant: you can use any encryption algorithm on the data transferred you like. There are no passwords in it, only the send-script and receive-script (or better, program) need to know how to en- and decrypt the data. So it might be a good solution. And if you configure the receive script as mail-filter in your aliases file, the mail is processed the moment it comes in, so you don't have to schedule and poll for new mail... Mon, 19 Jan 2004 01:42:17 GMT https://community.hpe.com/t5/operating-system-hp-ux/how-to-store-passwd-in-shell-scripts/m-p/3161683#M748372 Elmar P. Kolkman 2004-01-19T01:42:17Z https://community.hpe.com/t5/operating-system-hp-ux/how-to-store-passwd-in-shell-scripts/m-p/3161684#M748373 Hello and Thanks for your ideas.<BR />There were more passwords involved than I mentioned in my original message. I have decided to secure the script with SUDO.<BR /><BR />Thank you for all your help. Wed, 21 Jan 2004 10:18:39 GMT https://community.hpe.com/t5/operating-system-hp-ux/how-to-store-passwd-in-shell-scripts/m-p/3161684#M748373 David Greenberg_3 2004-01-21T10:18:39Z https://community.hpe.com/t5/operating-system-hp-ux/how-to-store-passwd-in-shell-scripts/m-p/3161685#M748374 use ssl encrytpion. or shoot your programmer. Wed, 21 Jan 2004 11:33:50 GMT https://community.hpe.com/t5/operating-system-hp-ux/how-to-store-passwd-in-shell-scripts/m-p/3161685#M748374 Donny Jekels 2004-01-21T11:33:50Z https://community.hpe.com/t5/operating-system-hp-ux/how-to-store-passwd-in-shell-scripts/m-p/3161686#M748375 Hi,<BR /><BR />My personal preference for the solution is using scp with public key trust setup. But just to add on to above ideas and thinking out of the box, there is also shc (shell compiler) you can use to obfuscate cleartext to a certain extent. the downside is that it reduces efficiency of the script because the generated binary file is much larger. <BR /><BR />shc is primarily for those shell script writers who want to "hide" their code. <BR /><BR />Hope this helps. Regards.<BR /><BR />Steven Sim Kok Leong Wed, 21 Jan 2004 12:05:50 GMT https://community.hpe.com/t5/operating-system-hp-ux/how-to-store-passwd-in-shell-scripts/m-p/3161686#M748375 Steven Sim Kok Leong 2004-01-21T12:05:50Z