topic password .. tricky question in Operating System - Linux

password .. tricky question

nightwish — Thu, 06 Jul 2006 11:41:33 GMT

How can i hide a user login and password in a script ?? ..

Re: password .. tricky question

Georg Tresselt — Thu, 06 Jul 2006 11:55:26 GMT

Use environment variables ??? After all, I don't know exactly what you are up to.

Re: password .. tricky question

nightwish — Thu, 06 Jul 2006 12:08:10 GMT

I want to do a script that suppots himself authentication .. For that i need to inclue the user login and the password in the script .. It exists anyay to do this without leaving password to the sigth of the users that read the script ?? !! ..

Re: password .. tricky question

Ivan Ferreira — Thu, 06 Jul 2006 13:35:22 GMT

You can try with a shell script compiler like CCsh:

http://www.comeaucomputing.com/faqs/ccshfaq.html

If you will try that, just ensure that the resulting binary command won't show the user and password when you run the "strings" command over the file.

Of course, you always can remove the read permissions.

Re: password .. tricky question

Andrew Bruce — Thu, 06 Jul 2006 19:53:21 GMT

Hi Nightwish,

There are possibly several ways to do what you're after, securely. It all depends on exactly what you're trying to do.

You mention that the script needs to authenticate against something. Is this something usual like telnet/ftp/http?

Also, who would normally run the script? If it is only ever run by the user whos details it contains, simply set the permissions so that only the user can access the script (chmod 400 <script> then other users cannot access it)..

If the script is for general use, then it all depends on how secure you want it to be...

Tell us more detail and we might be able to help.

Regards,

Andy Bruce

Re: password .. tricky question

nightwish — Fri, 07 Jul 2006 06:01:37 GMT

The use of script is for gerenal use .. And basically is to authenticate by ftp and telnet .. But my problem is i need to acess several machines .. And for that I have to specify a user and a password .. The tricky question is how i hide that user and is password in a script .. whithout the comand sudo ...

Thanks for the contibution ..

Regards ..

Re: password .. tricky question

Georg Tresselt — Fri, 07 Jul 2006 08:27:23 GMT

Well, one way to run ftp in a script would be the use of an .netrc file. As this file contains user name and password unecrypted, one may well argues that that is not exactly hidden.

http://www.die.net/doc/linux/man/man5/netrc.5.html

Re: password .. tricky question

Bill Thorsteinson — Fri, 07 Jul 2006 10:50:11 GMT

Replace Telnet and FTP with ssh and sftp or
scp and use authorized keys. No login required
if you have the correct keys.

You can password protect the key and and use a
key agent, or leave the key unpassword protected and trust the security of the
system. The unpassword protected variant is more secure than your script would be as
the key must be appropriately secured to
work.

Access by keys can be restricted in various
ways if required. This would further enhance
security over using a script.

In addition to not having to hide the password
in the file, you also won't be passing it
over the network in clear text. Another
gain in security.

Re: password .. tricky question

g33k — Fri, 14 Jul 2006 06:34:27 GMT

Bill is rigth, there is no possible way you ca hide password in script if you are using telnet or ftp.

The reason is simple as far as telnet and ftp aren't using any sort of encryption, the password is sended as plain text.
Which means in the moment you are logging you write those informations in socket as plain text. So anyone can tcpdump or anothert network analyzator and see it in packet.
Or even if you will encrypt it in script and script it self will decrypt this befor sending, anyone who can copy or modify your script is able to add one line with print loggin password just befor writen this information to the socket.

So anybody who is able to listen on network or modify your script will be able to get the password.

Sure you can make some sort of encrypted password and decrypt it just befor sending as I said but it will hide password just for BFUs.

Re: password .. tricky question

Charles Harris — Mon, 31 Jul 2006 05:04:36 GMT

Just a quick one if your really want to do something this in a script, it's not good at all but it will stop the casual browser seeing the password content in the script(s)....

Do a man ascii, and use echo -e to print the numerical value of each letter in the passwd.

eg: Pass=hello

PASSWD=`echo -e "\150\145\154\154\157"`

etc...

It's not good or safe at all, but it may deter the casual on looker... You can create your own key file and mix up the number in an array, although it's pretty pointless as it's so easy to reverse.

-=ChaZ=-

Re: password .. tricky question

Matti_Kurkela — Tue, 01 Aug 2006 07:50:13 GMT

Remember that if the user needs to execute a script, he/she must be able to read it.

If the user can read a script, he/she can also make a copy of it. Then he/she can edit his/her own copy of the script and remove all password checks you can make. If the user runs the modified script, it will be able to do the same things the password-protected version would.

If this problem is solvable in your specific case, consider storing a md5sum of the password instead of the password itself. When the user inputs the password, you can then pipe the user input through md5sum and then compare the md5sums. If they match, the password is correct.

Re: password .. tricky question

g33k — Tue, 01 Aug 2006 08:14:16 GMT

Matti pls. note one more thing... not even md5sum is safe becuase of md5 colisions and ofcourse rainbow crack(well need a lot of space but it's not such problem). If I should do sometihng similar I would use radder some salted hash md5crypt for example.

But anyway we all here know that telnet and ftp are not save in any case.