Solved: Ways to encrypt passwd in shell script

Frank de Vries · ‎01-18-2006

We run hpux 11.00 and 11.11 (V1)
and Oracle 8.1.7.x and 9.2.x ,
a lot of batch jobs run in cron.

Many scripts show username/passwd
as text and anyone with read access
to the script can obtain the passwd
to the application.

I would like to know of ways to encrypt
this passwd.

This also extends to passwd used in scripts
stopping the listener.

Just in case anyone suggest this:
We cannot for the time being use OPS$
accounts because we made the stupid choice
earlier to combine online and batchuser,
something I am addressing with the application
team.

So , I would like to find out more ways on
how to encrypt or obscure passwd in scripts.
If it is possible that is, I hope to hear
from you.

Look before you leap

Arunvijai_4 · ‎01-18-2006

Hello,

You can use a tool called "shc" which can be downloaded from, http://www.datsi.fi.upm.es/~frosal/. It is used for encrypting and decrypting shell scripts and password with that. Find out more information at, http://www.linuxsecurity.com/content/view/117920/49/

-Arun

"A ship in the harbor is safe, but that is not what ships are built for"

Peter Godron · ‎01-18-2006

Frank,
the best method of secure passwords is to stop people from seeing them in the first place! Remove read access to the files, leaving only trusted groups with access.

Also make sure you do not perform anything like:
sqlplus -s user/password
in a script, as then the info can be seen by the ps command.

Frank de Vries · ‎01-18-2006

Peter
Sorry I appreciate your concern,
but I am not going to award points
for these comments. You seemed
to have missed my hint that I am
addressing this already with the
application team.

I am looking for solutions, if you have
any of these , feel welcome.

No pun intended, but I have to be strict.

Look before you leap

RAC_1 · ‎01-18-2006

I see another way to do it. But try it and check before you implement.

You can put something like this in cron. The key here is "crypt key is visible"

01 01 * * * "/usr/bin/crypt 'xyz' < crytpted_script > uncrypted_script | /usr/bin/ksh

This should work.

There is no substitute to HARDWORK

RAC_1 · ‎01-18-2006

Correction.

01 01 * * * "/usr/bin/crypt 'xyz' < crytpted_script | /usr/bin/ksh

There is no substitute to HARDWORK

Peter Godron · ‎01-18-2006

Frank,
fully agree with your comments on my earlier, generic reply.
Here is another shell compiler:
http://www.geocities.com/SiliconValley/Horizon/5745/kcx.htm
as an alternative to shc

Yogeeraj_1 · ‎01-18-2006

hi frank,

I don't know if you have ever considered this.

why not use DBMS_JOB to run you batch jobs?

this is much easier and does not require any password!

very easy:

declare
l_job number;
begin
dbms_job.submit( l_job,
'abc;',
trunc(sysdate)+4/24,
'trunc(sysdate)+1+4/24' );
end;

will run the job at 4am every day.

Nb. make sure to set job_queue_processes and job_queue_interval (init.ora parameters).

hope this helps!

kind regards
yogeeraj

No person was ever honoured for what he received. Honour has been the reward for what he gave (clavin coolidge)

Frank de Vries · ‎01-18-2006

Yogeeraj

Interesting, no I had never considered
that.

Mind you most of our batch jobs
is based on external files that are
parsed and loaded via sqloader into
the tables.

The event to start the job is triggerd
when the ascii file arrives, which
is unpredictable. We use special filewatcher
called Autosys Unicenter from CA.

Look before you leap

Yogeeraj_1 · ‎01-18-2006

hi again,

as for external files issue, since you are also running oracle 9i, you can also consider external tables.

In fact, with external tables you can:

o merge a flat file with an existing table in one statement.

o sort a flat file on the way into a table you want compressed nicely

o do a parallel direct path load -- without splitting up the input file, writing scripts and so on

o run sqlldr in effect from a stored procedure or trigger (insert is not sqlldr)

o do multi-table inserts

o flow the data through a pipelined plsql function for cleansing/transformation

and so on.

hope this helps too!

kind regards
yogeeraj

No person was ever honoured for what he received. Honour has been the reward for what he gave (clavin coolidge)

Ivan Ferreira · ‎01-18-2006

I wonder if you run "strings" over the shm file, will be able to see the username and password.

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?

Frank de Vries · ‎01-18-2006

Interesting extra intelligence, could
be handy to know.
I presume shm files are the extended tables ?

I value your input.

Knowledge = power = $$$$$

Look before you leap

Arturo Galbiati · ‎01-19-2006

Hi Frank,
I had in the past your same problem.
To fix this I put all the datbase passwords in a file crypted *I handle it using vi -x).
To get the password in the script I develloped a script that giving in input the user retrun the password in clear.
Let me know if you are intersted in this and I can post it.
(I like avoind post unrequested script).
HTH,
Art

Frank de Vries · ‎01-19-2006

Arturo
Yes that could solve a lot of time and admin
for me , thanks !!

Look before you leap

Arturo Galbiati · ‎01-20-2006

Hi,
these are the files I use.
1].
Create a directory ACCESS under unix user i.e.: pwdadm
/home/pwdadm/ACCESS

1].create the crypted file .access:

vi -x your_key access.dat
# Record format: unix_user;key;value
# The separator MUST be ';', space is a valid character
pwdadm;logon;password
#eof

logon is the database user and passowrd is teh user password

3]. created the parameter file .access
#!/usr/bin/ksh
export AccKey=your_key
export AccUsr=$(whoami)
#eof

4. create the script access.ksh:
#!/usr/bin/ksh
typeset -l ScrStr="${AccUsr};${1}"
#
AccFil=/home/pwdadm/ACCESS/access.dat
AccKey=${AccKey:-dummy}
AccVal=$(crypt $AccKey<$AccFil|awk -F"${ScrStr};" '/'$ScrStr'/ {print $2}')
if [[ -z "$AccVal" ]] ;then
echo "********"
exit 1
else
echo "$AccVal"
fi
#eof

the files should be these permissions:
-rwxr-xr-x .access
-rw-r--r-- access.dat
-rwxr-xr-x access.ksh

and the directories msut be readabel by all
(if you want to use this way in each Unix user, otherwise decide different permission)
Take care to add the path in your $PATH so any users can use it.

in your script you have to use:
. access
Oracle_password=$(access.ksh oracle_user)

the script access.ksh retuns the password for the oracle_user if aclled for the unix user pwdadm. You can have same user/password for different unix users.

HTH,
Art

Ways to encrypt passwd in shell script

Ways to encrypt passwd in shell script

Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Re: Ways to encrypt passwd in shell script

Hewlett Packard Enterprise International