Operating System - HP-UX
1745887 Members
5273 Online
108723 Solutions
New Discussion юеВ

Ways to encrypt passwd in shell script

 
SOLVED
Go to solution
Frank de Vries
Respected Contributor

Ways to encrypt passwd in shell script

We run hpux 11.00 and 11.11 (V1)
and Oracle 8.1.7.x and 9.2.x ,
a lot of batch jobs run in cron.

Many scripts show username/passwd
as text and anyone with read access
to the script can obtain the passwd
to the application.

I would like to know of ways to encrypt
this passwd.

This also extends to passwd used in scripts
stopping the listener.

Just in case anyone suggest this:
We cannot for the time being use OPS$
accounts because we made the stupid choice
earlier to combine online and batchuser,
something I am addressing with the application
team.

So , I would like to find out more ways on
how to encrypt or obscure passwd in scripts.
If it is possible that is, I hope to hear
from you.


Look before you leap
14 REPLIES 14
Arunvijai_4
Honored Contributor
Solution

Re: Ways to encrypt passwd in shell script

Hello,

You can use a tool called "shc" which can be downloaded from, http://www.datsi.fi.upm.es/~frosal/. It is used for encrypting and decrypting shell scripts and password with that. Find out more information at, http://www.linuxsecurity.com/content/view/117920/49/

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Peter Godron
Honored Contributor

Re: Ways to encrypt passwd in shell script

Frank,
the best method of secure passwords is to stop people from seeing them in the first place! Remove read access to the files, leaving only trusted groups with access.

Also make sure you do not perform anything like:
sqlplus -s user/password
in a script, as then the info can be seen by the ps command.

Frank de Vries
Respected Contributor

Re: Ways to encrypt passwd in shell script

Peter
Sorry I appreciate your concern,
but I am not going to award points
for these comments. You seemed
to have missed my hint that I am
addressing this already with the
application team.

I am looking for solutions, if you have
any of these , feel welcome.

No pun intended, but I have to be strict.
Look before you leap
RAC_1
Honored Contributor

Re: Ways to encrypt passwd in shell script

I see another way to do it. But try it and check before you implement.

You can put something like this in cron. The key here is "crypt key is visible"

01 01 * * * "/usr/bin/crypt 'xyz' < crytpted_script > uncrypted_script | /usr/bin/ksh

This should work.
There is no substitute to HARDWORK
RAC_1
Honored Contributor

Re: Ways to encrypt passwd in shell script

Correction.

01 01 * * * "/usr/bin/crypt 'xyz' < crytpted_script | /usr/bin/ksh
There is no substitute to HARDWORK
Peter Godron
Honored Contributor

Re: Ways to encrypt passwd in shell script

Frank,
fully agree with your comments on my earlier, generic reply.
Here is another shell compiler:
http://www.geocities.com/SiliconValley/Horizon/5745/kcx.htm
as an alternative to shc

Yogeeraj_1
Honored Contributor

Re: Ways to encrypt passwd in shell script

hi frank,

I don't know if you have ever considered this.

why not use DBMS_JOB to run you batch jobs?

this is much easier and does not require any password!

very easy:

declare
l_job number;
begin
dbms_job.submit( l_job,
'abc;',
trunc(sysdate)+4/24,
'trunc(sysdate)+1+4/24' );
end;

will run the job at 4am every day.

Nb. make sure to set job_queue_processes and job_queue_interval (init.ora parameters).


hope this helps!

kind regards
yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (clavin coolidge)
Frank de Vries
Respected Contributor

Re: Ways to encrypt passwd in shell script

Yogeeraj

Interesting, no I had never considered
that.

Mind you most of our batch jobs
is based on external files that are
parsed and loaded via sqloader into
the tables.

The event to start the job is triggerd
when the ascii file arrives, which
is unpredictable. We use special filewatcher
called Autosys Unicenter from CA.



Look before you leap
Yogeeraj_1
Honored Contributor

Re: Ways to encrypt passwd in shell script

hi again,

as for external files issue, since you are also running oracle 9i, you can also consider external tables.

In fact, with external tables you can:

o merge a flat file with an existing table in one statement.

o sort a flat file on the way into a table you want compressed nicely

o do a parallel direct path load -- without splitting up the input file, writing scripts and so on

o run sqlldr in effect from a stored procedure or trigger (insert is not sqlldr)

o do multi-table inserts

o flow the data through a pipelined plsql function for cleansing/transformation

and so on.

hope this helps too!

kind regards
yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (clavin coolidge)