HPE Community
Operating System - Linux
1828388 Members
3349 Online
109977 Solutions
New Discussion

password .. tricky question

 
nightwish
Advisor

‎07-06-2006 04:41 AM

‎07-06-2006 04:41 AM

password .. tricky question

How can i hide a user login and password in a script ?? ..
0 Kudos
Reply
11 REPLIES 11
Georg Tresselt
Honored Contributor

‎07-06-2006 04:55 AM

‎07-06-2006 04:55 AM

Re: password .. tricky question

Use environment variables ??? After all, I don't know exactly what you are up to.
http://www.tresselt.eu
0 Kudos
Reply
nightwish
Advisor

‎07-06-2006 05:08 AM

‎07-06-2006 05:08 AM

Re: password .. tricky question

I want to do a script that suppots himself authentication .. For that i need to inclue the user login and the password in the script .. It exists anyay to do this without leaving password to the sigth of the users that read the script ?? !! ..
0 Kudos
Reply
Ivan Ferreira
Honored Contributor

‎07-06-2006 06:35 AM

‎07-06-2006 06:35 AM

Re: password .. tricky question

You can try with a shell script compiler like CCsh:

http://www.comeaucomputing.com/faqs/ccshfaq.html

If you will try that, just ensure that the resulting binary command won't show the user and password when you run the "strings" command over the file.

Of course, you always can remove the read permissions.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
Reply
Andrew Bruce
Valued Contributor

‎07-06-2006 12:53 PM

‎07-06-2006 12:53 PM

Re: password .. tricky question

Hi Nightwish,

There are possibly several ways to do what you're after, securely. It all depends on exactly what you're trying to do.

You mention that the script needs to authenticate against something. Is this something usual like telnet/ftp/http?

Also, who would normally run the script? If it is only ever run by the user whos details it contains, simply set the permissions so that only the user can access the script (chmod 400 <script> then other users cannot access it)..

If the script is for general use, then it all depends on how secure you want it to be...

Tell us more detail and we might be able to help.

Regards,

Andy Bruce
I Love it when a plan comes together!
0 Kudos
Reply
nightwish
Advisor

‎07-06-2006 11:01 PM

‎07-06-2006 11:01 PM

Re: password .. tricky question

The use of script is for gerenal use .. And basically is to authenticate by ftp and telnet .. But my problem is i need to acess several machines .. And for that I have to specify a user and a password .. The tricky question is how i hide that user and is password in a script .. whithout the comand sudo ...

Thanks for the contibution ..

Regards ..
0 Kudos
Reply
Georg Tresselt
Honored Contributor

‎07-07-2006 01:27 AM

‎07-07-2006 01:27 AM

Re: password .. tricky question

Well, one way to run ftp in a script would be the use of an .netrc file. As this file contains user name and password unecrypted, one may well argues that that is not exactly hidden.

http://www.die.net/doc/linux/man/man5/netrc.5.html
http://www.tresselt.eu
0 Kudos
Reply
Bill Thorsteinson
Honored Contributor

‎07-07-2006 03:50 AM

‎07-07-2006 03:50 AM

Re: password .. tricky question

Replace Telnet and FTP with ssh and sftp or
scp and use authorized keys. No login required
if you have the correct keys.

You can password protect the key and and use a
key agent, or leave the key unpassword protected and trust the security of the
system. The unpassword protected variant is more secure than your script would be as
the key must be appropriately secured to
work.

Access by keys can be restricted in various
ways if required. This would further enhance
security over using a script.

In addition to not having to hide the password
in the file, you also won't be passing it
over the network in clear text. Another
gain in security.
0 Kudos
Reply
g33k
Valued Contributor

‎07-13-2006 11:34 PM

‎07-13-2006 11:34 PM

Re: password .. tricky question

Bill is rigth, there is no possible way you ca hide password in script if you are using telnet or ftp.

The reason is simple as far as telnet and ftp aren't using any sort of encryption, the password is sended as plain text.
Which means in the moment you are logging you write those informations in socket as plain text. So anyone can tcpdump or anothert network analyzator and see it in packet.
Or even if you will encrypt it in script and script it self will decrypt this befor sending, anyone who can copy or modify your script is able to add one line with print loggin password just befor writen this information to the socket.

So anybody who is able to listen on network or modify your script will be able to get the password.

Sure you can make some sort of encrypted password and decrypt it just befor sending as I said but it will hide password just for BFUs.
0 Kudos
Reply
Charles Harris
Super Advisor

‎07-30-2006 10:04 PM

‎07-30-2006 10:04 PM

Re: password .. tricky question

Just a quick one if your really want to do something this in a script, it's not good at all but it will stop the casual browser seeing the password content in the script(s)....

Do a man ascii, and use echo -e to print the numerical value of each letter in the passwd.

eg: Pass=hello

PASSWD=`echo -e "\150\145\154\154\157"`

etc...

It's not good or safe at all, but it may deter the casual on looker... You can create your own key file and mix up the number in an array, although it's pretty pointless as it's so easy to reverse.

-=ChaZ=-
0 Kudos
Reply
Matti_Kurkela
Honored Contributor

‎08-01-2006 12:50 AM

‎08-01-2006 12:50 AM

Re: password .. tricky question

Remember that if the user needs to execute a script, he/she must be able to read it.

If the user can read a script, he/she can also make a copy of it. Then he/she can edit his/her own copy of the script and remove all password checks you can make. If the user runs the modified script, it will be able to do the same things the password-protected version would.

If this problem is solvable in your specific case, consider storing a md5sum of the password instead of the password itself. When the user inputs the password, you can then pipe the user input through md5sum and then compare the md5sums. If they match, the password is correct.
MK
0 Kudos
Reply
g33k
Valued Contributor

‎08-01-2006 01:14 AM

‎08-01-2006 01:14 AM

Re: password .. tricky question

Matti pls. note one more thing... not even md5sum is safe becuase of md5 colisions and ofcourse rainbow crack(well need a lot of space but it's not such problem). If I should do sometihng similar I would use radder some salted hash md5crypt for example.

But anyway we all here know that telnet and ftp are not save in any case.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.