password .. tricky question

nightwish
Advisor

password .. tricky question

How can I hide a user login and password in a script ?? ..
11 REPLIES
Georg Tresselt
Honored Contributor

Re: password .. tricky question

Use environment variables ??? After all, I don't know exactly what you are up to.
http://www.tresselt.eu
nightwish
Advisor

Re: password .. tricky question

I want to do a script that supports authentication by itself .. For that I need to include the user login and the password in the script .. Is there any way to do this without leaving the password in sight of the users that read the script ?? !! ..
Ivan Ferreira
Honored Contributor

Re: password .. tricky question

You can try with a shell script compiler like CCsh:

http://www.comeaucomputing.com/faqs/ccshfaq.html

If you will try that, just ensure that the resulting binary command won't show the user and password when you run the "strings" command over the file.

Of course, you always can remove the read permissions.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Andrew Bruce
Valued Contributor

Re: password .. tricky question

Hi Nightwish,

There are possibly several ways to do what you're after, securely. It all depends on exactly what you're trying to do.

You mention that the script needs to authenticate against something. Is this something usual like telnet/ftp/http?

Also, who would normally run the script? If it is only ever run by the user whose details it contains, simply set the permissions so that only the user can access the script (chmod 400 <script> then other users cannot access it).

If the script is for general use, then it all depends on how secure you want it to be...

Tell us more detail and we might be able to help.

Regards,

Andy Bruce
I Love it when a plan comes together!
nightwish
Advisor

Re: password .. tricky question

The script is for general use .. And basically it is to authenticate by ftp and telnet .. But my problem is I need to access several machines .. And for that I have to specify a user and a password .. The tricky question is how I hide that user and its password in a script .. without the command sudo ...

Thanks for the contribution ..

Regards ..
Georg Tresselt
Honored Contributor

Re: password .. tricky question

Well, one way to run ftp in a script would be the use of a .netrc file. As this file contains user name and password unencrypted, one may well argue that that is not exactly hidden.

http://www.die.net/doc/linux/man/man5/netrc.5.html
http://www.tresselt.eu
Bill Thorsteinson
Honored Contributor

Re: password .. tricky question

Replace Telnet and FTP with ssh and sftp or scp and use authorized keys. No login required if you have the correct keys.

You can password protect the key and use a key agent, or leave the key unpassword protected and trust the security of the system. The unpassword protected variant is more secure than your script would be as the key must be appropriately secured to work.

Access by keys can be restricted in various ways if required. This would further enhance security over using a script.

In addition to not having to hide the password in the file, you also won't be passing it over the network in clear text. Another gain in security.
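An added example, not part of the original post: one way to check that keys used by unattended scripts really are restricted, using the `from=` and `command=` options of sshd's `authorized_keys` format. The `audit_keys` function and the sample file (with placeholder key blobs) are constructed for this illustration.

```shell
#!/bin/sh
# Added example: report authorized_keys entries that do not limit
# the source host (from=) or force a command (command=).
# audit_keys and the sample data are constructed for this example.

# Print "<line>: <missing restrictions>" for each weakly restricted entry.
audit_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        {
            sub(/^[ \t]+/, "")
            # An entry without options starts directly with the key type.
            opts = ($1 ~ /^(ssh-|ecdsa-|sk-)/) ? "" : $0
            miss = ""
            if (opts !~ /(^|,)from="/)    miss = miss " from"
            if (opts !~ /(^|,)command="/) miss = miss " command"
            if (miss != "") print NR ":" miss
        }
    ' "$1"
}

# Constructed sample file; the key blobs are placeholders, not real keys.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample authorized_keys
ssh-ed25519 AAAAPLACEHOLDER1 admin@laptop
from="192.0.2.10",command="/usr/local/bin/fetch-report",no-pty ssh-ed25519 AAAAPLACEHOLDER2 batch@hostA
from="192.0.2.0/24" ssh-rsa AAAAPLACEHOLDER3 ops@hostB
EOF

# Line 2 has no options at all, line 4 limits the host but not the command.
audit_keys "$sample"
```

An unpassworded key used by a batch job is the natural candidate for both options: the key then only works from the expected host and only runs the one command the job needs.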
g33k
Valued Contributor

Re: password .. tricky question

Bill is right, there is no possible way you can hide a password in a script if you are using telnet or ftp.

The reason is simple: as telnet and ftp aren't using any sort of encryption, the password is sent as plain text.
Which means at the moment you are logging in you write that information to the socket as plain text. So anyone can use tcpdump or another network analyzer and see it in the packet.
Or even if you encrypt it in the script and the script itself decrypts it before sending, anyone who can copy or modify your script is able to add one line that prints the login password just before this information is written to the socket.

So anybody who is able to listen on the network or modify your script will be able to get the password.

Sure you can make some sort of encrypted password and decrypt it just before sending as I said, but it will hide the password just from BFUs.
Charles Harris
Super Advisor

Re: password .. tricky question

Just a quick one, if you really want to do something like this in a script, it's not good at all but it will stop the casual browser seeing the password content in the script(s)....

Do a man ascii, and use echo -e to print the numerical value of each letter in the passwd.

eg: Pass=hello

PASSWD=`echo -e "\150\145\154\154\157"`

etc...

It's not good or safe at all, but it may deter the casual onlooker... You can create your own key file and mix up the number in an array, although it's pretty pointless as it's so easy to reverse.

-=ChaZ=-
Matti_Kurkela
Honored Contributor

Re: password .. tricky question

Remember that if the user needs to execute a script, he/she must be able to read it.

If the user can read a script, he/she can also make a copy of it. Then he/she can edit his/her own copy of the script and remove all password checks you can make. If the user runs the modified script, it will be able to do the same things the password-protected version would.

If this problem is solvable in your specific case, consider storing a md5sum of the password instead of the password itself. When the user inputs the password, you can then pipe the user input through md5sum and then compare the md5sums. If they match, the password is correct.
MK
g33k
Valued Contributor

Re: password .. tricky question

Matti pls. note one more thing... not even md5sum is safe because of md5 collisions and of course rainbow crack (well, it needs a lot of space but it's not such a problem). If I should do something similar I would rather use some salted hash, md5crypt for example.

But anyway we all here know that telnet and ftp are not safe in any case.
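An added example, not part of the original posts: the stored-digest check suggested above with plain `md5sum`, next to a salted variant, to show what the salt changes. The function names and the `salt:hash` record format are assumptions for this illustration; a single SHA-256 pass is used to keep it coreutils-only, whereas md5crypt also iterates the hash.

```shell
#!/bin/sh
# Added example: unsalted md5sum check versus a salted record.
# Function names and the "salt:hash" format are constructed for this example.

# Unsalted digest as suggested in the thread.
# printf avoids hashing the trailing newline that echo would add.
md5_of() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Create a "salt:hash" record with a fresh 16-byte random salt.
make_record() {
    salt=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    hash=$(printf '%s%s' "$salt" "$1" | sha256sum | cut -d' ' -f1)
    printf '%s:%s\n' "$salt" "$hash"
}

# Return 0 if candidate password $2 matches record $1.
verify_record() {
    salt=${1%%:*}
    want=${1#*:}
    got=$(printf '%s%s' "$salt" "$2" | sha256sum | cut -d' ' -f1)
    [ "$got" = "$want" ]
}

# Constructed demo: two accounts that happen to share one password.
a=$(make_record 'hello')
b=$(make_record 'hello')
# Unsalted: identical digests, so one precomputed table entry covers both.
echo "md5    user1: $(md5_of hello)"
echo "md5    user2: $(md5_of hello)"
# Salted: the records differ although the password is the same.
echo "salted user1: $a"
echo "salted user2: $b"
verify_record "$a" 'hello' && echo "correct password accepted"
verify_record "$a" 'hellO' || echo "wrong password rejected"
```

The salt only addresses precomputed lookups; a user who can copy and edit the script can still remove the check, as noted earlier in the thread.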