I want to do a script that suppots himself authentication .. For that i need to inclue the user login and the password in the script .. It exists anyay to do this without leaving password to the sigth of the users that read the script ?? !! ..
There are possibly several ways to do what you're after, securely. It all depends on exactly what you're trying to do.
You mention that the script needs to authenticate against something. Is this something usual like telnet/ftp/http?
Also, who would normally run the script? If it is only ever run by the user whos details it contains, simply set the permissions so that only the user can access the script (chmod 400 <script> then other users cannot access it)..
If the script is for general use, then it all depends on how secure you want it to be...
The use of script is for gerenal use .. And basically is to authenticate by ftp and telnet .. But my problem is i need to acess several machines .. And for that I have to specify a user and a password .. The tricky question is how i hide that user and is password in a script .. whithout the comand sudo ...
Well, one way to run ftp in a script would be the use of an .netrc file. As this file contains user name and password unecrypted, one may well argues that that is not exactly hidden.
Replace Telnet and FTP with ssh and sftp or scp and use authorized keys. No login required if you have the correct keys.
You can password protect the key and and use a key agent, or leave the key unpassword protected and trust the security of the system. The unpassword protected variant is more secure than your script would be as the key must be appropriately secured to work.
Access by keys can be restricted in various ways if required. This would further enhance security over using a script.
In addition to not having to hide the password in the file, you also won't be passing it over the network in clear text. Another gain in security.
Bill is rigth, there is no possible way you ca hide password in script if you are using telnet or ftp.
The reason is simple as far as telnet and ftp aren't using any sort of encryption, the password is sended as plain text. Which means in the moment you are logging you write those informations in socket as plain text. So anyone can tcpdump or anothert network analyzator and see it in packet. Or even if you will encrypt it in script and script it self will decrypt this befor sending, anyone who can copy or modify your script is able to add one line with print loggin password just befor writen this information to the socket.
So anybody who is able to listen on network or modify your script will be able to get the password.
Sure you can make some sort of encrypted password and decrypt it just befor sending as I said but it will hide password just for BFUs.
Just a quick one if your really want to do something this in a script, it's not good at all but it will stop the casual browser seeing the password content in the script(s)....
Do a man ascii, and use echo -e to print the numerical value of each letter in the passwd.
eg: Pass=hello
PASSWD=`echo -e "\150\145\154\154\157"`
etc...
It's not good or safe at all, but it may deter the casual on looker... You can create your own key file and mix up the number in an array, although it's pretty pointless as it's so easy to reverse.
Remember that if the user needs to execute a script, he/she must be able to read it.
If the user can read a script, he/she can also make a copy of it. Then he/she can edit his/her own copy of the script and remove all password checks you can make. If the user runs the modified script, it will be able to do the same things the password-protected version would.
If this problem is solvable in your specific case, consider storing a md5sum of the password instead of the password itself. When the user inputs the password, you can then pipe the user input through md5sum and then compare the md5sums. If they match, the password is correct.
Matti pls. note one more thing... not even md5sum is safe becuase of md5 colisions and ofcourse rainbow crack(well need a lot of space but it's not such problem). If I should do sometihng similar I would use radder some salted hash md5crypt for example.
But anyway we all here know that telnet and ftp are not save in any case.
