HPE Community
Operating System - HP-UX
1822142 Members
3953 Online
109640 Solutions
New Discussion юеВ

How to encrypt password in shell scripts ?

 
Chris Fung
Frequent Advisor

тАО06-09-2002 01:20 AM

тАО06-09-2002 01:20 AM

How to encrypt password in shell scripts ?

Hi all,

I've developed some scripts in which I need to embed the user name and password inside the scripts. We really can't stand for such a big security hole!! Is there any workaround solution(s) that I can encrypted the passwords inside the scripts? Besides, changing password will be a nightmare if we embed the password inside the scripts !!! Any idea? I am think whether we can make use of the existing Unix password handling routines to accomplish this task !!!

Please help, many thanks !!

Chris,
0 Kudos
Reply
8 REPLIES 8
Heiner E. Lennackers
Respected Contributor

тАО06-09-2002 05:03 AM

тАО06-09-2002 05:03 AM

Re: How to encrypt password in shell scripts ?

Hi,

there is no standard shell command to do password encryptions. I think the best way is to use perl to verify the password:

Assume you have a shell variable USERNAME and the entered PASSWORD (switch of tty outout with "stty -echo", when the user should enter his password, and switch it on again after entering with "stty echo"

Then you can do the following (in sh or ksh):

USERPW=`grep "^${USERNAME}:" /etc/passwd | cut -d: -f2`
if [ ! -z "${USERPW}" ];then
ENCRPW=`perl -e "print crypt(${PASSWORD},${USERPW})"`
if [ "${USERPW}" = "${ENCRPW}" ];then
echo password OK
else
echo password WRONG
fi
else
echo no such user
fi


You may write a little c-program which will do the check if you dont want to use perl.

Heiner
if this makes any sense to you, you have a BIG problem
0 Kudos
Reply
harry d brown jr
Honored Contributor

тАО06-09-2002 08:57 AM

тАО06-09-2002 08:57 AM

Re: How to encrypt password in shell scripts ?

Chris,

Unless you write a c program that has the passwords embedded in them and encrypted - which of course makes your source code an issue, then there isn't much you can do.

You could use the setuid or setgid on the process. Or "sudo". You could also make the file unreadable to those that don't need to "read" the code.

live free or die
harry
Live Free or Die
0 Kudos
Reply
Nick Wickens
Respected Contributor

тАО06-10-2002 04:16 AM

тАО06-10-2002 04:16 AM

Re: How to encrypt password in shell scripts ?

See the man page for crypt.

Problem is you always need to have some password entered to regain access to your encrypted data.

Failing that have you thought of using sudo to run that script only as root ?. I seem to recollect that sudo can also be used to run scripts as other users. You still need a user to enter their password so it is interactive but they would not need to know the password of the user running the function.

Hats ? We don't need no stinkin' hats !!
0 Kudos
Reply
Nick Wickens
Respected Contributor

тАО06-10-2002 04:23 AM

тАО06-10-2002 04:23 AM

Re: How to encrypt password in shell scripts ?

Heres my use of crypt just using shell where fred contains the encrypted password -


ACCESS=/users/userpass
NAME=fred
echo "Please enter your root access password -> "
stty -echo
read PASSWORD
stty echo
PASSIN=$(crypt $PASSWORD <$ACCESS/$NAME 2>/dev/null)
if [ $PASSWORD = $PASSIN ];then
echo "Thank You"
else
exit
fi
Hats ? We don't need no stinkin' hats !!
0 Kudos
Reply
Mark Seaman
Advisor

тАО06-10-2002 08:12 AM

тАО06-10-2002 08:12 AM

Re: How to encrypt password in shell scripts ?

I have always had this problem with batch scripts. The best solution I have found is to have a single file that contains the password. Change the permissions on this file to 400. All scripts retrieve this password using 'cat': PWD=$(cat ~/file.txt).
Password changes only require updating a single file. Security issue not removed, but chance of compromise greatly reduced using this technique.
0 Kudos
Reply
Sridhar Bhaskarla
Honored Contributor

тАО06-10-2002 08:43 AM

тАО06-10-2002 08:43 AM

Re: How to encrypt password in shell scripts ?

Hi,

See my response along with Rod's good suggestion this thread

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xadb5d5fab40ed6118ff40090279cd0f9,00.html

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
0 Kudos
Reply
Rodney Hills
Honored Contributor

тАО06-10-2002 08:47 AM

тАО06-10-2002 08:47 AM

Re: How to encrypt password in shell scripts ?

Sri, which Rod? (I had a response at the top and another Rod had a response at the end.)

-- Rod Hills :-)
There be dragons...
0 Kudos
Reply
Jerry Anderson_1
Occasional Advisor

тАО06-10-2002 09:20 AM

тАО06-10-2002 09:20 AM

Re: How to encrypt password in shell scripts ?

This is an old problem with no perfect solution. My approach has been to use the .netrc file concept. That is, a separate file containing the userid/password pair which can be read by your batch file. This separate file is easy to maintain and you can secure it better than you can a shell script.

No matter what you do this file can be read by anybody who gains user level access to the account, and by root. So set up your environment so that if the userid/password are compromised the damage is minimized.

1. Set the permissions on this file as restrictive as possible - 0400.

2. Do not give group or other write permissions to the directory containing the file (so it can't be deleted to create a DoS).

3. Limit the people who have access to the account which owns the password file. All of them can read that file.

3. Do not use that userid/password for any other account. That way a compromise it somewhat contained.

4. Check the permissions/content of the file regularly and alert on changes. (Consider Tripwire).

Jerry
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.