HPE Community
Operating System - HP-UX
1837467 Members
4215 Online
110117 Solutions
New Discussion

store a password for a script

 
SOLVED
Go to solution
Geetam
Frequent Advisor

‎09-13-2000 05:53 AM

‎09-13-2000 05:53 AM

store a password for a script

Can anyone suggest a way of storing a password, so it can be used in a script, without breaking 'all security rules'.

The best I can come up with is to create a user with a name which is almost imposible to remember, with an equally hard to memorise password. And store each in a different files with access rights, so they are hard to find/read. Not very secure in my opinion... (the script will give it all away)

Any better suggestions?
0 Kudos
Reply
3 REPLIES 3
Stefan Farrelly
Honored Contributor

‎09-13-2000 05:58 AM

‎09-13-2000 05:58 AM

Re: store a password for a script


You could try using the crypt command on these passwords when they are stored in a file, and also use crypt to decrypt them when needed. This way at least they are a bit more secure when stored in a file.
Im from Palmerston North, New Zealand, but somehow ended up in London...
0 Kudos
Reply
John Palmer
Honored Contributor

‎09-13-2000 06:07 AM

‎09-13-2000 06:07 AM

Solution

Re: store a password for a script

One technique is to keep the password in a file that is only readable by a particular user (that nobody can log in as) and to use the setuid bit (set-owner-ID-on file-execution - see man chmod) on the script that reads it.

This script would have to be responsible for its own security and would only return the password to one of a set of users or whatever restriction you wanted to employ.

You can also use the 'crypt' command to encrypt the password and use the setuid technique to obtain the encryption key.

I use a combination of both the above techniques for securely obtaining Oracle passwords for use by backup scripts etc.

On the subject of Oracle, never supply the password as a command line argument to any Oracle command as it can be seen in a 'ps' listing. For example instead of:-

sqlplus system/ <
do

sqlplus << EOD
system/
Reply
Kofi ARTHIABAH
Honored Contributor

‎09-13-2000 06:08 AM

‎09-13-2000 06:08 AM

Re: store a password for a script

Geetam:

It depends on what your script is trying to do. For example, let's say that you want a script that will automate logging onto another machine to execute some commands, you might want to consider using ssh with private/public key combinations with ssh.

The SSH documentation describes how you can setup two hosts to talk without exchanging passwords (only exchanging keys - which are unique to the machine-user combination)

security by obsurity is not very advisable!

Alternatively, you could write a program in c, and compile it with the password somehow embeded... maybe if you give more of an idea of what your program does, you might get more.
nothing wrong with me that a few lines of code cannot fix!
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.