Best practices for holding passwords in shell / Perl scripts?

Question

I\'ve recently had to dust off my Perl and shell script skills to help out some colleagues. The colleagues in question have been tasked with providing some reports from an inter

Answer 1

Since you've tagged ksh & bash I'm going to assume Linux.

Most of the problem is that if the user can read the script and locate the method you used to hide / encrypt the file then they will also be able to do the same thing manually.

A better way may be do the following:

1. Make your script so it can only be seen/read/opened by you. chmod 700 it. Hardcode passwords away.
2. Have a "launcher" script that is executable by the user and does a sudo .

This way the user can see your launcher script, examine it to see it only has the single command line. They can run it and it works, but they don't have permissions to read the source for the script that is sudo'd.

Answer 2

For storing passwords you could do a two step encryption routine, first with a hardcoded key in your script itself, and optionally a 2nd time with a key stored in a file (which is set using file permissons to have restricted access).

In a given situation you can then either use a key file (+ key from script), or if the situation requirements aren't that great he can just use the encyrption using the key is hardcoded in the script. In both cases the password would be encrypted in the config file.

There is no perfect solution because somehow you have to be able to decrypt and obtain the cleartext password...and if you can do it someone else can too if they have the right info.

Especially in the situation where we give them a perl script (vs. an exe) they can easily see how you do the encryption (and the hardcoded key)...which is why you should allow the option to use a keyfile (that can be protected by filesystem permissions) as well.

Some practical examples for how to implement is here

Answer 3

I have / had a similar issue with developers deploying SQL code to MSSQL (in fact to any database on that MSSQL server, so role had to be SysAdmin) using ANT from a Solaris server. Again I did not want to store the username and password in the ANT build.xml files so my solution, which I know is not ideal, is as follows:

1. Store name / value pairs for username and password in a plain text file
2. Encrypt file (on Solaris) and use a pass phrase only known to certain admins
3. Leave only the encrypted file on the Solaris system
4. ANT build.xml runs a sudo decrypt and prompts for pass phrase, which is entered by admin
5. ANT sources decrypted file loading username and password as variables for the SQL string
6. ANT immediately deleted the plaintext file
7. ANT deploys code and exits

This all happens in a matter of seconds, and the sql username and password is never visibly accessible on the server. As the code is deployed by allowed admins in production, the developers never need to include it in their code.

I am sure it could be better, but...

JB

Answer 4

On windows create a Folder and a File within it containing the passwords in clear text. Set the user who would run the scheduled job(script or batch) as the only person with read/write access to this folder and file. (remove even administrator). To all other scripts, add code to read the clear text password from this restricted file.

This should suffice for few.

Keywords: Password HardCoding

Answer 5

If the script is running remotely from the server.

1. Make your reports views
2. Give the user you are logging into ONLY access to select on the report views
3. Just store the password.

That way, all that the user can do, is select the data for its report. Even if someone happened to get the password, they would be limited as to what they could do with it.

Answer 6

There are commercial or more advance solutions such as cyberark AIM can do it better, but doing it for free and out of box, I have been piggy back the SSH public/private key because for one, SSH key pairs most likely already created conform the security policy; secondly, SSH key pairs are already have a set of standard protocol to protect the keys by the file permission, continuous system hardening (like tripwire), or key rotation.

This is how I did it:

1. Generate the ssh key pairs if not yet. The key pairs and directory will be protected by default system protocol/permission. ssh-keygen –t rsa –b 2048

2. use the ssh public key to encrypt the string and stored in same .ssh directory $ echo "secretword" | openssl rsautl -encrypt -inkey ~/.ssh/id_rsa.pub -pubin -out ~/.ssh/secret.dat

3. use ssh private key to decrypt the key, and pass the parameters to scripts/AP in the realtime. The script/programe to include the line to decrypt in realtime: string=openssl rsautl -decrypt -inkey ~/.ssh/id_rsa -in ~/.ssh/secret.dat

PS - I have been experimenting CYBERARK AIM agentless solution. it's sort of pain requires significant changes/API changes for the API/script. will keep you posted how that goes.