I was curious to know if there was a better way of encrypting a password prior to being used in a script. In other words, I have a script that has a password inside of it and would prefer to create a hash of the password and use the hash instead of the actual password so that if someone were to use "ps" or packet capture the transmission of the script it would be a lot harder to unscramble. Is this not a standard practice?
So for example, I have a function in my script that uses ssh to perform a mysqldump remotely of a mysql database. So what can be added to my script that would use the hash and not use the actual password in the file?
Not really, there's usually a more specific way to improve the security, using credentials files rather than directly entering details etc.
In your example, can you not run mysqldump on the client side? I can see you're gzipping the output stream but if you can allow the standard output across the network then there's no need to send the password to the remote node. You could get some improvement by running over an ssh tunnel if you did want real time network compression instead of just saving the disk space.
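The credentials-file approach from the reply above, applied to the mysqldump-over-ssh case, as an added example that is not part of the original thread: the password lives in an owner-only MySQL option file on the database host, so it appears neither in the script nor in `ps` output. The function names, the `backup` user, `dbhost` and `appdb` are hypothetical.

```shell
#!/bin/sh
# Added example; function names, user, host and database are hypothetical.

# Write an owner-only MySQL option file. The password is read from stdin,
# so it is never an argument of any process (printf is a shell builtin).
# Assumption: the password contains no '"' or '\' (those need escaping).
write_mysql_optfile() {
    optfile=$1 user=$2
    IFS= read -r pw || [ -n "$pw" ] || return 1
    old_umask=$(umask)
    umask 077                 # new file is created 0600, no chmod window
    rm -f -- "$optfile"       # a pre-existing file would keep its old mode
    {
        printf '[client]\n'
        printf 'user=%s\n' "$user"
        printf 'password="%s"\n' "$pw"
    } > "$optfile"
    umask "$old_umask"
    unset pw
}

# Succeed only for a regular, non-symlink file with mode 0600 or 0400.
check_optfile() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case $(ls -ld -- "$1") in
        -rw-------*|-r--------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the remote command line. --defaults-extra-file must be the first
# option; the password is not part of the command, only the file path is.
build_dump_cmd() {
    printf "mysqldump --defaults-extra-file='%s' '%s' | gzip -c" "$1" "$2"
}

# On the database host (password supplied on stdin):
#   write_mysql_optfile "$HOME/.backup.cnf" backup
#   check_optfile "$HOME/.backup.cnf" || echo "option file is too permissive"
# From the backup machine:
#   ssh dbhost "$(build_dump_cmd /home/backup/.backup.cnf appdb)" > appdb.sql.gz
```

Anyone who can read the option file still has the password, so the account it names should carry only the privileges the dump needs.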
Excellent point, I was curious. In my mind I was thinking of using the hash instead of the password so if the script gets compromised then they are looking at a hash instead of the actual password.
Well yes, but then that hash has to be understood by the target system. So basically what you'd be doing is turning an encrypted password system into an unencrypted password system, which just happens to use really weird looking passwords.
A very common technique is called a "salted hash."
For example, say your password was secret. So, you generate a random number, say, 123456, and you generate an MD5 hash from the string, 123456:secret:123456, say, and you send it to the host as your authentication token: 123456:the_md5_value.
Notice how the random number (the "salt") is sent in the clear along with the MD5 string, which has been calculated from the (unknown) secret plus the (public) salt. It serves to make the process non-deterministic: you could send the string secret ten million different ways (that is to say, with a different salt-value), and the interceptor would have no way to know that the password being sent was in fact identical; nor to determine what the password is. And yet, there are no "secrets" as to the manner in which the password-string is being concealed. Eve knows exactly how Alice and Bob are masking their password, but can't wedge what it is.
Last edited by sundialsvcs; 04-02-2012 at 04:06 PM.