LinuxQuestions.org
Old 11-13-2015, 02:57 PM   #1
Entropy1024
Member
 
Registered: Dec 2012
Location: UK
Distribution: Ubuntu 16 & 17
Posts: 130

Passwords in scripts


I have a script to automatically log into a remote site and backup databases etc.

All works well but I'm uncomfortable having the password in plaintext. Is there any way to hide the passwords from prying eyes?

Many thanks
Tim
 
Old 11-13-2015, 03:06 PM   #2
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: CentOS 6 & 7
Posts: 3,242

Log in using ssh with public/private key - no password required. See the ssh-copy-id command.
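An added example, not from the thread or from any of the posters: with key-based login the private key sits unencrypted on the backup host (as later replies point out), so it is worth limiting what that key can do on the remote side. The functions below build and install an authorized_keys entry that pins the key to one command and one source address, using OpenSSH's command=, from=, no-pty and no-*-forwarding options. The key text, command path and address in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not the thread's code): restrict a backup key in
# ~/.ssh/authorized_keys on the remote host so that, even if the unencrypted
# private key is copied from the backup machine, it can only run the backup
# command, only from the backup host, and cannot open a shell or forward ports.

# Print an authorized_keys line that restricts the public key $1 (the contents
# of backup_key.pub) to running $2, accepted only from the pattern $3.
restricted_key_entry() {
    pubkey="$1"; cmd="$2"; from="$3"
    # Keep only "keytype base64"; drop any trailing comment from the .pub file.
    pubkey=$(printf '%s\n' "$pubkey" | awk '{print $1, $2}')
    printf 'command="%s",from="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$cmd" "$from" "$pubkey"
}

# Append that entry to the authorized_keys file $4 unless the same key is
# already present. The file is created owner-only (umask 077) if it is new.
install_restricted_key() {
    pubkey="$1"; cmd="$2"; from="$3"; file="$4"
    entry=$(restricted_key_entry "$pubkey" "$cmd" "$from")
    keyonly=${entry##* }            # last field: the base64 key blob
    if [ -f "$file" ] && grep -qF -- "$keyonly" "$file"; then
        return 0                    # already installed, nothing to do
    fi
    (umask 077; printf '%s\n' "$entry" >> "$file")
}

# Usage on the remote host (placeholder values, assumed layout):
#   install_restricted_key "$(cat backup_key.pub)" \
#       /usr/local/bin/run-backup 192.0.2.10 "$HOME/.ssh/authorized_keys"
# The backup host then connects with:  ssh -i backup_key backup@remote
# and sshd runs /usr/local/bin/run-backup regardless of what the client asks.
```

Whatever the client sends as its command is ignored; sshd runs the forced command instead and exposes the client's request to it in SSH_ORIGINAL_COMMAND, which the backup script can inspect or ignore. Newer OpenSSH releases also accept a single restrict option that covers the no-* settings above.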
 
Old 11-13-2015, 06:11 PM   #3
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,844

Or are you referring to database passwords in cleartext?
 
Old 11-13-2015, 09:14 PM   #4
Entropy1024
Member
 
Registered: Dec 2012
Location: UK
Distribution: Ubuntu 16 & 17
Posts: 130

Original Poster
Quote:
Originally Posted by jpollard View Post
Or are you referring to database passwords in cleartext?
Any password really.
 
Old 11-14-2015, 06:09 AM   #5
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 13,158
Blog Entries: 9

there's always a tradeoff between convenience and security.
you can't have both.

that said, it might be possible to have some sort of basic encryption or rather obfuscation on the password, so you don't have it inside the script (or some other file) in plain text.

my distro's package manager shows a few results when searching for "password encrypt" - i suggest you do the same.

or see here:
http://stackoverflow.com/questions/5...r-php-constant
(just the first search result)
 
Old 11-14-2015, 06:20 AM   #6
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,844

Quote:
Originally Posted by Entropy1024 View Post
Any password really.
I thought that might be the case.

The problem is that even though ssh doesn't require an embedded password (using RSA), it only works if the RSA key is unencrypted... If they are, then you have to supply a passphrase either directly, or through the user agent tool which retains that passphrase/unencrypted keys to supply to ssh (which is still better than embedding the password in a script).

The problem with database passwords is that there is no alternative. They have to be in cleartext when supplied to the database to establish the connection (one of the problems with web services is that the unencrypted password is in the web scripts, and I have not seen any alternatives either).
 
Old 11-14-2015, 07:33 AM   #7
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 3,152

Feel stupid

I researched this very problem, and found only a few solutions. These are the only ones I adopted:
1. do my connections (At least if they require passwords) from a well secured and locked down machine, so that no one but I have ACCESS to see anything that would give away the password. (As a system guy, this made sense but is obviously only as good as your isolation precautions).
2. Hard code the passwords into encrypted executables. (This only makes sense if you come from a programming background, I do)

And in both cases, use a secured channel for communications (VPN, ssl tunnel ala ssh, etc).
In the end, you cannot make it impossible to break password based security. Your objective is to make it so troublesome or expensive that no one will bother.

It seems stupid that OS and SYSTEM people have developed better answers, but the DATABASE people are still using 1980s solutions. (Says the guy who only USES databases, and has rarely developed DB software!)

Last edited by wpeckham; 11-14-2015 at 07:35 AM.
 
Old 11-14-2015, 10:38 AM   #8
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,844

The problem with databases is that no matter how you use them, applications are what connects. If no human is involved (which is the majority of cases with batch processing), then the password MUST be provided in clear text.
 
Old 11-14-2015, 02:55 PM   #9
Entropy1024
Member
 
Registered: Dec 2012
Location: UK
Distribution: Ubuntu 16 & 17
Posts: 130

Original Poster
Quote:
Originally Posted by wpeckham View Post
I researched this very problem, and found only a few solutions. These are the only ones I adopted:
1. do my connections (At least if they require passwords) from a well secured and locked down machine, so that no one but I have ACCESS to see anything that would give away the password. (As a system guy, this made sense but is obviously only as good as your isolation precautions).
2. Hard code the passwords into encrypted executables. (This only makes sense if you come from a programming background, I do)

And in both cases, use a secured channel for communications (VPN, ssl tunnel ala ssh, etc).
In the end, you cannot make it impossible to break password based security. Your objective is to make it so troublesome or expensive that no one will bother.

It seems stupid that OS and SYSTEM people have developed better answers, but the DATABASE people are still using 1980s solutions. (Says the guy who only USES databases, and has rarely developed DB software!)
Thanks for the information.
It's odd as I thought Linux was pretty much built with security in mind. I would have thought there would be some way to have a hash function or something. I guess for FTP the certs are a good solution.

Anyway, appreciate all the help.
Tim
 
Old 11-14-2015, 03:16 PM   #10
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 3,152

Just for the record.
Linux is the kernel, and it is secure as the team and Linus T. can make it.
Your access is (mostly) controlled by applications, generally GNU, and as secure as R. S. and that team can make them.

Databases are different teams, and they do not always communicate well with the first two.

When most people say "linux" they really mean the distribution or OS that blends the first two, and arguing about the real meaning is splitting hairs (of which I have VERY few now) and a waste of time and talent.

Blaming Linux for database, shell, network, or application behavior is pointless unless you are willing to act to fix the problem.

The third, the database people, generally live off in their own little world. (Exceptions abound, natch.) Secure is nearly always second to "make it work" followed by "faster", because that is what their users demand of them!

All three groups are REALLY, REALLY smart people! None of them deserve disrespect. I would not have that job for the world and can only stand in awe.

That said, if you want a password-free way to securely access data in your database then you need to TELL them! Pick one or more of the database engines you would like to use, find those forums, and start asking about a solution to this problem. These guys LOVE a challenge! You may not like their solutions, but there WILL be solutions. That is pretty much how this all works.

If you do not ask, it may never happen.

Last edited by wpeckham; 11-14-2015 at 03:18 PM. Reason: On being the squeaky wheel....
 
Old 11-14-2015, 07:50 PM   #11
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,844

Quote:
Originally Posted by wpeckham View Post
Just for the record.
Linux is the kernel, and it is secure as the team and Linus T. can make it.
Your access is (mostly) controlled by applications, generally GNU, and as secure as R. S. and that team can make them.

Databases are different teams, and they do not always communicate well with the first two.

When most people say "linux" they really mean the distribution or OS that blends the first two, and arguing about the real meaning is splitting hairs (of which I have VERY few now) and a waste of time and talent.

Blaming Linux for database, shell, network, or application behavior is pointless unless you are willing to act to fix the problem.

The third, the database people, generally live off in their own little world. (Exceptions abound, natch.) Secure is nearly always second to "make it work" followed by "faster", because that is what their users demand of them!

All three groups are REALLY, REALLY smart people! None of them deserve disrespect. I would not have that job for the world and can only stand in awe.

That said, if you want a password-free way to securely access data in your database then you need to TELL them! Pick one or more of the database engines you would like to use, find those forums, and start asking about a solution to this problem. These guys LOVE a challenge! You may not like their solutions, but there WILL be solutions. That is pretty much how this all works.

If you do not ask, it may never happen.
Oh, it has been asked.

The problem is that no matter what you use... a password in cleartext (or its equivalent) always shows up. Use a dongle? still unencrypted password... no intelligence in the dongle, it will supply a key as long as it is asked appropriately. Want that request encrypted? then you have to have an unencrypted key entry to set the link up... and that becomes your unencrypted password.

Even with SSH - the authentication keys have to be unencrypted to be used...

All that happens is that the password is in a different location.
 
Old 11-15-2015, 07:47 AM   #12
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 3,152

All solutions are wrong?

jpollard: suggest, then, an alternative.
 
Old 11-15-2015, 08:35 AM   #13
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,844

The closest I've seen has been Kerberos. A time limited credential.

Unfortunately, that has exactly the same weaknesses as a password - other than the requirement to periodically renew the credential.

If the credential can be captured, the database is vulnerable until the credential is revoked or times out. On the plus side, the timeout period can be short. Though the shorter it is the more often the credential has to be renewed.

It also doesn't work well with things like web servers due to the need to renew the credential (which tends to make people create longer term credentials...)

There IS no good solution.

Only a variety of poor ones.
 
Old 09-20-2016, 12:39 PM   #14
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 13,158
Blog Entries: 9

Quote:
Originally Posted by wpeckham View Post
Blaming Linux for database, shell, network, or application behavior is pointless unless you are willing to act to fix the problem.
quoted for truth.
after having been linked here from a newer thread.
 
Old 09-21-2016, 06:54 AM   #15
AnanthaP
Member
 
Registered: Jul 2004
Location: Chennai, India
Distribution: UBUNTU 5.10 since Jul-18,2006 on Intel 820 DC
Posts: 899

The nearest I can think of is to store the passwords (in plain text) in a file in a folder that is readable only by the genuine user or group.

In the password script you might then write something like
pass=$(cat securefolder/securefile)

At least the front end will not directly see the plain-text password.

OK
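An added example, not from the thread or from any of the posters, of the approach in this post together with the caveat raised earlier in the thread: the password still exists in cleartext somewhere, so the script should at least refuse to run when that file has become readable by anyone other than its owner. The file path and the secret are placeholders; the helper names are made up for this example.

```shell
#!/bin/sh
# Added example (not the thread's code): load a password from a file that only
# the owning user may read, refusing to proceed if the file is too permissive.
# Assumed layout: the file holds the password on its first line.

# Portable wrappers: GNU stat first, BSD/macOS stat as fallback.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_uid()  { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }

# Return 0 if $1 is a regular file, owned by the current user, with no group
# or other permission bits (e.g. mode 600 or 400). Otherwise explain on stderr
# and return 1, so a cron job fails loudly instead of reading a leaked secret.
check_secret_file() {
    f="$1"
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    mode=$(file_mode "$f") || return 1
    owner=$(file_uid "$f") || return 1
    if [ "$owner" != "$(id -u)" ]; then
        echo "$f is not owned by uid $(id -u)" >&2; return 1
    fi
    # The last two octal digits are the group and other bits; both must be 0.
    case "$mode" in
        *00) return 0 ;;
        *)   echo "$f has mode $mode; expected 600 or 400" >&2; return 1 ;;
    esac
}

# Read the first line of a checked secret file into the shell variable named
# by $2, without echoing it and without putting it on any command line.
read_secret() {
    f="$1"; __var="$2"
    case "$__var" in *[!A-Za-z0-9_]*|'') return 1 ;; esac   # sane variable name
    check_secret_file "$f" || return 1
    IFS= read -r value < "$f" || [ -n "$value" ] || return 1
    eval "$__var=\$value"
}

# Usage (placeholder path). Create the file once with restrictive permissions:
#   (umask 077; printf '%s\n' 'the-password' > "$HOME/.backup-db-pass")
# Then in the backup script:
#   read_secret "$HOME/.backup-db-pass" DB_PASS || exit 1
# and hand DB_PASS to the client through its environment or a config file it
# reads, not as a command-line argument, which every user can see with ps.
```

The check does not make the password secret from root or from anyone who can read the user's files; it only turns a silent permission slip (a careless chmod, a backup restored with the wrong mode) into a visible failure, which is the tradeoff the thread describes.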
 
All times are GMT -5.