LinuxQuestions.org
Old 04-07-2016, 09:13 AM   #16
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,680

Rep: Reputation: Disabled

Not storing passwords as plaintext is a good idea. However, storing them using an easily reversible encoding scheme doesn't actually improve security at all (with the possible exception of "shoulder surfing" scenarios). And if security is not an issue, why obfuscate the passwords at all?

If you just want to store the passwords in a separate file, you can pull them in using the < redirection operator.

To make the passwords slightly less readable, you could store them using base64 encoding:
Code:
echo YourPassword | base64 >> passwordfile.txt
This is basically what you're doing in PowerShell.

Of course, you could use openssl to actually encrypt the passwords, but since you'd have to specify the decryption password in the script, that would be no real improvement over simple encoding.

If the file contains the hostnames or IP addresses of the servers, you could easily add the (encoded) passwords in a second column and use a combination of grep and cut to retrieve them.
 
1 members found this post helpful.
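The two-column layout suggested in the post above, as an added example that is not part of the original thread. It assumes a tab-separated file of hostname and base64 password, uses awk instead of grep and cut so the hostname is matched exactly, and refuses a file that group or others can access; `get_pass`, `make_sample` and the hostnames are hypothetical names constructed for the illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed credentials file layout,
# one server per line: <hostname><TAB><base64 of password>
# base64 is reversible by anyone who can read the file, so the file mode
# (owner-only) is the actual access control here.

# get_pass FILE HOST: print the decoded password for HOST.
# Returns 2 = file missing, 3 = group/other bits set, 4 = no entry for HOST.
get_pass() {
    gp_file=$1
    gp_host=$2
    [ -f "$gp_file" ] || { echo "missing: $gp_file" >&2; return 2; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    gp_perms=$(ls -ld "$gp_file" | cut -c5-10)
    if [ "$gp_perms" != "------" ]; then
        echo "refusing $gp_file: group/other bits set ($gp_perms)" >&2
        return 3
    fi

    # Exact string match on column 1, so "ftp1" never matches "ftp10"
    # and the dots in a hostname are not treated as regex wildcards.
    gp_enc=$(awk -F '\t' -v h="$gp_host" '$1 == h { print $2; exit }' "$gp_file")
    [ -n "$gp_enc" ] || { echo "no entry for $gp_host" >&2; return 4; }

    printf '%s\n' "$gp_enc" | base64 -d
}

# make_sample FILE: write a constructed two-server credentials file (mode 600).
make_sample() {
    ( umask 077
      printf 'ftp1.domain.lan\t%s\n'  "$(printf '%s' 'first-secret'  | base64)"  > "$1"
      printf 'ftp10.domain.lan\t%s\n' "$(printf '%s' 'second secret' | base64)" >> "$1" )
}

# Demo on constructed data: look up one host and keep the result in a variable.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/servers.txt"
pass=$(get_pass "$demo_dir/servers.txt" ftp1.domain.lan)
echo "decoded ${#pass} characters for ftp1.domain.lan"
rm -rf "$demo_dir"
```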
Old 04-07-2016, 09:19 AM   #17
aristosv
Member
 
Registered: Dec 2014
Posts: 197

Original Poster
Rep: Reputation: 3
Quote:
Originally Posted by ilesterg View Post
Exactly why I was interested to know how the password is being used. I can't imagine a powershell/cmd script which makes use of an "encrypted" string as a credential but will still be able to connect to an ftp server.
I never said I used the powershell script for ftp operations. I posted the powershell example to show how I authenticate while using powershell and a text file containing an encrypted password. My question was simple. Can I do with a bash script what I do with powershell, i.e. have an encrypted password in a text file, and use it in a bash script to authenticate.

Code:
$user = "usernamehere"
$pass = Get-Content C:\tmp\password.txt | ConvertTo-SecureString
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, $pass
Connect-VIServer -Credential $cred -Server $vcenter
 
Old 04-07-2016, 09:29 AM   #18
aristosv
Member
 
Registered: Dec 2014
Posts: 197

Original Poster
Rep: Reputation: 3
Quote:
Originally Posted by Ser Olmy View Post
Not storing passwords as plaintext is a good idea. However, storing them using an easily reversible encoding scheme doesn't actually improve security at all (with the possible exception of "shoulder surfing" scenarios). And if security is not an issue, why obfuscate the passwords at all?

If you just want to store the passwords in a separate file, you can pull them in using the < redirection operator.

To make the passwords slightly less readable, you could store them using base64 encoding:
Code:
echo YourPassword | base64 >> passwordfile.txt
This is basically what you're doing in PowerShell.

Of course, you could use openssl to actually encrypt the passwords, but since you'd have to specify the decryption password in the script, that would be no real improvement over simple encoding.

If the file contains the hostnames or IP addresses of the servers, you could easily add the (encoded) passwords in a second column and use a combination of grep and cut to retrieve them.
I understand what you are saying, and security is not really an issue in that specific environment. No one will try to hack these files to find out the password. In most cases if someone asks me I'll give it to them anyway. I just don't want files containing passwords accessible with a double-click. (or cat in this case).

I appreciate the code you posted. How would I read the passwordfile in my bash script?
 
Old 04-07-2016, 09:31 AM   #19
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 13,570

Rep: Reputation: 4335
VAR=$(base64 -d passwordfile)
 
Old 04-07-2016, 09:31 AM   #20
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,680

Rep: Reputation: Disabled
Code:
#!/bin/sh

server=foo.domain.lan
user=usernamehere
pass=$(cat password.txt | base64 -d)

lftp <<EOF
open $server
login $user $pass
#... FTP commands go here ...
quit
EOF
 
Old 04-07-2016, 09:33 AM   #21
aristosv
Member
 
Registered: Dec 2014
Posts: 197

Original Poster
Rep: Reputation: 3
Something like this I presume?

Code:
pass=$(cat passwordfile.txt | base64 --decode)
and then use $pass
 
Old 04-07-2016, 09:33 AM   #22
aristosv
Member
 
Registered: Dec 2014
Posts: 197

Original Poster
Rep: Reputation: 3
you beat me to it. thanks
 
Old 04-07-2016, 09:36 AM   #23
schneidz
LQ Guru
 
Registered: May 2005
Location: boston, usa
Distribution: fc-15/ fc-20-live-usb/ aix
Posts: 5,272

Rep: Reputation: 914
Quote:
Originally Posted by aristosv View Post
The script will connect on multiple ftp servers using lftp (local insecure servers working on port 21) to download/synchronize various files.
Again, security is of no concern. This is an old legacy environment which has been completely isolated because it is no longer supported. Still, I don't want passwords to be visible in scripts.
well there's your problem. has your company thought about upgrading to scp/sftp ? then you could just use public/private keys.

my company has a bunch of old mainframes which i ftp stuff from time to time and my heredocs have my username and password in clear text.

i don't feel guilty because in case of a breach i will just tell them if they really cared for security they would've upgraded to a more secure system years ago.
Quote:
Originally Posted by pan64 View Post
you need to explain your workflow. What will be stored in which file, where/how do you want to use that secured password? What should be protected?
Remember you do not use script in windows but a binary executable (but probably I missed something).
If you have a powershell script you may also try to post it and we will help you to convert it to unix/bash somehow.
i suspect it's doing something slightly more sophisticated than circular shifting the password by 5 characters or so, e.g.:
Quote:
'hello-world' becomes -> 'mjqqt2|twqi'
and then the closed-sourced binary will just undo the algorithm on-the-fly (security by obscurity) ?


also wouldn't rsync be the preferred method here ?

Last edited by schneidz; 04-07-2016 at 09:46 AM.
 
Old 04-07-2016, 09:39 AM   #24
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,680

Rep: Reputation: Disabled
Quote:
Originally Posted by pan64 View Post
VAR=$(base64 -d passwordfile)
But then you don't qualify for the UUoC award.

(I believe the use of either redirection or cat and pipes can, in some cases, make a script more readable than if one uses a command's built-in ability to read a file. And in some cases there are subtle differences in how the command handles the data, gzip being an example.)
 
1 members found this post helpful.
Old 04-07-2016, 09:45 AM   #25
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 13,570

Rep: Reputation: 4335
pass=$(cat password.txt | base64 -d)
will construct an additional process and a pipe which is definitely slower and eats up more resources. (Obviously?) in this case it is not important at all, but in general this practice is not really recommended.
 
Old 04-07-2016, 11:57 AM   #26
Shadow_7
Senior Member
 
Registered: Feb 2003
Distribution: debian
Posts: 4,000
Blog Entries: 1

Rep: Reputation: 846
Quote:
Originally Posted by aristosv View Post
Code:
Read-Host -assecurestring | convertfrom-securestring | Out-File C:\tmp\password.txt
Code:
Get-Content C:\tmp\password.txt | ConvertTo-SecureString
So basically

$ echo bubbaspassword | base64 | tee /dev/stderr | base64 -d

Or something like that. Swapping base64 for pgp or some other encryption standard. Not that it matters, having the encrypted password and the means to decrypt it kind of defeats the purpose. Outside of defeating some find scanning software looking for exact matches to the unencrypted string. Much like storing that data in program as hex or rot13 or elongated code to stitch together a string from single chars over several commands so it doesn't show up when using the string command. Except when looking at the running program in memory.
 
1 members found this post helpful.
Old 04-07-2016, 12:08 PM   #27
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3179
You would write a program, using some language like Perl or PHP or what-have-you, that would ... say ... interact with a database to retrieve strings from them and to unmask them.

But it would be far easier to connect using "sftp" and to install digital certificates at both sides which would allow the connection to be made "securely, but password-prompt free." The script is run from a user which has all the necessary certificates in its .ssh directory, and that is running an SSH-agent. The remote host accepts the connection upon presentation of this appropriate, unique, certificate.

And I think that you should be doing the same thing with regard to your Windows connections, too! A password is never good-enough. Both operating-system environments support this.

A command like rsync -az --rsh=ssh ... would handle the entire synchronization process ... in both directions, if you like ... entirely on its own, establishing a secure (password-free, if you follow my suggestion) connection, determining what file changes needed to be made, and magically making them.

Last edited by sundialsvcs; 04-07-2016 at 12:11 PM.
 
1 members found this post helpful.
Old 04-07-2016, 12:38 PM   #28
schneidz
LQ Guru
 
Registered: May 2005
Location: boston, usa
Distribution: fc-15/ fc-20-live-usb/ aix
Posts: 5,272

Rep: Reputation: 914
Quote:
Originally Posted by Shadow_7 View Post
So basically

$ echo bubbaspassword | base64 | tee /dev/stderr | base64 -d

Or something like that. Swapping base64 for pgp or some other encryption standard. Not that it matters, having the encrypted password and the means to decrypt it kind of defeats the purpose. Outside of defeating some find scanning software looking for exact matches to the unencrypted string. Much like storing that data in program as hex or rot13 or elongated code to stitch together a string from single chars over several commands so it doesn't show up when using the string command. Except when looking at the running program in memory.
yup, reminds me of this:
http://www.linuxquestions.org/questi...9/#post5527225
 
  


All times are GMT -5. The time now is 12:22 AM.
