Solved

Mask the username/password in a script

Posted on 2004-04-28
Last Modified: 2013-12-26
Hi,

I wrote a Perl script which connects to another Unix system to do some jobs.
The script will be executed by another operator. The operator has access to the first system, but he doesn't have access to the 2nd Unix system.
Right now, I put the username & password of the 2nd Unix system in the script. This will disclose the account to a user who doesn't have the right.

What can I do so that the operator can execute the script without knowing the username & password of the system?

Thanks.
Question by:matchz

12 Comments
LVL 25

Expert Comment

by:lwadwell
ID: 10937054
Does the other operator need read access to the script...or only execute privilege?

As long as the Perl script doesn't output the username and password anywhere visible...and the other operator only has execute rights...'chmod 711 <progname>' will give you as the owner full read, write and execute privilege...but people who are in the same Unix group or public can only execute.

This means that others can only run the program/script...they are not allowed to view or edit the file.
 

Author Comment

by:matchz
ID: 10937167
Actually, I tried to change the access to 711. However, Perl returned "permission denied" until I changed the access right to 750.
 
LVL 12

Expert Comment

by:stefan73
ID: 10937538
Hi matchz,
Don't store plaintext passwords anywhere. It's a major security risk. If you want the other operator to run a job, consider using ssh public key authentication:

(The "client" is your account from where you want to connect to the "server")

1. Create a public/private key pair on your client:

      ssh-keygen -b 2048 -t dsa -f ~/.ssh/id_dsa -N ''
      Check that your private key (~/.ssh/id_dsa) is ONLY readable by you:
      
      sschuerg@client:/home/sschuerg $ ls -l ~/.ssh
      total 64
      -rw-------   1 sschuerg  FIUA2K      1192 Mar 29 11:25 id_dsa
      -rw-r--r--   1 sschuerg  FIUA2K      1116 Mar 29 11:25 id_dsa.pub
      
      
2. Copy your newly generated public key from your client to the server using scp:

      scp ~/.ssh/id_dsa.pub login@server:.ssh/my_public_key
      (This will ask for the password)
            
      (see scp's man page for more details)
      
3. Login to the server to check the key configuration:

      ssh login@server    (This will ask for the password)
      cd .ssh
      ls -l
      
      ...This will show something like
      
      server!login:~/.ssh [101]> ls -l
      total 12
      -rw-r--r--   1 login  mndev        331 Jun 20  2003 authorized_keys
      -rw-r--r--   1 login  mndev       4478 Mar 29 11:26 authorized_keys2
      -rw-r--r--   1 login  mndev       1116 Mar 29 11:26 my_public_key
      
      If there is no "authorized_keys2" file, simply rename your file:
      mv my_public_key authorized_keys2

      Otherwise, append it to the existing file:
      cat my_public_key >> authorized_keys2
      rm -f my_public_key
      
      and logout.
      
4. Check if authentication works:
      (from client)      
      
      ssh login@server


Now you can run any job with

ssh login@server <command chain>


Cheers,
Stefan
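The authorized_keys handling in step 3 above (rename the uploaded key if the file is absent, append otherwise) and the permission check in step 1, as an added example written for this page rather than taken from stefan73's post or any project. It goes a little further than the steps: the append is idempotent, the directory and file get the modes sshd insists on, and an optional third argument pins the key to a single command so the operator's job key cannot be used for an interactive shell. File names and the sample key are constructed for the example.

```shell
#!/bin/sh
# install_job_key <pubkey_file> <authorized_keys_file> [forced_command]
# Appends a one-line public key to an authorized_keys file once, the way
# step 3 does with "cat my_public_key >> authorized_keys2", and fixes modes.
install_job_key() {
    pubkey=$1
    authkeys=$2
    forced=$3   # hypothetical: absolute path of the only command the key may run

    [ -f "$pubkey" ] || { echo "no such key file: $pubkey" >&2; return 1; }
    # A public key is exactly one line; anything else is probably the wrong file.
    [ "$(wc -l < "$pubkey")" -le 1 ] || { echo "expected a one-line public key" >&2; return 1; }
    keyline=$(cat "$pubkey")

    # Optional least-privilege restriction (OpenSSH authorized_keys options):
    # the key may only run $forced and gets no forwarding and no tty.
    if [ -n "$forced" ]; then
        keyline="command=\"$forced\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $keyline"
    fi

    dir=$(dirname "$authkeys")
    mkdir -p "$dir"
    chmod 700 "$dir"            # sshd refuses keys from a group/world-writable ~/.ssh

    # Idempotent append: re-running the install never duplicates the key.
    if [ -f "$authkeys" ] && grep -qxF "$keyline" "$authkeys"; then
        echo "key already present in $authkeys"
        return 0
    fi
    printf '%s\n' "$keyline" >> "$authkeys"
    chmod 600 "$authkeys"
    echo "key installed in $authkeys"
}

# check_private_key <file>: step 1's "ONLY readable by you" check.
# Uses ls -l so it works on any POSIX system without relying on stat(1) flags.
check_private_key() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    mode=$(ls -l "$f" | cut -c2-10)
    case $mode in
        rw-------|r--------) return 0 ;;
        *) echo "$f is readable by others ($mode); run: chmod 600 $f" >&2; return 1 ;;
    esac
}
```

Run it on the server as the login that will own the key, for example "install_job_key ~/my_public_key ~/.ssh/authorized_keys2 /usr/local/bin/run_job" after the scp in step 2; with the forced command in place the operator's key can trigger the job but nothing else, which is the caveat to "now you can run any job".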
 
LVL 48

Expert Comment

by:Tintin
ID: 10944097
What method are you using to "connect" to the other server?  telnet, ssh, http, ftp, rsh, etc?
 

Author Comment

by:matchz
ID: 10945028
Now, I am using the Net::Telnet lib in Perl. I am using telnet to connect to the server.
 
LVL 48

Expert Comment

by:Tintin
ID: 10945428
You'll be much better off using ssh in the manner stefan73 suggested.
 
LVL 51

Expert Comment

by:ahoffmann
ID: 10946651
Mode 711 is useless for scripts; you always need read permission for them, hence the "permission denied".
Either you need to write a wrapper program (not a script) to call your Perl as the proper user, or go with ssh.
You may also use sudo.
I'd suggest ssh.
 
LVL 48

Expert Comment

by:Tintin
ID: 10954294
There seems to be a theme here and it's called ssh.
 

Author Comment

by:matchz
ID: 11020892
So how can I establish an ssh session in a Perl script?
There is some logic inside the Perl script. Are there any libraries for this purpose?
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11023053
use Net::SSH;
 
LVL 48

Accepted Solution

by:
Tintin earned 125 total points
ID: 11027674
To expand on ahoffmann's answer

http://search.cpan.org/~ivan/Net-SSH-0.08/SSH.pm
 
LVL 48

Expert Comment

by:Tintin
ID: 11035908
You really should have given the points to stefan73 and ahoffmann.
