Solved

Mask the username/password in a script

Posted on 2004-04-28
Last Modified: 2013-12-26
Hi,

I wrote a Perl script which connects to another unix system to do some jobs.
The script will be executed by another operator. The operator has access to the first system but he doesn't have access to the 2nd unix.
Right now, I put the username & password of the 2nd unix system in the script. This will disclose the account to the user who doesn't have the right.

What can I do so that the operator can execute the script without knowing the username & password of the system?

Thanks.
Question by:matchz
12 Comments
 
LVL 25

Expert Comment

by:lwadwell
ID: 10937054
does the other operator need read access to the script...or only execute privilege?

as long as the perl script doesn't output the username and password to anywhere visible...and the other operator only has execute rights...'chmod 711 <progname>' will give you as the owner full read, write and execute privilege...but people who are in the same unix group or public can execute.

this means that others can only run the program/script...they are not allowed to view or edit the file.
0
 

Author Comment

by:matchz
ID: 10937167
Actually, I tried to change the access to 711. However, Perl will return permission denied until I change the access right to 750.
0
 
LVL 12

Expert Comment

by:stefan73
ID: 10937538
Hi matchz,
Don't store plaintext passwords anywhere. It's a major security risk. If you want the other operator to run a job, consider using ssh public key authentication:

(The "client" is your account from where you want to connect to the "server")

1. Create a public/private key pair on your client:

      ssh-keygen -b 2048 -t dsa -f ~/.ssh/id_dsa -N ''

      Check that your private key (~/.ssh/id_dsa) is ONLY readable by you:
      
      sschuerg@client:/home/sschuerg $ ls -l ~/.ssh
      total 64
      -rw-------   1 sschuerg  FIUA2K      1192 Mar 29 11:25 id_dsa
      -rw-r--r--   1 sschuerg  FIUA2K      1116 Mar 29 11:25 id_dsa.pub
      
      
2. Copy your newly generated public key from your client to the server using scp:

      scp ~/.ssh/id_dsa.pub login@server:.ssh/my_public_key
      (This will ask for the password)
            
      (see scp's man page for more details)
      
3. Login to the server to check the key configuration:

      ssh login@server    (This will ask for the password)
      cd .ssh
      ls -l
      
      ...This will show something like
      
      server!login:~/.ssh [101]> ls -l
      total 12
      -rw-r--r--   1 login  mndev        331 Jun 20  2003 authorized_keys
      -rw-r--r--   1 login  mndev       4478 Mar 29 11:26 authorized_keys2
      -rw-r--r--   1 login  mndev       1116 Mar 29 11:26 my_public_key
      
      If there is no "authorized_keys2" file, simply rename your file:
      mv my_public_key authorized_keys2

      Otherwise, append it to the existing file:
      cat my_public_key >> authorized_keys2
      rm -f my_public_key
      
      and logout.
      
4. Check if authentication works:
      (from client)      
      
      ssh login@server


Now you can run any job with

ssh login@server <command chain>


Cheers,
Stefan
0
 
LVL 48

Expert Comment

by:Tintin
ID: 10944097
What method are you using to "connect" to the other server?  telnet, ssh, http, ftp, rsh, etc?
0
 

Author Comment

by:matchz
ID: 10945028
Now, I am using the Net::Telnet lib in Perl. I am using telnet to connect to the server.
0
 
LVL 48

Expert Comment

by:Tintin
ID: 10945428
You'll be much better off using ssh in the manner stefan73 suggested.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 10946651
Mode 711 is useless for scripts, you always need read permission for it, hence the permission denied.
Either you need to write a wrapper program (not script) to call your perl as the proper user, or go with ssh.
You also may use sudo.
I'd suggest ssh.
0
 
LVL 48

Expert Comment

by:Tintin
ID: 10954294
There seems to be a theme here and it's called ssh.
0
 

Author Comment

by:matchz
ID: 11020892
So how can I establish an ssh session in a Perl script?
There is some logic inside the Perl script. Are there any libraries for this purpose?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11023053
use Net::SSH;
0
 
LVL 48

Accepted Solution

by:
Tintin earned 500 total points
ID: 11027674
To expand on ahoffmann's answer

http://search.cpan.org/~ivan/Net-SSH-0.08/SSH.pm
0
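
An added example, not part of the thread and not code from any of the posters: a Perl script that runs one remote job through Net::SSH's `ssh_cmd` using the key pair from stefan73's steps, so no password appears in the script. The account, host, job and key path are placeholder assumptions, and the script is assumed to run under the account that owns the key.

```perl
#!/usr/bin/perl
# Added example: remote job over ssh public-key authentication.
# Net::SSH is a thin wrapper around the system ssh client.
use strict;
use warnings;
use Net::SSH qw(ssh_cmd);

# Assumed placeholders: replace with the real account, host and job.
my $remote  = 'login@server';
my $job     = 'uptime';
my $keyfile = "$ENV{HOME}/.ssh/id_dsa";    # private key from step 1

# Return 1 only if the key exists, is owned by the user running the
# script, and carries no group/other permission bits (e.g. mode 0600).
sub key_is_private {
    my ($path) = @_;
    my @st = stat($path) or return 0;      # missing or unreadable
    return 0 unless $st[4] == $>;          # owner must be effective uid
    return ( ( $st[2] & 077 ) == 0 ) ? 1 : 0;
}

# ssh refuses keys with loose permissions anyway; checking first gives
# the operator a clear message instead of an authentication failure.
die "Private key $keyfile is missing or readable by others\n"
    unless key_is_private($keyfile);

# ssh_cmd runs ssh non-interactively, returns the command's STDOUT and
# dies if the remote command writes anything to STDERR.
my $output = eval { ssh_cmd( $remote, $job ) };
die "Remote job failed: $@" if $@;

print $output;
```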
 
LVL 48

Expert Comment

by:Tintin
ID: 11035908
You really should have given the points to stefan73 and ahoffmann.
0
