Solved

Mask the username/password in a script

Posted on 2004-04-28
12
1,069 Views
Last Modified: 2013-12-26
Hi,

I wrote a perl script which connects to another unix system to do some jobs.
The script will be executed by another operator. The operator has the access of the first system but he doesn't have access on the 2nd unix.
Right now, I put the username & password of the 2nd unix system in the script. This will disclose the account to a user who doesn't have the right to it.

What can I do so that the operator can execute the script without knowing the username & password of the system?

Thanks.
Question by:matchz
12 Comments
 
LVL 25

Expert Comment

by:lwadwell
ID: 10937054
Does the other operator need read access to the script...or only execute privilege?

As long as the perl script doesn't output the username and password anywhere visible...and the other operator only has execute rights...'chmod 711 <progname>' will give you as the owner full read, write and execute privilege...but people who are in the same unix group or public can only execute.

this means that others can only run the program/script...they are not allowed to view or edit the file.
0
 

Author Comment

by:matchz
ID: 10937167
Actually, I tried to change the access to 711. However, perl returned permission denied until I changed the access rights to 750.
0
 
LVL 12

Expert Comment

by:stefan73
ID: 10937538
Hi matchz,
Don't store plaintext passwords anywhere. It's a major security risk. If you want the other operator to run a job, consider using ssh public key authentication:

(The "client" is your account from where you want to connect to the "server")

1. Create a public/private key pair on your client:

      ssh-keygen -b 2048 -t dsa -f ~/.ssh/id_dsa -N ''
      Check that your private key (~/.ssh/id_dsa) is ONLY readable by you:
      
      sschuerg@client:/home/sschuerg $ ls -l ~/.ssh
      total 64
      -rw-------   1 sschuerg  FIUA2K      1192 Mar 29 11:25 id_dsa
      -rw-r--r--   1 sschuerg  FIUA2K      1116 Mar 29 11:25 id_dsa.pub
      
      
2. Copy your newly generated public key from your client to the server using scp:

      scp ~/.ssh/id_dsa.pub login@server:.ssh/my_public_key
      (This will ask for the password)
            
      (see scp's man page for more details)
      
3. Login to the server to check the key configuration:

      ssh login@server    (This will ask for the password)
      cd .ssh
      ls -l
      
      ...This will show something like
      
      server!login:~/.ssh [101]> ls -l
      total 12
      -rw-r--r--   1 login  mndev        331 Jun 20  2003 authorized_keys
      -rw-r--r--   1 login  mndev       4478 Mar 29 11:26 authorized_keys2
      -rw-r--r--   1 login  mndev       1116 Mar 29 11:26 my_public_key
      
      If there is no "authorized_keys2" file, simply rename your file:
      mv my_public_key authorized_keys2

      Otherwise, append it to the existing file:
      cat my_public_key >> authorized_keys2
      rm -f my_public_key
      
      and logout.
      
4. Check if authentication works:
      (from client)      
      
      ssh login@server


Now you can run any job with

ssh login@server <command chain>


Cheers,
Stefan
0
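Steps 1 and 3 of stefan73's procedure are the ones people get wrong when they repeat them by hand (a private key left group-readable, the same public key appended twice, an authorized_keys file created world-readable). The following is an added example, not code from the thread or from OpenSSH: two hypothetical POSIX sh helpers, key_mode_ok and install_pubkey, that do those steps repeatably. It also goes one step beyond the thread by optionally pinning the installed key to a single command with sshd's command="..." option, so the key the operator's account holds can run the job and nothing else. The example writes to authorized_keys, which current OpenSSH reads by default alongside the older authorized_keys2 name used in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: a repeatable version of
# stefan73's steps 1 and 3. Both functions are hypothetical helpers.

# key_mode_ok FILE
# Succeed only if FILE is readable and writable by its owner alone (0600).
# The mode string from ls -l is compared so this works on GNU and BSD userland.
key_mode_ok() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# install_pubkey PUBKEY_FILE AUTH_FILE [FORCED_COMMAND]
# Append the first line of PUBKEY_FILE to AUTH_FILE unless the same key is
# already there, then lock AUTH_FILE to mode 0600. With FORCED_COMMAND the
# entry is written with sshd's command="..." option plus no-pty and no
# forwarding, so a client presenting the key gets that one command run,
# whatever command line it actually sends.
install_pubkey() {
    pub=$1
    auth=$2
    forced=${3:-}
    keyline=$(head -n 1 "$pub")
    # field 2 of "type base64blob comment" identifies the key
    keyblob=$(printf '%s\n' "$keyline" | awk '{ print $2 }')
    if [ -z "$keyblob" ]; then
        echo "install_pubkey: no key material in $pub" >&2
        return 2
    fi
    # create the file closed to group/other before writing anything to it
    [ -e "$auth" ] || (umask 077 && : > "$auth")
    if grep -qF -- "$keyblob" "$auth"; then
        echo "install_pubkey: key already present in $auth"
        return 0
    fi
    if [ -n "$forced" ]; then
        printf 'command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
            "$forced" "$keyline" >> "$auth"
    else
        printf '%s\n' "$keyline" >> "$auth"
    fi
    chmod 600 "$auth"
}
```

On the client, `key_mode_ok ~/.ssh/id_dsa || chmod 600 ~/.ssh/id_dsa` replaces the manual `ls -l` inspection; on the server, `install_pubkey ~/.ssh/my_public_key ~/.ssh/authorized_keys /usr/local/bin/nightly_job` replaces the mv/cat/rm sequence and ties the key to the job. Leave the third argument out if the operator genuinely needs an interactive login with that key.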
 
LVL 48

Expert Comment

by:Tintin
ID: 10944097
What method are you using to "connect" to the other server?  telnet, ssh, http, ftp, rsh, etc?
0
 

Author Comment

by:matchz
ID: 10945028
Now, I am using the Net::Telnet Lib in perl. I am using telnet to connect to the server.
0
 
LVL 48

Expert Comment

by:Tintin
ID: 10945428
You'll be much better off using ssh in the manner stefan73 suggested.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 10946651
mode 711 is useless for scripts, you always need read permission for it, hence the permission denied
Either you need to write a wrapper program (not script) to call your perl as proper user, or go with ssh.
You also may use sudo.
I'd suggest ssh.
0
 
LVL 48

Expert Comment

by:Tintin
ID: 10954294
There seems to be a theme here and it's called ssh.
0
 

Author Comment

by:matchz
ID: 11020892
So how can I establish a ssh session in a perl script?
There are some logics inside the perl script. Are there any libraries for this purpose?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11023053
use Net::SSH;
0
 
LVL 48

Accepted Solution

by:
Tintin earned 125 total points
ID: 11027674
To expand on ahoffmann's answer

http://search.cpan.org/~ivan/Net-SSH-0.08/SSH.pm
0
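Whether the script calls Net::SSH or shells out to ssh, the thing that actually replaces the embedded password is the ssh invocation itself: a key the operator's account can read, and options that stop ssh from ever falling back to a password prompt. The following is an added example, not code from the thread or from the Net::SSH module, written as the shell wrapper the operator would run (the same options can be passed through Net::SSH's @ssh_options). JOB_USER, JOB_HOST, JOB_KEY and SSH_BIN are hypothetical settings; SSH_BIN exists so the wrapper can be exercised without a network.

```shell
#!/bin/sh
# Added example, not code from the thread: the client-side job runner the
# operator executes. The script holds no credential at all; the key file
# belongs to the account the operator uses, and ssh is told never to fall
# back to asking for the server password.
# JOB_USER, JOB_HOST, JOB_KEY and SSH_BIN are hypothetical settings.

JOB_USER=${JOB_USER:-login}
JOB_HOST=${JOB_HOST:-server}
JOB_KEY=${JOB_KEY:-$HOME/.ssh/id_job}
# ssh binary to use; overridable so the wrapper can be exercised offline
SSH_BIN=${SSH_BIN:-ssh}

# run_remote_job COMMAND [ARGS...]
# Run COMMAND on the job host and return ssh's exit status (which is the
# remote command's exit status once the connection itself succeeded).
#   BatchMode=yes             never prompt; fail if the key is not accepted
#   IdentitiesOnly=yes        offer only JOB_KEY, not every key an agent holds
#   StrictHostKeyChecking=yes refuse unknown or changed host keys instead of
#                             trusting whatever answers first
#   ConnectTimeout=10         a dead server fails the job instead of hanging it
run_remote_job() {
    if [ ! -r "$JOB_KEY" ]; then
        echo "run_remote_job: cannot read identity file $JOB_KEY" >&2
        return 2
    fi
    "$SSH_BIN" -o BatchMode=yes -o IdentitiesOnly=yes \
        -o StrictHostKeyChecking=yes -o ConnectTimeout=10 \
        -i "$JOB_KEY" "$JOB_USER@$JOB_HOST" "$@"
}
```

Usage from the operator's shell is `. ./run_job.sh && run_remote_job /usr/local/bin/nightly_job`, with JOB_KEY pointing at a key file the operator's account owns with mode 0600. Because host keys are checked strictly, the server's entry must already be in the operator's known_hosts (one interactive `ssh login@server` as in stefan73's step 4 puts it there); after that the job runs with no prompt of any kind, and a revoked or rotated key makes it fail visibly rather than silently falling back to a password.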
 
LVL 48

Expert Comment

by:Tintin
ID: 11035908
You really should have given the points to stefan73 and ahoffmann.
0
