Using encrypted password file in Linux

ashsysad
Hello,

We have a situation like this. We have a shell script in which we hard-coded the password for a production account. The script will log in to another server using the hard-coded password and perform some operation.

We feel it's potentially unsafe hard-coding the password in the script, hence I am wondering why we don't use an encrypted file which will contain the password details and which will be decrypted only during execution. Please let me know if it is possible.

I'm aware of the other options like using password-less SSH keys, but my management isn't convinced by it.

Thanks in advance!!
Hello, you could try gpg:
$ gpg -c filename
Enter passphrase:<YOUR-PASSWORD>
Repeat passphrase:<YOUR-PASSWORD>
Option:
-c : Encrypt with symmetric cipher.

To decrypt the file, use the gpg command:
$ gpg filename

Enter passphrase:<YOUR-PASSWORD>
To decrypt the file and write the output to the file filename.txt, you can run the command:
$ gpg filename.gpg -o filename.txt
Hope that helps.

Author

Commented:
Thanks Stergium. The syntax to decrypt a file and write the output to a file is giving a syntax error. Could you please check?

# gpg confidentail.txt.gpg -o passfile
usage: gpg [options] [filename]
# gpg -d confidentail.txt.gpg -o passfile
usage: gpg [options] --decrypt [filename]
# gpg -d confidentail.txt.gpg passfile
usage: gpg [options] --decrypt [filename]
#
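The gpg approach from stergium's answer, with the option ordering that avoids the usage errors shown above, as an added example that is not from the thread. It decrypts to stdout so the clear-text password only ever lives in a shell variable; the passphrase still has to reach the script somehow, which is the problem the following answers discuss. It assumes GnuPG 2.1 or newer (for --pinentry-mode loopback); the file names, password and passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: symmetric gpg encryption of a password file,
# with the plaintext recovered on stdout into a shell variable at run time.
# Assumes GnuPG 2.1 or newer (--pinentry-mode loopback); file names and the
# password/passphrase values are constructed for the demonstration.
set -eu

# Use a throw-away GnuPG home so the example never touches the real keyring.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
WORKDIR=$(mktemp -d)
trap 'rm -rf "$GNUPGHOME" "$WORKDIR"' EXIT

# True when a gpg is installed that understands --pinentry-mode (GnuPG >= 2.1).
gpg_supports_loopback() {
    command -v gpg >/dev/null 2>&1 &&
        gpg --dump-options 2>/dev/null | grep -q -- '--pinentry-mode'
}

# encrypt_password_file <plaintext-file> <passphrase>
# Writes <plaintext-file>.gpg. Every option comes BEFORE the file name: gpg
# expects "gpg [options] [filename]", so with -o after the file it sees two
# file arguments and only prints its usage line, as in the output above.
encrypt_password_file() {
    printf '%s' "$2" | gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-fd 0 --symmetric --cipher-algo AES256 \
        --output "$1.gpg" "$1"
}

# decrypt_to_stdout <encrypted-file> <passphrase>
# Decrypts to stdout so the caller captures it in a variable instead of
# writing a clear-text copy back to disk.
decrypt_to_stdout() {
    printf '%s' "$2" | gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-fd 0 --decrypt "$1"
}

# round_trip: encrypt a constructed password, delete the plaintext, decrypt it
# back into a variable and return it. Note that the passphrase is still a
# secret the script needs at run time.
round_trip() {
    printf 'S3cret-constructed-password\n' > "$WORKDIR/prodpass"
    encrypt_password_file "$WORKDIR/prodpass" 'example-passphrase'
    rm -f "$WORKDIR/prodpass"          # only prodpass.gpg stays on disk
    PROD_PASSWORD=$(decrypt_to_stdout "$WORKDIR/prodpass.gpg" 'example-passphrase')
    printf '%s' "$PROD_PASSWORD"
}

if gpg_supports_loopback; then
    pw=$(round_trip)
    echo "recovered a ${#pw}-character password; only $WORKDIR/prodpass.gpg remains on disk"
fi
```

In a real script the `printf '%s' "$2" |` feed would be replaced by whatever holds the passphrase, and that is exactly where the next answers point out the problem has only moved.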
Top Expert 2007
Commented:
I would try to convince your management that ssh keys are a much more secure way of handling the problem than trying to encrypt a password (you will still need a key to decrypt it, so it just defers the problem with needing a password).

You can lock down ssh connections based on other criteria such as source IP address, turning tunnelling off etc.
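The lockdown Tintin describes, as an added example that is not from the thread: it generates the authorized_keys entry and the sshd_config Match block that tie the script's key to one source address and switch tunnelling and forwarding off. The account name, the address and the key material are constructed placeholders, and the functions only print the configuration; appending it to the target's files is left to the administrator.

```shell
#!/bin/sh
# Added example, not from the thread: generate the configuration that ties a
# key-based login to one source address and turns tunnelling off, the lockdown
# Tintin describes. Account, address and key material are constructed placeholders.
set -eu

# authorized_keys_entry <allowed-source> <public-key-line>
# from= makes sshd accept this key only from the listed address patterns
# (comma-separated; CIDR such as 203.0.113.0/24 is accepted). The no-* options
# switch off port, agent and X11 forwarding for sessions that use the key.
authorized_keys_entry() {
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# sshd_match_block <allowed-source> <account>
# Server-side counterpart for /etc/ssh/sshd_config: when <account> connects
# from <allowed-source>, only public-key authentication is offered and TCP
# forwarding, tunnelling and X11 are disabled whatever the key line says.
sshd_match_block() {
    cat <<EOF
Match User $2 Address $1
    PasswordAuthentication no
    PubkeyAuthentication yes
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
EOF
}

SCRIPT_HOST='203.0.113.10'      # constructed: where the script runs
PROD_ACCOUNT='prodacct'         # constructed: account on the target server
PUBKEY='ssh-ed25519 AAAA<constructed-key-material> script@203.0.113.10'

echo "# append to ~$PROD_ACCOUNT/.ssh/authorized_keys on the target:"
authorized_keys_entry "$SCRIPT_HOST" "$PUBKEY"
echo
echo "# append to /etc/ssh/sshd_config on the target, then run 'sshd -t' and reload sshd:"
sshd_match_block "$SCRIPT_HOST" "$PROD_ACCOUNT"
```

The Match block must come after the global settings in sshd_config, and `sshd -t` should be run before reloading so a typo does not lock everyone out.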
Author

Commented:
Makes sense Tintin. I would be grateful if you could give me the steps to lock down the SSH connection based on source IP address?
Most Valuable Expert 2013
Top Expert 2013
Commented:
As you can see in stergium's comment - you need a password/phrase to decrypt if you don't want to use a public/private key pair, just as with ssh.

If the user has to enter something - why not have them enter the password directly, without the diversion over an intermediate encryption?

"One way encryption" as done with e.g. crypt() is not an option, as it seems, because it would require the password in clear text in your script as well.

So again: encryption to be used in a later decryption without the need to enter a passphrase is only possible with key pairs.

Why not use ssh then?

And even with ssh you will have to store your private key in a very safe place.

So why not just store a clear text password file in a safe place and read in the password(s) from this file in your script?


wmp

Author

Commented:
@Wmp, I'm trying to work out how to assign the password present in a file to a variable in a script. I'm trying like this but it isn't working. Please help.

# cat secretfile
newpass
# var1=`--stdin secretfile`
-bash: --stdin: command not found
# var1 --stdin secretfile
-bash: test: --stdin: unary operator expected
#
Most Valuable Expert 2013
Top Expert 2013
Commented:
var1=$(cat secretfile)

or

read var1 < secretfile

The above suggestions assume that there is indeed one single line containing one single word in secretfile.

If you'd like to set up the inputfile in a different way (e.g. one or several user/password combinations) please let me know.
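Both file layouts wmp mentions, as an added example that is not from the thread: the single-word file read with `read var1 < secretfile`, and an account:password file with several entries. Because the whole scheme rests on the file being readable only by the script's account, the functions check ownership and mode before they return anything. The file names, account names and passwords other than `newpass` are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: read a password from a clear-text file the
# way wmp suggests, but refuse to use it unless the file is private to the user
# running the script. Paths and passwords (except "newpass") are constructed.
set -eu

# check_secret_file <path>
# Fails unless <path> is a regular file, owned by the current user, with no
# group/other permission bits (mode 0600 or 0400).
check_secret_file() {
    f=$1
    [ -f "$f" ] || { echo "secret file $f missing" >&2; return 1; }
    [ -O "$f" ] || { echo "secret file $f not owned by $(id -un)" >&2; return 1; }
    # GNU stat first, BSD stat as fallback; both print the octal mode bits.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "secret file $f has mode $mode, expected 0600" >&2; return 1 ;;
    esac
}

# read_password <path>
# Single-line file: the whole line is the password (wmp's read var1 < secretfile).
# IFS= and -r keep leading/trailing blanks and backslashes in the password intact.
read_password() {
    check_secret_file "$1"
    IFS= read -r pw < "$1"
    printf '%s' "$pw"
}

# lookup_password <path> <account>
# Multi-entry file, one "account:password" per line. Only the first colon
# splits, so a password may itself contain colons.
lookup_password() {
    check_secret_file "$1"
    while IFS=: read -r acct pw; do
        if [ "$acct" = "$2" ]; then
            printf '%s' "$pw"
            return 0
        fi
    done < "$1"
    echo "no entry for $2 in $1" >&2
    return 1
}

# Constructed sample files in a private temporary directory.
SECRETS_DIR=$(mktemp -d)
trap 'rm -rf "$SECRETS_DIR"' EXIT
( umask 077                                 # files are created 0600
  printf 'newpass\n' > "$SECRETS_DIR/single"
  printf 'prodacct:S3cret:with:colons\nbackup:other-pass\n' > "$SECRETS_DIR/multi" )
printf 'leaked\n' > "$SECRETS_DIR/loose"
chmod 644 "$SECRETS_DIR/loose"              # world-readable: must be rejected

PROD_PASSWORD=$(read_password "$SECRETS_DIR/single")
echo "loaded a ${#PROD_PASSWORD}-character password from the single-line file"
PROD_PASSWORD=$(lookup_password "$SECRETS_DIR/multi" prodacct)
echo "loaded a ${#PROD_PASSWORD}-character password for prodacct from the multi-entry file"
if check_secret_file "$SECRETS_DIR/loose" 2>/dev/null; then
    echo "BUG: world-readable file was accepted"
else
    echo "world-readable file correctly rejected"
fi
```

Keep the file outside any directory that is backed up or checked into version control, and pass the variable to the remote command through an environment variable or stdin rather than on a command line, where `ps` would show it.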

Author

Commented:
Thank you all. With this discussion, I got some useful information on password security in scripts.

Author

Commented:
Thank you all!!
