Hiding passwords in scripts
wordpress meta
title: 'Hiding Passwords in Scripts'
date: '2014-05-24T06:49:26-05:00'
status: publish
permalink: /hiding-passwords-in-scripts
author: admin
excerpt: ''
type: post
id: 287
category:
- Security
tag: []
post_format: []
Sometimes you need to pass a password or even just a string on the command line which you would rather obscure. For example:
serverControl.sh -u admin -p $MYPASS -c shutdown
Note that nothing below is the ideal way of dealing with passwords; you should probably use SSH keys instead if possible.
Sometimes you really do not have a better option and this might be your only one. It is still a weak way to store passwords, though. I simplified, but you probably don't want to use obvious variable names or file names either.
Very simple base64 encoding:
$ echo "passwd" | base64
cGFzc3dkCg==
$ echo "cGFzc3dkCg==" | base64 --decode
passwd
# Use in a script as follows, or better, use a file to store the string:
MYENCPASS="cGFzc3dkCg=="
MYPASS=`echo "$MYENCPASS" | base64 --decode`
Using aesutil:
I saw someone mention aesutil on the Internet, but it appears that few modern Linux distros come with the aesutil tools.
# mkrand generates a 15-character random password
$ SALT=`mkrand 15`
$ echo "passwd" | aes -e -b -B -p $SALT
i/b9pkcpQAPy7BzH2JlqHVoJc2mNTBM=
# Use in a script as follows, or use a file to store the string:
MYENCPASS="i/b9pkcpQAPy7BzH2JlqHVoJc2mNTBM="
MYPASS=`echo "$MYENCPASS" | aes -d -b -p $SALT`
Or maybe openssl is an option:
This is still very lame, as you still have to supply a password to the openssl command. I just named it garbageKey, but you are probably better off making it more obscure.
# Test
$ echo 'mySecretPassword' | openssl enc -base64 -e -aes-256-cbc -nosalt -pass pass:garbageKey
yQA4stTBI8njgNgdmttwjlcFrywQD4XEIgK8HzqEOxI=
$ echo 'yQA4stTBI8njgNgdmttwjlcFrywQD4XEIgK8HzqEOxI=' | openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:garbageKey
mySecretPassword
# Use a hidden file
$ echo 'mySecretPassword' | openssl enc -base64 -e -aes-256-cbc -nosalt -pass pass:garbageKey > .hidden.lck
$ cat .hidden.lck
yQA4stTBI8njgNgdmttwjlcFrywQD4XEIgK8HzqEOxI=
# In a script (the variable now holds the decrypted password)
$ MYPASS=`cat .hidden.lck | openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:garbageKey`
$ echo "$MYPASS"
mySecretPassword
As you can see in the last example, I also used a hidden file instead of keeping the encrypted string in the script itself.
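Both the base64 form and the static-key openssl form above can be reversed by anyone who can read the script or `.hidden.lck`, so the file's permissions do the real work. The following is an added example (not from the original post) that stores and loads the base64 form while enforcing owner-only access; the function names `is_private_file`, `store_secret` and `load_secret` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# base64 is an encoding, not encryption: anyone who can read the file can
# recover the password, so the file mode is the only real protection here.

# Succeed only if $1 is a regular file (not a symlink) with no group/other bits.
is_private_file() (
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || exit 1
    mode=$(ls -ld -- "$f") || exit 1
    mode=${mode%% *}                 # first field, e.g. "-rw-------"
    case $mode in
        ????------*) exit 0 ;;       # owner bits only (600, 400, ...)
        *)           exit 1 ;;
    esac
)

# Read the secret on stdin (keeps it out of argv) and store it owner-only.
# Usage: printf '%s' "$pw" | store_secret .hidden.lck
store_secret() (
    umask 077                        # a new file is created as 0600
    : > "$1" || exit 1
    chmod 600 "$1" || exit 1         # tighten a pre-existing file before writing
    base64 >> "$1"
)

# Print the decoded secret, refusing files that group or other can access.
# Usage: MYPASS=$(load_secret .hidden.lck) || exit 1
load_secret() (
    if ! is_private_file "$1"; then
        echo "refusing $1: need a regular file with mode 600 or stricter" >&2
        exit 1
    fi
    base64 -d < "$1"
)
```

The same permission check applies unchanged to a `.hidden.lck` produced by the openssl variant; only the decode step in `load_secret` would differ.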