redoblog

February 24, 2010

Hiding Passwords – Security by Obscurity

Filed under: Connectivity — redoblog @ 9:00 pm

I’ve written quite a lot of scripts over the last twenty years and have always tried to secure my database usernames and passwords. I’ve made use of directories with 0400 and 0440 permissions, making the directories only readable by a certain group. Then I’d add the group id to the “run as” user of my script. I’ve gone a little further as well and tried to hide my passwords by obscurity, doing things such as making my files “.passwords” (well, not that name, but I need to be careful how much I give away, after all, this is a blog!).

So if for example I create a file called “/home/ahbaidg/.hidden/.passwords” the file’s contents would look like this:

# File: .passwords
# Notes: Comments cause lines to be ignored
# Entry format: APPID:DBNAME:DBUSER:DBPASS
# APPID – is an application identifier
# DBNAME – is the TNS Names entry to connect to the database
# DBUSER – is the username to connect with
# DBPASS – is the password to use
#
# Billing App entries for my read only reporting user against PRODDB database
BILLINGREPORTS:PRODDB:BILLRO:0r4cle
#
# Reservation App entries for my read only user against RESERVS database
RESRO:RESERVS:RESRO:d4t4b4s3

I’d protect the file from world readability with “chmod 0400 .passwords”, so only the file’s owner (the user my app runs as) could read it.

Then in my shell scripts I’d grep through the file and use awk to parse it like so:

#!/bin/bash
export ACCOUNTS=/home/ahbaidg/.hidden/.passwords
export MYAPP=BILLINGREPORTS

# Drop comment lines, then match the APPID field exactly (a bare "grep ^$MYAPP"
# would also match entries such as BILLINGREPORTS2) and pull out one field each.
DBNAME=$(grep -v '^#' "$ACCOUNTS" | awk -F: -v app="$MYAPP" '$1 == app {print $2}')
DBUSER=$(grep -v '^#' "$ACCOUNTS" | awk -F: -v app="$MYAPP" '$1 == app {print $3}')
DBPASS=$(grep -v '^#' "$ACCOUNTS" | awk -F: -v app="$MYAPP" '$1 == app {print $4}')

The remainder of the script would then connect to the database doing something like:

echo "$DBPASS" | sqlplus -S -R 3 -L "$DBUSER@$DBNAME"

The password sits in a plain-text file, so anyone with sufficient privileges on the host can still read it. My approach only hid the password by obscuring where it lived; it did not protect the password itself. How can this be made more secure? One way is to use an Oracle Wallet: a wallet can be distributed to users without sharing the database password, while the passwords themselves are kept in an encrypted store.
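The script above reads the credentials file without ever checking that it is still locked down, and its prefix match would happily pick up a different entry. The following is an added example (not code from the original post) of a loader that fails closed: it refuses a file that is not owned by the caller or is readable by group or other, skips comments and blank lines, and matches the APPID field exactly. The file path, entry names and passwords it creates are constructed for the demo; the stat -c form assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not part of the original post. Demo entries are constructed.

# load_credentials FILE APPID
# Prints "DBNAME:DBUSER:DBPASS" for the entry whose first field equals APPID.
# Returns 1 if the file is missing, not owned by the caller, or readable by
# group/other; returns 2 if no entry (or more than one entry) matches.
load_credentials() {
    file=$1
    app=$2

    [ -f "$file" ] || return 1

    # GNU stat; on BSD/macOS the equivalent is: stat -f '%Lp %u' "$file"
    perms=$(stat -c '%a %u' "$file") || return 1
    mode=${perms% *}
    owner=${perms#* }

    # Only owner-readable modes are acceptable (0400 or 0600).
    case "$mode" in
        400|600) ;;
        *) return 1 ;;
    esac
    [ "$owner" = "$(id -u)" ] || return 1

    # Skip comment and blank lines; compare field 1 exactly, not as a prefix.
    matches=$(awk -F: -v app="$app" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == app { print $2 ":" $3 ":" $4 }
    ' "$file")

    [ -n "$matches" ] || return 2
    # More than one matching line means the file is ambiguous: refuse it.
    [ "$(printf '%s\n' "$matches" | wc -l)" -eq 1 ] || return 2
    printf '%s\n' "$matches"
}

# make_demo_file MODE
# Writes a constructed credentials file into a private temp directory,
# creating it with umask 077 so it is never briefly world-readable, then
# applies MODE. Prints the file path.
make_demo_file() {
    dir=$(mktemp -d)
    f="$dir/.passwords"
    ( umask 077 && cat > "$f" <<'EOF'
# constructed demo entries (APPID:DBNAME:DBUSER:DBPASS)
BILLINGREPORTS:PRODDB:BILLRO:example-pass-1
BILLINGREPORTS2:PRODDB:BILLRO2:example-pass-2

RESRO:RESERVS:RESRO:example-pass-3
EOF
    ) && chmod "$1" "$f"
    printf '%s\n' "$f"
}

# Usage (constructed demo): create a 0400 file and load one entry.
# demo=$(make_demo_file 400) && load_credentials "$demo" BILLINGREPORTS
```

The mode check is deliberately stricter than the 0440 group-readable layout described earlier: a credentials file that more than one account can read is treated as misconfigured, and the script stops rather than connecting with a possibly exposed password.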

In my next post I’ll go into how to setup an Oracle Wallet.

Stay Tuned!

1 Comment »

  1. […] 19-How to hide (obscure) your passwords in shell scripts ? (recommended) Ahbaid Gaffoor-Hiding Passwords – Security By Obscurity […]

    Pingback by Blogroll Report 19/02/2010 – 26/02/2010 « Coskan’s Approach to Oracle — March 20, 2010 @ 8:30 pm
