[Tfug] Passwords in Plain-text? Shell scripts and CIFS
Choprboy
choprboy at dakotacom.net
Thu Aug 7 19:52:27 MST 2008
On Thursday 07 August 2008 12:59, Matt Jacob wrote:
> Christopher Robbins wrote:
> > server. Is there a better way to secure the username/password combo
> > than just
> > a plain-text file in /etc? Is there a wiser way to keep these passwords
> > secure?
>
> Have you considered installing an SSH server on the Windows box and
> using public/private keypairs for passwordless authentication?
>
I have used the SSH key pair method many times with great success, and that
would be my first choice as well. However, I have also run into a number of
cases where I needed a script to have access to something else where SSH is
not an option (examples: periodic FTP downloads/uploads, scripted SQL access,
Windows share copying).

Unfortunately, you pretty much have to use a plain text user/password storage.
But there is a fairly easy way to apply a moderate amount of protection to this
to keep other users on the system from seeing and exploiting.

FTP/SQL/SMB/etc. all have options to read options from a file. Using that
option you can keep the user/pass from being seen in the system process list
and secure the plain text somewhere generally inaccessible.

Create a new user and put /sbin/nologin in passwd, so it can't be
conventionally used. Lock down the user's directories to prevent other users
from cd/ls. Create an options file with the user/pass defined in it and make
it 400 read only by the user. Give the user permissions to perform/access the
particular task you need, then put in a crontab to automatically run the task
needed.

Adrian
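
The file and directory permissions described in the message above can be checked by the cron wrapper before it uses the options file. This is an added example, not part of the original post; it assumes GNU `stat`, and the account name `svc_backup` and the paths in the comments are hypothetical.

```shell
#!/bin/bash
# Added example: audit an options/credentials file before a scheduled job uses it.
# Assumes GNU coreutils stat. Account name and paths below are hypothetical.
#
# Typical consumer (run from svc_backup's crontab), shown for context only:
#   smbclient //server/share -A /home/svc_backup/.smbcred -c 'get report.csv'
# where .smbcred holds "username = ..." and "password = ..." lines.

# audit_cred_file FILE [UID]
# Returns 0 only if FILE is a regular file (not a symlink), is owned by UID
# (default: the calling user), has no group/other permission bits, and sits in
# a directory with no group/other permission bits.
audit_cred_file() {
    local file uid rc mode fuid dir dmode
    file=$1
    uid=${2:-$(id -u)}
    rc=0

    # A symlink could point the job at a file someone else controls.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL: $file is missing, a symlink, or not a regular file" >&2
        return 1
    fi

    mode=$(stat -c '%a' "$file")    # octal permission bits, e.g. 400
    fuid=$(stat -c '%u' "$file")    # numeric owner
    dir=$(dirname "$file")
    dmode=$(stat -c '%a' "$dir")

    if [ "$fuid" != "$uid" ]; then
        echo "FAIL: $file owned by uid $fuid, expected $uid" >&2
        rc=1
    fi
    # Any group/other bit on the file exposes the password to other local users.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $file has mode $mode, expected 400" >&2
        rc=1
    fi
    # Group/other bits on the directory let other users cd/ls into it.
    if [ $(( 0$dmode & 077 )) -ne 0 ]; then
        echo "FAIL: $dir has mode $dmode, expected 700" >&2
        rc=1
    fi
    return $rc
}
```

A wrapper can call `audit_cred_file /home/svc_backup/.smbcred || exit 1` as its first line so the job refuses to run if the permissions have drifted.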