
RE: How to encrypt shell scripts on Unix

From: Mark W. Farnham <mwf_at_rsiz.com>
Date: Thu, 12 Oct 2006 15:40:58 -0400
Message-ID: <004d01c6ee36$5818e8f0$0c00a8c0@Thing1>

  1. Jared and Mark Bobak are right on target, use a password server strategy or ops$, but do not embed passwords all over the place.
  2. Even when using a password server, do something like:

#! /bin/ksh
# Copyright (C) 1994 Rightsizing, Inc.
#
# Used by permission, All Rights Reserved
#
# runksh1 -- Run a sqlplus script as user/pw
# file without showing the password in ps.
#
# Usage: echo "user/pw" | ksh runksh1 scriptname [parameters]

# Read the connect string from stdin; -r keeps any backslashes in the password intact.
read -r userpw
scriptname=$1
shift 1
# Join the remaining arguments into one string for the sqlplus start command.
parameters="$*"
# sqlplus takes the connect string from its own stdin, not from its command line.
sqlplus << INPUT01
$userpw
start $scriptname $parameters
exit
INPUT01

This will vary a bit by which shell(s) you use, but this makes it very difficult (impossible? Unless you're so powerful on the machine anyway that nothing is going to stop you anyway) to see the passwords anywhere after the password server coughs them up. Note that this is different from passing an argument to the shell, which will persist. Using echo makes the value ephemeral as the first job in the pipeline is gone very quickly. Of course the original purpose of this shell can also be served by encrypting or overwriting the ps args, but doing it this way works whether that is done or not.

Regards,  

Mwf  

Oh, and that's my copyright so all y'all can use it freely, yas just can't turn around and copyright it so I can't use it.  


From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Jared Still
Sent: Thursday, October 12, 2006 2:24 PM
To: Amir.Hameed_at_xerox.com
Cc: oracle-l_at_freelists.org
Subject: Re: How to encrypt shell scripts on Unix  

On 10/11/06, Hameed, Amir <Amir.Hameed_at_xerox.com> wrote:

Hi folks,
I am interested in knowing if anyone has successfully encrypted their shell scripts (particularly on Solaris) that contained sensitive information (passwords, etc.) and how they did it. I am trying to use the "shc" utility which is supposed to do the job but it is not working and keeps giving errors.
Any feedback will be appreciated.  

You may want to consider an alternative: do not put sensitive information (like passwords) into shell scripts.

Use some type of password server to supply passwords to the script at runtime.

Benefits are twofold:
1) no passwords in your scripts.
2) when passwords change, no modifications to the script are required.

-- 
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist




--
http://www.freelists.org/webpage/oracle-l
Received on Thu Oct 12 2006 - 14:40:58 CDT
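
The difference the post relies on, a credential passed as an argument versus one written to stdin, can be checked against what ps shows. The following is an added example, not part of the original message or of runksh1; the placeholder credential, the "worker" label and the function names are assumptions made for illustration, and it assumes printf is a shell builtin.

```sh
#!/bin/sh
# Added example. SECRET is a constructed placeholder, not a real credential.
SECRET='scott/ExamplePw123'

# Command line of PID $1 as local users can read it (what ps displays).
visible_args() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\000' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Print "exposed" if SECRET appears in the command line of PID $1, else "hidden".
report() {
    if visible_args "$1" | grep -F -q -- "$SECRET"; then
        echo exposed
    else
        echo hidden
    fi
}

# Weak pattern: credential passed as an argument. It stays in the argument
# list for the life of the process. The "; :" keeps sh from exec'ing sleep.
check_argv() {
    sh -c 'sleep 2; :' worker "$SECRET" >/dev/null 2>&1 &
    pid=$!
    sleep 1
    report "$pid"
    wait "$pid"
}

# Pattern from the post: the credential is written to the child's stdin by a
# shell builtin (assumed: printf is builtin), so it is in no argument list.
check_stdin() {
    printf '%s\n' "$SECRET" |
        sh -c 'read -r userpw; sleep 2; :' worker >/dev/null 2>&1 &
    pid=$!
    sleep 1
    report "$pid"
    wait "$pid"
}

echo "argv:  $(check_argv)"
echo "stdin: $(check_stdin)"
```

The same check can be pointed at a real job's PID while it runs to confirm that a connect string never reaches the process table.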
