RE: How to encrypt shell scripts on Unix

From: Hameed, Amir <Amir.Hameed_at_xerox.com>
Date: Thu, 12 Oct 2006 15:51:55 -0400
Message-ID: <77A4D80DB2ADD74EB5D7F1D31626F0C0038A7815@usa0300ms03.na.xerox.net>


Mark,
In Oracle 11i Applications, there are services (application server, forms server, concurrent manager, etc.) that are started on different tiers using Oracle's supplied standard scripts. Each of those scripts requires that a username/passwd be supplied to start those services. This is where I need help. All our DBA accounts are external and we do not store passwords in any script, with the exception of those that are used to call Oracle's standard scripts.

Thanks

Amir


	From: Mark W. Farnham [mailto:mwf_at_rsiz.com] 
	Sent: Thursday, October 12, 2006 3:41 PM
	To: jkstill_at_gmail.com; Hameed, Amir
	Cc: oracle-l_at_freelists.org
	Subject: RE: How to encrypt shell scripts on Unix
	
	

	a) Jared and Mark Bobak are right on target, use a password server strategy or ops$, but do not embed passwords all over the place.

	b) Even when using a password server, do something like:

#! /bin/ksh
# Copyright (C) 1994 Rightsizing, Inc.
#
# Used by permission, All Rights Reserved
#
# runksh1 -- Run a sqlplus script as user/pw
# file without showing the password in ps.
#
# Usage: echo "user/pw" | ksh runksh1 scriptname [parameters]

# Read the credential from stdin so it never appears in this script's arguments.
read -r userpw
scriptname=$1
shift 1
parameters=$@

# Feed the credential to sqlplus in a here-document; the closing INPUT01 must start in column 1.
sqlplus << INPUT01
$userpw
start $scriptname $parameters
exit
INPUT01

	This will vary a bit by which shell(s) you use, but this makes it very difficult (impossible? Unless you're so powerful on the machine anyway that nothing is going to stop you anyway) to see the passwords anywhere after the password server coughs them up. Note that this is different from passing an argument to the shell, which will persist. Using echo makes the value ephemeral as the first job in the pipeline is gone very quickly. Of course the original purpose of this shell can also be served by encrypting or overwriting the ps args, but doing it this way works whether that is done or not.

        Regards,          

        Mwf          

        Oh, and that's my copyright so all y'all can use it freely, yas just can't turn around and copyright it so I can't use it...                   


	From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Jared Still

	Sent: Thursday, October 12, 2006 2:24 PM
	To: Amir.Hameed_at_xerox.com
	Cc: oracle-l_at_freelists.org
	Subject: Re: How to encrypt shell scripts on Unix

	 

	On 10/11/06, Hameed, Amir <Amir.Hameed_at_xerox.com> wrote:

		Hi folks,
		I am interested in knowing if anyone has successfully encrypted their
		shell scripts (particularly on Solaris) that contained sensitive
		information (passwords, etc.) and how did they do it. I am trying to
		use the "shc" utility which is supposed to do the job but it is not
		working and keeps giving errors.
		Any feedback will be appreciated.

	 

	
	You may want to consider an alternative:  do not put sensitive 
	information (like passwords) into shell scripts.
	
	Use some type of password server to supply passwords to
	the script at runtime.  
	
	Benefits are twofold:  
	1) no passwords in your scripts.
	2) when passwords change, no modifications to the script are required.
	-- 
	Jared Still
	Certifiable Oracle DBA and Part Time Perl Evangelist


--
http://www.freelists.org/webpage/oracle-l
Received on Thu Oct 12 2006 - 14:51:55 CDT
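
The stdin technique discussed in this thread, as an added example that is not part of the original messages: it starts the same child process once with the credential as an argument and once with it fed on stdin through a here-document, then checks what a process listing shows. The `fake_client` stand-in for sqlplus, the function names and the sample credential are assumptions made for the demonstration, and it reads `/proc/<pid>/cmdline` where available, falling back to `ps`.

```shell
#!/bin/sh
# Added example, not from the thread. fake_client stands in for sqlplus and
# SECRET is a constructed sample credential.
SECRET='scott/S3cr3t-constructed'
# The stand-in reads one line from stdin, then idles so it can be inspected.
FAKE_CLIENT='read -r cred; sleep 3; :'

# Print a PID's argument vector as any local user running ps would see it.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Inspect PID $1, stop it, and return 0 if the credential was in its argv.
check_and_stop() {
    sleep 1    # give the child time to exec before reading its argv
    if cmdline_of "$1" | grep -F -q -- "$SECRET"; then rc=0; else rc=1; fi
    kill "$1" 2>/dev/null || true
    wait "$1" 2>/dev/null || true
    return "$rc"
}

# Weak form: the credential is an argument and stays in argv while it runs.
run_argv_style() {
    sh -c "$FAKE_CLIENT" fake_client "$1" </dev/null &
    check_and_stop "$!"
}

# runksh1 form: read the credential from stdin, pass it on in a here-document.
run_stdin_style() {
    read -r userpw
    sh -c "$FAKE_CLIENT" fake_client <<EOF &
$userpw
EOF
    check_and_stop "$!"
}

if run_argv_style "$SECRET"; then echo "argv style: visible in ps"; fi
# printf is a shell builtin here, so the pipeline creates no argv with the value.
if printf '%s\n' "$SECRET" | run_stdin_style; then :; else
    echo "stdin style: not visible in ps"
fi
```

The result depends on `echo` or `printf` being a shell builtin; an external `/bin/echo` would briefly carry the value in its own argv.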
