Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> RE: How to encrypt shell scripts on Unix

RE: How to encrypt shell scripts on Unix

From: Hameed, Amir <>
Date: Thu, 12 Oct 2006 15:51:55 -0400
Message-ID: <>

In Oracle 11i Applications, there are services (application server, forms server, concurrent manager, etc.) that are started on different tiers using Oracle's supplied standard scripts. Each of those scripts require that a username/passwd be supplied to start those services. This is where I need help. All our DBA accounts are external and we do not store passwords in any script, with the exception of those that are used to call Oracle's standard scripts.  



	From: Mark W. Farnham [] 
	Sent: Thursday, October 12, 2006 3:41 PM
	To:; Hameed, Amir
	Subject: RE: How to encrypt shell scripts on Unix

	a)       Jared and Mark Bobak are right on target, use a
password server strategy or ops$, but do not embed passwords all over the place.

        b) Even when using a password server, do something like:          

#! /bin/ksh

# Copyright (C) 1994 Rightsizing, Inc.


# Used by permission, All Rights Reserved


# runksh1 -- Run a sqlplus script as user/pw

# file without showing the password in ps.


# Usage: echo "user/pw" | ksh runksh1 scriptname

        read userpw


        shift 1


        sqlplus << INPUT01


        start $scriptname $parameters


        INPUT01                   This will vary a bit by which shell(s) you use, but this makes it very difficult (impossible? Unless you're so powerful on the machine anyway that nothing is going to stop you anyway) to see the passwords anywhere after the password server coughs them up. Note that this is different from passing an argument to the shell, which will persist. Using echo makes the value ephemeral as the first job in the pipeline is gone very quickly. Of course the original purpose of this shell can also served by encrypting or overwriting the ps args, but doing it this way works whether that is done or not.          



        Oh, and that's my copyright so all y'all can use it freely, yas just can't turn around and copyright it so I can't use it...                   

[] On Behalf Of Jared Still

	Sent: Thursday, October 12, 2006 2:24 PM
	Subject: Re: How to encrypt shell scripts on Unix


	On 10/11/06, Hameed, Amir <> wrote:

		Hi folks,
		I am interested in knowing if anyone has successfully
encrypt their
		shell scripts (particularly on Solaris) that contained
		information (passwords, etc..) and how did they do it. I
am trying to 
		use the "shc" utility which is supposed to do the job
but it is not
		working and keeps giving errors.
		Any feedback will be appreciated.


	You may want to consider an alternative:  do not put sensitive 
	information (like passwords) into shell scripts.
	Use some type of password server to supply passwords to
	the script at runtime.  
	Benefits are twofold:  
	1) no passwords in your scripts.
	2) when passwords change, no modifications to the script are
	Jared Still
	Certifiable Oracle DBA and Part Time Perl Evangelist

Received on Thu Oct 12 2006 - 14:51:55 CDT

Original text of this message