plaintext password in scripts run through cron

by krusty (Hermit)
on Oct 17, 2003 at 11:43 UTC
krusty has asked for the wisdom of the Perl Monks concerning the following question:

I have a number of perl scripts run through cron to connect to my oracle database and about 50 systems I ssh into for administrative tasks. I'd like to not store the passwords in plaintext anywhere on disk, and because they must be run automatically, I am not sure I could encrypt it and decrypt at the appropriate moment without storing some plaintext password somewhere.

I can't be the only one with this problem. Any ideas on how to resolve the issue?

Thanks!
KLN

Re: plaintext password in scripts run through cron
by ptkdb (Monk) on Oct 17, 2003 at 12:12 UTC
    It is possible to configure ssh for 'auto-login' through public keys. However, the configuration can be a headache the first time through. Especially since the standard can vary widely between various vendor ssh's and openssh and ssh and ssh2. Also, older versions of SSH were VULNERABLE to certain worm attacks.

    SSH has a variety of configuration options that let you login through the use of generated keys. Consult the man pages on ssh and ssh-keygen. What you do is generate an RSA or DSA key for your system and put the identity.pub (public version of the key) into the .ssh/authorized_keys file on the systems that you want to login to remotely without a password and set your .ssh/config file to accept a key instead of a password.

    Good book on the subject: SSH, the Secure Shell

    Web Reference for SourceForge's SSH system: Guide To Generating and Posting SSH Keys

    Do this with CAUTION. It leaves cleartext off of your system of course, but if someone were to appropriate the identity files it could leave your target systems vulnerable.

    One thing you could do is to replace the private identity key in your home system with a symlink to /mnt/floppy or /mnt/cdrom and keep the files there and only insert them when you get to work. I'm not sure that will work though, I've never done it myself, having just thought of it now, but I'm dying to try it. :)

    My own .ssh/config files at home are setup in this way for a couple of systems, and I'll see if I can't put a more detailed write up here later.

    update:

    This is a very handy technique for CVS systems that are accessed through ssh, spares you a lot of entering/re-entering passwords. Setting this up and using PCL-CVS under emacs actually makes CVS almost fun to use.

    Confession:

    I tried to put the <blink> tag around 'vulnerable'.
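    The steps ptkdb describes end with a cron job that calls ssh using the generated key. The script below is an added example, not code from the thread: it runs one administrative command on a list of hosts from cron, refuses to use a private key that anyone but its owner can read, and tells ssh never to prompt. The key path, host names and command are hypothetical, and it assumes OpenSSH's ssh client with the public half of the key already placed in each host's .ssh/authorized_keys.

```perl
#!/usr/bin/perl
# Added example (not from the thread): run an administrative command on a
# list of hosts from cron using SSH key authentication instead of a password.
# Assumes OpenSSH's ssh client and a key whose public half is already in
# ~/.ssh/authorized_keys on every host listed below.
use strict;
use warnings;

# Hypothetical values; adjust for your environment.
my $identity = "$ENV{HOME}/.ssh/id_rsa_cron";   # private key used only by cron jobs
my @hosts    = qw(host1.example.com host2.example.com);
my $command  = 'df -h /';

# Refuse to use a private key that anyone but its owner can read. OpenSSH
# itself rejects group- or world-readable keys, but checking first gives a
# clearer message in the cron mail than "Permissions ... are too open".
sub key_is_private {
    my ($path) = @_;
    my @st = stat $path or return 0;
    my $mode = $st[2] & 07777;
    return 0 if $st[4] != $<;        # must be owned by the user running the job
    return 0 if $mode & 0077;        # no group or other permission bits at all
    return 1;
}

die "refusing to run: $identity is missing or is readable by others\n"
    unless key_is_private($identity);

for my $host (@hosts) {
    # BatchMode=yes makes ssh fail immediately instead of hanging forever on a
    # password or passphrase prompt, which is what you want under cron.
    # The list form of open avoids passing anything through a shell.
    my @cmd = ('ssh',
        '-i', $identity,
        '-o', 'BatchMode=yes',
        '-o', 'ConnectTimeout=15',
        $host, $command);
    open(my $fh, '-|', @cmd) or do { warn "$host: cannot run ssh: $!\n"; next };
    my @lines = <$fh>;
    close $fh;                       # sets $? to the child's exit status
    my $status = $? >> 8;
    if ($status == 0) {
        print "$host: ok\n", @lines;
    } else {
        warn "$host: ssh exited with status $status\n", @lines;
    }
}
```

    This addresses ptkdb's caution about appropriated identity files only partly: the key is still usable by anyone who copies it. Two standard OpenSSH measures narrow what a stolen key can do, and both are configured on the target host, not in the script: prefix the key's line in authorized_keys with `command="..."` so that the key can run only that one command, and with `from="..."` so that it is accepted only from the cron host's address.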

Re: plaintext password in scripts run through cron
by BazB (Priest) on Oct 17, 2003 at 12:28 UTC

    ptkdb covers the SSH side of things well.

    As for any database passwords, I'd be inclined to simply store passwords in a file that is readable only by the user running the script.
    Parse, do or otherwise include that file as required.

    If that requires a new user and/or group just for running automated commands, so be it.

    Cheers,

    BazB


    If the information in this post is inaccurate, or just plain wrong, don't just downvote - please post explaining what's wrong.
    That way everyone learns.
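    BazB's approach depends entirely on the file staying readable by one user, so the script that consumes it should check that before it trusts the contents. The example below is added here and is not BazB's code: it reads an Oracle password from a file, but only after confirming that the opened file is a regular file owned by the running user with no group or world permission bits, and then connects with DBI. The file path, the DSN and the database user name are hypothetical.

```perl
#!/usr/bin/perl
# Added example (not BazB's code): read a database password from a file that
# only the cron user may read, refusing to continue if the file is shared.
use strict;
use warnings;
use DBI;   # assumes DBI and DBD::Oracle are installed

# Hypothetical path and connection details.
my $pwfile = "$ENV{HOME}/.oracle_cron_pw";
my $dsn    = 'dbi:Oracle:ORCL';
my $dbuser = 'cronuser';

# Open first, then inspect the handle: checking the file that was actually
# opened avoids a check-then-open race on the path.
sub read_secret {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    my @st = stat $fh or die "cannot stat $path: $!\n";
    die "$path is not a regular file\n" unless -f _;
    die "$path is not owned by uid $<\n" if $st[4] != $<;
    my $mode = $st[2] & 07777;
    die sprintf("%s has mode %04o; it must be 0600 or stricter\n", $path, $mode)
        if $mode & 0077;
    my $secret = <$fh>;
    close $fh;
    die "$path is empty\n" unless defined $secret;
    chomp $secret;
    return $secret;
}

my $password = read_secret($pwfile);

# Never put the password itself in a die/warn message: cron mails the output.
my $dbh = DBI->connect($dsn, $dbuser, $password, { PrintError => 0 })
    or die "connect to $dsn as $dbuser failed: $DBI::errstr\n";

# Perl does not scrub memory, so this only shortens the variable's lifetime;
# it is still cheap to do once the handle is open.
undef $password;

my ($now) = $dbh->selectrow_array('SELECT SYSDATE FROM DUAL');
print "connected; database time is $now\n";
$dbh->disconnect;
```

    Create the file with `umask 077` in effect (or `chmod 600` it immediately afterwards) and keep it outside any directory that is shared, backed up to a world-readable location, or checked into version control; the check in `read_secret` catches the first mistake but not the others.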

Re: plaintext password in scripts run through cron
by robobunny (Friar) on Oct 17, 2003 at 13:12 UTC
    Just to supply a paranoid alternative...you could always write yourself a small daemon that kicks off the scripts for you instead of cron (and have it parse a cron-style file). When you start up your daemon, have it prompt for the necessary passwords, or set them as environment variables. That way you don't have to store the passwords at all, but you will have to make sure you remember to restart the daemon manually if the machine gets rebooted. Since you have so many systems, I assume you're already running some kind of monitoring software, so you could have it alert you if the daemon isn't running.

      Just a tip when storing passwords in a daemon. On most platforms putting it in the environment isn't any safer than putting it in a file on disk (if you are on a linux box, try 'cat /proc/$$/environ').


      We're not surrounded, we're in a target-rich environment!
        Well that's unfortunate. I guess you're better off avoiding environment variables for that sort of thing then, although Solaris and Tru64 don't supply that info in /proc. I don't know about other OS's.
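    The follow-ups point out that a daemon which keeps the password in its environment has not gained much, since on Linux `/proc/<pid>/environ` exposes it. The example below is added here and is not robobunny's code: a minimal scheduler in the spirit of the post that prompts for the password once at startup with echo turned off, detaches from the terminal, and hands the secret to each job through a pipe on the job's standard input rather than through the environment or the argument list. The job path, log path and interval are hypothetical; it assumes a Unix-like system with `stty(1)`.

```perl
#!/usr/bin/perl
# Added example (not robobunny's code): a tiny scheduler that asks for the
# password once, then passes it to each job over a pipe on the job's STDIN.
# The secret is never written to disk, never exported to the environment
# (readable through /proc/<pid>/environ on Linux) and never put on a
# command line (visible in ps).
use strict;
use warnings;
use POSIX qw(setsid);

my $interval = 3600;                        # seconds between runs (hypothetical)
my $logfile  = "$ENV{HOME}/pwdaemon.log";   # hypothetical log path
my @jobs     = ('/usr/local/bin/check_db.pl');  # hypothetical job; reads the
                                                # password from its STDIN

# Read the password from the terminal with echo turned off. Uses stty(1)
# rather than a CPAN module so it works with a plain core Perl.
sub prompt_secret {
    my ($prompt) = @_;
    print STDERR $prompt;
    system('stty', '-echo') == 0 or die "cannot disable terminal echo\n";
    my $secret = <STDIN>;
    system('stty', 'echo');
    print STDERR "\n";
    die "no password read\n" unless defined $secret;
    chomp $secret;
    return $secret;
}

# Start one job with its STDIN connected to a pipe, write the secret, and
# close the pipe so the job sees end-of-file after the one line.
sub run_job {
    my ($secret, @cmd) = @_;
    open(my $child, '|-', @cmd) or do { warn "cannot start @cmd: $!\n"; return 0 };
    print {$child} "$secret\n";
    close $child;                   # waits for the child; $? holds its status
    my $status = $? >> 8;
    warn "@cmd exited with status $status\n" if $status;
    return $status == 0;
}

my $secret = prompt_secret('Database password: ');

# Detach from the terminal only after the prompt has been answered.
defined(my $pid = fork) or die "fork failed: $!\n";
exit 0 if $pid;                     # parent returns control to the shell
setsid() or die "setsid failed: $!\n";
open STDIN,  '<',  '/dev/null' or die "cannot reopen STDIN: $!\n";
open STDOUT, '>>', $logfile    or die "cannot open $logfile: $!\n";
open STDERR, '>&', \*STDOUT    or die "cannot redirect STDERR: $!\n";

while (1) {
    run_job($secret, $_) for @jobs;
    sleep $interval;
}
```

    A job written for this scheduler reads the secret with `my $pw = <STDIN>; chomp $pw;` and nothing else changes. Two caveats that the thread's own reasoning implies: the password still lives in the daemon's memory, so anyone who can attach a debugger to that process, read its core dump or inspect swap can recover it; and, as robobunny notes, a reboot means the daemon must be restarted by hand, which is exactly why a monitoring check for the daemon is part of the design rather than an afterthought.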
Re: plaintext password in scripts run through cron
by zengargoyle (Deacon) on Oct 17, 2003 at 20:43 UTC

    This is my favorite SSH key usage introduction. Worth the free registration (and no spam yet). It's from the IBM developerWorks pages (and written by the Gentoo guy).

    There are three parts covering setting up your keys and using key-agent.

    Eventually you pretty much have to trust the filesystem, or you require a human being to type in the password and trust the human...

    I use Kerberos for my database authn and authz, but still anybody who can manage to read the /etc/krb5cc_0 cache could gain access... but it does keep simple plaintext passwords out of the files.
