There is no easy answer to this one. If you store the password where the script can find it, anyone with the same rights as the script can do the same.

If you have a more secure environment nearby (i.e. root account while script runs as user), you might put the secure part into the root account and leave the user script without knowledge of the password. I.e. a root suid script does the authentication. It also logs the call and alerts everyone if it gets called too often, from the wrong script, at the wrong times.

If your script can read the password, anyone who can run your script can read the password. If you stick a key in your script, anyone who can read your script can read the key. The script has to be able to locate the file, so anyone who can read the script can read the file's path, so hiding it just makes it harder for you to remember where you stuck it.

Assuming a Linux context, the best way IMHO would be to configure sudo to allow root privalege w/o a password on that script, and then make the password file root-only rw (600, let's say). This will save you by leveraging the security model already in place. If someone has rooted your machine, then nothing on there is secret anymore. See Stack Overflow.

I should have mentioned that this is a web server (CGI code) that we are trying to keep secure. Running as root is not an option.

TechFly,

I did something like this for a web-site that uses 'http' and not 'https'. The site required the user to login before seeing his information. The purpose was to prevent malicious updating of user information by hackers, and the site did not hold any sensitive information. The solution was to develop a mathematical Perl algorithm on the server side, and a javascript generated mathematical response from the PC.

The 'cgi-bin' Perl script would send a 'login' screen with dynamically generated tokens that when the person typed the password, javascript would change the tokens to a new set that was sent to the server. Perl on the server would process the new tokens and use the server side 'password' and if they matched correctly, then the user was logged in. The tokens never repeated, and were generated so that they had to be used within 1 minute. If this is what you need, I'll find the code and post it.

For our purposes this was safe enough!

Regards...Ed

I suggest that you look closely at the authentication methods that are available to these external servers.   For example, many database systems allow for authentication by means of LDAP (OpenDirectory), or more generally through pluggable authentication modules.   In short, you want the target server to recognize the authenticity of the requestor, not only by means of some magic-word or cookie that has been correctly supplied, but by who he is, or perhaps where.   If you embed a password into an application such that anyone anywhere who has access to the server can present that password and be allowed inside the gate, then the entire security of the system devolves to the protection that may be afforded to that magic cookie ... which protection must be presumed to be zero.

Re: Update ...   No, it does not complicate anything that “the scripts are CGI code on a website.”   That is assumed.   The CGI servers are the ones who are recognized by the web server as being “authenticated” and then “authorized” to do certain (specific!) things, and, provided that only they are permitted to use the credential, all is well.   Furthermore, the scripts must be stored in such a way that the source-code form cannot be obtained in any way ... or by any other user of those same computer systems.   (Many shared-hosted sites are simply compromised by neighbors, as all of them are in the ftpusers group.)

You should also use firewalls to prevent access to the database servers et al from “outside.”

Use every means possible to ensure that the authentication tokens, even if obtained by a thief, cannot be employed by that thief.

Also note that there is nothing particularly Perl-specific about this discussion ... any other-language site on web site hardening would be equally apropos, and should be reviewed.