在Shell/Perl脚本中保存密码的最佳做法? [英] Best practices for holding passwords in shell / Perl scripts?
问题描述
我最近不得不利用Perl和Shell脚本技巧来帮助一些同事.有问题的同事的任务是从具有大型Oracle数据库后端的内部应用程序中提供一些报告,而他们根本不具备执行此操作的技能.尽管有些人可能会问我是否也具备这些技能(咧嘴笑),但显然有足够多的人认为我这样做意味着我不能感到疲倦.
I've recently had to dust off my Perl and shell script skills to help out some colleagues. The colleagues in question have been tasked with providing some reports from an internal application with a large Oracle database backend, and they simply don't have the skills to do this. While some might question whether I have those skills either (grin), apparently enough people think I do to mean I can't weasel out of it.
所以我的问题-为了从数据库中提取报告,我的脚本显然必须连接并运行查询.到目前为止,我还没有想出一个好的解决方案来存储数据库的用户名和密码,因此当前在脚本中将其以纯文本格式存储.
So to my question - in order to extract the reports from the database, my script is obviously having to connect and run queries. I haven't thus far managed to come up with a good solution for where to store the username and password for the database so it is currently being stored as plaintext in the script.
是否有其他人已经写过的好的解决方案,也许是作为CPAN模块?还是还有其他更好的方法-例如将用户名/密码组合保存在一个完全独立的文件中,该文件隐藏在文件系统上的其他位置?还是我应该对其进行简单加密,以免它们被系统级grep从我的脚本中删除?
Is there a good solution for this that someone else has already written, perhaps as a CPAN module? Or is there something else that's better to do - like keep the user / password combo in a completely separate file that's hidden away somewhere else on the filesystem? Or should I be keeping them trivially encrypted to just avoid them being pulled out of my scripts with a system-wide grep?
Oracle数据库位于HP-UX服务器上.
应用程序服务器(运行shell脚本)是Solaris.
只能将脚本设置为仅由我自己拥有,它们必须由多个支持人员可以访问的服务帐户拥有.
这些脚本旨在作为cron作业运行.
我很想使用公钥身份验证,但是我不知道使它与Oracle一起使用的方法-如果有这样的方法-启发我!
The Oracle database sits on an HP-UX server.
The Application server (running the shell scripts) is Solaris.
Setting the scripts to be owned by just me is a no-go, they have to be owned by a service account that multiple support personnel have access to.
The scripts are intended to be run as cron jobs.
I'd love to go with public-key authentication, but am unaware of methods to make that work with Oracle - if there is such a method - enlighten me!
推荐答案
最佳实践,恕我直言,不要在shell/Perl脚本中保存任何密码.这就是公钥认证的目的.
Best practice, IMHO, would be to NOT hold any passwords in a shell / Perl script. That is what public key authentication is for.
这篇关于在Shell/Perl脚本中保存密码的最佳做法?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
