模糊处理在bash存储的密码 [英] Obfuscating stored passwords in bash
问题描述
我有一个bash脚本,我需要写我的密码来运行程序。其他人可以看到它。有没有写一个不太明显的方式密码的方法吗?即使他能在bash做同样的命令,并获取了密码,他不能在文本阅读。
I have a bash script that I need to write my password to run a program. Other people can see it. Are there a way to write the password in a not too obvious way? Even if he can do the same command in bash and get the password, he can't read it in text.
今天,我这样做:
PASSWORD="1234567"
program --pass=$PASSWORD
我想这样做。
PASSWORD="10101001001010010101010100101" #binary or other code
NEW_PASS=`decrypt $PASSWORD`
program --pass=$NEW_PASS
任何想法?
推荐答案
什么你问的不仅是邪恶的 - 它只是简单的将无法正常工作的
What you're asking for is not only evil -- it simply won't work.
所有的用户需要做的,看看你的密码是运行的bash -x your_script ,输出将包括
All a user has to do to see your password is to run bash -x your_script and the output will include
+program '--pass=decrypted-password-here'
...无论多么有效的混淆可能是。
...no matter how effective the obfuscation might have been.
什么是你想打电话,需要一个密码,实际的程序?你可以隐藏一个setuid包装背后的密码,这样,包装可以读取密码文件,即使谁运行它不能用户?你(借用DigitalRoss的建议)可以设置有存储的密码(或更好,证书或密钥对)的副本的用户帐户,其配置只能够运行脚本,没有别的了SSH,并给予应该是谁能够运行该脚本的权限,以SSH作为该用户(或sudo给该用户只单一的命令,或等等)的用户?
What's the actual program you're trying to call that needs a password? Can you hide your password behind a setuid wrapper, such that the wrapper can read the password file even if the user who runs it can't? Can you (borrowing DigitalRoss's suggestion) set up a user account which has a copy of the stored password (or, better, a certificate or keypair), configure it only to be able to run your script and nothing else over SSH, and give the users who should be able to run the script permissions to SSH as that user (or sudo to that user for only the single command, or so forth)?
等
在短:瞄准真正的安全,而不是混淆
In short: Aim for real security, not obfuscation.
现在,如果你的没有的希望迷惑 - 传统的做法是ROT-16:
Now, if you did want obfuscation -- the traditional approach is ROT-16:
obfuscated_password="qrpelcgrq-cnffjbeq-urer"
real_password="$(tr a-zA-Z n-za-mN-ZA-M <<<"$obfuscated_password")"
...但如果这是你真正关心任何,不要混淆一个密码 - 用上面给出的方法之一,以避免用户可读的方式存储的密码在所有
...but if it's a password you actually care about whatsoever, don't obfuscate -- use one of the approaches given above to avoid storing a password in a user-readable manner at all.
这篇关于模糊处理在bash存储的密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
