How to store the passwords securely and use in scripts? Post: 303034104

Sponsored Content

Top Forums Shell Programming and Scripting How to store the passwords securely and use in scripts? Post 303034104 by Neo on Thursday 18th of April 2019 06:19:46 AM

04-18-2019

Administrator

Just to add to this, and to emphasize what others have said:

When we store a user password in the DB, for example a web site DB, that password is the cryptographic hash of the password + a bit of salt. When a user logs in they normally type a plain text password and that password is sent in plaintext across the net, hopefully in a secure SSL channel. At the server side, the plain text password is retrieved by the server side logic and then the cryptographic hash + salt is compared to the same in the DB.

In some cases, the hash (more often than not an "md5()" hash) is stored locally on the client side the hash is sent as a cookie (or a $_POST or $_GET var), for example, so the plaintext password is not required (this is but one scenario).

However, on the server, we assume there is some standard file system security in place.

So, when an application needs to access the DB, normally the password is stored securely in a plain text configuration file. Likewise, we can store the hash instead of the password, but since the hash of the password and the password can both be used to gain access, most "day to day CMS" systems store the plaintext password in a secure file.

Some people hide this file is some obscure location on the server, like in a "hidden" dot file. This kind of security-by-obscurity is not very good, but some think it is better than nothing.

However, this is just a description of basic authentication.

Systems which have a higher risk use more complex (and expensive) methods for authentication.

As Robin mentioned, we need the details of the application and basic system architecture to properly advise; and as I have mentioned, we should know the risk profile of the system, to really help you.

This User Gave Thanks to Neo For This Post:

Neo

View Public Profile for Neo

Visit Neo's homepage!

Find all posts by Neo

8 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

How to pass passwords to bash scripts?

I'm finding the following command very tedious to type in all the time, so I created a one line bash script called mount.bash with the following contents: mount -t cifs //mark/C\$ -o unc=//mark\\C$,ip=10.1.1.33,user=Administrator,password=$1 /mnt/mark I don't like the fact that I have to put...

2. Shell Programming and Scripting

Checking passwords - scripts

Hi Unix experts.... I am in the process checking user and root password of more than 1000 servers manulay. I am very pissed of checking these many servers manualy. Could some one of you help me how can i check the passwords just by runing some scripts..! Need Help Guys..! :confused:

3. Solaris

installing solaris securely

Ok, I am trying to install solaris, but I would like as a lean installation as possible (while still having a shread of functionality). If I chose the minimal install I have little if no utilities to do work on the box. My question is what installation method do most admins take? ...

4. Shell Programming and Scripting

Oracle Passwords in Unix scripts

Hi Most of the shell scripts I am dealing with have to connect to oracle database . The username password is stored in a environment file which sets the variables for username and password . Set user id do not work on AIX so users who will execute these scripts need to have read or execute...

5. Shell Programming and Scripting

SSH - Passing Unix login passwords through shell scripts

Hi All , I need to call a script runscript_B.sh on server A, the runscript_B.sh script locating in server B. The runscript_B.sh in calls another script runscript_A on server A itself. it seend, i need to be connect from Server A to Server B using ssh. I have tryed like this in...

6. UNIX for Advanced & Expert Users

When did UNIX start using encrypted passwords, and not displaying passwords when you type them in?

I've been using various versions of UNIX and Linux since 1993, and I've never run across one that showed your password as you type it in when you log in, or one that stored passwords in plain text rather than encrypted. I'm writing a script for work for a security audit, and two of the...

7. AIX

When did AIX start using /etc/security/passwd instead of /etc/passwd to store encrypted passwords?

Does anyone know when AIX started using /etc/security/passwd instead of /etc/passwd to store encrypted passwords?

8. UNIX for Advanced & Expert Users

Store passwords , accounts, IPs, hostnames

Hi, this question is not specially unix related, but I expect advanced and expert unix users to have a solution for this, and I've found no other subforum that fits ;) what do you use to store accounts, customer ids, ip addresses, users and specially passwords, to access them from...

LEARN ABOUT SUSE

md5crypt

md5crypt(n)						   MD5-based password encryption					       md5crypt(n)

__________________________________________________________________________________________________________________________________________________

NAME

       md5crypt - MD5-based password encryption

SYNOPSIS

       package require Tcl  8.2

       package require md5  2.0

       package require md5crypt  ?1.1.0?

       ::md5crypt::md5crypt password salt

       ::md5crypt::aprcrypt password salt

       ::md5crypt::salt ?length?

_________________________________________________________________

DESCRIPTION

       This  package  provides	an implementation of the MD5-crypt password encryption algorithm as pioneered by FreeBSD and currently in use as a
       replacement for the unix crypt(3) function in many modern systems. An implementation of the closely related Apache MD5-crypt is also avail-
       able.  The output of these commands are compatible with the BSD and OpenSSL implementation of md5crypt and the Apache 2 htpasswd program.

COMMANDS

       ::md5crypt::md5crypt password salt
	      Generate a BSD compatible md5-encoded password hash from the plaintext password and a random salt (see SALT).

       ::md5crypt::aprcrypt password salt
	      Generate an Apache compatible md5-encoded password hash from the plaintext password and a random salt (see SALT).

       ::md5crypt::salt ?length?
	      Generate a random salt string suitable for use with the md5crypt and aprcrypt commands.

SALT

       The salt passed to either of the encryption schemes implemented here is checked to see if it begins with the encryption scheme magic string
       (either "$1$" for MD5-crypt or "$apr1$" for Apache crypt). If so, this is removed. The remaining characters up to the next $ and  up  to  a
       maximum	of  8  characters  are then used as the salt. The salt text should probably be restricted the set of ASCII alphanumeric characters
       plus "./" (dot and forward-slash) - this is to preserve maximum compatability with the unix password file format.

       If a password is being generated rather than checked from a password file then the salt command may be used to generate a random salt.

EXAMPLES

       % md5crypt::md5crypt password 01234567
       $1$01234567$b5lh2mHyD2PdJjFfALlEz1

       % md5crypt::aprcrypt password 01234567
       $apr1$01234567$IXBaQywhAhc0d75ZbaSDp/

       % md5crypt::md5crypt password [md5crypt::salt]
       $1$dFmvyRmO$T.V3OmzqeEf3hqJp2WFcb.

BUGS, IDEAS, FEEDBACK
       This document, and the package it describes, will undoubtedly contain bugs and other problems.  Please report such in the category md5crypt
       of the Tcllib SF Trackers [http://sourceforge.net/tracker/?group_id=12883].  Please also report any ideas for enhancements you may have for
       either package and/or documentation.

SEE ALSO

       md5

KEYWORDS

       hashing, md5, md5crypt, message-digest, security

COPYRIGHT

       Copyright (c) 2003, Pat Thoyts <patthoyts@users.sourceforge.net>

md5crypt							       1.1.0							       md5crypt(n)