Encrypt DB password in Script


 
# 1  
Old 07-31-2012

Hi,

I have a SQL which I want to run through a shell script.
Code:
query_result=`/home/oracle/product/11.2.0/bin/sqlplus -S uname/pwd@DBNAME <<!
set heading off feedback off trimspool on 
set pagesize 0
set linesize 9999
spool $PARAM_PATH/param_name.txt;
Select sysdate from dual;
spool off;
exit
!`
echo $query_result

I do not want the password to be visible.
So I gathered some information on the way to do this.
The most common way was to have the SQL in a file and run the .sql file in a script and have only required permissions on it. Like below
Code:
sqlplus -S system/manager @my_sql_script.sql

But even here system/manager is the uname and pwd.
So how to avoid the pwd being visible?

Thanks,
Chetan.C
# 2  
Old 07-31-2012
Hi, you may define the username and password in a profile and make it restricted.
Then you may use the variables against the username/password.

But I am sure that others on this portal may come up with great ideas.
An intelligent guy at your site may try to echo the variable values.
# 3  
Old 07-31-2012
Obscuring it isn't much help. You have to be able to retrieve it, and anything you can retrieve, so can anyone else.

Putting it in variables won't help, it'll still be visible in ps.
# 4  
Old 08-01-2012
@chetan.c: When you say visible, do you mean in ps output or defined in the script?
You can invoke sqlplus without logging in but calling a .sql-commandfile and use the SQL*Plus connect command to log in to your database. This way username and password do not show up in ps and are not visible in your main script.
Calling script:
Code:
...
$ORACLE_HOME/bin/sqlplus -s /nolog @/path/to/your/commandfile.sql $PARAM_PATH
...

commandfile.sql:
Code:
connect username/password
set heading off feedback off trimspool on 
set pagesize 0
set linesize 9999
spool &1/param_name.txt;
Select sysdate from dual;
spool off;
exit

Another way to hide login-information from ps-output is to use coprocesses (ksh or bash >= 4.0) or pipes. Here the implementation is a bit more tricky and depends on the shell you use.
# 5  
Old 08-01-2012
Thanks Ashish/Corona688.

@cero:
Actually I want the best practice to secure the password.
So I should be setting appropriate permissions on the command file, right?


Thanks,
Chetan.C
# 6  
Old 08-01-2012
The commandfile has to be readable, so appropriate permissions will not keep the passwords completely hidden. Actually I do not think there is a way to secure the password that anyone who is able to read and understand your script cannot revert.
An alternative would be to use SSL authentication instead of a password.
# 7  
Old 08-01-2012
Quote:
Originally Posted by chetan.c
Thanks Ashish/Corona688.

@cero:
Actually I want the best practice to secure the password.
"Best practices" for retrievably-stored passwords is to not do that, at all, ever. Most sane login systems refuse to use stored passwords, and some even provide safer alternative methods (like ssh keys).

If it's unavoidable, keep it in a file that's only readable by the application you need, then pass the password into the relevant application with pipes so they can't be snooped on ps.

Last edited by Corona688; 08-01-2012 at 12:31 PM..
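
The approach cero and Corona688 describe (start sqlplus with /nolog, keep the credential in an owner-only file, feed the connect line through a pipe), as an added example that is not from any poster in this thread. The credential file with its one-line `user/password@DB` format, the `SQLPLUS` variable and both function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed: the credential file holds
# one line "user/password@DB"; SQLPLUS names the client binary to run.
SQLPLUS=${SQLPLUS:-sqlplus}

# Succeed only for a regular, non-symlink file that we own and that carries
# no group/other permission bits. A trailing "+" in the ls mode string means
# an ACL is present, which could grant access to others, so it is rejected.
cred_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    ls -ln "$1" | {
        read -r perms _links uid _rest
        case $perms in
            -rw-------|-r--------|-rw-------.|-r--------.)
                [ "$uid" = "$(id -u)" ] ;;
            *)
                false ;;
        esac
    }
}

# run_query <credfile> <sql>
# The credential is read with the read builtin and written with the printf
# builtin, so it never appears in any process's argument list; ps shows
# only "sqlplus -S /nolog".
run_query() {
    cred_file_ok "$1" || {
        echo "refusing $1: must be an owner-only regular file" >&2
        return 1
    }
    IFS= read -r cred < "$1" || [ -n "$cred" ] || return 1
    {
        printf 'connect %s\n' "$cred"
        printf '%s\n' 'set heading off feedback off pagesize 0' "$2" 'exit'
    } | "$SQLPLUS" -S /nolog
    status=$?
    unset cred
    return "$status"
}

# Usage (constructed path): run_query "$HOME/.db_cred" 'select sysdate from dual;'
```

This keeps the password out of ps and out of the main script, but, as noted above, anyone who can read the credential file as its owner can still recover it.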