Secure username and password in script

Discussion in 'Programming/Scripts' started by ConFrader, Jun 10, 2021.

  1. ConFrader

    ConFrader New Member

    What would be the proper way to secure a shell script so the username and password are not viewable as plain text? Currently, I am securing permissions to the script folder:

    chown root /usr/local/bin/maintenance.sh
    chmod 700 /usr/local/bin/maintenance.sh

    I do not think administrator-level credentials should ever be stored in plain text. Any help would be appreciated.
     
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    What sort of threats do you have in mind that you are protecting against? I've stored passwords on a mandos server and it protects against a lot of them, at the expense of requiring an external server and network connectivity when the password is needed.
     
  3. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess it depends on what the script is doing and if it's run automatically. If this script is just doing things locally but it needs e.g. a MySQL root password and it is run automatically by a cronjob, then setting user to root and chmod 600 should be fine. The simple reason is that if someone is root and can read that file, he can change any local password anyway, so there is no security benefit in encoding the password. If the script is not run automatically by a cronjob, then encrypting the password can be a security benefit though if the script then interactively asks the admin to enter a second password to decrypt the root credentials. Or if you want to obfuscate passwords so that someone you might show the script does not see it at first glance, but that's more or less security by obscurity, so it does not add any real security.
     
  5. ConFrader

    ConFrader New Member

    "What sort of threats do you have in mind that you are protecting against?"
    I want to prevent the identity theft of administrator-level credentials if a thumb drive or laptop is lost or stolen. My short-term goal is to remove all administrator-level credentials from plain text files, including shell scripts. The previous security scheme depended solely on access control by restricting directory permissions, and security was not something I considered until I backed up my scripts on a USB thumb drive for offsite transport and noticed the administrator-level password in plain text within the script.
    My long-term goal is to get in the habit of securing usernames/passwords for future scripts.

    "there's several methods described here...."
    I did not see this web page when I was searching online for methods to secure a password. The source method I think will work for my purposes.

    "obfuscate passwords so that someone you might show the script does not see it at first glance,"
    This was my original thought to secure the password, especially if it is not in a permissions restricted folder. I think setting a separate password file as described in the link provided by nhybgtvfr then invoking the password file within the shell script using the "source" command will prevent the password from being seen.

    Thank you all! :)
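    As an added example (not code from any poster in this thread), the two approaches discussed above, till's point in #4 that a script an admin runs by hand can keep its credentials encrypted and ask for a second passphrase at run time, and the separate sourced password file ConFrader settles on in #5, can be written in POSIX shell like this. The paths /etc/maintenance/db.conf and db.conf.enc, the variable names DB_USER/DB_PASS, and the use of openssl enc with -pbkdf2 (OpenSSL 1.1.1 or later) are assumptions of this example, not anything from the thread. The extra check that the sourced file is a regular file, owned by the running user and mode 600/400, is what makes the "source" approach safer than a plain chmod: the script refuses to run at all if someone later loosens the permissions or swaps in a symlink.

```shell
#!/bin/sh
# Added example, not from any post in this thread. Paths, variable names
# and the openssl-based encryption scheme are assumptions.

# Return 0 only if FILE is a regular (non-symlink) file owned by the
# current user with no group/other permission bits (mode 600 or 400).
credfile_is_private() {
    f=$1
    [ -L "$f" ] && return 1          # refuse symlinks: ls -ld would describe the link
    [ -f "$f" ] || return 1
    listing=$(ls -ld "$f") || return 1
    perms=$(printf '%s\n' "$listing" | cut -c5-10)      # group + other bits
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    [ "$perms" = "------" ] || return 1
    # accept the owner as a name or, where the uid has no passwd entry, as a number
    [ "$owner" = "$(id -un 2>/dev/null)" ] || [ "$owner" = "$(id -u)" ] || return 1
    return 0
}

# Approach from post #5: keep DB_USER/DB_PASS in a separate file and source it,
# but only after the file passes the checks above. Returns 1 (and sets nothing)
# if the file is missing, too open, or does not define both variables.
load_credentials() {
    f=${1:-/etc/maintenance/db.conf}     # assumed location
    if ! credfile_is_private "$f"; then
        echo "refusing to load $f: needs to be a regular file owned by you, mode 600" >&2
        return 1
    fi
    # shellcheck disable=SC1090
    . "$f"
    if [ -z "${DB_USER:-}" ] || [ -z "${DB_PASS:-}" ]; then
        echo "$f did not define DB_USER and DB_PASS" >&2
        return 1
    fi
    return 0
}

# Approach from post #4: for a script an admin runs by hand, the credentials
# file is stored encrypted and decrypted with a passphrase typed at run time.
# The encrypted file is created once with:
#   openssl enc -aes-256-cbc -pbkdf2 -salt -in db.conf -out db.conf.enc
# Needs a terminal (openssl prompts for the passphrase) and OpenSSL >= 1.1.1.
load_encrypted_credentials() {
    f=${1:-/etc/maintenance/db.conf.enc}  # assumed location
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    plain=$(openssl enc -d -aes-256-cbc -pbkdf2 -in "$f") || return 1
    eval "$plain"            # same effect as sourcing the decrypted file
    unset plain
    [ -n "${DB_USER:-}" ] && [ -n "${DB_PASS:-}" ]
}

# Demo with a constructed credentials file in a temp dir: sh maintenance.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf 'DB_USER=maint\nDB_PASS=example-only\n' > "$tmp/db.conf"
    chmod 644 "$tmp/db.conf"
    load_credentials "$tmp/db.conf" || echo "644 file rejected, as intended"
    chmod 600 "$tmp/db.conf"
    load_credentials "$tmp/db.conf" && echo "600 file accepted; DB_USER=$DB_USER"
    rm -rf "$tmp"
fi
```

    Usage: the cron-driven script calls load_credentials at the top and exits if it fails; the hand-run variant calls load_encrypted_credentials instead. Neither helper prints the secret, and the decrypted text is only ever held in a shell variable that is unset right after eval. As till notes in #4, none of this protects against someone who is already root on the box; what it does protect is the copy of the script that ends up on a backup stick or a laptop, which was the concern in #5.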
     
  6. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Use device encryption, both for the USB and all disks in laptops (and all workstations and servers, for that matter). That solves your concern outright, and you can use any additional measures you like to protect against other threats.
     
