I work in an environment where we have a Oracle DB Server on a AIX box. There are several batch scripts that load and execute on the database. The DBA wants to periodically change the password. Ideally I would like to have one common place to maintain the database as it is changed. I was thinking the .profile, however I would like do do something more secure and less obvious. Does anyone have any suggestions on how to securely store a password to be used in shell scripts?
Of course, the first recommendation is not to keep passwords in files. Having said that, one way I've seen used is to store the password in an executable script that accepts a parameter. Put the script somewhere down a tree, name it something non-descript and make it only readable/executable by the db user and put it in a directory only accessible by that user. Use a case statment to return the password based on the input of the database name. Also, check to see if it is an automated process (scheduler, cron, etc) that is executing it, and if not, send the login user's name to the logger facitility.
case $1 in
db1)
echo mypass;;
db2)
echo myotherpass;
esac
user check and log statement...
At our company we store the password in an encrypted file, available only through an internally developed utility. This utility will only export the password (and other connect information) to the environment if it doesn't have a TTY connected, which is only the case when started through cron (or something similar)