String encryption and decryption

Hello All,

There are so many questions on this and I didn't find any concluded answer.

I want to encrypt a string in the script, actually this is a password. I tried using openssl (I am a newbie to openssl), but it is generating a long one which we can't remember.

I want to encrypt the password and want to share it, so users can use that and my script needs to decrypt when the users enter it.

Any solutions where I can generate small passwords (or of equal length to the original)?

Thanks!

AIX 5.3

First off, putting passwords in scripts is a VERY BAD idea. It doesn't matter if they are encrypted or not, because having the password in clear text for all to read is just a small part of the problem. The bigger problem is that passwords are likely to change over time and you will have to change the script (and probably several scripts, if you employ that mechanism more often) every time. Chances are you forget one of these scripts and this will only surface in the moment you need it least.

Another thing is that, regardless of how you encrypt the password, all the tools necessary to decrypt it are on the system already; therefore, it doesn't matter if you put it there in clear text or encrypted. Suppose your password is encrypted with the /some/encryption utility and will be decrypted with the /some/decryption utility. You encrypt the password, get some value and now have a line in your script looking like

/do/something -pw=$(/some/decryption <encrypted-PW>)

If I want to know the password and only have your script, what would prevent me from taking the encrypted value from your script and issuing

/some/decryption <encrypted-PW>

at the command line to get the unencrypted password myself?

If you do the decryption on the remote machine the problem stays the same: I will send the encrypted version and the remote system will decrypt it itself, so that the encrypted form of the password becomes the effective PW.

So, after this lengthy explanation of why this will not work in any way, what will work?

Let us first rephrase the requirement: Something should be done at remote system X as user X. User A on the local system should initiate that using a script.

Now create a user B at your local system. Establish a line of trust between this user B and user X at the remote host by exchanging ssh-keys. User B (local) can now log on as user X (remote) without any password.

Now give the ownership of your script to this user B (local) and make it executable only for this user. User B would now be able to run this script and do the remote part without any password through the SSH mechanism.

Now set up a sudo permission for user A (local) to run the script as user B (local). This way user A is not required to know the password for either user B or the remote system. He will still not be able to do anything other than run this script (sudo will prevent that).

Disable logging in for user B (local) so that nobody can misuse the line of trust established between user B (local) and user X (remote).

I hope this helps.

bakunin

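The five steps above, turned into a reviewable setup script. This is an added example, not code from bakunin's post or from the forum: every user name, host name and path is an assumption, the commands are the GNU/Linux shadow-utils and sudoers.d forms (AIX uses mkuser/chuser instead), and by default the script only prints the root-side commands so they can be checked before anything is run.

```shell
#!/bin/sh
# Added example (not from the thread). Generates the delegation setup:
#   - user B (SVC_USER) owns the job script and holds the SSH key trusted by
#     user X (REMOTE_USER) on REMOTE_HOST
#   - the job script is executable only by B (mode 0500)
#   - a sudo rule lets user A (LOCAL_USER) run exactly that script as B
#   - B's password is locked so nobody can log in as B directly
# All names, hosts and paths below are assumptions; override them via the
# environment. Nothing is executed unless APPLY=1 and the caller is root.

LOCAL_USER=${LOCAL_USER:-alice}                     # user A: starts the job
SVC_USER=${SVC_USER:-svc_remote}                    # user B: owns script and key
REMOTE_USER=${REMOTE_USER:-appuser}                 # user X on the remote host
REMOTE_HOST=${REMOTE_HOST:-remote.example.com}      # assumed host name
JOB_SCRIPT=${JOB_SCRIPT:-/usr/local/sbin/remote_job.sh}
SUDOERS_FILE=${SUDOERS_FILE:-/etc/sudoers.d/remote_job}

# The sudo rule: A may run this one script as B, and nothing else.
sudoers_rule() {
    printf '%s ALL=(%s) NOPASSWD: %s\n' "$LOCAL_USER" "$SVC_USER" "$JOB_SCRIPT"
}

# Body of the script B owns. BatchMode=yes makes ssh fail instead of
# prompting, so a broken trust relationship shows up as an error rather
# than a hung job waiting for a password. /do/something is the placeholder
# from the thread for the remote command.
remote_job_script() {
    printf '#!/bin/sh\nexec ssh -o BatchMode=yes -o StrictHostKeyChecking=yes %s@%s /do/something\n' \
        "$REMOTE_USER" "$REMOTE_HOST"
}

# Root-side commands, one per line, in the order the steps are described.
setup_commands() {
    cat <<EOF
useradd -m -s /bin/sh $SVC_USER
su $SVC_USER -c 'ssh-keygen -t ed25519 -N "" -f ~/.ssh/id_ed25519'
# append ~$SVC_USER/.ssh/id_ed25519.pub to $REMOTE_USER@$REMOTE_HOST:~/.ssh/authorized_keys
chown $SVC_USER:$SVC_USER $JOB_SCRIPT
chmod 0500 $JOB_SCRIPT
printf '%s\n' '$(sudoers_rule)' > $SUDOERS_FILE
chmod 0440 $SUDOERS_FILE
visudo -cf $SUDOERS_FILE
passwd -l $SVC_USER
EOF
}

# Execute the plan: write the job script, then run the commands with sh -e
# so the first failure (e.g. visudo rejecting the rule) stops the setup.
apply() {
    [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; return 1; }
    remote_job_script > "$JOB_SCRIPT"
    setup_commands | sh -e
}

if [ "${APPLY:-0}" = 1 ]; then
    apply
else
    setup_commands
fi
```

Locking B's password (passwd -l) is enough here because `sudo -u B /path/script` executes the script directly and never consults B's password; the only way into B's trust relationship is through the one script sudo allows. Running `visudo -cf` on the new file before it takes effect is the check that keeps a typo in the rule from locking out sudo entirely.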

crypt can hide your password, but makes binary. Compression hardens the data for encryption, but makes short strings long. To make it friendly text, you can pass that to an encoder like uuencode or base64: Man Page for base64 (OpenSolaris Section 1) - The UNIX and Linux Forums.

$ echo user_password | crypt master_password | od -xc
0000000    6e1f    c36b    9569    bfd2    5264    d224    8031
          n 037 303   k 225   i 277 322   R   d 322   $ 200   1
0000016

$ user_pw_enc=$( echo user_password | crypt master_password | base64 )
$ user_pw_dec=$( echo "$user_pw_enc" | base64 -d | crypt master_password )
$

The answer is, simply, "don't do that".

If you can retrieve a password, so can a hacker. There's no point.

Never, ever keep around retrievably-stored passwords if you can possibly help it. Not even the OS does that, for its login system.


Unfortunately, I don't have crypt.

There are many free clones of crypt: crypt open source code - Google Search

Make sure you are putting the master password and user passwords in secure places. All apps and systems have their hidden secrets and keys. This may be a good place for Public/Private Key Encryption. Lots has been written about the security challenges of any authentication system. Authentication is often that the encrypted trial password matches the encrypted stored password, so every raw password is only a transient memory artifact in automatic variables.