Sunday, April 28, 2024
8
rated 0 times [  8] [ 0]  / answers: 1 / hits: 10425  / 1 Year ago, tue, may 2, 2023, 9:12:53

I have a Bash script that automatically authenticates with a service using my username and password. The credentials are currently stored as plain text within the script.



What precautions should I take to most securely store these credentials while still allowing the script access?



Points of clarification:




  • I understand that, if available, other methods of authentication should be used instead. I still want to know what to do in the case that password authentication is the only option.

  • Not storing the password at all is not an acceptable answer here. I am asking about the case in which the script must have unattended access to the password.



 Answers
6

What kind of service? Certain services have other methods to authenticate, e.g. SSH keys for SSH in conjunction with SSH agent.



I'd store the password separate from the script, and make sure that all path components have the correct permissions set. E.g., make sure that in the path /path/to/file, /, /path and /path/to are owned by a user you trust (root) and that these are not writable by someone who is not allowed to see your files. Finally, the recommended permissions for file are 600 or 400.



That file could look like this:



PASSWORD='something that you cannot remember'


In your script, use the below code to import the variable:



. /path/to/file


As for your script, make sure that it does not contain holes which may allow attackers to execute code in the script context (e.g. uncontrolled environment which may have an arbitrary $PATH variable set or invalid use of other files (e.g. sourcing a world-writable file)).



As for the actual protection of your password, you can't. It must be available somehow to the other service. As an alternative, you can encrypt the file/script containing the password using openssl or gpg so you need to enter a password before the credentials are unlocked. This is especially useful if your service's password is hard to remember.


[#44304] Wednesday, May 3, 2023, 1 Year
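The checks described in the answer above, written out as an added example that is not part of the original answer: the script refuses to source the credentials file unless the file and every directory above it have safe ownership and permissions. It assumes GNU coreutils (stat -c, realpath); the function names and the optional second argument (a trusted top directory at which the walk stops, default /) are illustrative.

```bash
#!/usr/bin/env bash
# Added example, not from the original answer. Assumes GNU coreutils
# (stat -c, realpath); /path/to/file is the answer's placeholder path.

# Fixed PATH so stat, id, realpath and dirname are not looked up through a
# caller-controlled $PATH.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# Succeed if $1 is owned by root or the current user and has none of the
# permission bits in octal mask $2 set.
perm_ok() {
    local owner mode
    owner=$(stat -c %u -- "$1" 2>/dev/null) || return 1
    mode=$(stat -c %a -- "$1" 2>/dev/null) || return 1
    [ "$owner" -eq 0 ] || [ "$owner" -eq "$(id -u)" ] || return 1
    [ $(( 0$mode & 0$2 )) -eq 0 ]
}

# Succeed only if file $1 has no group/other permission bits (e.g. 600 or
# 400) and every directory from its parent up to $2 (default /) is not
# writable by group or others.
cred_file_safe() {
    local file dir top
    file=$(realpath -- "$1" 2>/dev/null) || return 1
    top=$(realpath -- "${2:-/}" 2>/dev/null) || return 1
    [ -f "$file" ] || return 1
    perm_ok "$file" 077 || return 1
    dir=$(dirname -- "$file")
    while :; do
        perm_ok "$dir" 022 || return 1
        if [ "$dir" = "$top" ] || [ "$dir" = / ]; then break; fi
        dir=$(dirname -- "$dir")
    done
    return 0
}

# Source the credentials file (which sets PASSWORD) only after the checks pass.
load_credentials() {
    if ! cred_file_safe "$@"; then
        echo "refusing to source $1: unsafe owner or permissions" >&2
        return 1
    fi
    . "$(realpath -- "$1")"
}

# Usage in the script: load_credentials /path/to/file || exit 1
```

Because realpath resolves symbolic links first, the ownership and mode checks apply to the real file and its real parent directories rather than to a link pointing at them.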
whoppinolo