Security: Hiding/encrypting a password in a bash file to stop it being seen accidentally


Apologies if this has been asked before; I did check but couldn't find anything.

Is there a function in Unix to encrypt and decrypt a password in a batch file, so that I can then pipe it into other commands in a bash file?

I realise that doing this doesn't give any real security; it's more so that if someone is looking over my shoulder at the script, they don't accidentally see the password :)

I'm running Red Hat 5.3.

I have a script that does something like:

serverControl.sh -u admin -p myPassword -c shutdown

I'd like to do something like:

password = decrypt("fgsfkageaivgea", "aDecryptionKey")
serverControl.sh -u admin -p $password -c shutdown

This wouldn't protect the password in any way, but it would stop someone accidentally seeing it over my shoulder.

You should be able to use crypt, mcrypt or gpg to do what you need. They all support many algorithms. crypt is a bit outdated, though.

More info:

OpenSSL provides a command that can encrypt but not decrypt, as it only does hashing. You can also download something similar (the example below uses aesutil) so that you can use a capable and well-known symmetric encryption routine.

For example:

#!/bin/sh    
# using aesutil
SALT=$(mkrand 15) # mkrand generates a 15-character random passwd
MYENCPASS="i/b9pkcpQAPy7BzH2JlqHVoJc2mNTBM=" # echo "passwd" | aes -e -b -B -p $SALT 
MYPASS=$(echo "$MYENCPASS" | aes -d -b -p $SALT)

# and usage
serverControl.sh -u admin -p $MYPASS -c shutdown
  • Indent it off the edge of the screen (assuming no line wrapping and a constant editor width)

  • Store it in a separate file and read it in

I solved the same problem, i.e. people being able to see my password over my shoulder, using base64.

Here's what I did: I created a new file "db_auth.cfg" and put parameters in it, one of which is my db password. I set the permissions on that file to 750.

DB_PASSWORD=Z29vZ2xl

In my shell script I use the "source" command to read the file, and then decode it back for use in the script:

source path_to_the_file/db_auth.cfg
DB_PASSWORD=$(eval echo ${DB_PASSWORD} | base64 --decode)

I hope this helps.

The following line in the code above does not work:

DB_PASSWORD=$(eval echo ${DB_PASSWORD} | base64 --decode)

The correct line is:

DB_PASSWORD=`echo $PASSWORD|base64 -d`

and keep the password saved as PASSWORD in the other file.

There is a more convenient way to store passwords in a script, but you will have to encrypt and obfuscate the script so that it cannot be read. To successfully encrypt and obfuscate your shell script and still have it be actually executable, try copying and pasting it here:

On the above page, all you have to do is submit your script and give it a proper name, then hit the download button. A zip file will be generated for you. Right-click the download link and copy the URL provided. Then go to your UNIX prompt and do the following steps.

Installation:

1. wget link-to-the-zip-file
2. unzip the-newly-downloaded-zip-file
3. cd /tmp/KingLazySHIELD
4. ./install.sh /var/tmp/KINGLAZY/SHIELDX-(your-script-name) /home/(your-username) -force
What the above install command will do for you is:

  • Install the encrypted version of your script in the directory /var/tmp/KINGLAZY/SHIELDX-(your-script-name)

  • Put a link to this encrypted script in whatever directory you specify in place of /home/(your-username), so that you can easily access the script without having to type its absolute path

  • Ensure that nobody can modify the script - any attempt to modify the encrypted script will render it unable to run... until those attempts are stopped or removed. It can even be configured to notify you whenever someone tries to do anything with the script other than run it... i.e. hacking or modification attempts

  • Ensure that absolutely nobody can copy it. Nobody can copy your script to a secluded location and tinker with it to see how it works. All copies of the script must be linked to the original location specified during installation (step 4)

  • NOTE:

    This will not work for interactive scripts that prompt and wait for a user response. The values expected from the user should be hard-coded into the script. The encryption ensures that nobody can actually see those values, so you don't have to worry about that.

    Related:

The solution provided here answers your question in that it encrypts the actual script containing the password you want encrypted. You can leave the password as is (unencrypted), but the script the password sits in is heavily obfuscated and encrypted, so you can rest assured nobody will be able to see it. And if attempts are made to snoop on your script, you will receive email notifications about them.

Another solution, with no regard to security (I also think it's better to keep credentials in a separate file or a database), is to encrypt the password with gpg and insert it into the script.

I use a passwordless gpg keypair that I keep on a USB stick. (Note: when exporting this keypair, don't use --armor; export it in binary format.)

First encrypt your password:

Edit: put a space in front of that command so that bash history doesn't record it.

This will print the gpg-encrypted password to standard output. Copy the whole message and add it to your script:

    password=$(gpg --batch --quiet --no-default-keyring --secret-keyring /media/usb/key.priv --decrypt <<EOF 
    -----BEGIN PGP MESSAGE-----
    
    hQEMA0CjbyauRLJ8AQgAkZT5gK8TrdH6cZEy+Ufl0PObGZJ1YEbshacZb88RlRB9
    h2z+s/Bso5HQxNd5tzkwulvhmoGu6K6hpMXM3mbYl07jHF4qr+oWijDkdjHBVcn5
    0mkpYO1riUf0HXIYnvCZq/4k/ajGZRm8EdDy2JIWuwiidQ18irp07UUNO+AB9mq8
    5VXUjUN3tLTexg4sLZDKFYGRi4fyVrYKGsi0i5AEHKwn5SmTb3f1pa5yXbv68eYE
    lCVfy51rBbG87UTycZ3gFQjf1UkNVbp0WV+RPEM9JR7dgR+9I8bKCuKLFLnGaqvc
    beA3A6eMpzXQqsAg6GGo3PW6fMHqe1ZCvidi6e4a/dJDAbHq0XWp93qcwygnWeQW
    Ozr1hr5mCa+QkUSymxiUrRncRhyqSP0ok5j4rjwSJu9vmHTEUapiyQMQaEIF2e2S
    /NIWGg==
    =uriR
    -----END PGP MESSAGE-----
    EOF)
    

While this isn't a built-in Unix solution, I've implemented a solution using a shell script that can be included in whatever shell script you are using. It can be used in POSIX-compliant environments (sh, bash, ksh, zsh). The full description is provided in the github repo -> . This solution will automatically generate keys for a script and store the keys and passwords (or other secrets) in a hidden directory under the user's home (i.e. ~/.encpass).

In your script, you just source encpass.sh and then call the get_secret method. For example:

    #!/bin/sh
    . encpass.sh
    password=$(get_secret)
    
Pasted below is a lite version of the encpass.sh code (you can get the full version on github) for easier viewing:

     #!/bin/sh
     ################################################################################
     # Copyright (c) 2020 Plyint, LLC <contact@plyint.com>. All Rights Reserved.
     # This file is licensed under the MIT License (MIT). 
     # Please see LICENSE.txt for more information.
     # 
     # DESCRIPTION: 
     # This script allows a user to encrypt a password (or any other secret) at 
     # runtime and then use it, decrypted, within a script.  This prevents shoulder 
     # surfing passwords and avoids storing the password in plain text, which could 
     # inadvertently be sent to or discovered by an individual at a later date.
     #
     # This script generates an AES 256 bit symmetric key for each script (or user-
     # defined bucket) that stores secrets.  This key will then be used to encrypt 
     # all secrets for that script or bucket.  encpass.sh sets up a directory 
     # (.encpass) under the user's home directory where keys and secrets will be 
     # stored.
     #
     # For further details, see README.md or run "./encpass ?" from the command line.
     #
     ################################################################################
    
     encpass_checks() {
        [ -n "$ENCPASS_CHECKS" ] && return
    
        if [ -z "$ENCPASS_HOME_DIR" ]; then
            ENCPASS_HOME_DIR="$HOME/.encpass"
        fi
        [ ! -d "$ENCPASS_HOME_DIR" ] && mkdir -m 700 "$ENCPASS_HOME_DIR"
    
        if [ -f "$ENCPASS_HOME_DIR/.extension" ]; then
            # Extension enabled, load it...
            ENCPASS_EXTENSION="$(cat "$ENCPASS_HOME_DIR/.extension")"
            ENCPASS_EXT_FILE="encpass-$ENCPASS_EXTENSION.sh"
            if [ -f "./extensions/$ENCPASS_EXTENSION/$ENCPASS_EXT_FILE" ]; then
                # shellcheck source=/dev/null
              . "./extensions/$ENCPASS_EXTENSION/$ENCPASS_EXT_FILE"
            elif [ ! -z "$(command -v encpass-"$ENCPASS_EXTENSION".sh)" ]; then 
                # shellcheck source=/dev/null
                . "$(command -v encpass-$ENCPASS_EXTENSION.sh)"
            else
                encpass_die "Error: Extension $ENCPASS_EXTENSION could not be found."
            fi
    
            # Extension specific checks, mandatory function for extensions
            encpass_"${ENCPASS_EXTENSION}"_checks
        else
            # Use default OpenSSL implementation
            if [ ! -x "$(command -v openssl)" ]; then
                echo "Error: OpenSSL is not installed or not accessible in the current path." \
                    "Please install it and try again." >&2
                exit 1
            fi
    
            [ ! -d "$ENCPASS_HOME_DIR/keys" ] && mkdir -m 700 "$ENCPASS_HOME_DIR/keys"
            [ ! -d "$ENCPASS_HOME_DIR/secrets" ] && mkdir -m 700 "$ENCPASS_HOME_DIR/secrets"
            [ ! -d "$ENCPASS_HOME_DIR/exports" ] && mkdir -m 700 "$ENCPASS_HOME_DIR/exports"
    
        fi
    
       ENCPASS_CHECKS=1
     }
    
     # Checks if the enabled extension has implemented the passed function and if so calls it
     encpass_ext_func() {
       [ ! -z "$ENCPASS_EXTENSION" ] && ENCPASS_EXT_FUNC="$(command -v "encpass_${ENCPASS_EXTENSION}_$1")" || return
        [ ! -z "$ENCPASS_EXT_FUNC" ] && shift && $ENCPASS_EXT_FUNC "$@" 
     }
    
     # Initializations performed when the script is included by another script
     encpass_include_init() {
        encpass_ext_func "include_init" "$@"
        [ ! -z "$ENCPASS_EXT_FUNC" ] && return
    
        if [ -n "$1" ] && [ -n "$2" ]; then
            ENCPASS_BUCKET=$1
            ENCPASS_SECRET_NAME=$2
        elif [ -n "$1" ]; then
            if [ -z "$ENCPASS_BUCKET" ]; then
              ENCPASS_BUCKET=$(basename "$0")
            fi
            ENCPASS_SECRET_NAME=$1
        else
            ENCPASS_BUCKET=$(basename "$0")
            ENCPASS_SECRET_NAME="password"
        fi
     }
    
     encpass_generate_private_key() {
        ENCPASS_KEY_DIR="$ENCPASS_HOME_DIR/keys/$ENCPASS_BUCKET"
    
        [ ! -d "$ENCPASS_KEY_DIR" ] && mkdir -m 700 "$ENCPASS_KEY_DIR"
    
        if [ ! -f "$ENCPASS_KEY_DIR/private.key" ]; then
            (umask 0377 && printf "%s" "$(openssl rand -hex 32)" >"$ENCPASS_KEY_DIR/private.key")
        fi
     }
    
     encpass_set_private_key_abs_name() {
        ENCPASS_PRIVATE_KEY_ABS_NAME="$ENCPASS_HOME_DIR/keys/$ENCPASS_BUCKET/private.key"
        [ ! -n "$1" ] && [ ! -f "$ENCPASS_PRIVATE_KEY_ABS_NAME" ] && encpass_generate_private_key
     }
    
     encpass_set_secret_abs_name() {
        ENCPASS_SECRET_ABS_NAME="$ENCPASS_HOME_DIR/secrets/$ENCPASS_BUCKET/$ENCPASS_SECRET_NAME.enc"
        [ ! -n "$1" ] && [ ! -f "$ENCPASS_SECRET_ABS_NAME" ] && set_secret
     }
    
     encpass_rmfifo() {
        trap - EXIT
        kill "$1" 2>/dev/null
        rm -f "$2"
     }
    
     encpass_mkfifo() {
        fifo="$ENCPASS_HOME_DIR/$1.$$"
        mkfifo -m 600 "$fifo" || encpass_die "Error: unable to create named pipe"
        printf '%s\n' "$fifo"
     }
    
     get_secret() {
        encpass_checks
        encpass_ext_func "get_secret" "$@"; [ ! -z "$ENCPASS_EXT_FUNC" ] && return
    
        [ "$(basename "$0")" != "encpass.sh" ] && encpass_include_init "$1" "$2"
    
        encpass_set_private_key_abs_name
        encpass_set_secret_abs_name
        encpass_decrypt_secret "$@"
     }
    
     set_secret() {
        encpass_checks
    
        encpass_ext_func "set_secret" "$@"; [ ! -z "$ENCPASS_EXT_FUNC" ] && return
    
        if [ "$1" != "reuse" ] || { [ -z "$ENCPASS_SECRET_INPUT" ] && [ -z "$ENCPASS_CSECRET_INPUT" ]; }; then
            echo "Enter $ENCPASS_SECRET_NAME:" >&2
            stty -echo
            read -r ENCPASS_SECRET_INPUT
            stty echo
            echo "Confirm $ENCPASS_SECRET_NAME:" >&2
            stty -echo
            read -r ENCPASS_CSECRET_INPUT
            stty echo
    
            # Use named pipe to securely pass secret to openssl
            fifo="$(encpass_mkfifo set_secret_fifo)"
        fi
    
        if [ "$ENCPASS_SECRET_INPUT" = "$ENCPASS_CSECRET_INPUT" ]; then
            encpass_set_private_key_abs_name
            ENCPASS_SECRET_DIR="$ENCPASS_HOME_DIR/secrets/$ENCPASS_BUCKET"
    
            [ ! -d "$ENCPASS_SECRET_DIR" ] && mkdir -m 700 "$ENCPASS_SECRET_DIR"
    
            # Generate IV and create secret file
            printf "%s" "$(openssl rand -hex 16)" > "$ENCPASS_SECRET_DIR/$ENCPASS_SECRET_NAME.enc"
            ENCPASS_OPENSSL_IV="$(cat "$ENCPASS_SECRET_DIR/$ENCPASS_SECRET_NAME.enc")"
    
            echo "$ENCPASS_SECRET_INPUT" > "$fifo" &
            # Allow expansion now so PID is set
            # shellcheck disable=SC2064
            trap "encpass_rmfifo $! $fifo" EXIT HUP TERM INT TSTP
    
            # Append encrypted secret to IV in the secret file
            openssl enc -aes-256-cbc -e -a -iv "$ENCPASS_OPENSSL_IV" \
                -K "$(cat "$ENCPASS_HOME_DIR/keys/$ENCPASS_BUCKET/private.key")" \
                -in "$fifo" 1>> "$ENCPASS_SECRET_DIR/$ENCPASS_SECRET_NAME.enc"
        else
            encpass_die "Error: secrets do not match.  Please try again."
        fi
     }
    
     encpass_decrypt_secret() {
        encpass_ext_func "decrypt_secret" "$@"; [ ! -z "$ENCPASS_EXT_FUNC" ] && return
    
        if [ -f "$ENCPASS_PRIVATE_KEY_ABS_NAME" ]; then
            ENCPASS_DECRYPT_RESULT="$(dd if="$ENCPASS_SECRET_ABS_NAME" ibs=1 skip=32 2> /dev/null | openssl enc -aes-256-cbc \
                -d -a -iv "$(head -c 32 "$ENCPASS_SECRET_ABS_NAME")" -K "$(cat "$ENCPASS_PRIVATE_KEY_ABS_NAME")" 2> /dev/null)"
            if [ ! -z "$ENCPASS_DECRYPT_RESULT" ]; then
                echo "$ENCPASS_DECRYPT_RESULT"
            else
                # If a failed unlock command occurred and the user tries to show the secret
                # Present either a locked or failed decrypt error.
                if [ -f "$ENCPASS_HOME_DIR/keys/$ENCPASS_BUCKET/private.lock" ]; then
                    echo "**Locked**"
                else
                    # The locked file wasn't present as expected.  Let's display a failure
                    echo "Error: Failed to decrypt"
                fi
            fi
        elif [ -f "$ENCPASS_HOME_DIR/keys/$ENCPASS_BUCKET/private.lock" ]; then
            echo "**Locked**"
        else
            echo "Error: Unable to decrypt. The key file \"$ENCPASS_PRIVATE_KEY_ABS_NAME\" is not present."
        fi
     }
    
     encpass_die() {
       echo "$@" >&2
       exit 1
     }
     #LITE
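As an added example (not code from any answer above, nor from the encpass.sh project), here is the core of the scheme the lite encpass.sh above implements, which is also the kind of OpenSSL-based symmetric encryption the aesutil answer points at: one random AES-256 key per bucket, and each secret stored as 32 hex characters of IV followed by the base64 ciphertext. Assumptions: openssl is on PATH, KEYSTORE is a constructed temporary directory standing in for ~/.encpass, and all demo_* function names are mine.

```shell
#!/bin/sh
# Added example: minimal reimplementation of the encpass.sh lite storage format.
# Not the project's code. Assumes openssl on PATH; KEYSTORE is a constructed
# temp directory standing in for ~/.encpass.
KEYSTORE="${KEYSTORE:-$(mktemp -d)}"

# One random 256-bit key per bucket (a bucket is normally the calling script's
# name), created owner-read-only, as encpass_generate_private_key does.
demo_generate_key() {
    keyfile="$KEYSTORE/keys/$1/private.key"
    mkdir -p -m 700 "$KEYSTORE/keys/$1"
    if [ ! -f "$keyfile" ]; then
        (umask 0377 && openssl rand -hex 32 > "$keyfile")
    fi
}

# demo_set_secret BUCKET NAME: read the secret from stdin and write
# "<32 hex chars of IV><base64 AES-256-CBC ciphertext>" to the secret file.
demo_set_secret() {
    demo_generate_key "$1"
    mkdir -p -m 700 "$KEYSTORE/secrets/$1"
    out="$KEYSTORE/secrets/$1/$2.enc"
    iv=$(openssl rand -hex 16)
    printf '%s' "$iv" > "$out"    # the IV is not secret and is stored in clear
    openssl enc -aes-256-cbc -e -a -iv "$iv" \
        -K "$(cat "$KEYSTORE/keys/$1/private.key")" >> "$out"
}

# demo_get_secret BUCKET NAME: split the file after byte 32 and decrypt the rest.
# Returns non-zero instead of printing an error string, so callers can test it.
demo_get_secret() {
    file="$KEYSTORE/secrets/$1/$2.enc"
    key="$KEYSTORE/keys/$1/private.key"
    [ -f "$file" ] && [ -f "$key" ] || return 1
    tail -c +33 "$file" | openssl enc -aes-256-cbc -d -a \
        -iv "$(head -c 32 "$file")" -K "$(cat "$key")"
}

# Usage from a script (the password itself never appears in the script text):
#   printf '%s\n' "$MYPASS" | demo_set_secret serverControl.sh password   # once
#   serverControl.sh -u admin -p "$(demo_get_secret serverControl.sh password)" -c shutdown
```

The secret file and the key are only readable by the owner, so someone reading the script over your shoulder sees a function call rather than the password.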
    