Question: I want to create user for oracle databases. For that i have created shell script, it will ask to enter the username and password. then these variables will be stored in SQL query to get output. Please find the below commands:
**Here password is in plain text. Please tell how to encrypt and decrypt the password which is giving in input form. ? **
**echo -n "Enter user to be created"
read USERNAME
echo -n "Enter new password"
read PASSWORD
output=`sqlplus -s '/as sysdba' <<EOF
CREATE USER "$USERNAME" IDENTIFIED BY "$PASSWORD"
DEFAULT TABLESPACE "$DETAB"
TEMPORARY TABLESPACE TEMP
PROFILE DEFAULT
ACCOUNT UNLOCK;
exit;
EOF`**
Your use of shell variables in general is a problem, from a security perspective. The instant you store the password in a shell variable, it can be read by other users on the system. A better approach would be to prompt the user for input as part of the SQL script, rather than in the shell:
create_user.sql:
-- get username
accept username char prompt 'Enter user to be created > ';
-- get password and hide value from screen
accept password char prompt 'Enter password > ' HIDE;
-- get default tablespace
accept detab char prompt 'Enter default tablespace > ';
set echo off;
CREATE USER &&username IDENTIFIED BY &&password
DEFAULT TABLESPACE &&detab
TEMPORARY TABLESPACE TEMP
PROFILE DEFAULT
ACCOUNT UNLOCK;
exit;
Then run the script like this:
sqlplus / as sysdba #create_user.sql
The script can now run without exposing the password value to the shell, or being echoed to the screen.
I've written previously on these types of issues. See here for more info: https://pmdba.wordpress.com/2020/01/13/how-to-hide-oracle-passwords-in-a-script/
As suggested in the comments, here the revised script
echo -n "Enter user to be created"
read USERNAME
echo -n "Enter new password"
read PASSWORD
output=`sqlplus -s '/nolog' >/dev/null 2>/dev/null <<EOF
WHENEVER SQLERROR EXIT SQL.SQLCODE
connect / as sysdba
CREATE USER "$USERNAME" IDENTIFIED BY "$PASSWORD"
DEFAULT TABLESPACE "$DETAB"
TEMPORARY TABLESPACE TEMP
PROFILE DEFAULT
ACCOUNT UNLOCK;
exit;
EOF`
success=`echo $? `
unset PASSWORD
echo $USERNAME
echo $success
echo $output
echo $PASSWORD
if $success returns 0 everything is ok. if not there is an error.
But $output and $PASSWORD are empty at the end of the execution
For debug purpose, do not redirect to /dev/null but you will see the password.
Passwords are stored encrypted inside Oracle as already said in the comments by other people helping you
Other suggestion
I think that the better solution is to force the User to Change the Password at First/Next Login
e.g Create the user with :
the option by a password expire
a dummy password and password expire option
expire the password using the command alter user $USERNAME password expire;.
By doing this Oracle will ask to the user to update his password at the first or next connection. The password issue will be managed by sqlplus directly (or by other tools).
You can add in your script
conn $USENAME/<dummypwd> and sqlplus will prompt for the new password
Related
We currently have several users that are using the admin user when logging into a server via SSH. They all have their own users but unfortunately they still occasionally use the admin one. We can lock this down of course and take action to make sure that user is never used, but I'm looking to see if there is a way to force each login to enter a reason why they are using that user, before they can login and access the server whenever they use the admin user.
This way we can have an easy way to compare access log files with employee names and the reason why they are using that user.
Any thoughts?
Here's what I would do.
Register everyone's ssh public key into admin user's authorized_keys. In each entry, set the environment EMPLOYEE to the employeename. This will require that PermitUserEnviroment be set to yes in /etc/ssh/sshd_config. A sample entry should look like below.
environment="EMPLOYEE=employee1" ssh-rsa AAAAB3NzaC1y.....EU88ovYKg4GfclWGCFYTuw8==
Now that we have an environment variable named EMPLOYEE, we can write a simple script to ask for the reason.
Create a file /etc/profile.d/reason.sh. The file does not need to be executable as it will be sourced.
if [[ $(whoami) = "admin" ]]; then
read -p "Please specify the reason for logging in as $USER user: " reason
if [ -z "$reason" ]; then
logout
fi
fi
Now you have $EMPLOYEE and $reason to log.
Here's a thought
#!/bin/bash
# if the user tries Ctrl+C to avoid this check
trap INT no_shell_for_you
no_shell_for_you() { exec /bin/false; }
read -p "Your username please: " username
if getent password "$username" >/dev/null 2>&1; then
echo "Welcome, $username"
# log $username somewhere
exec /bin/bash -l
else
no_shell_for_you
fi
Save that as ~admin_user/bin/get_real_user.sh
Add /full/path/to/admin_user/bin/get_real_user.sh to /etc/shells
Do sudo chsh -s /full/path/to/admin_user/bin/get_real_user.sh admin_user
This is untested. Test thoroughly before step 3.
I have created a new user and password. Now I need to change the username and password from the web page. I am able to change the username using usermod.
But I am not able to change to password using the passwd command.
Here the code:
shell_exec('(echo "'.$FTPpassword.'";sleep 1; echo "'.$FTPpassword.'") | passwd $FTPUserName');
Instead of $FTPUserName , if I send username test as :
shell_exec('(echo "'.$FTPpassword.'";sleep 1; echo "'.$FTPpassword.'") | passwd test');
it is updating password of the user "test".
Anyone know how to change the password of a user using shell_exec?
Regards,
Sowmya
Use --stdin flag. This option is used to indicate that passwd should read the new password from standard input, which can be a pipe.
shell_exec("echo $FTPpassword | passwd $FTPUserName --stdin");
I wrote a shell script to automate mysqldump.
I don't want my password to be entered in the script file. Can anyone suggest me an alternative way to do this?
If you are running the script interactively, then you can use read to read the password into an environmental variable, and then echo that password to mysqldump.
read -s -p 'password: ' password
echo "$password" | mysqldump ...
The password will be stored in plain text in memory but not elsewhere.
Alternatively as per the documentation you can use an option file to avoid giving the password on the command line. The file would contain something similar to the below:
[client]
# The following password will be sent to all standard MySQL clients
password="my_password"
I had made a script that allows ftp login.But I dont know how to add password for the user
#!/bin/bash
if grep -q $1 "/opt/proftpd.conf"; then
echo "$1 is an ftp user"
HOST='192.168.1.212'
USER=''$1''
FILE=''$2''
ftp -n -v $HOST <<END_SCRIPT
quote USER $USER
put $FILE
quit
END_SCRIPT
ls -la /home/$1
exit 0
else
echo "$1 is not an ftp user"
fi
exit 0
How can I add the user password for ftpuser?...
An example:
#!/bin/bash
ftp_host="192.168.1.212"
ftp_user="$1"
ftp_file="$2"
read -s -p "Enter password for user ${ftp_user}: " ftp_pass
ftp -n -v ${ftp_host} << EOF
quote USER ${ftp_user}
quote pass ${ftp_pass}
bin
put ${ftp_file}
EOF
It depends on the ftp version.
Sometime versions allow to give user and password together with host name:
ftp://[user[:password]#]host[:port]/path
There are also two ftp commands that allow to pass credentials (man ftp):
account [passwd]
Supply a supplemental password required by a remote system
for access to resources once a login has been successfully
completed. If no argument is included, the user will be
prompted for an account password in a non-echoing input mode.
user user-name [password] [account]
Identify yourself to the remote FTP server. If the password
is not specified and the server requires it, ftp will prompt
the user for it (after disabling local echo). If an account
field is not specified, and the FTP server requires it, the
user will be prompted for it. If an account field is speci-
fied, an account command will be relayed to the remote server
after the login sequence is completed if the remote server
did not require it for logging in. Unless ftp is invoked
with "auto-login" disabled, this process is done automati-
cally on initial connection to the FTP server.
I have created a shell script like this.But getting syntax error in grant command, I think near password area.Please help me if anyone could.
ssh -t qbadmin#10.3.2.0 '
su root -c "
echo \"Give db name :\";
read db_name;
echo \"Give password :\";
read db_pass;
host=localhost;
sql1=\"create database \$db_name;\";
sql2=\"grant all on \${db_name}.* to \${db_name}#\${host} identified by \"\${db_pass}\";\";
sql3=\"\${sql1}\${sql2}\";
mysql -u root -p -e \"\${sql3}\";
";
'
The database has created in the remote machine successfully, but the grant command returned error..! My guess is the error might be because of the usage of \" character before and after ${db_pass} in the grant command.Please do help me to solve this.
Thanks.
Nested quoting is always tricky. Why don't you just ssh to the remote host as root?
ssh -t root#10.3.2.0 '
echo "Give db name :"
read db_name;
echo "Give password :"
read db_pass
host=localhost
sql1="create database \$db_name;"
sql2="grant all on ${db_name}.* to ${db_name}#${host} identified by ${db_pass};"
sql3="${sql1}${sql2}"
mysql -p -e "${sql3}"
'