Hi I'm using makefile to do lots of compiling and remote works.
In many occasion I would need to type in username and password for remote connection, VPN, code upload and other stuffs.
May it be possible to use makefile to auto type in the credential information?
Thanks a lot!
It is not the role of make to do this kind of thing. So there is no special support in a Makefile for handling credentials.
However, if you can get a shell script to do the "auto-typing" or provide the required credentials some other way, then you should be able to use the same approach in a Makefile.
We can't advise you on how the script would work, because you have given no actual details of the commands etc that you are using for remote access.
But if you are using ssh from a Linux box, you could use public key authentication and ssh-agent and avoid the problem entirely. This would be a lot more secure than:
using user / password auth at all, and
embedding passwords in your makefiles ... for someone else to find when they steal your laptop or whatever.
Related
I have a number of Unix Shell scripts that logon to SQLPLUS in a batch environment. In order to logon to SQLPLUS the user and password are currently available to the shell script in plain text from a text file. Not Good ! I need to change this so that the password is protected and possibly encrypted, but the shell script can pick up the password and decrpyt to use. I'm not really sure how I would go about achieving my objectives, other than I presume I need to write some shell script code that can be in a library and pulled into all my shell scripts as required. Any suggestions would be welcome.
Probably not what you want to hear.
Encrypting or otherwise obfuscating the password in your shell script does not provide any real security: only "security by obscurity" which isn't actually secure. This is a good reading about passwords in plaintext.
So in my opinion it would be best, that as less people as possible have access to the shell script.
IMHO best possible solution in this case something like HashiCorp Vault Vault
You are setting up Vault server in secure/audited network/host and store your password there (vault will encrypt it for you). Then you generating vault access token with rights to read db password. With Vault you have http(s) API which will give your secret if you have correct token (curl inside shell script). Examples: api documentation
It is not best solution but with this you centralizing your secrets storage, everything encrypted, you can audit and revoke access to your secrets. This is way better than db passwords in plaintext all over your infrastructure.
I'm writing a bash script that needs login credentials (username and password) to make an API call. The script will eventually become a cron job, so it's not feasible to prompt the user for login credentials. What is the best way to hide the credentials in a bash script?
If you can't set up restricted read permissions on the bash script itself (e.g. only root can read it), the usual approach is to use a separate file, with said restrictions (only root or a dedicated user can read it (chmod 400 filename)).
This is how you store your ssh keys in ~/.ssh/, as well.
If you are worried about someone having full access to your drive, e.g. someone stealing it, try cryptsetup/luks.
If you are worried about someone reading the unencrypted raw device, you might try breaking up the password, and assemble it in memory when needed...
SSHPASS=$_pass sshpass -e ssh -o StrictHostKeyChecking=no $_host
I use this bit for instance and prompt user input to a restricted file, a bit more security not actually passing the variable during SSH session, but instead defining as an env variable. Haven't had many concerns from my work place Security Engineers. You can always do as others stated and have that file already containing creds rather than prompting and do the same here.
I am trying to create an Alfred workflow that connects to my server through ssh without asking for my password. I tried
ssh root#myServerIP ; mypswd
and many other variants, but i can't seem to be able to wait for terminal to ask me my password before the script answer it.
Is it possible, in this case and in general to pre-enter the password on a terminal command ?
Thanx a lot in advance
Jad
There is no need of ; at the end. You can just hit enter at the end of the line and it will take it as an input for next command. for your case, it would look something like this.
ssh root#myServerIP
mypswd
If it's possible, I'd try to make it so that your workflow doesn't involve using SSH as root. Storing your password in a script seems like a security risk.
What I would suggest is using public/private key pairs (tutorial here and other places) to enable passwordless login from your client to the server, and sidestep the issue entirely. It's technically possible to do this with the root account as well, but again, I wouldn't recommend it.
I'm writing a Ruby script that uses the PG gem to set up a database connection and send files. I'm structuring it to take variables for the hostname, username, database name, and port. In a Shell script I've written to manage some companion tasks, I rely on the password stored in ~/.pgpass instead of having the user enter a password for psql because there are a lot of transactions and sometimes entering the password can fail for no apparent reason (and it sucks entering it in 20 times).
Will PG access the same source when a password isn't explicitly provided? By convention, I've included the password in the file, but since this is being pushed to an internally available repo, I'd prefer not to have that information in my file. I'm trying to test the functionality now, but was wondering if anyone in the SO community knows the answer to this question. If PG doesn't access the .pgpass file, is there a way to reference the variable and write it into the file without prompting the user to enter the password?
Thanks in advance for your help.
Yes, it will use ~/.pgpass just like any interface based on libpq, the C PostgreSQL client library.
However, a good alternative for not having the password in a file is to have it in the PGPASSWORD environment variable. If you set this in a script, it will be inherited by every program it calls.
PGPASSWORD when set will be used as the password for any libpq connection, which means the majority of programs that connect to PostgreSQL.
I have an installation package that installs a service process that I create. I'd like to prompt the user for the username/password of the account that the service process should run under. I'd like to verify the the username/password combination are valid before continuing with the installation. I have a C DLL that I am using for special installation behavior, but I can't figure out how to use the Windows API to verify an account's credentials. I'd like to be able to support the same account name syntax used by the service control manager.
The function you want to use is LogonUser. You can even be extra-cool and specify the LOGON32_LOGON_SERVICE flag which checks to make sure the user has the appropriate permissions to run a service.
LogonUser is the canonical way to do this, though Microsoft somewhat discourages it.
I've implemented this using the LogonUser function as you guys have mentioned (by the way, this service requires WinXP SP2 or later so I'm not worried about the privilege issue). However, this isn't quite working as I had hoped. If I call QueryServiceConfig, lpServiceStartName is in the format ".\accountname". If I pass this string as is to LogonUser, it fails. I assume the portion before the '\' represents the machine on which the user belongs?
Also, if I call ChangeServiceConfig specifying "LocalSystem" and "" for the lpServiceStartName and lpPassword parameters respectively, this works fine. However, calling LogonUser with these parameters does not work.
I'd really like to use the same syntax that the SCM uses for the account names.