I have created a Jenkins job which executes a shell script. "Unsafe" people can open it and start the job. The job executes a db tool in shell which requires the db password.
The Jenkins instance is run on a computer which can be accessed by "unsafe" people. The job is delegated to a slave which is accessed by "safe" people.
This is a parameterized build, has one parameter: password as Password Parameter.
For the sake of brevity the relevant part of the script is as follows:
#!/bin/bash +x
dban -u username -p ${password}
It runs fine and fails fine if the password is not correct. Echoing the command invoked is disabled by +x as the first line says.
Is this that simple? What else should I consider for safety reasons?
Do you want people to run the build and not have to pass in the parameter of the password? If so you should checkout setting up a credential for it.
https://support.cloudbees.com/hc/en-us/articles/203802500-Injecting-Secrets-into-Jenkins-Build-Jobs
https://github.com/jenkinsci/credentials-plugin/blob/master/docs/user.adoc
Related
I have a file on Git with the following shell script
File Name = Job.sh
echo "Warehouse script starting"
ssh -n username#server_name "mkdir -p ~/directory_name/folder_name/file_name"
Under Execute Shell in Jenkins I am running -
sh job.sh
The echo command gets printed in the console. But the job is not doing ssh into username#server_name and creating the directory. Appreciate any feedback.
Try the same command when connected directly to the Jenkins agent (using the account used by Jenkins on that agent)
The goal is to check if that user (on that server agent) does have the right pubic/private key pair in its $HOME/.ssh folder.
And double-check the public key is in servername:~username/.ssh/authorized_keys.
Make sure the private key is not encrypted, to avoid having to deal with ssh-agent and passphrase caching. At least for now, for testing your setup.
Note: the -n option (preventing to read from stdin) is usually for ssh commands executed in the background. You might not need it in your case.
Try also to add #!/bin/bash -x at the beginning of your script (assuming you do have a bash) in order to print all lines executed.
thanks for taking time reading my issue.
I have a jenkins job that executes a shell script on a remote machine via ssh.
This script asks for username and password in a "form" way, so the two vars can not be sent as parameters. This script also verifies if the username and password are set as environment variables on the remote machine, if so, it runs without asking for inputs.
Here is the command i give to jenkins job build:
ssh admin#10.24.66.254 'SVN_USER=foo SVN_PASSWORD=bar sh /app/script.sh'
--> The script runs properly BUT, it shows my credentials on the jenkins job conf and console output.
--> Now i think about parametrizing the job so that it will dynamicly ask for username/password, but i don't know how to inject them into my command line so that i can transfer them as env vars on the remote machine.
when i do:
ssh admin#10.24.66.254 'SVN_USER=$LOGIN SVN_PASSWORD=$PWD sh /app/script.sh'
it doesnt consider that $LOGIN and $PWD are jenkins input vars because of the simple quotes used to execute the script.
I hope i clarified well the situation, thanks for reading !
A good starting point for this would be Injecting-Secrets-into-Jenkins-Build-Jobs
OR
You can also use Jenkin's Environment Injector Plugin. But be sure to review the security notices while using this plugin.
I have the following task for my golang code:
The command has to be run as root user on the server remotely in bash and the command output has to be fetched in a variable.
Logging over ssh as root is disabled.
sudo on the server is disabled, so I have to use 'su -' and type password
since I want to make it as automated as possible in bash, the password has to be stored inside the command
Here are the workflow actions:
Login via SSH (as unprivileged user) to remote host
Elevate to privileged 'root' user --> su -
Type the root password
run the command which root can execute
get to output to string on localhost and do some actions
I have Googled for days, but it seems that I cannot find a solution for this.
Does anyone have a solution to this?
The issue you are facing is concerning interacting with the command after it has been executing.
It is quite easy to use exec.Command for non-interactive commands.
I would recommend using Expect for interaction, or the Golang equivalent located here.
I am new to unix and scripting, need your help for the below scenario.
These are the contents of my .sh file
#!/bin/bash
usrun xyz
whoami
When I am calling this bash file from putty its asking me for my xyz user's password some other information to properly log in the xyz user.
After successfully login, the $ sign in putty changes to #### xyz$, so I am guessing its opening a new session for the xyz user.
However, after that, the whoami command is not getting executed. Only after I type exit the whoami command is getting executed.
why is this happening? How to execute the whoami command after successful authentication of xyz user?
The #### represents the last four digits of my server to which I am currently connected to via putty.
The usrun command without any parameters blocks the execution of the bash script. Thus, until the command is not finished (when you type exit), the next command (whoami) is not executed.
If you want to login into the machine and execute a command you should try:
#!/bin/bash
usrun -u xyz whoami
The -u option allows you to specify the user and next you can provide the command to execute.
If you want to execute more than one command in the remote machine using Putty I suggest you to follow something similar to this post:
https://superuser.com/questions/1103873/how-to-type-commands-in-putty-by-creating-batch-file
I wrote a shell script to hook into a password protected database. A couple of others want to use the same shell script to share the database access, but I don't want to expose the password that is being used. Is there a way to lock the script so that no one can read it and only execute it? It'd also be ideal for them to enter their sudo password to run the script
Is there a way to lock the script so that no one can read it and only
execute it? It'd also be ideal for them to enter their sudo password
to run the script
Sure. Let's say the script containing the credentials is /usr/local/bin/myscript. Make this file owned by a privileged user. Let's say we have a user named "credentials":
# chown credentials /usr/local/bin/myscript
# chmod 700 /usr/local/bin/myscript
Now only the credentials user can read and execute this script.
Create another script /usr/local/bin/mywrapper that looks like this:
#!/bin/sh
exec sudo -u credentials /usr/local/bin/myscript
And create the appropriate /etc/sudoers entry:
auser ALL=(credentials) /usr/local/bin/myscript
So now, user auser runs "mywrapper". This in turn uses sudo to call the real script, which will prompt auser for their password.
I think this does everything you want. We use a mechanism very much like this at my office to protect credentials (in our case, ssh private keys).
In order to execute a shell script, you have to be able to read it. There are a couple of things you could do:
Who administers this database? Could the users get their own passwords for read only access? That would be ideal because it could limit their access to a small subset of the database.
If they have to have sudo access to run this script, maybe it's possible to remove the password out of the file and into a file that has 600 permissions set. The problem is that this could leak. For example, what if they run the script with set -xv? Then, they could see the password as the script executes.
Can you create a subset of data they might be interested in outside of the database? Then, have your script access that?
Or, you might want to take a look at several read-only modules in Perl. I'm thinking something like Acme::EyeDrops or Acme::Bleach which remove all those unsightly letters and numbers from your Perl script. (And I wonder why Python programmers say Perl is unreadable?)