I am writing a bash script that I plan to execute via cron. In this script, I want to execute a command against a MySQL database, something like this:
$ mysql -u username -ppassword -e 'show databases;'
For clarity and those not familiar with mysql, the "-u" switch accepts the username for accessing the database and the "-p" is for password (space omitted purposely).
I am looking for a good way to keep the username/password handy for use in the script, but in a manner that will also keep this information secure from prying eyes. I have seen strategies that call for the following:
but I don't feel that this is very secure either (something about keeping passwords in the clear makes me queasy).
So how should I go about safeguarding password that will be used in an automated script on Linux?
One way you can obfuscate the password is to put it into an options file. This is usually located in ~/.my.cnf on UNIX/Linux systems. Here is a simple example showing user and password:
[client]
user=aj
password=mysillypassword
The only truly safe way to guard your password is to encrypt it. But then you have the problem of safeguarding the encryption key. This problem is turtles all the way down.
When the good people who build OpenSsh tackled this problem, they provided a tool called ssh-agent
which will hold onto your credentials and allow you to use them to connect to a server at need. But even ssh-agent
holds a named socket in the filesystem, and anybody who can get access to that socket can act using your credentials.
I think the only two alternatives are
Have a person type a password.
Trust the filesystem.
I'd trust only a local filesystem, not a remote mounted one. But I'd trust it.
Security is hell.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With