How to store user credentials for a script

I need to use an old version of ClearQuest 7, and the only APIs included in our installation are for VBA (Excel) and RatlPERL. (The REST API is not an option for us - although it has the same cleartext permissions issue.)

I wrote a ratlperl script that runs queries against the defects database and produces csv output. Please note that ratlperl requires cleartext user credentials for authentication.

ratlperl query.cqpl -u %userid% -p %password% -q "%query%" -c %outfile%

This script is called from a Windows batch file. When run from the Windows command line without parameters, the batch file prompts for user credentials, but they can also be supplied as parameters.

query.bat %userid% %password%


I am running daily requests and user credentials are passed as parameters to a batch file.

This all works well, but I don't want to store the cleartext password this way. The registry would be one option, but anyone with access to the machine will have access to these credentials.

How do I store these credentials in a somewhat secure way?


2 answers


There are two things in there. One of them is the process list, which can show authorization credentials. Particularly on Unix - if you run ps it will show you arguments, which can include username and password. The way to handle this is basically "read from a file, not an argument list". On Unix, you can also change $0 to change how you display in ps (but this does not help the command history, and it is also not ideal as there will be a short period before it is applied).

Another is keeping the data at rest.

This is a little tricky. Fundamentally, there aren't many solutions that allow your script to gain access to credentials but would prevent an attacker from doing so.

In the end, if there is an easy way to inject print $password into your script ... they bypass just about any control you could overlay on it. Especially if they have admin access to your box, at which point ... there really is nothing you can do.



Solutions I would suggest:

Create a file with (clear text) username and password. Set it to minimum permissions. Run the script as a user with privileges, but don't let anyone else access that user account.

This way, other people can "see" your script (and may have to run it), but they cannot copy / hack / run it themselves.

I would suggest sudo for this on Unix. For Windows, I'm not sure how much complexity you have compared to RunAs - it's worth looking at, or alternatively having a scheduled task that runs as your service account and collects "request files" for processing that anyone can generate.

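An added example of the "read from a file, not an argument list" plus "scheduled task as a service account" approach on Windows (this is not code from the question or from either answer). It assumes the daily job runs under a dedicated service account, that query.cqpl has been modified to read CQ_USER/CQ_PASS from %ENV when -u/-p are omitted, and an arbitrary credential file path.

```powershell
# Added example, not from the original post. Assumptions:
#   - the daily job runs as a dedicated service account via Task Scheduler
#   - query.cqpl was changed to read CQ_USER / CQ_PASS from %ENV when -u/-p are omitted
#   - the credential file path below is arbitrary
$credPath = Join-Path $env:ProgramData 'cq-query\cq.cred.xml'

function Save-CqCredential {
    # One-time setup. Run interactively AS THE SERVICE ACCOUNT: Export-Clixml protects
    # the password with DPAPI, so only that user on this machine can decrypt it.
    New-Item -ItemType Directory -Force -Path (Split-Path $credPath) | Out-Null
    Get-Credential -Message 'ClearQuest account for daily queries' | Export-Clixml -Path $credPath
    # Drop inherited ACEs and leave read access only to the service account and SYSTEM.
    $me = "$env:USERDOMAIN\$env:USERNAME"
    icacls $credPath /inheritance:r /grant:r "${me}:(R)" 'SYSTEM:(R)' | Out-Null
}

function Invoke-CqQuery {
    param([string]$Query, [string]$OutFile)
    # Decrypts only when run by the same user on the same machine that ran Save-CqCredential.
    $cred = Import-Clixml -Path $credPath
    # Hand the secret to ratlperl through the process environment instead of the command
    # line, so it does not show up in process listings or in the command history.
    $env:CQ_USER = $cred.UserName
    $env:CQ_PASS = $cred.GetNetworkCredential().Password
    try {
        & ratlperl query.cqpl -q $Query -c $OutFile
    } finally {
        # Clear the secret from this process's environment once the query has run.
        Remove-Item Env:\CQ_PASS -ErrorAction SilentlyContinue
    }
}
```

Run Save-CqCredential once as the service account, then schedule Invoke-CqQuery under that same account; as the answer notes, a local administrator can still read the service account's memory or DPAPI keys, so this raises the bar for other users rather than defeating an admin.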

Since the security level shouldn't be that high, perhaps consider making a simple exe? Perhaps the password could somehow be read from memory, but I think that this method creates a rather large barrier.

Or something like this might be helpful?

http://www.battoexeconverter.com/

HTH
