如何隐藏用于访问 MySQL 的 bash 脚本中使用的密码/用户名?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/2144218/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How can I hide a password/username used in a bash script for accessing MySQL?
提问by Steven
I am writing a bash script that I plan to execute via cron. In this script, I want to execute a command against a MySQL database, something like this:
我正在编写一个计划通过 cron 执行的 bash 脚本。在这个脚本中,我想对 MySQL 数据库执行一个命令,如下所示:
$ mysql -u username -ppassword -e 'show databases;'
For clarity and those not familiar with mysql, the "-u" switch accepts the username for accessing the database and the "-p" is for password (space omitted purposely).
为了清楚和那些不熟悉 mysql 的人,“-u”开关接受访问数据库的用户名,“-p”是密码(故意省略空格)。
I am looking for a good way to keep the username/password handy for use in the script, but in a manner that will also keep this information secure from prying eyes. I have seen strategies that call for the following:
我正在寻找一种很好的方法来保持用户名/密码在脚本中使用方便,但同时也可以保护这些信息不被窥探。我见过要求以下内容的策略:
- Keep password in a file: pword.txt
- chmod 700 pword.txt (remove permissions for all except the file's owner"
- Cat pword.txt into a variable in the script when needed for login.
- 将密码保存在文件中:pword.txt
- chmod 700 pword.txt(删除除文件所有者之外的所有权限)
- 当需要登录时,将 pword.txt 放入脚本中的变量中。
but I don't feel that this is very secure either (something about keeping passwords in the clear makes me queasy).
但我也不觉得这很安全(将密码保持清晰让我感到不安)。
So how should I go about safeguarding password that will be used in an automated script on Linux?
那么我应该如何保护将在 Linux 上的自动脚本中使用的密码?
采纳答案by AJ.
One way you can obfuscate the password is to put it into an options file. This is usually located in ~/.my.cnfon UNIX/Linux systems. Here is a simple example showing user and password:
混淆密码的一种方法是将其放入选项文件中。这通常位于UNIX/Linux 系统上的~/.my.cnf中。这是一个显示用户和密码的简单示例:
[client]
user=aj
password=mysillypassword
回答by Norman Ramsey
The only truly safe way to guard your password is to encrypt it. But then you have the problem of safeguarding the encryption key. This problem is turtles all the way down.
保护密码的唯一真正安全的方法是对其进行加密。但是随后您就会遇到保护加密密钥的问题。这个问题是乌龟一路下来。
When the good people who build OpenSsh tackled this problem, they provided a tool called ssh-agentwhich will hold onto your credentials and allow you to use them to connect to a server at need. But even ssh-agentholds a named socket in the filesystem, and anybody who can get access to that socket can act using your credentials.
当构建 OpenSsh 的好人解决这个问题时,他们提供了一个名为的工具,该工具ssh-agent将保留您的凭据并允许您在需要时使用它们连接到服务器。但即使ssh-agent在文件系统中拥有一个命名套接字,任何可以访问该套接字的人都可以使用您的凭据进行操作。
I think the only two alternatives are
我认为唯一的两个选择是
Have a person type a password.
Trust the filesystem.
让一个人输入密码。
信任文件系统。
I'd trust only a local filesystem, not a remote mounted one. But I'd trust it.
我只信任本地文件系统,而不信任远程安装的文件系统。但我会相信它。
Security is hell.
安全是地狱。
回答by ghostdog74
Please see the doc for some guidelines. an extra step you can take is to restrict the use of ps command for normal users, if they have the permission to access the server.
请参阅文档了解一些指南。您可以采取的额外步骤是限制普通用户使用 ps 命令,前提是他们有权访问服务器。
回答by Tor Valamo
I'll agree with Norman that you should have someone type the password. If you just supply the -pflag without an accompanying password, it will prompt the user for it.
我同意诺曼的意见,你应该有人输入密码。如果您只提供-p标志而不附带密码,它会提示用户输入密码。
