When discussing this issue with a colleague recently, we came to the question of how you protect a password that you need to access another password and he observed that, “before you know it, it’s Turtles all the way!”
Regular readers will be unsurprised to learn that I immediately thought of this…
… which may explain some of the more obscure references that might creep into what follows. Look, I’ll do my best not to get turtly carried away.
You may well have stumbled across this post because you’re supporting a venerable ETL application running on Oracle which employs a number of Linux shell scripts. These scripts connect to the database via SQL*Plus. The password is hard-coded (or possibly stored in an environment variable). Either way, it’s available in the application in clear text and you’d like to do something about it.
Additionally, you’ve probably just found out that the database schema’s password, which hasn’t changed for about 15 years, is now going to change once a month, and you need a way of stopping your scripts from breaking every time this happens.
In summary then, we want to harden our application and specifically:
- protect access to the database from the box that our shell scripts are executing on
- protect the database logon credentials themselves from being exposed
We’re going to start by looking at a typical shell script setup, complete with clear text password.
We’ll then look at the biggest single step we can take to make it more secure.
We’ll then review some of the options available to remove the password from our shell scripts altogether.
The Discworld philosopher Didactylos is on record as saying you can’t trust anyone further than you can throw them. Bearing this in mind, we’ll take a look at the security limitations inherent in each solution.
The options we’re going to look at are:
- OS Authentication
- OpenSSL
- Oracle Wallet
We’ll conclude by looking at an architectural approach which does not render the application vulnerable in the same way.
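As an added example that is not code from the original post: the clear-text SQL*Plus call described above next to the shape it takes once the password lives in an Oracle Wallet (one of the options listed), plus a small reviewer check that flags the weak form in a script. All user names, passwords, TNS aliases and paths are constructed.

```shell
# Added example, not from the original post; every name, password,
# alias and path below is constructed for illustration.
# Weak: the password sits in the script, in `ps` output and in shell
# history while sqlplus runs. Shown for contrast only.
weak_sqlplus_call() {
    echo 'sqlplus -S scott/tiger@orcl @report.sql'
}
# Hardened: sqlplus resolves /@alias against the wallet named by
# WALLET_LOCATION in sqlnet.ora; the script only knows the TNS alias.
wallet_sqlplus_call() {
    echo "sqlplus -S /@$1 @report.sql"
}
# Flag lines that hand a <user>/<password> token to sqlplus, or to a
# CONNECT inside a SQL*Plus here-document. The user part must be
# non-empty, so /@alias (wallet), "/ as sysdba" (OS authentication)
# and /nolog are not reported.
find_cleartext_credentials() {
    cred='[[:space:]"][A-Za-z0-9_$#{}]+/[^[:space:]@"]+'
    grep -nE "$cred" "$1" | grep -E 'sqlplus|^[0-9]+:[[:space:]]*conn(ect)?[[:space:]]' || true
}
count_cleartext_credentials() {
    find_cleartext_credentials "$1" | grep -c . || true
}
# Writes a constructed sample script that mixes the weak and the
# hardened forms, and prints its path.
make_sample_script() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
#!/bin/bash
sqlplus -S scott/tiger@orcl @report.sql
sqlplus -S "$DB_USER/$DB_PASS@$TNS" @report.sql
sqlplus -S /nolog <<SQL
connect scott/tiger@orcl
@report.sql
SQL
sqlplus -S /@orcl </opt/etl/sql/load.sql 2>/dev/null
sqlplus -S / as sysdba <<SQL
select 1 from dual;
SQL
EOF
    echo "$f"
}
SAMPLE=$(make_sample_script)
find_cleartext_credentials "$SAMPLE"   # reports sample lines 2, 3 and 5
rm -f "$SAMPLE"
```

The environment-variable form on sample line 3 is reported too: the password still reaches the sqlplus command line, which is what the check looks for.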
Continue reading “Turtles All the Way ! Removing Clear Text passwords from bash scripts invoking SQL*Plus”