Best practices for holding passwords in shell / Perl scripts?

逝去的感伤 2021-02-08 02:19

I've recently had to dust off my Perl and shell script skills to help out some colleagues. The colleagues in question have been tasked with providing some reports from an inter

13 answers
  •  时光取名叫无心
    2021-02-08 02:23

    I have / had a similar issue with developers deploying SQL code to MSSQL (in fact to any database on that MSSQL server, so role had to be SysAdmin) using ANT from a Solaris server. Again I did not want to store the username and password in the ANT build.xml files so my solution, which I know is not ideal, is as follows:

    1. Store name / value pairs for username and password in a plain text file
    2. Encrypt file (on Solaris) and use a pass phrase only known to certain admins
    3. Leave only the encrypted file on the Solaris system
    4. ANT build.xml runs a sudo decrypt and prompts for pass phrase, which is entered by admin
    5. ANT sources decrypted file loading username and password as variables for the SQL string
    6. ANT immediately deletes the plaintext file
    7. ANT deploys code and exits

    This all happens in a matter of seconds, and the SQL username and password are never visibly accessible on the server. As the code is deployed by allowed admins in production, the developers never need to include it in their code.

    I am sure it could be better, but...

    JB
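
Steps 4 to 6 of the answer above, sketched in POSIX shell as an added example (not the poster's ANT setup): the decrypted name/value pairs are held in a shell variable and parsed, rather than written to a plaintext file and sourced, so there is nothing to delete afterwards and the file's contents cannot run as commands. The `openssl enc` options, the `DB_USER`/`DB_PASS` key names, the file names and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Assumes creds.enc was produced (file names are placeholders) by:
#   openssl enc -aes-256-cbc -pbkdf2 -salt -in creds.txt -out creds.enc
# and that creds.txt held lines DB_USER=... and DB_PASS=... (assumed names).

# decrypt_creds FILE [PASS_SOURCE]
# Writes the decrypted pairs to stdout. With no PASS_SOURCE, openssl prompts
# the admin on the terminal; otherwise PASS_SOURCE is an openssl pass phrase
# source such as file:/path or fd:3 (avoid pass:..., which shows up in ps).
decrypt_creds() {
    if [ -n "${2:-}" ]; then
        openssl enc -d -aes-256-cbc -pbkdf2 -pass "$2" -in "$1"
    else
        openssl enc -d -aes-256-cbc -pbkdf2 -in "$1"
    fi
}

# first_value KEY TEXT: print the value of the first KEY=value line in TEXT.
# printf is a builtin in common shells, so TEXT never appears in a process's argv.
first_value() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1
}

# load_creds FILE [PASS_SOURCE]
# Sets DB_USER and DB_PASS in the current shell; returns non-zero if the
# decryption fails or either key is missing. Values are parsed, never sourced.
load_creds() {
    DB_USER='' DB_PASS=''
    _plain=$(decrypt_creds "$@") || { unset _plain; return 1; }
    DB_USER=$(first_value DB_USER "$_plain")
    DB_PASS=$(first_value DB_PASS "$_plain")
    unset _plain
    [ -n "$DB_USER" ] && [ -n "$DB_PASS" ]
}
```

Hand the values to the database client through its stdin or a protected option file rather than on its command line, and `unset DB_USER DB_PASS` once the deployment finishes.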
