Getting Data In

How to hide the password in the script when I use a curl command?

kamal_jagga
Contributor

I am using a curl command to reschedule alerts. I am using a shell script for this, but for executing the curl command, I need to enter username and password.

eg.

curl -ku admin:changeme https://localhost:8089/services/saved/searches/Rescheduling_POC_Alert1/reschedule -d schedule_time=2016-01-4T10:50:00Z -X POST

Now, I don't want anyone else to see this password. How should I hide my password? I have tried to use the 64bit unix encoder, but that somehow doesn't seem to be running fine. Kindly advise.

Tags (4)
0 Karma
1 Solution

jkat54
SplunkTrust
SplunkTrust

Is writing the script in python an option? If so I can probably help you encrypt the password and use requests lib vs curl.

Another option is to keep the password in encrypted file, read the file with bash, unencrypt with bash, and then use it with the curl command.

http://stackoverflow.com/questions/3318853/hide-encrypt-password-in-bash-file-to-stop-accidentally-s...

Still have to encrypt/decrpyt but here is an example where you create a session key in python, then use it to create a Message Of The Day.

def getSession(username,password):
 uri = "https://localhost:8089/services/auth/login"
 r = requests.get(uri, data={'username':username,'password':password}, verify=False)
 sessionkey = re.sub('"',"",json.dumps(re.sub('<response>\n\s+<sessionKey>|<\/sessionKey>\n<\/response>\n',"",r.text)))
 return sessionkey

def createMessage(sessionkey, title="Default Title",message="Default Message", severity="warn"):
 uri = "https://localhost:8089/services/messages/new"
 headers = {'Authorization':''}
 headers['Authorization'] = 'Splunk ' + sessionkey
 data ={'name':title,'value':message,'severity':severity}
 r = requests.post(uri, headers=headers, data=data, verify=False)
 if r.status_code<300:
  return True
 else:
  return r.status_code

def run():
 import requests
 import re
 sessionkey=getSession("admin","password") #this should be your user/pass
 createMessage(sessionkey, title="AWESOME Title",message="AWESEOME Message", severity="warn")

run()

View solution in original post

kuja
Splunk Employee
Splunk Employee

This might get you most of the way there, depends though on if you are comfortable with passwords being stored in a flat file ...otherwise I'm thinking Python...

https://coderwall.com/p/dsfmwa/securely-use-basic-auth-with-curl

HTH

0 Karma

jkat54
SplunkTrust
SplunkTrust

Is writing the script in python an option? If so I can probably help you encrypt the password and use requests lib vs curl.

Another option is to keep the password in encrypted file, read the file with bash, unencrypt with bash, and then use it with the curl command.

http://stackoverflow.com/questions/3318853/hide-encrypt-password-in-bash-file-to-stop-accidentally-s...

Still have to encrypt/decrpyt but here is an example where you create a session key in python, then use it to create a Message Of The Day.

def getSession(username,password):
 uri = "https://localhost:8089/services/auth/login"
 r = requests.get(uri, data={'username':username,'password':password}, verify=False)
 sessionkey = re.sub('"',"",json.dumps(re.sub('<response>\n\s+<sessionKey>|<\/sessionKey>\n<\/response>\n',"",r.text)))
 return sessionkey

def createMessage(sessionkey, title="Default Title",message="Default Message", severity="warn"):
 uri = "https://localhost:8089/services/messages/new"
 headers = {'Authorization':''}
 headers['Authorization'] = 'Splunk ' + sessionkey
 data ={'name':title,'value':message,'severity':severity}
 r = requests.post(uri, headers=headers, data=data, verify=False)
 if r.status_code<300:
  return True
 else:
  return r.status_code

def run():
 import requests
 import re
 sessionkey=getSession("admin","password") #this should be your user/pass
 createMessage(sessionkey, title="AWESOME Title",message="AWESEOME Message", severity="warn")

run()

View solution in original post

kamal_jagga
Contributor

Thanks for sharing the code. But i am not good in python so would stick to shell.

0 Karma

comjb
Loves-to-Learn Lots

This is horrible advice. Base64 is not encryption, but obfuscation. Very simple to decode.

0 Karma

kamal_jagga
Contributor

Hi,

I found a solution for this.

a. Create base 64 encrypted password.
eg
$ echo "kamal" |base64
a2FtYWwK
$

b. Save this encrypted password in a password file.

c. In your script, add the below code to fetch the password and then decrypt it.
source /path of password file/fileName
DB_PASSWORD=echo $PASSWORD|base64 -d

Decrypted password is placed in variable DB_PASSWORD.
d. Give both the files permissions 700.

Hope this helps.

0 Karma

tstaberow
Engager

Just to be clear here, base64 is a reversible binary encoding algorithm and not an encryption algorithm. It will in no way secure stored passwords.

thambisetty
Super Champion

yes, you are right. I tried decryption of the encryption password its giving plain text.

————————————
If this helps, give a like below.
0 Karma

jkat54
SplunkTrust
SplunkTrust

This is the exact solution i gave you in my answer...

To help the community, do you mind posting this as a comment on my answer and then marking my answer as the correct one? I gave 2 methods to solve this problem. 1. flat file that has password within and encoded. 2. python script that pulls session from splunkd and uses the session as the authorization header.

jkat54
SplunkTrust
SplunkTrust

Help me out here please @ppablo_splunk

0 Karma

ppablo
Community Manager
Community Manager

done 🙂 and thanks for the nice comment here @jkat54 https://answers.splunk.com/answers/12059/unanswered-questions.html#comment-394864

When I am summoned, just fyi it might take me a couple days to see that notification email. I get hundreds of emails a week for all follow up comments/answers on questions I've edited and followed which is usually 99.9% of all posts, that is, unless I take PTO and there's no way for me to catch up on everything that came up while I was gone. I'm currently the only Splunker that reviews and edits content extensively on Answers, so most priority goes to new questions that are posted daily. Then, when/if I have time towards the end of the day, I go through emails to review all follow up activity. Sometimes, if I have other projects I have to work on, my backlog of emails can pile up and it will take me longer to revisit everything.

So until we get more folks on the community team to help with monitoring content on Answers, just be patient with me 🙂 Will do my best to get back to you.

Cheers!

Patrick

jkat54
SplunkTrust
SplunkTrust

@ppablo_splunk I got nothing but love and patience for you sir! It's not often that I review previous answers but when I do and find extraordinary situations I'll be sure to tag you and wait. Maybe one day i'll have your direct line / email and can reach you that way, until then I'll be patient and not complain about your performance in any way because its nothing but good and steady work from what I've seen following you.

0 Karma

javiergn
SplunkTrust
SplunkTrust

Hi, i know it might not be a valid option for you but I use CyberArk AIM on my scripts:

http://www.cyberark.com/products/privileged-account-security-solution/application-identity-manager/

0 Karma

kamal_jagga
Contributor

Thanks, but that will involve lengthy process of enrolling/buying the product 😞

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Perhaps you could pass your password as an argument to the script?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

kamal_jagga
Contributor

But still i will have to save the password in some file ?

There is another option, which i thought of. Giving my file only 700 permission but this will still have my non-encrypted password.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If the script is launched manually, you enter the password when you start the script. Another possible solution is to encode the password and decode it before passing to curl as described here, but it only protects against casual viewers of the script.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!