Solved: How to hide the password in the script when I use ...

kamal_jagga · ‎01-04-2016

I am using a curl command to reschedule alerts. I am using a shell script for this, but for executing the curl command, I need to enter username and password.

eg.

curl -ku admin:changeme https://localhost:8089/services/saved/searches/Rescheduling_POC_Alert1/reschedule -d schedule_time=2016-01-4T10:50:00Z -X POST

Now, I don't want anyone else to see this password. How should I hide my password? I have tried to use the 64bit unix encoder, but that somehow doesn't seem to be running fine. Kindly advise.

jkat54 · ‎01-05-2016

Is writing the script in python an option? If so I can probably help you encrypt the password and use requests lib vs curl.

Another option is to keep the password in encrypted file, read the file with bash, unencrypt with bash, and then use it with the curl command.

http://stackoverflow.com/questions/3318853/hide-encrypt-password-in-bash-file-to-stop-accidentally-s...

Still have to encrypt/decrpyt but here is an example where you create a session key in python, then use it to create a Message Of The Day.

def getSession(username,password):
 uri = "https://localhost:8089/services/auth/login"
 r = requests.get(uri, data={'username':username,'password':password}, verify=False)
 sessionkey = re.sub('"',"",json.dumps(re.sub('<response>\n\s+<sessionKey>|<\/sessionKey>\n<\/response>\n',"",r.text)))
 return sessionkey

def createMessage(sessionkey, title="Default Title",message="Default Message", severity="warn"):
 uri = "https://localhost:8089/services/messages/new"
 headers = {'Authorization':''}
 headers['Authorization'] = 'Splunk ' + sessionkey
 data ={'name':title,'value':message,'severity':severity}
 r = requests.post(uri, headers=headers, data=data, verify=False)
 if r.status_code<300:
  return True
 else:
  return r.status_code

def run():
 import requests
 import re
 sessionkey=getSession("admin","password") #this should be your user/pass
 createMessage(sessionkey, title="AWESOME Title",message="AWESEOME Message", severity="warn")

run()

View solution in original post

kuja · ‎01-05-2016

This might get you most of the way there, depends though on if you are comfortable with passwords being stored in a flat file ...otherwise I'm thinking Python...

https://coderwall.com/p/dsfmwa/securely-use-basic-auth-with-curl

HTH

jkat54 · ‎01-05-2016

Is writing the script in python an option? If so I can probably help you encrypt the password and use requests lib vs curl.

Another option is to keep the password in encrypted file, read the file with bash, unencrypt with bash, and then use it with the curl command.

http://stackoverflow.com/questions/3318853/hide-encrypt-password-in-bash-file-to-stop-accidentally-s...

Still have to encrypt/decrpyt but here is an example where you create a session key in python, then use it to create a Message Of The Day.

def getSession(username,password):
 uri = "https://localhost:8089/services/auth/login"
 r = requests.get(uri, data={'username':username,'password':password}, verify=False)
 sessionkey = re.sub('"',"",json.dumps(re.sub('<response>\n\s+<sessionKey>|<\/sessionKey>\n<\/response>\n',"",r.text)))
 return sessionkey

def createMessage(sessionkey, title="Default Title",message="Default Message", severity="warn"):
 uri = "https://localhost:8089/services/messages/new"
 headers = {'Authorization':''}
 headers['Authorization'] = 'Splunk ' + sessionkey
 data ={'name':title,'value':message,'severity':severity}
 r = requests.post(uri, headers=headers, data=data, verify=False)
 if r.status_code<300:
  return True
 else:
  return r.status_code

def run():
 import requests
 import re
 sessionkey=getSession("admin","password") #this should be your user/pass
 createMessage(sessionkey, title="AWESOME Title",message="AWESEOME Message", severity="warn")

run()

kamal_jagga · ‎01-05-2016

Thanks for sharing the code. But i am not good in python so would stick to shell.

comjb · ‎09-10-2018

This is horrible advice. Base64 is not encryption, but obfuscation. Very simple to decode.

kamal_jagga · ‎01-05-2016

Hi,

I found a solution for this.

a. Create base 64 encrypted password.
eg
$ echo "kamal" |base64
a2FtYWwK
$

b. Save this encrypted password in a password file.

c. In your script, add the below code to fetch the password and then decrypt it.
source /path of password file/fileName
DB_PASSWORD=echo $PASSWORD|base64 -d

Decrypted password is placed in variable DB_PASSWORD.
d. Give both the files permissions 700.

Hope this helps.

tstaberow · ‎03-01-2016

Just to be clear here, base64 is a reversible binary encoding algorithm and not an encryption algorithm. It will in no way secure stored passwords.

thambisetty · ‎02-12-2018

yes, you are right. I tried decryption of the encryption password its giving plain text.

————————————
If this helps, give a like below.

jkat54 · ‎01-06-2016

This is the exact solution i gave you in my answer...

To help the community, do you mind posting this as a comment on my answer and then marking my answer as the correct one? I gave 2 methods to solve this problem. 1. flat file that has password within and encoded. 2. python script that pulls session from splunkd and uses the session as the authorization header.

jkat54 · ‎04-18-2016

Help me out here please @ppablo_splunk

ppablo · ‎04-19-2016

done 🙂 and thanks for the nice comment here @jkat54 https://answers.splunk.com/answers/12059/unanswered-questions.html#comment-394864

When I am summoned, just fyi it might take me a couple days to see that notification email. I get hundreds of emails a week for all follow up comments/answers on questions I've edited and followed which is usually 99.9% of all posts, that is, unless I take PTO and there's no way for me to catch up on everything that came up while I was gone. I'm currently the only Splunker that reviews and edits content extensively on Answers, so most priority goes to new questions that are posted daily. Then, when/if I have time towards the end of the day, I go through emails to review all follow up activity. Sometimes, if I have other projects I have to work on, my backlog of emails can pile up and it will take me longer to revisit everything.

So until we get more folks on the community team to help with monitoring content on Answers, just be patient with me 🙂 Will do my best to get back to you.

Cheers!

Patrick

jkat54 · ‎04-19-2016

@ppablo_splunk I got nothing but love and patience for you sir! It's not often that I review previous answers but when I do and find extraordinary situations I'll be sure to tag you and wait. Maybe one day i'll have your direct line / email and can reach you that way, until then I'll be patient and not complain about your performance in any way because its nothing but good and steady work from what I've seen following you.

javiergn · ‎01-04-2016

Hi, i know it might not be a valid option for you but I use CyberArk AIM on my scripts:

http://www.cyberark.com/products/privileged-account-security-solution/application-identity-manager/

kamal_jagga · ‎01-04-2016

Thanks, but that will involve lengthy process of enrolling/buying the product 😞

richgalloway · ‎01-04-2016

Perhaps you could pass your password as an argument to the script?

---
If this reply helps you, Karma would be appreciated.

kamal_jagga · ‎01-04-2016

But still i will have to save the password in some file ?

There is another option, which i thought of. Giving my file only 700 permission but this will still have my non-encrypted password.

richgalloway · ‎01-05-2016

If the script is launched manually, you enter the password when you start the script. Another possible solution is to encode the password and decode it before passing to curl as described here, but it only protects against casual viewers of the script.

---
If this reply helps you, Karma would be appreciated.

How to hide the password in the script when I use a curl command?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies