On Thu, Oct 19, 2017 at 9:24 AM, Linda Hagedorn <[email protected]> wrote:
> Hi,
>
> I need a referral about remediating AIX scripting that was written with
> passwords in clear text. These are maintenance scripts, batch jobs, etc.
>
> I have inherited an AIX platform with scripts with passwords in clear
> text. They are now hashed, but that is insufficient and they need to be
> encrypted.
>
> My background is mainframe DB2, not AIX security protocols, so am asking
> IBM-main for assistance.
>
> In AIX, there are groups and users, and/or AD groups and users.
> How do I cause the scripts to read an encrypted password file instead of
> using the password in clear text or hashed?
>

Well, in a sense, a script does not use passwords. A script is a series of
commands. The _commands_ may use passwords. But how they accept them is up
to the command. Some may allow the password to be supplied on the command
line itself. I know of a number which read "special" files, such as
~/.netrc (ftp client) or ~/.pgpass (psql command - PostgreSQL client).
Others may unconditionally try to read from /dev/tty (the user's terminal,
bypassing any redirection). And I think that I've read of some which can
use an environment variable, but my memory is fuzzy on this one.

You don't say how the "clear text" passwords are given to the commands.
The simplest I can think of would be: echo password | some-cmd. You also
do not say what encryption functions are available to you, such as gpg2
(GNU Privacy Guard).

But, at least to me, most of this is moot. If you put the password in the
script, even if encrypted, then it is not secure. It is more secure than
plain text, but the script must decrypt it in order to send it to the
program somehow. Anyone with any real smarts (like a decent cracker) will
just see what you do in the script to decrypt the password and do that
themselves. I can think of a way to make it much harder, but it would
require writing C code and doing some "nasty" (unusual) things with pseudo
terminals. This is not the kind of thing that many companies like their
administrators messing around with.

> Are there special flags on AIX or AD groups to make id's non-logon, like
> RACF with no TSO profile?
>

I know nothing about AD (MS Active Directory, that is). I doubt that many
here are AIX literate. I am just barely able to spell it. But I can do
Google searches rather well. Basically, this may be of some help:
http://public.dhe.ibm.com/systems/power/docs/aix/53/security_pdf.pdf

There is a file, /etc/security/user, which can be used. It is composed of
"stanzas" which define the security for a user. For example, if you want
"bubba" to not be able to log in (I think that means not have a shell
session), you have a "stanza" similar to:

bubba:
        login = false
        admin = false
        su = false
        daemon = false
        rlogin = false

Another way, which generally works on any *IX system, is to make the
user's shell program be /bin/false. Some *IX systems suggest /bin/nologin
as the "no login" shell program.

>
> I'm investing in doing it right going forward.
>
> References and best practice advice is sincerely appreciated.
>

I've never even smelled an AIX system, so I have no practical advice. And
I'm not all that practical anyway.

>
> Thanks, Linda
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
>

--
I just child proofed my house. But the kids still manage to get in.

Maranatha! <><
John McKown
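As an added example (not from John's message, Linda's question, or any IBM documentation), here is a shell function that feeds a command its secret from a separately protected file, in the "echo password | some-cmd" shape John describes, and refuses to proceed unless that file is a regular file owned by the caller with no group or other permission bits. The file path and "some-cmd" are placeholders; the secret is assumed to be the first line of the file.

```shell
# Added example, not part of the thread: keep the secret out of the script
# text and out of the command line by reading it from a 0600 file.
# Assumptions: the secret is the first line of FILE, and the consuming
# command accepts it on standard input (like "echo password | some-cmd").

# read_secret FILE
# Prints the first line of FILE on stdout only if FILE is a regular file,
# owned by the invoking user, with no group/other mode bits. Otherwise it
# prints nothing and returns non-zero, so a pipeline never receives a
# secret that other accounts could also have read. Uses only POSIX tools.
read_secret() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "read_secret: $f: not a regular file" >&2
        return 1
    fi
    # POSIX find -user prints the path only when the owner matches;
    # without -L it inspects a symlink itself, not its target.
    if [ -z "$(find "$f" -user "$(id -un)" -prune 2>/dev/null)" ]; then
        echo "read_secret: $f: not owned by $(id -un)" >&2
        return 1
    fi
    # Characters 5-10 of 'ls -l' output are the group and other mode bits.
    mode=$(ls -ld "$f" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "read_secret: $f: must not be readable by group/other" >&2
        return 1
    fi
    # First line only; accept a file with no trailing newline.
    IFS= read -r line < "$f" || [ -n "$line" ] || return 1
    printf '%s\n' "$line"
}

# Usage (placeholder path and command): the value is passed on stdin, so it
# appears neither in the script nor in 'ps' output.
#   read_secret "$HOME/.db_secret" | some-cmd
```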
