CentOS - Dec 2009 - best practises for avoiding to write passwords in shell scripts (example sqlplus from Oracle)

Hi folks

I have here a CentOS box where i need to setup cronjob (with session
to remote Oracle instance). On the remote DB i have no access, expect
limited user.

How to avoid putting passwords in shell scripts?

The solution doesn't need to be perfect, only better than plain text
passwords in scripts.
Mostly remote host only support password authentication (no
certificates and so on).

cheers
Sven

On Tue, Dec 1, 2009 at 16:48, Sven Aluoor <aluoor at gmail.com>
wrote:
> Hi folks
>
> I have here a CentOS box where i need to setup cronjob (with session
> to remote Oracle instance). On the remote DB i have no access, expect
> limited user.
>
> How to avoid putting passwords in shell scripts?
>
> The solution doesn't need to be perfect, only better than plain text
> passwords in scripts.
> Mostly remote host only support password authentication (no
> certificates and so on).
I'm a little unclear on exactly what you're asking. Do you want the
job to run in the crontab of the remote (Oracle DB) host, or in the
crontab of your own (local) machine?

Also, how are you accessing the Oracle DB? Are you running a DB client
on your local machine and connecting to the DB over the network? Or
are you logging into the remote host (with SSH, telnet, etc.) and then
opening a local DB connection?

-Ryan

Sven Aluoor wrote:
> Hi folks
>
> I have here a CentOS box where i need to setup cronjob (with session
> to remote Oracle instance). On the remote DB i have no access, expect
> limited user.
>
> How to avoid putting passwords in shell scripts?
>
> The solution doesn't need to be perfect, only better than plain text
> passwords in scripts.
> Mostly remote host only support password authentication (no
> certificates and so on).
>   
postgresql supports a .pgpasswd file in the users home directory thats 
permission 600, so only the owner can access it.    
Maybe Oracle has something similar?

Sven Aluoor wrote:
> Hi folks
>
> I have here a CentOS box where i need to setup cronjob (with session
> to remote Oracle instance). On the remote DB i have no access, expect
> limited user.
With sqlplus and oracle I pretty much always ran scripts
as sysdba

from one of my scripts that fires up Oracle ASM:
# Set variables for ASM sid (first)
su $ORACLE_USERNAME -c "echo "startup" | sqlplus / as
sysdba" | tee
$ASM_STARTUP_LOG

another example -
        su $ORACLE_USERNAME -c "sqlplus / as sysdba 
@/home/oracle/sql/snapshot-restore/restore-from-prod-oracle-change-passwords.sql"
| tee -a $FINAL_SQL_LOG

If I needed to login as a specific user to oracle I would login
as sysdba and run

alter session set current_schema=OTHER_USER_NAME;

to change the user name after login.

So no passwords needed.

For servers, everything automated relies on ssh key based auth.

I'm no Oracle expert by any means!

nate