Hello, I would like to password protect my .sh file. Thanks
Is it possible?
Out of the box, OpenWRT runs everything as root. If you have shell access you can access the filesystem. Best advice is to use openssh or dropbear from local network using a key file rather than password. I never looked into running non-root stuff, might be possible. What is your use case?
Not really.
Yes, it's technically possible to add a self-extracting decryptor to your program -including shell implementations- but that's usually more common in malware or proprietary circles (and easier to accomplish for binary executables than shell scripts) and severely raises the complexity of your shell script and its fragility (the loader mustn't clobber the environment of the actual payload) and would still be prone to being decoded on execution.
No, I don't have pointers to example implementations of this, but it's possible (with the caveats mentioned above - and probably a few more).
Thanks for your response all
This idea interested me so I looked for a solution and found one that seems to fit my threat model and it might be of interest to you or others. I tried a simple shell script and being new to Linux and OpenWrt, I don't know if the shell pipeline works with more complex shell syntax.
I found a similar solution at Stack Overflow for how to execute gpg encrypted shell files using the command `gpg -qd script.sh.gpg 2>/dev/null | bash -`. I also found a small encryption program called ccrypt which is available for my OpenWrt arch with `opkg list |grep crypt`. It is 46k installed. I installed it with `opkg install ccrypt`.
I wrote a simple test script test.sh, made a backup, encrypted it with `ccencrypt test.sh` which created a file named `test.sh.cpt`, and I ran it successfully with `ccat test.sh.cpt | ash -`. Both encrypting and decrypting prompted me to enter the password. Keeping `2>/dev/null` hides the password prompt. Details on ccrypt are at http://ccrypt.sourceforge.net/
Here is the output of `ccrypt --help` on my OpenWrt router:
```
ccrypt 1.11. Secure encryption and decryption of files and streams.

Usage: ccrypt [mode] [options] [file...]
       ccencrypt [options] [file...]
       ccdecrypt [options] [file...]
       ccat [options] file...

Modes:
    -e, --encrypt          encrypt
    -d, --decrypt          decrypt
    -c, --cat              cat; decrypt files to stdout
    -x, --keychange        change key
    -u, --unixcrypt        decrypt old unix crypt files

Options:
    -h, --help             print this help message and exit
    -V, --version          print version info and exit
    -L, --license          print license info and exit
    -v, --verbose          print progress information to stderr
    -q, --quiet            run quietly; suppress warnings
    -f, --force            overwrite existing files without asking
    -m, --mismatch         allow decryption with non-matching key
    -E, --envvar var       read keyword from environment variable (unsafe)
    -K, --key key          give keyword on command line (unsafe)
    -k, --keyfile file     read keyword(s) as first line(s) from file
    -P, --prompt prompt    use this prompt instead of default
    -S, --suffix .suf      use suffix .suf instead of default .cpt
    -s, --strictsuffix     refuse to encrypt files which already have suffix
    -F, --envvar2 var      as -E for second keyword (for keychange mode)
    -H, --key2 key         as -K for second keyword (for keychange mode)
    -Q, --prompt2 prompt   as -P for second keyword (for keychange mode)
    -t, --timid            prompt twice for encryption keys (default)
    -b, --brave            prompt only once for encryption keys
    -y, --keyref file      encryption key must match this encrypted file
    -r, --recursive        recurse through directories
    -R, --rec-symlinks     follow symbolic links as subdirectories
    -l, --symlinks         dereference symbolic links
    -T, --tmpfiles         use temporary files instead of overwriting (unsafe)
    --                     end of options, filenames follow
```
Enjoy.
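An added example, not part of the original posts: a small wrapper for the decrypt-and-run approach in the post above that executes the script only if the decryptor exited successfully, keeps the plaintext out of the filesystem, and leaves stdin and arguments available to the script (the plain `ccat file | ash -` pipeline uses stdin to carry the script itself). The function name `run_encrypted`, the `DECRYPT` variable and the exit codes 65/66 are assumptions of this example; `ccat` is the command from the post.

```shell
#!/bin/sh
# Added example (not from the thread): decrypt-then-run wrapper.
# DECRYPT is the decrypt-to-stdout command; ccat is the one used in the post.
# run_encrypted, DECRYPT and the 65/66 exit codes are assumptions of this example.
DECRYPT="${DECRYPT:-ccat}"

run_encrypted() {
    enc_file=$1
    shift
    if [ ! -r "$enc_file" ]; then
        echo "run_encrypted: cannot read $enc_file" >&2
        return 66
    fi
    # Capture the plaintext in a variable so it is never written to flash or
    # /tmp. The assignment's status is the decryptor's exit status, so a wrong
    # key or a corrupted file stops here instead of feeding output to a shell.
    if ! plain=$($DECRYPT "$enc_file"); then
        echo "run_encrypted: decryption failed, nothing executed" >&2
        return 65
    fi
    if [ -z "$plain" ]; then
        echo "run_encrypted: decrypted script is empty" >&2
        return 65
    fi
    # Run in a subshell so the script cannot alter the caller's environment.
    # Unlike "ccat file | ash -", stdin stays attached to the terminal and the
    # remaining arguments reach the script as $1, $2, ...
    ( eval "$plain" )
}

# When invoked with arguments, treat them as: <encrypted file> [script args...]
if [ $# -gt 0 ]; then
    run_encrypted "$@"
fi
```

The decrypted script still exists in the memory of the running shell, so this protects the file at rest and not a script that is currently executing.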
It's very interesting, thanks.