Woland99 said:
Howdy - I want my script to make connection to FTP server and get some
files. I need that script to run every day automatically on machine
that many people have access to - but I do not want them to know the
username or password for that FTP server. Is there a way to save
encrypted password with the script but prevent people from modifying
script to access the FTP server for different purposes?
JT
FTP is clear text, you can't encrypt it, unless you decrypt somewhere in
the process (or on the other end), which probably defeats the purpose,
since that's the method someone else would just be able to use anyway.
I could only suggest using sftp, scp or rsync over SSH with a trusted
key. Of course, the problem is, if people have access to the system,
it doesn't matter a whole lot, since the trusted key allows them access
without a password. Otherwise, they can see the password in plain
text, which means they have the same trusted access once authenticated
-- and besides having that access, they have the password as well.
You can also time it with firewalls to only allow connections from the
system to the server at certain times. The best solution, if you're
uploading from the system, is to find the most secure way of doing it,
but make it so that the FTP account it uploads to is separate from
anything else (not full or other access to the remote account you
upload to). Make it so you can only upload (the files can be hidden
from view on the client end once they are uploaded). For the script
initiating this, you can try and hide the file name, the job, and also
make it so only your user has read permissions on the script used (the
last part is the most important -- how are you at risk of others
reading the script or being able to log into your account that runs
this process? That's the biggest problem you should find a resolution
for). You make it sound like this is a system that anyone can access,
is that the case? If so, what's stopping people from reading any of
your data or modifying that data?
Ultimately, if this is a system where anyone can access and somehow view
or gain access to the script or password, you should initiate the FTP
session (or better yet, a more secure method) from the _server_ side
(where you want the files stored) and have it connect to the system and
transfer the files _from_ it, which is the best scenario in this case
regardless of how people can access it (assuming the other end is more
secure). That way, none of the other users on the system you're
wanting to transfer files from will have a way to access the server
end. You can do that with trusted keys or some more secure transfer
method, but FTP will work fine as well, assuming the server end can be
trusted with the same dilemma you have on the system in question.
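
The reply's point about making the script readable only by the account that runs it can be enforced at run time. The following is an added example, not code from either poster: it refuses to read a credentials file (or key, or the script itself) unless the file is owner-only and its directory is not writable by others. The file name `ftp_credentials` and the function names are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_secret_file(path):
    """Return a list of permission problems for a credentials file or script."""
    problems = []
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != os.geteuid():
        problems.append("owned by uid %d, not the account running the job" % st.st_uid)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other bits set: %s" % oct(stat.S_IMODE(st.st_mode)))
    # A writable parent directory lets another user replace the file outright.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("parent directory is writable by group/other")
    return problems


def load_secret(path):
    """Read the secret only if the audit is clean; otherwise refuse."""
    problems = audit_secret_file(path)
    if problems:
        raise PermissionError("%s: %s" % (path, "; ".join(problems)))
    with open(path, "r") as fh:
        return fh.read().strip()


def demo():
    """Constructed sample: a throwaway file in a private temp directory."""
    workdir = tempfile.mkdtemp()                     # created with mode 0700
    path = os.path.join(workdir, "ftp_credentials")  # hypothetical file name
    with open(path, "w") as fh:
        fh.write("constructed-placeholder-secret\n")
    os.chmod(path, 0o644)                            # world-readable: refused
    loose = audit_secret_file(path)
    os.chmod(path, 0o600)                            # owner-only: accepted
    strict = audit_secret_file(path)
    secret = load_secret(path)
    os.remove(path)
    os.rmdir(workdir)
    return loose, strict, secret


if __name__ == "__main__":
    print(demo())
```

This check only keeps out other unprivileged accounts; anyone who can log in as the job's user, or as root, can still read the file, which is the risk the reply raises.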