0

I use the following script to change Open Directory (Apple's LDAP) passwords.

I don't like leaving the actual password within the script -- is there any way to hide or masquerade this so the script can be used by other users, but in a way they can't see the password?

#!/bin/bash
# Restrict PATH to the system directories
PATH=/bin:/usr/bin:/sbin:/usr/sbin
export PATH
echo
echo "Enter username you'd like to change password for:"
read -r USERNAME
echo
echo "Enter New Password for $USERNAME"
read -r PASSWORD
# The diradmin password is hardcoded on the next line; hiding it is what the question asks about
dscl -u diradmin -P 'secretpasswordhere' /LDAPv3/127.0.0.1 passwd "/Users/$USERNAME" "$PASSWORD"
echo "Password successfully changed for $USERNAME to $PASSWORD"
Dan

2 Answers

1

You could have the script run as Set-GID and then get the password information from a file protected under this group. The group of course should have limited access and membership. This is a very simple answer.

Another idea is to have the user enter a decrypt code for the scrambled password contained in the scripting. Thus only authorized users (those with the decrypt code) could run the script.

mdpc
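One way to do the file-based approach from this answer, as an added example that is not part of the original answer: the admin password is read from a file that must be mode 640 or stricter, and the script refuses to use it otherwise. The path `/etc/od-admin.secret` and the function names are hypothetical, and the example assumes the script already runs with the protected group's privileges.

```bash
#!/bin/bash
# Added example: load the directory admin password from a group-protected
# file instead of hardcoding it. SECRET_FILE and the function names are
# hypothetical; they are not from the original post.
SECRET_FILE="${SECRET_FILE:-/etc/od-admin.secret}"   # assumed path

# Print the file's permission bits in octal (GNU stat first, then BSD/macOS).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the secret on stdout; return non-zero if the file is unusable or
# its permissions would let users outside the group read or alter it.
load_admin_secret() {
    local file="$1" mode secret
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "not a regular file: $file" >&2
        return 1
    fi
    mode=$(file_mode "$file") || return 1
    # Reject any access for "other" (007) and write access for the group (020).
    if [ $(( 0$mode & 027 )) -ne 0 ]; then
        echo "refusing $file: mode $mode is too permissive (want 640 or stricter)" >&2
        return 1
    fi
    # read returns non-zero when the last line has no newline; the value is still set.
    IFS= read -r secret < "$file" || true
    [ -n "$secret" ] || { echo "empty secret in $file" >&2; return 1; }
    printf '%s' "$secret"
}

# The dscl call from the question, with the password taken from the file.
change_od_password() {
    local user="$1" new_pw="$2" admin_pw
    admin_pw=$(load_admin_secret "$SECRET_FILE") || return 1
    dscl -u diradmin -P "$admin_pw" /LDAPv3/127.0.0.1 passwd "/Users/$user" "$new_pw"
}
```

Passing the password with `-P` still places it in the process arguments while `dscl` runs, so this keeps the secret out of the script but not out of the process list.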
1

Have a look at shc:

http://www.thegeekstuff.com/2012/05/encrypt-bash-shell-script/

The whole logic behind the shc is to convert the random.sh shell script to random.sh.x.c C program (and of course compile that to generate the random.sh.x executable)
  • random.sh is the original unencrypted shell script
  • random.sh.x is the encrypted shell script in binary format
  • random.sh.x.c is the C source code of the random.sh file. This C source code is compiled to create the above encrypted random.sh.x file.
MDMarra
Nikolaidis Fotis
  • SHC looks like an elegant solution, but alas it doesn't appear to compile properly in OSX...rats – Dan Oct 15 '12 at 21:56
  • Maybe it uses some Linux-specific system calls. But in any case you got the idea. It should not be very difficult to create your own version. – Nikolaidis Fotis Oct 15 '12 at 22:39