0

I want to execute Ant with the verbose option but I don't want the arguments passed into the Exec task to be displayed in situations where they are sensitive (i.e. user/password).

An example is where there's a connection to a database:

<exec executable="/bin/sh" failonerror="true">
    <arg line="/opt/blah/blah/bin/frmcmp_batch.sh Module=blah Userid=username/mypassword@blah Module_Type=blah"/>
</exec>

I don't want the arguments (specifically "Userid=username/mypassword@blah" showing up in the log).

What is the best way to hide/secure the arguments?

Jesse
  • 1,603
  • 19
  • 20

2 Answers2

1

Best way to secure the password is not to use one :-) The following answer describes how to setup an SSH key:

The ANT sshexec command supports a "keyfile" attribute.

Update

Ahhh, scripting sudo can be a royal pain.

Here are solutions which have worked for me in the past.

  1. Configure the user to not require a password. See "sudoers" file. In our setup we grant this special access to users in an admin user group. (See Ant build.xml requires user input, but Eclipse has no tty)
  2. Use SSH :-) Logging into the local machine is a perfectly valid way to automate a process. Enables us to use SSH keys to control access and possible to restrict the commands a user runs (via little known features of the authorized_keys file)
  3. Use an automation tool like rundeck. It has useful support for sudo built in. Passwords can be configured as options that are specified at runtime (GUI) but not saved anywhere. There is a command-line and REST API available for invoking jobs. This solution is possibly least useful, but I mention it because it's such a useful tool for automating operations tasks.

It seems you're concerned about the password appearing in a log file? My fixation is to never write my password down or hard-code it within a script....

Community
  • 1
  • 1
Mark O'Connor
  • 76,015
  • 10
  • 139
  • 185
  • Thank you for the response but this isn't what I'm looking for. I'm not looking to run a command on a remote host. I'm looking to execute a command on the host where the Ant script is running which requires sensitive arguments. I've updated the question to explain this in greater detail. – Jesse Apr 10 '13 at 02:34
  • Thank you again Mark but I'm already using NOPASSWD so I don't need to enter a password to execute the sudo command. My question pertains to how to hide "Userid=username/mypassword@blah" in the example. I've removed sudo from my example to clear this up. – Jesse Apr 10 '13 at 14:51
0

Currently I'm using the following workaround (described here) to hide "mypassword" but I was wondering if there's a more elegant solution?

build.xml

<?xml version="1.0" encoding="UTF-8"?>
<project default="test">

    <target name="test" depends="">
        <echo message="Testing..."/>

        <echo message="Turning verbose off... you should NOT see the arguments..."/>

        <script language="javascript">
            var logger = project.getBuildListeners().firstElement();
            // 2 works to turn off verbose
            logger.setMessageOutputLevel(2);
        </script>

        <exec dir="." executable="cmd">
            <arg line="/c dummy.bat mypassword"/>
        </exec>

        <echo message="Turning verbose on... you should see the arguments..."/>

        <script language="javascript">
            var logger = project.getBuildListeners().firstElement();
            // 3 works to turn verbose back on
            logger.setMessageOutputLevel(3);
        </script>

        <exec dir="." executable="cmd">
            <arg line="/c dummy.bat mypassword"/>
        </exec>

    </target>
</project>

dummy.bat

@echo off
echo dummy

Output

test:
     [echo] Testing...
     [echo] Turning verbose off... you should NOT see the arguments...
     [exec] dummy
     [echo] Turning verbose on... you should see the arguments...
     [exec] Current OS is Windows XP
     [exec] Executing 'cmd' with arguments:
     [exec] '/c'
     [exec] 'dummy.bat'
     [exec] 'mypassword'
     [exec]
     [exec] The ' characters around the executable and arguments are
     [exec] not part of the command.
     [exec] dummy
Community
  • 1
  • 1
Jesse
  • 1,603
  • 19
  • 20