LinuxSecurity.com
Encrypting Shell Scripts
Source: Duane Dunston - Posted by Duane Dunston   
Do you have scripts that contain sensitive information such as passwords, and do you depend largely on file permissions to keep them secure? If so, that type of security is good provided you keep your system secure and no user has a "ps -ef" loop running in an attempt to capture that sensitive information (though some applications mask passwords in "ps" output). A program called "shc" can be used to add an extra layer of security to those shell scripts. shc encrypts a shell script using RC4, makes an executable binary out of it, and that binary runs like a normal shell script. This utility is great for programs that require a password to encrypt or decrypt, or that take a password as a command-line argument.
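
The "ps" exposure described above can be checked directly. The following is an added example, not part of the original article or of shc: it starts a stand-in worker twice, once with a constructed password as an argument and once with the password on standard input, and reports whether the password appears in the worker's visible command line. The function names and the SECRET value are assumptions made for the illustration; encrypting the script file does not change the first result if the script still hands the password to a child process as an argument.

```shell
#!/bin/sh
# Added example. SECRET is a constructed value; function names are hypothetical.
SECRET='constructed-Passw0rd-for-demo'

# Print the command line of PID $1 as the process list shows it.
visible_args() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Start a stand-in worker that receives the secret by the given method
# ("argv" or "stdin"), then print "exposed" or "hidden".
exposure() {
    case $1 in
        argv)   # secret on the command line, as in: tool --password=...
            sh -c 'sleep 3; :' worker "--password=$SECRET" >/dev/null 2>&1 &
            ;;
        stdin)  # secret written to the worker's standard input instead
            printf '%s\n' "$SECRET" |
                sh -c 'read -r pw; sleep 3; :' worker >/dev/null 2>&1 &
            ;;
        *)  echo "usage: exposure argv|stdin" >&2; return 2 ;;
    esac
    pid=$!
    sleep 1     # give the child time to exec before inspecting it
    if visible_args "$pid" | grep -qF -- "$SECRET"; then
        echo exposed
    else
        echo hidden
    fi
    # Clean up the stand-in worker.
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
}

echo "password as argument: $(exposure argv)"
echo "password on stdin:    $(exposure stdin)"
```
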

Download shc (http://www.datsi.fi.upm.es/~frosal/) and untar it:

tar -xzvf shc-X.X.tgz
cd shc-X.X/
make
make install

A binary named "shc" will be created along with some test programs. Let's give it a try.

Create a file called: "script.sh" and add the following contents:

############################### script.sh ##############################
#!/bin/sh

echo "I love Duane's articles and will send him a donation via PayPal."

############################### script.sh ##############################

Now run the command:

shc -f script.sh

The switch "-f" specifies the source script to encrypt. The above command will create two files: script.sh.x.c and script.sh.x.

The program "shc" creates C source code containing your encrypted shell script (script.sh.x.c) and builds a binary from it. The encrypted shell script binary is script.sh.x. Run that binary and see the output:

./script.sh.x
I love Duane's articles and will send him a donation via PayPal.

Now copy the original "script.sh" file to a floppy disk or some other system for backup or in case you need to edit it in the future. Then, delete it from the server and delete the "script.sh.x.c" file it creates.

Neat feature

You can also specify a time limit on the shell script so that it will no longer execute after a certain date, and you can specify a custom message to echo back to the user. Run this command on the "script.sh" file we created earlier in this tutorial:

shc -e 09/10/2004 -m "Dude it is too late to run this script." -f script.sh
./script.sh.x
./script.sh.x has expired!
Dude it is too late to run this script.

In the above command the date October 9, 2004 is set as the expiration date (-e 09/10/2004) and the custom message was set to display to the user (-m "Dude it is too late to run this script.") when the binary is executed. Note the date format is dd/mm/yyyy.

Check out the man pages for more info on "shc". Remember that the binary is only encrypted on the local system. If you encrypt a script that transmits sensitive information in clear text across a network, you will need some other encrypted communication channel to transmit that information.


Duane Dunston received his B.A. and M.S. degrees from Pfeiffer University and he has his GSEC certification from SANS. Hey, Ann Curry!

 

Comments
compatible in all Linux platforms?
Written by Prasanna Hegde on 2006-03-13 01:55:53
Hi. If I now compile this code on one platform and move the generated script to another Linux distro, is it supposed to work?
Written by Anonymous Coward on 2006-03-25 20:38:25
You will, more than likely, want to compile the binary as static. 
 
CFLAGS=-static shc -r -f script.sh
Thanx
Written by Aliane on 2006-04-19 12:19:16
Thank you very much. I installed it in:
Linux version 2.4.21-27.EL ((gcc version 3.2.3 20030502 (Red Hat Linux 3.2.3-47)) and it works perfectly. It is exactly what I need in my tasks.
How to reverse the encryption?
Written by Jason on 2006-04-25 13:29:55
Let's say I encrypt a few files. I remove the source file and misplace it. Is there a way to reverse the encryption?
Binary to text format in Linux
Written by saravanakumar on 2006-05-01 07:35:54
I need the Linux decoding software for Linux.
Unable to make in Solaris platform
Written by Saju Francis on 2006-07-20 11:41:11
Make failed in Solaris platform. Would like to know if there are any steps to follow specific to Solaris systems?
 
hi
Written by chetan muneshwar on 2006-08-31 07:45:44
hi i like it ..................

thanks guru
It seems to work...
Written by midget on 2006-09-27 10:24:19
After a quick test, it seems to do the job.
Thanx
Issues on using SHC.
Written by Bharani Kumar on 2006-10-26 06:09:06
I'm able to un-archive and install the package
in a Red Hat Linux 8.0 System. Installed on
path: "/usr/local/bin/".
 
I wrote a simple shell script (Script.sh) like below : 
--------------------------- 
#!/bin/sh 
 
echo "Hi, How are you" 
--------------------------- 
and tried the command "shc -f Script.sh"
in the shell prompt, which created two files
named "Script.sh.x.c" and "Script.sh.x".
Then I tried executing the file "Script.sh.x"
in the shell prompt like "./Script.sh.x".
After this my terminal stops responding and
I haven't received any response for nearly
a day.

Can you please let me know whether I need
to follow any other steps to make this work or
whether there are any other software version dependencies?

A timely reply will be very helpful for me.

Thank you.
 
Best Regards, 
Bharani
Written by wzis on 2006-11-23 01:14:23
shc can't provide good security protection for your script: using gdb or other debugger tools, the original script can be retrieved from the running interpreter for sure.
wzshSDK gives much stronger protection.
good
Written by best on 2008-04-19 08:07:05
I agree with you.