scriptsandthings / encrypted-script-parameters

This project forked from mensooree/encrypted-script-parameters

Functions for generating strings and decrypting them for use as script parameters

Encrypted Script Parameters

What were we trying to solve?

A standard practice when running a script in a policy that needs to interact with an API is to pass the username and password for the service as parameters. All staff at JAMF Software have read access to the majority of objects in the production JSS (we refer to the main IT managed JSS as the "production JSS" since over half the company runs their own for testing and demos!). This presents the challenge of maintaining security around these API accounts in a very transparent environment.

Our Information Security department provided a solution to IT that was adapted into standard functions used for our Bash and Python scripts. Using the openssl binary, we encrypt the strings for these username and password parameters, generating unique salt and passphrase values that we hardcode into the uploaded script. Without access to both the policy and the script, the strings cannot be decrypted and used.

What does it do?

There are two functions: GenerateEncryptedString, which encrypts a string and produces the salt and passphrase values that go with it, and DecryptString, which is embedded in a script with those salt and passphrase values hardcoded and decrypts the string passed to the script as a parameter. Because staff can read policy data in the JSS but not the script contents, they do not have all the pieces needed to recover the account credentials.

How to use these scripts with policies

Here is an example of using these functions to generate the encrypted strings and then using the resulting values with a policy and script.

  1. Use GenerateEncryptedString to encrypt the username and/or password values:

     ~$ GenerateEncryptedString "Captain Hammer"
     Encrypted String: U2FsdGVkX18/iRQ6O7Hr+pouW8TAl0RcrUByBUzavuY=
     Salt: 3f89143a3bb1ebfa | Passphrase: 67a61589eb6fb3874052333b

  2. Embed the DecryptString function, with the "salt" and "passphrase" values hardcoded, into the script that will take the encrypted string above as a parameter:

     #!/bin/bash

     # Decrypt an encrypted string using the salt and passphrase printed by GenerateEncryptedString
     function DecryptString() {
         echo "${1}" | /usr/bin/openssl enc -aes256 -d -a -A -S "${2}" -k "${3}"
     }
     # Policy script parameters start at $4; quote it so the value is passed as one argument
     username=$(DecryptString "${4}" '3f89143a3bb1ebfa' '67a61589eb6fb3874052333b')
     ...

  3. Add the script to a policy and paste the encrypted string into the corresponding parameter field.

[Screenshot: the policy's script parameter field holding the encrypted string]
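The three steps above as one complete round trip, so the scheme can be exercised locally before an encrypted value is pasted into a policy. This is an added example and not the project's own code; it assumes openssl is on PATH (the README calls /usr/bin/openssl directly), generates an 8-byte salt and a 12-byte passphrase as hex (the lengths shown in the README output), and adds a ReadCredentialParameter helper, a hypothetical name, to show how a policy script can detect a failed decryption instead of calling the API with an empty credential.

```bash
#!/bin/bash
# Added example (not the project's code): encrypt / decrypt round trip for the
# openssl-based script-parameter scheme described in the README.
# Assumptions: openssl on PATH; salt = 8 random bytes, passphrase = 12 random
# bytes, both rendered as hex (16 and 24 characters, as in the README output).

# Encrypt a string with an explicit salt and passphrase: the README's
# DecryptString command with -d dropped. -a -A gives single-line base64 so the
# value fits in a policy parameter field; printf avoids a trailing newline.
EncryptString() {
    printf '%s' "$1" | openssl enc -aes256 -a -A -S "$2" -k "$3"
}

# Decrypt as in the README. Returns openssl's exit status, so a wrong salt or
# passphrase ("bad decrypt") is visible to the caller.
DecryptString() {
    echo "$1" | openssl enc -aes256 -d -a -A -S "$2" -k "$3"
}

# Generate fresh salt and passphrase values and print them in the README's
# layout. The encrypted string goes into the policy parameter; the salt and
# passphrase are hardcoded into the script.
GenerateEncryptedString() {
    local salt passphrase encrypted
    salt=$(openssl rand -hex 8)          # 8 bytes, the size openssl's -S expects
    passphrase=$(openssl rand -hex 12)
    encrypted=$(EncryptString "$1" "$salt" "$passphrase") || return 1
    echo "Encrypted String: $encrypted"
    echo "Salt: $salt | Passphrase: $passphrase"
}

# What a policy script should do with parameter $4 (hypothetical helper):
# decrypt, and fail if decryption returns an error or nothing, rather than
# continuing with an empty username or password. stderr is dropped because
# newer openssl releases print a key-derivation deprecation warning there.
ReadCredentialParameter() {
    local value
    value=$(DecryptString "$1" "$2" "$3" 2>/dev/null) || return 1
    [ -n "$value" ] || return 1
    printf '%s' "$value"
}

# Demo (run with --demo): generate values, then decrypt as a policy script would.
if [ "${1:-}" = "--demo" ]; then
    output=$(GenerateEncryptedString "Captain Hammer")
    echo "$output"
    enc=$(echo "$output" | sed -n 's/^Encrypted String: //p')
    salt=$(echo "$output" | sed -n 's/^Salt: \([0-9a-f]*\) .*/\1/p')
    pass=$(echo "$output" | sed -n 's/.*Passphrase: //p')
    ReadCredentialParameter "$enc" "$salt" "$pass" && echo
fi
```

Two caveats when using this beyond a single machine. First, `openssl enc` derives the key from the passphrase with its default digest, and that default changed from MD5 to SHA-256 in OpenSSL 1.1.0: a string generated on an older system will not decrypt on a newer one unless both sides pass the same `-md` option, so generate the values with the same openssl release the managed Macs will decrypt with. Second, the protection is exactly what the README states: the credential is recoverable by anyone who can read both the policy parameter and the script body, so script read access in the JSS should be treated as credential access.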

The Python functions are wrappers around the same openssl commands, invoked through the subprocess module, and are used the same way:

>>> import subprocess
>>> GenerateEncryptedString("Doctor Horrible")
Encrypted String: U2FsdGVkX1/+1bcze4/E7R3wCfEru9qnHWG5da7p+bg=
Salt: fed5b7337b8fc4ed | Passphrase: bbf59ee05d84e8c8d5190b31
>>> DecryptString('U2FsdGVkX1/+1bcze4/E7R3wCfEru9qnHWG5da7p+bg=', 'fed5b7337b8fc4ed', 'bbf59ee05d84e8c8d5190b31')
'Doctor Horrible'

License

Copyright (c) 2015, JAMF Software, LLC. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are
permitted provided that the following conditions are met:

    * Redistributions of source code must retain the above copyright notice, this
      list of conditions and the following disclaimer.
    * Redistributions in binary form must reproduce the above copyright notice, this
      list of conditions and the following disclaimer in the documentation and/or
      other materials provided with the distribution.
    * Neither the name of the JAMF Software, LLC nor the names of its contributors
      may be used to endorse or promote products derived from this software without
      specific prior written permission.
      
THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE,
LLC BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
