dbisql with encrypted password
| What is the syntax to invoke dbisql (-nogui) with an
encrypted password? I don't want to include the password in
a file or in my script.
Thanks!
| |
| Nick Elson 2005-06-13, 8:23 pm |
| You have numerous ways of doing the same thing.
1 - Create the ODBC DSN and check the "[X] Encrypt password"
checkbox to store only the encrypted password. To connect,
specify the DSN= in your -c connection string.
2 - Do the above to create the encrypted password, use the registry
editor to pull this out from the registry, and specify the ENP=
connection parameter in your connection string. If using a File DSN,
edit the file.
or
3 - Possibly better yet, utilize DBFHide to hide the whole command
line, hiding not only your password but any means of guessing it.
Then connect using the @file ability.
Whenever a file is used (whether a File DSN or @file included file), use
the security of the OS to lock it down to specific users or groups (only
permitting minimum necessary access). For DSNs, only create a USER
DSN for your own account, so others will not be able to get to it.
<Ellen> wrote in message news:42adcf8f.135a.1681692777@sybase.com...
> What is the syntax to invoke dbisql (-nogui) with an
> encrypted password. I don't want to include the password in
> a file or in my script.
> Thanks!
| |
| Joshua Savill 2005-06-14, 9:23 am |
| Option 3 from my understanding will not work. The dbisql utility does not
support the @file [@data] parameter. Option 1 and 2 should work.
--
Joshua Savill
iAnywhere Solutions - Product Support Analyst
"Nick Elson" <no_spam_nicelson@sybase.com> wrote in message
news:42ae051d$1@forums-1-dub...
> You have numerous ways of doing the same thing.
>
> 1 - Create the ODBC DSN and check the "[X] Encrypt password"
> checkbox to store only the encrypted password. To connect,
> specify the DSN= in your -c connection string.
>
> 2 - Do the above to create the encrypted password, use the registry
> editor to pull this out from the registry, and specify the ENP=
> connection parameter in your connection string. If using a File DSN,
> edit the file.
> or
> 3 - Possibly better yet, utilize DBFHide to hide the whole command
> line, hiding not only your password but any means of guessing it.
> Then connect using the @file ability.
>
> Whenever a file is used (whether a File DSN or @file included file), use
> the security of the OS to lock it down to specific users or groups (only
> permitting minimum necessary access). For DSNs, only create a USER
> DSN for your own account, so others will not be able to get to it.
>
> <Ellen> wrote in message news:42adcf8f.135a.1681692777@sybase.com...
>
>
| |
| Ellen 2005-06-14, 11:23 am |
| But, am I correct that creating the ODBC connection cannot
be done from a script? I would like to do all this via a
script.
| |
| Joshua Savill 2005-06-14, 8:23 pm |
| I am not aware of any way this can currently be done using a script with an
encrypted password, aside from suggestions 1) and 2) provided by Nick.
<Ellen> wrote in message news:42af0426.6c1.1681692777@sybase.com...
> But, am I correct that creating the ODBC connection cannot
> be done from a script? I would like to do all this via a
> script.
| |
| Jeff Albion (iAnywhere Solutions) 2005-06-14, 8:23 pm |
| To clarify, you CAN create the DSN without sending any clear text to
machines via intermediate registry scripts. Then simply connect using the -c
DSN= option.
To create the DSN with an encrypted password, you can do this:
1. Create the DSN with the encrypted password option checked on one machine.
2. Extract the appropriate registry key using RegEdit:
HKEY_CURRENT_USER\Software\ODBC\ODBC.INI\(DSN name) for User DSNs,
HKEY_LOCAL_MACHINE\Software\ODBC\ODBC.INI\(DSN name) for System DSNs
3. On all client machines, add the .reg script by transferring the .reg file
via a network share or similar and add the command:
regedit /s <registry.reg>
in a login-script of some type.
The .reg script only has the encrypted password stored so it is impossible
to extract the original password. Everything else is like Nick said.
--
Jeff Albion
Product Support Analyst
iAnywhere Solutions
"Joshua Savill" <jsavill@ianywhere.com> wrote in message
news:42af2744$1@forums-2-dub...
> I am not aware of any way this can currently be done using a script with an
> encrypted password, aside from suggestions 1) and 2) provided by Nick.
>
> <Ellen> wrote in message news:42af0426.6c1.1681692777@sybase.com...
>
>
| |
| Volker Barth 2005-06-15, 7:23 am |
| Jeff,
just in order to avoid any misunderstanding:
I have learned from other threads on this issue that the ENP
connection parameter is not intended for "real security"
purposes.
First, - using the ODBC Administrator - one can always
restore the decrypted PWD by unchecking the encryption
option - this will reveal the decrypted PWD in the
corresponding registry entries.
Second, one can use the ENP parameter and the corresponding
registry value directly to connect to the database via -c
"ENP=...".
If I remember right, Nick or Reg once wrote that ENP is
primarily aimed at hindering someone looking over one's
shoulder to catch sight of passwords - the encrypted value
makes it harder to guess.
Therefore I once made the following suggestion in the
"product future" newsgroup:
"Let dbisqlg/dbisqlc accept a @filename parameter"
Please let me know if I have missed the point in your
suggestion.
Thanks
Volker
Jeff Albion wrote:
> To clarify, you CAN create the DSN without sending any
> clear text to machines via intermediate registry scripts.
> Then simply connect using the -c DSN= option.
>
> To create the DSN with an encrypted password, you can do
> this:
>
> 1. Create the DSN with the encrypted password option
> checked on one machine.
>
> 2. Extract the appropriate registry key using RegEdit:
>
> HKEY_CURRENT_USER\Software\ODBC\ODBC.INI\(DSN name) for User DSNs,
> HKEY_LOCAL_MACHINE\Software\ODBC\ODBC.INI\(DSN name) for System DSNs
>
> 3. On all client machines, add the .reg script by
> transferring the .reg file via a network share or similar
> and add the command:
>
> regedit /s <registry.reg>
>
> in a login-script of some type.
>
> The .reg script only has the encrypted password stored so
> it is impossible to extract the original password.
> Everything else is like Nick said.
>
> --
> Jeff Albion
> Product Support Analyst
> iAnywhere Solutions
>
> "Joshua Savill" <jsavill@ianywhere.com> wrote in message
> news:42af2744$1@forums-2-dub...
| |
| Jeff Albion (iAnywhere Solutions) 2005-06-15, 8:24 pm |
| My mistake - yes, I forgot that the registry could be *decrypted* via the
checkbox. :)
Nick's advice is best.
--
Jeff Albion
Product Support Analyst
iAnywhere Solutions
<Volker Barth> wrote in message news:42afef5d.f3c.1681692777@sybase.com...
> Jeff,
>
> just in order to avoid any misunderstanding:
>
> I have learned from other threads on this issue that the ENP
> connection parameter is not intended for "real security"
> purposes.
>
> First, - using the ODBC Administrator - one can always
> restore the decrypted PWD by unchecking the encryption
> option - this will reveal the decrypted PWD in the
> corresponding registry entries.
>
> Second, one can use the ENP parameter and the corresponding
> registry value directly to connect to the database via -c
> "ENP=...".
>
> If I remember right, Nick or Reg once wrote that ENP is
> primarily aimed at hindering someone looking over one's
> shoulder to catch sight of passwords - the encrypted value
> makes it harder to guess.
>
> Therefore I once made the following suggestion in the
> "product future" newsgroup:
> "Let dbisqlg/dbisqlc accept a @filename parameter"
>
> Please let me know if I have missed the point in your
> suggestion.
>
> Thanks
>
> Volker
>
>
>
> Jeff Albion wrote:
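
An added example, not part of the original thread: a Python check that could be run over a .reg export before it is distributed as Jeff describes, treating a stored ENP value as a credential in line with Volker's point and marking System DSNs, which Nick advises against. The registry value names it looks for and the sample export are assumptions constructed for illustration.

```python
import re

# Assumption: the thread names only the PWD and ENP connection parameters;
# the long forms are included in case a DSN stores them under those names.
CLEARTEXT = {"pwd", "password"}
ENCRYPTED = {"enp", "encryptedpassword"}

SECTION = re.compile(
    r"^\[(HKEY_[A-Z_]+)\\Software\\ODBC\\ODBC\.INI\\([^\]]+)\]$", re.I)
VALUE = re.compile(r'^"([^"]+)"="(.*)"$')

def audit_reg_export(text):
    """Return (dsn, scope, value_name, issue) per credential in .reg text."""
    findings, dsn, scope = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # a new key: a DSN section or something else
            m = SECTION.match(line)
            dsn = m.group(2) if m else None
            hive = m.group(1).upper() if m else ""
            scope = "system" if hive == "HKEY_LOCAL_MACHINE" else "user"
            continue
        m = VALUE.match(line)
        if dsn is None or not m or not m.group(2):
            continue  # outside a DSN key, not a string value, or empty
        name = m.group(1)
        if name.lower() in CLEARTEXT:
            findings.append((dsn, scope, name, "cleartext password"))
        elif name.lower() in ENCRYPTED:
            # Usable as-is in -c "ENP=...", so handle it like the password.
            findings.append((dsn, scope, name, "replayable encrypted password"))
    return findings

# Constructed sample export; DSN names and values are made up.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\ODBC\ODBC.INI\ODBC Data Sources]
"reports"="example driver (constructed)"
[HKEY_CURRENT_USER\Software\ODBC\ODBC.INI\reports]
"UID"="report_user"
"ENP"="0a1b2c3d-constructed"
[HKEY_LOCAL_MACHINE\Software\ODBC\ODBC.INI\nightly]
"UID"="batch"
"PWD"="constructed-secret"
'''

if __name__ == "__main__":
    print(audit_reg_export(SAMPLE))
```

regedit writes its exports as UTF-16, so read the file with that encoding before passing its text to `audit_reg_export`.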