Sunday, September 13, 2009

Compare secure values in a script

I am always leery of putting a password into a script in case someone gets into the script and can see the text. One thing you can do is read a value and hash it with openssl (included with OS X); openssl dgst computes a one-way digest of its input rather than encrypting it. This allows you to hash the results of a command and then compare that digest with a known good digest.

echo "123456abc" | openssl dgst -sha1

this results in the following


Now, if you run the above command ahead of time on a known good value, you can put this all in a script like the following:
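_______ 8< snip ____________
# good = digest produced ahead of time from the known good value (placeholder)
good="PASTE_KNOWN_GOOD_DIGEST_HERE"
test=`echo "123456abc" | openssl dgst -sha1`
if [ "$test" = "$good" ]; then
    echo "they match"
else
    echo "they don't match"
fi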
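
A fuller version of the comparison, as an added example that is not from the original post: depending on the OpenSSL version, openssl dgst prints the digest bare or behind a "(stdin)= " style prefix, so the script strips that before comparing. The function names and the sample digest (the standard SHA-1 test vector for "abc") are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: compare the SHA-1 digest of a command's output with a
# stored known-good digest, independent of the OpenSSL output format.

# Reduce a line of "openssl dgst" output to the bare lowercase hex digest.
# Handles "<hex>", "(stdin)= <hex>" and "SHA1(stdin)= <hex>".
normalize_digest() {
    printf '%s\n' "$1" | sed -e 's/^.*= *//' | tr 'A-F' 'a-f'
}

# Hash everything on stdin with openssl and print the normalized digest.
sha1_of_stdin() {
    normalize_digest "$(openssl dgst -sha1)"
}

# Return 0 when stdin hashes to the digest given as $1, non-zero otherwise.
# An empty result (openssl missing or failing) never counts as a match.
matches_known_good() {
    expected=$(normalize_digest "$1")
    actual=$(sha1_of_stdin)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed sample: SHA-1 of the three bytes "abc" with no trailing newline.
GOOD_ABC="a9993e364706816aba3e25717850c26c9cd0d89d"

if command -v openssl >/dev/null 2>&1; then
    # printf '%s' sends exactly the bytes given; echo would append a newline
    # and therefore produce a different digest.
    if printf '%s' 'abc' | matches_known_good "$GOOD_ABC"; then
        echo "they match"
    else
        echo "they don't match"
    fi
fi
```

Generate the stored digest with the same command the script runs (echo appends a newline, printf '%s' does not), or the two will never match. A bare SHA-1 of a short password can be guessed offline by anyone who reads the script, so this suits checking command output better than hiding a weak secret.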