Sunday, September 13, 2009

Compare secure values in a script

I am always leery of putting a password into a script in case someone gets into the script and can see the text. One thing you can do is read a value and hash it with openssl (included with OS X). Strictly speaking this is a one-way digest rather than encryption. It lets you hash the result of a command and then compare that digest with a known good digest.

echo "123456abc" | openssl dgst -sha1

This results in the following (newer versions of openssl put a label ending in "(stdin)= " in front of the digest):

6dd9b0fde6acb54d86ffe02dad8c587646f6ba87

Now, if you run the above command ahead of time on a known good value, you can put this all in a script like the following:
_______ 8< snip ____________
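#!/bin/sh
# Hash the value under test. In real use this would be the output of a
# command rather than a literal string.
# sed strips the "(stdin)= " label that newer openssl versions print.
test=$(echo "123456abc" | openssl dgst -sha1 | sed 's/^.*= //')
# Known good SHA-1 digest, computed ahead of time
good="6dd9b0fde6acb54d86ffe02dad8c587646f6ba87"
if [ "$test" = "$good" ]; then
    echo "they match"
else
    echo "they don't match"
fi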
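
As an added example (not part of the original post), the same comparison can be wrapped in two helper functions that cope with the output format of both old and new openssl versions. It goes a little beyond the script above by using SHA-256 with a salt, since an unsalted SHA-1 of a short value is easy to look up; the function names, the salt and the sample value are made up for illustration.

```sh
#!/bin/sh
# Added example; digest_of and matches_known are hypothetical helper names.

# Print the hex SHA-256 digest of <salt><stdin>.  $1 = salt
digest_of() {
    # The value to hash is read from stdin, after the salt.
    { printf '%s' "$1"; cat; } |
    if command -v openssl >/dev/null 2>&1; then
        # Older openssl prints only the hex digest; newer versions print
        # "...(stdin)= <hex>", so drop everything up to "= ".
        openssl dgst -sha256 | sed 's/^.*= //'
    else
        # Assumption: coreutils sha256sum is available when openssl is not.
        sha256sum | cut -d' ' -f1
    fi
}

# Succeed (exit 0) only if the value on stdin hashes to the known good digest.
# $1 = salt, $2 = known good hex digest
matches_known() {
    [ "$(digest_of "$1")" = "$2" ]
}

# --- demo with constructed values ---
SALT="constructed-salt-7c1e"
# Normally computed once, ahead of time, and pasted in as a literal.
GOOD=$(printf '%s' "constructed-value" | digest_of "$SALT")

# printf '%s' sends exactly the value; echo would append a newline and
# change the digest.
if printf '%s' "constructed-value" | matches_known "$SALT" "$GOOD"; then
    echo "they match"
else
    echo "they don't match"
fi
```

In real use, replace the demo's first printf with the command whose output you want to check, and store only the salt and the digest in the script.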