3
votes

Thanks to SAS's Personal Login Manager, the initial connection to the remote server works without a password (or password hash). However, it seems to be necessary to specify the passwords of the individual databases (user xxuser, password xxpwd; see example below).

Is there a way to connect to different databases on a database server without a password (hash) in the SAS code?

/* Connect to database server works without password 
   thanks to SAS's Personal Login Manager */
%dosignon(srvcomponent=xxxremoteSAS);

/* SQL direct pass-through to server */ 
rsubmit;

    /* Define SAS-libraries (on server) */
    libname remote_db_a db2 dsn=dbxa schema=xxschema1 user=xxuser password= "xxpwd";
    libname remote_db_b db2 dsn=dbxa schema=xxschema2 user=xxuser password= "xxpwd";
endrsubmit;

/* Link local library names with the ones on the server */
libname remote_db_a a libref=remote_db_a server=&sessid.;
libname remote_db_b a libref=remote_db_b server=&sessid.;

A work-around is to encode the password string with proc pwencode in="plaintextPassword"; run; and to use this hash instead of xxpwd in the source code. A potential attacker can now no longer use the password to access other accounts, but of course can still access any database.

PS: I am new to SAS, so the SAS documentation looks like a book with seven seals to me. I asked various SAS experts, but I am not satisfied with the password-hashing suggestion.

1 Answers

2
votes

I am not an expert on how SAS Metadata Manager manages access credentials, but as long as the "remote" SAS session also uses Metadata Manager then you should be able to use it to make your connections.

Here is a blog post about the Personal Login Manager you mentioned. https://platformadmin.com/blogs/paul/2010/11/sas-personal-login-manager/

At the end of the discussion there is an example of how to create a libref using the metadata manager to supply the credentials.

From a user perspective, to use the (outbound login) credentials to get access to third-party systems, look for authentication domain support in the SAS feature you are using. For example, the SAS/ACCESS AUTHDOMAIN= LIBNAME option.

https://documentation.sas.com/?cdcId=pgmsascdc&cdcVersion=9.4_3.4&docsetId=acreldb&docsetTarget=n0aiq25zc8u8u6n1i81my0a24sd3.htm&locale=en

Example from that page:

options metauser="metadata-userid" metapass="metadata-password"
        metaport=8561 metaprotocol=bridge
        metarepository="metadata-repository"
        metaserver="server-name";

libname A1 saphana server=mysrv1 port=30015 authdomain="hanaauth";
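
The AUTHDOMAIN= option from the answer above, applied to the DB2 libraries in the question. This is an added example, not code from the original posts; the authentication domain name "DB2Auth" is hypothetical, and it assumes that a login with the DB2 user ID and password is stored for that domain in SAS metadata and that the remote session is connected to the metadata server.

```sas
/* Added example, not from the original post.
   Assumptions: "DB2Auth" is a hypothetical authentication domain; a login
   holding the DB2 user ID and password is stored for it in SAS metadata,
   and the remote SAS session has a metadata server connection. */
%dosignon(srvcomponent=xxxremoteSAS);

rsubmit;

    /* Before: credential embedded in the program text
       libname remote_db_a db2 dsn=dbxa schema=xxschema1
               user=xxuser password="xxpwd";                        */

    /* After: no USER= or PASSWORD=; the credentials are looked up
       in metadata through the authentication domain */
    libname remote_db_a db2 dsn=dbxa schema=xxschema1 authdomain="DB2Auth";
    libname remote_db_b db2 dsn=dbxa schema=xxschema2 authdomain="DB2Auth";

endrsubmit;

/* The local libname statements from the question stay unchanged. */
```

With this form the program file contains neither the password nor its PROC PWENCODE encoding, so a copy of the source no longer grants database access by itself.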