1

I tried searching SO for a similar question, but nothing really helpful came up.

I would like to send multiple PUT / DELETE requests using cURL without having to type a password every time. I already know I can pass the user and password information inline like -u user:password when running the command, but I believe this will save the password to the shell history.

Is there any other, more secure way to do this? I am using the Fish shell, but any other answers based in other shells are welcome.

Andrew Barber
  • 39,603
  • 20
  • 94
  • 123
  • See [Using curl with a username and password?](http://stackoverflow.com/questions/2594880/using-curl-with-a-username-and-password) for more info. – Jorge Bucaran Dec 23 '14 at 18:55

2 Answers2

2

curl -K, --config <config file>

Specify which config file to read curl arguments from. The config file is a text file in which command line arguments can be written which then will be used as if they were written on the actual command line.

Yes, it is very possible to do so using the -K --config option. Click the link above, ⌘ F to find and enter -K, --config to read the help.

Basically, you will need to create a file with the user and password information such as -u user:password and pass it along to your DELETE request like:

curl $url -X DELETE -K $passfile

curl $url -X PUT ... -K $passfile

Further Reading

If you don't want to keep a file with your or your user's password hanging around in your file system, you can create one temporarily, read the password once, save and delete after your curl request is finished.

Reading the Password

To silent read from stdin in I use my own (probably someone else's too) qread:

function qread -d "Quiet read."
  stty -echo
  head -n 1 | read -l line
  stty echo
  printf $line
end

See How do I echo stars (*) when reading password with `read`? to learn how to do the same in other shells.

Creating a Temporary File

You can use mktemp to generate a temporary file with a unique name.

For example, mktemp .XXXXXXXXX creates a hidden file like .qIFR5mYBO.

mktemp also prints the name of the new file to stdout. Save this to a variable and pass it to cURL after the -K. 

set -l passfile (mktemp .XXXXXXXXX)

Deleting the File

FWIW, you could later use a secure file removal tool like srm to delete the file. 

srm $passfile

Other Security Ideas

Your password will be freely discoverable while cURL runs your requests. There are a few measures you can take to improve security, but nothing too difficult to crack anyway.

  1. Restrict the number of requests. The least requests the less time wrongdoers have to get the password.

  2. Create several decoy -u user:password files along besides the real one. Use both a weak and strong password generator for fake passwords (HTTP request are not cheap, so consider having this logic built-in your application).

  3. Create the temporary/decoy files right before cURL runs and delete them securely as soon as it's finished.

  4. Use a random location to store the files. These locations could also be created before / deleted after running cURL.

Community
  • 1
  • 1
Jorge Bucaran
  • 5,588
  • 2
  • 30
  • 48
0

I don't know about fish but in zsh/bash you can configure history to not record commands with a leading space, e.g. (leading space before command) curl $URL -u $user:$password

Francisco
  • 3,980
  • 1
  • 23
  • 27