12

I'm writing a Python application that uses a command line utility (proprietary, so it can't be modified) to do part of its work. The problem is that I have to pass the password as a command line argument to the tool, which would easily be seen by any user doing 'ps ax'. How can I send the password to the command line tool safely from within Python (or a shell script)?

theprole
  • It strongly depends on how the tool you want to call accepts passwords. For example, `ssh` accepts it from stdin, if it is a terminal. – khachik Dec 10 '10 at 11:09

6 Answers

5

If the application has some interactive mode, you can use something like pyexpect.

If it only accepts passwords on the command line, the application was DESIGNED to be vulnerable to 'ps ax'; how are you expected to overcome the original bad design? It is proprietary, complaints should go to the guilty^H^H^H^H^H^Hauthor.

Paulo Scardine
2

If the password is only accepted on the command line, you're pretty much out of luck. Are you absolutely sure there's no option to send the password in another way? If you can send it over the process's stdin, you can talk to it via a pipe, and send the password securely in that way.

SingleNegationElimination
  • I'll look into it, but I'm unsure if it's possible. – theprole Dec 12 '10 at 18:44
  • Are you sure that passing passwords into programs via pipes is secure? See my new question http://stackoverflow.com/questions/6321353/securely-passing-password-to-openssl-via-stdin maybe you can grab some points there. – Enchilada Jun 12 '11 at 10:02
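The two delivery paths discussed in this answer, side by side, as an added example that is not part of the original posts. It assumes Linux (`/proc/<pid>/cmdline` is what `ps ax` reads) and uses a child Python process as a hypothetical stand-in for the proprietary tool; the `--password=` flag and the password value are constructed.

```python
import subprocess
import sys
from pathlib import Path

# Stand-in for the proprietary tool (assumption): reads one line from stdin
# and reports how many characters it received.
CHILD = "import sys; print(len(sys.stdin.readline().rstrip('\\n')))"


def visible_argv(pid):
    """Return the argv that /proc exposes for pid, which is what 'ps ax' prints."""
    raw = Path(f"/proc/{pid}/cmdline").read_bytes()
    return [arg.decode() for arg in raw.split(b"\0") if arg]


def run_tool(extra_args, stdin_data):
    """Start the stand-in, snapshot its visible argv, then feed it stdin."""
    proc = subprocess.Popen(
        [sys.executable, "-c", CHILD, *extra_args],
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
    )
    argv = visible_argv(proc.pid)  # child is blocked on stdin, so still alive
    out, _ = proc.communicate(stdin_data)
    return argv, int(out)


def password_on_argv(password):
    """Weak form: secret passed as an argument. Returns True if it is visible."""
    argv, _ = run_tool([f"--password={password}"], b"\n")
    return any(password in arg for arg in argv)


def password_on_stdin(password):
    """Pipe form: returns (visible in argv?, characters the child received)."""
    argv, received = run_tool([], password.encode() + b"\n")
    return any(password in arg for arg in argv), received


if __name__ == "__main__":
    secret = "constructed-secret"  # constructed sample value
    print("argv delivery visible in process list:", password_on_argv(secret))
    print("stdin delivery (visible, chars received):", password_on_stdin(secret))
```

This only helps when the tool actually reads the password from stdin; a tool that accepts it solely as an argument stays exposed in the process list.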
0

You may be able to gain more security by having an encrypted password argument and passing an encrypted password, and the program can decrypt it. At least there would be no plain-text password floating around. I used this method when launching a process via another process and passing it arguments. It may not be feasible in your case though.

0

Write another Python script that will accept the password from the command prompt using getpass.getpass() and store it in a variable. Then call the command from the script with that variable, holding the password, as a parameter.

Rag Sagar
0

You can force an inline shell wrapper as follows:

```bash
somecommand --password=$(echo "Enter Password: " >&2;read -s PASSWORD;echo $PASSWORD)
```

The password entry will populate the command before executing it

The password will NOT appear in your shell history

But it WILL appear in your 'ps' output

Steven
  • Needs more quotes. `--password="$(...; echo "$PASSWORD")"` if you don't want passwords with spaces or which can be interpreted as glob expressions to be munged. (And better to use `printf '%s\n' "$PASSWORD"` instead of `echo`; otherwise `-n` disappears, passwords with literal backslashes have undefined behavior, etc). – Charles Duffy May 25 '19 at 19:33
0

What about this in bash:

```bash
command_asking_for_password < <(command_that_prints_a_password; printf "\r")
```

David Hogan
  • Better to use `printf` -- the behavior of `echo` when given a format string using backslashes -- or, for that matter, the `-n` argument -- is [undefined by POSIX](http://pubs.opengroup.org/onlinepubs/9699919799/utilities/echo.html), and varies in practice between common shells (behavior of ash and dash is different from bash with a default config, which is different from bash with the `xpg_echo` flag enabled). – Charles Duffy Nov 14 '17 at 23:56