I am writing a shell script which executes a command that requires a password. I cannot put the password in plain text in the script. I read about the openssl encrypt/decrypt mechanism, but to encrypt a file I again need a password, which again I cannot put in the script. I am clueless as to what the best way is to have a script execute a command using a secure password.
-
If the script contains the information *it* needs to figure out the password, then it also contains the information someone looking at the script needs to figure out the password. Unless there's some way to give the running script access to info that someone reading it can't get at, I don't think there's a way to do what you want. – Gordon Davisson Feb 21 '18 at 06:20
-
Can you be a little more specific? Do all users need to be able to run the script? Why does the command require a password? If it's `ssh`, you can avoid the need by requiring users to have pubkey authentication; if it's `sudo`, look at editing your `/etc/sudoers`, etc. As a last resort, you could arrange for the script to read a password from a file provided by each user (e.g. in `$HOME/.secret/myapp`), and if you're feeling nice, you could even check it's not readable by others. – Toby Speight Feb 21 '18 at 09:22
-
This is not for user authentication. I need to execute a script which takes a password as an argument. So my script needs to execute another script which takes a password as a command line argument. – codec Feb 21 '18 at 10:36
-
Maybe you can take advantage of [hide/encrypt password in bash file to stop accidentally seeing it](https://stackoverflow.com/a/48916341/6771046). – U880D Sep 05 '19 at 14:49
-
"...which takes a password as command line argument." -- **This is an extremely bad idea**. A password on the command line will be visible *for all users of the system*, for the full length the process is running, by doing nothing more sinister than looking at the process list (`ps` or `top` will do). – DevSolar Feb 07 '22 at 18:51
2 Answers
After reading about "Using OpenSSL to encrypt messages and files on Linux", the following approach might work for you.
Assuming you have a private and a public key generated for your machine:

```bash
openssl genrsa -out passwordPrivKey.pem 2048
openssl rsa -in passwordPrivKey.pem -out passwordPubKey.pem -outform PEM -pubout
```

OpenSSL could then be used to encrypt and decrypt a password. Here is a script stub which demonstrates how to use the command:

```bash
#!/bin/bash
# Write the password without a trailing newline, otherwise the newline becomes part of it
echo -n "password" > PASSWORD.plain
# To encrypt (with the public key; -pubin tells rsautl the key file is a public key)
openssl rsautl -encrypt -inkey ./passwordPubKey.pem -pubin -in PASSWORD.plain -out PASSWORD.dat
# Remove the plaintext copy once the ciphertext exists
rm -f PASSWORD.plain
# To decrypt (with the private key)
DECRYPTED=$(openssl rsautl -decrypt -inkey ./passwordPrivKey.pem -in PASSWORD.dat)
# Quote the variable so the shell does not split or glob-expand the password
echo "$DECRYPTED"
```

On the machine where the password is needed unencrypted later, only PASSWORD.dat and passwordPrivKey.pem would be stored.
You may also be interested in "Hiding Password in Shell Scripts", "Password encryption and decryption", "How does OpenSSL decrypt a password", "How to get a password from a shell script without echoing" or "How to decrypt an AES password in Bash scripting?".

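The following is an added example, not the answer's script or anything from the question's project. It puts the answer's public-key approach and DevSolar's point about `ps` together in one POSIX sh script: the private key is created under `umask 077`, the script refuses to decrypt if that key is readable by group or others, the ciphertext is produced with `openssl pkeyutl` (the non-deprecated replacement for `rsautl`) using RSA-OAEP, and the decrypted password is piped to the consuming command's stdin instead of being placed on its command line. The key directory, file names and the `consumer` stand-in for the real `./test.sh` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the answer's script): encrypt a password with an RSA
# public key, decrypt it with the private key, and hand it to the consuming
# command on stdin so it never shows up in the process list.
# All paths below are assumptions for this example.
set -eu

KEYDIR="${KEYDIR:-$(mktemp -d)}"          # hypothetical key directory
PRIV="$KEYDIR/passwordPrivKey.pem"
PUB="$KEYDIR/passwordPubKey.pem"
SECRET_FILE="$KEYDIR/PASSWORD.dat"        # ciphertext; safe to keep beside the script

# One-time setup: the private key is written under umask 077 so it is never
# readable by other users, not even for an instant.
gen_keys() {
    (umask 077; openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 -out "$PRIV" 2>/dev/null)
    openssl pkey -in "$PRIV" -pubout -out "$PUB"
}

# Encrypt the password read from stdin. RSA-OAEP with SHA-256 is chosen over
# the PKCS#1 v1.5 padding that rsautl uses by default.
encrypt_password() {
    openssl pkeyutl -encrypt -pubin -inkey "$PUB" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -out "$SECRET_FILE"
}

# Refuse to use a private key whose group/other bits are set (mode must end in 00).
check_key_perms() {
    mode=$(stat -c '%a' "$PRIV" 2>/dev/null || stat -f '%Lp' "$PRIV")
    case "$mode" in
        *00) return 0 ;;
        *)   echo "refusing: $PRIV is readable by others (mode $mode)" >&2; return 1 ;;
    esac
}

# Decrypt to stdout. Pipe this straight into the consumer rather than
# capturing it into a variable that later ends up on a command line.
decrypt_password() {
    check_key_perms
    openssl pkeyutl -decrypt -inkey "$PRIV" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$SECRET_FILE"
}

# Constructed stand-in for the real command: it reads the password from stdin
# instead of a -p argument, so `ps` shows only "consumer", never the secret.
consumer() {
    IFS= read -r pw
    printf 'received %d bytes\n' "${#pw}"
}

# Full round trip: generates keys, encrypts "$1", and returns the decrypted
# password so a caller can verify it. "$1" here is a shell function argument,
# not a process argument, so it is not visible to other users.
roundtrip() {
    gen_keys
    printf '%s' "$1" | encrypt_password
    decrypt_password
}

if [ "${1:-}" = "--demo" ]; then
    roundtrip 'example-only-password' >/dev/null
    decrypt_password | consumer
fi
```

Run it with `sh script.sh --demo`; the ciphertext file can sit next to the script, but everything hinges on `passwordPrivKey.pem` staying unreadable to anyone who should not learn the password, which is why `check_key_perms` gates every decryption. If the real command only accepts the password via `-p`, the exposure is in that command, and no amount of encryption in the calling script removes it.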
-
You confused one thing: the encryption is done with the public key and the decryption is done with the private key. So simply change the referenced files. Everything else works fine. – rudi Sep 24 '21 at 06:56
-
Oh, one more. To store the password in the plain file, use "echo -n", otherwise the line break becomes part of the password. – rudi Sep 24 '21 at 06:57
Try openssl. It is a command available on UNIX and it can hash your password for you.
-
While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. – Sneha Feb 21 '18 at 06:16
-
Hash will create a hashed password, but will I be able to use it while executing the command? For example: `./test.sh -p "myhashedpassword"` – codec Feb 21 '18 at 06:46