2

I have the following bash script to insert blowfish automatically into config.inc.php for phpMyAdmin:

```bash
#!/bin/bash

randomBlowfishSecret=$(openssl rand -base64 32)
echo "BlowFish Value: ${randomBlowfishSecret}"
replace_pma_blowfish="\$cfg['blowfish_secret'] = '${randomBlowfishSecret}'; \/* YOU MUST FILL IN THIS FOR COOKIE AUTH! *\/"
sed -i "s/\$cfg\[.blowfish_secret.\]\s*=.*/${replace_pma_blowfish}/" /var/www/html/phpMyAdmin/config.inc.php
```

It works, but if the blowfish key contains the character '/', I get a sed error like:

```
root@test:./test
BlowFish Value: omaRJZpTeWZPQU+dqDc7UlrXZnL6j8i0wSE/3kTnjLU=
sed: -e expression #1, char 99: unknown option to `s'
```

Is there a way to generate a 32-character value with openssl without the character '/', or how do we allow only a certain set of characters in openssl, like this set of characters:

```
!#%+23456789:=?@ABCDEFGHJKLMNPRS
```

To prevent bugs in the script, I want to avoid using certain characters like '/', '$' and others. I know escaping the slash works, but I don't want to use this character because it is going to cause bugs with other code, and I don't want to change the other code. An example of this would be Roundcube, which won't accept the characters ':' and '@', and I think the character '/' would cause problems with other code as well. So I don't want openssl to generate the character '/'.

Requirements:

  1. Allow some special characters like '[' ']' '?' and avoid some characters like '/' '$'
  2. Password length is 32
MaXi32
  • 1
    Switch from `s///` syntax to `s|||`, e.g. See: [Escaping forward slashes in sed command](https://stackoverflow.com/q/40714970/3776858) – Cyrus Jan 01 '21 at 07:48
  • I mean I don't really want to include that slash in the password and only want the password without '/'. If I get an idea how to generate openssl without '/', I can try to exclude other characters, because I know there are some other characters that will cause this error (and not all special characters should be excluded) – MaXi32 Jan 01 '21 at 07:52
  • This really seems like a duplicate of [Using different delimiters in sed commands and range addresses](https://stackoverflow.com/questions/5864146/using-different-delimiters-in-sed-commands-and-range-addresses) right now. Better leave the bash-sed part out. – oguz ismail Jan 01 '21 at 08:00
  • Let me check if that is duplicated. @oguzismail – MaXi32 Jan 01 '21 at 08:02
  • 1
    It seems like the link is talking about replacing the '/' using sed with some other characters, but this is not a fully random password, right? Also, I really don't want to use certain special characters like '/' '$' in the openssl password; how do I generate that password RANDOMLY without these characters? – MaXi32 Jan 01 '21 at 08:05
  • 1
    Keep generating new passwords until you get one without `/`? – Cyrus Jan 01 '21 at 08:14
  • @Cyrus well, that is a good idea that I never thought about -_-. Let me try to check this. – MaXi32 Jan 01 '21 at 08:15
  • Got it using a while loop, but maybe with a little bit of performance lag because sometimes it took 3-4 times to get the right password. What if it took 1000 times to get the password without / .. who knows, this can happen.. hopefully I get an alternative. – MaXi32 Jan 01 '21 at 08:23
  • 1
    Theoretically, it can take an infinitely long time until you get a password without `/`. – Cyrus Jan 01 '21 at 08:34
  • I'm going to stick with your answer about 'keep checking the password'. Hopefully I won't get infinite delay with this check. – MaXi32 Jan 01 '21 at 09:03

2 Answers

4

Switch from `-base64` to `-hex` to avoid `/` in the generated password.

Cyrus
  • But which one is more secure, base64 or hex? The blowfish length requirement is a maximum of 32 characters. Is it good to use -hex with 32 characters? – MaXi32 Jan 01 '21 at 08:42
  • 2
    @MaXi32: It doesn't matter, because both are just a different representation of a 32-character password. – Cyrus Jan 01 '21 at 12:38
1

sed will always fail if an unescaped delimiter character is found in the generated value. You can use this GNU awk command, which does the replacement as plain text:

```bash
awk -i inplace 'BEGIN {val=ARGV[2]; --ARGC} /\$cfg\[.blowfish_secret.\][[:blank:]]*=/ {$0=val} 1' /var/www/html/phpMyAdmin/config.inc.php "$replace_pma_blowfish"
```

To make it readable:

```bash
awk -i inplace 'BEGIN {
   val = ARGV[2]
   --ARGC
}
/\$cfg\[.blowfish_secret.\][[:blank:]]*=/ {
   $0 = val
} 1' /var/www/html/phpMyAdmin/config.inc.php "$replace_pma_blowfish"
```
anubhava
  • 2
    Thanks, this is a good alternative answer if I want to use '/' in the password, but I don't really want to use the '/' character because I need this value of `randomBlowfishSecret` in the future for other code that might not accept '/' even with escaping. There is a case like Roundcube, which cannot accept ':' and '@' in a password. BTW, what is the `i is not in place` error? – MaXi32 Jan 01 '21 at 08:48
  • To save changes in line – anubhava Jan 01 '21 at 08:49
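
Added example, not part of the original question or answers: one way to draw a 32-character secret from an explicit allow-list such as the one in the question, without retry loops on whole passwords, and to write it into the config line without passing it through a sed expression. The function names are hypothetical, and the rewritten line drops the trailing comment of the stock config line.

```bash
#!/bin/bash
# Added example; random_bytes, gen_secret and set_blowfish_secret are hypothetical names.

# Random bytes from openssl, falling back to /dev/urandom if openssl is missing.
random_bytes() { openssl rand "$1" 2>/dev/null || head -c "$1" /dev/urandom; }

# gen_secret LENGTH ALPHABET: print LENGTH characters drawn uniformly from the
# ASCII string ALPHABET. Bytes >= limit are discarded so "byte % n" carries no
# modulo bias; the exit status is non-zero if too few bytes survived.
gen_secret() {
    [ -n "$2" ] || return 2
    random_bytes $(( $1 * 4 + 64 )) | od -An -v -tu1 |
    ALPHABET=$2 LC_ALL=C awk -v len="$1" '
        BEGIN { a = ENVIRON["ALPHABET"]; n = length(a); limit = 256 - 256 % n }
        { for (i = 1; i <= NF && c < len; i++)
              if ($i < limit) { s = s substr(a, $i % n + 1, 1); c++ } }
        END { print s; exit (c < len) }'
}

# set_blowfish_secret FILE SECRET: rewrite the $cfg['blowfish_secret'] line.
# The value reaches awk through the environment (not argv, which ps displays),
# so nothing in it is parsed as a delimiter, regex or escape sequence.
set_blowfish_secret() {
    local tmp rc
    case $2 in *"'"*|*\\*) return 2 ;; esac   # would break the PHP '...' string
    tmp=$(mktemp) || return 1
    SECRET=$2 awk '
        /\$cfg\[.blowfish_secret.\][ \t]*=/ {
            print "$cfg[\047blowfish_secret\047] = \047" ENVIRON["SECRET"] "\047;"
            next
        }
        { print }' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage (config path taken from the question):
#   secret=$(gen_secret 32 '!#%+23456789:=?@ABCDEFGHJKLMNPRS') &&
#       set_blowfish_secret /var/www/html/phpMyAdmin/config.inc.php "$secret"
```

A uniformly drawn secret carries 32·log2(n) bits for an n-symbol alphabet: 160 bits for the question's 32-symbol set, compared with 128 bits for 32 hex characters.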