All geek questions in one place

How to provide password in shell script?

In the shell script file, I use some commands like scp and make install that ask for my password.

I run a shell script to compile a large project, and after a while it asks for my password to use scp . I need to wait for this process and give a password after that.

I just want to make it all a shell script without interaction, so how can I avoid asking for a password here?

+4
source share
5 answers

If you cannot use the ssh trust and must enter the password later in the script, use read -s -p "Password:" USER_PASSWORD to read quietly in the password. You can then export USER_PASSWORD expect a script, avoiding displaying it in ps :

  #!/usr/bin/expect -f spawn scp some.file USER@otherhost :~ expect "assword:" send -- "$env(USER_PASSWORD)\r" expect eof
+4
source

Short answer: NOT

Use public key authentication for SCP and sudo with the NOPASSWD directive for make install

+8
source

I think it's better to generate an authentication key and use this key- based authentication instead of writing text passwords to your scripts.

+5
source

No, you will not find any way to use the SSH configuration files or the command-line option so that the password is hard-coded, and I'm sure this is by design.

If the environment is difficult, it might be useful to know that the script can specify the identifier file using the -i argument so that you do not need to set the entire home directory or something like that. There are other options that help use key authentication, which ssh really encourages password authentication.

If you use this for several users who do not want to worry about creating keys and copying them to the server, you could also script. It is easy to check the existing key and perform a quick test to find out if you can establish a connection with it. If you can’t do without a password, then you must transfer ssh-copy-id to the server, asking for the ssh password, which once and at the beginning of the script there will be a very slight lag between starting and running the script and this will be only once. You can even configure a separate key for each user only for the script in your own directory ~ / .script / key / so that you prevent users from accessing the SSH server.

If you really want to limit what can be done on the remote server to this user, you can use rssh as a shell on the remote account, which will restrict user access to file transfers.

+2
source

In a good way that we did in the past to provide passwords for the necessary scenarios when using key-based authentication, it was impossible or necessary to use passwords for applications, services, mysql, regardless ... we saved the passwords in an encrypted file, and then decrypted this file at run time to provide a password for scripts.

Decrypting the password for the script, let it call yourcreds.rb, was limited only to root, and unencrypted passwords were not stored anywhere. For example, you can run:

root @host: ~ # yourcreds.rb | grep mysql | awk {'print $ 3'}

Which without awk, for example, prints a stored string: service | user | password | description | etc ... mysql mysqluser password ....

With yourcreds.rb (or whatever), you can only display the password and easily include this method in scripts / cron jobs in larger or more complex environments.

Also, if I remember correctly, we did not have to use grep / awk or anything else. We just programmed in the parse options, for example: yourcreds.rb list mysql or yourcreds.rb -l, etc.

We used blowfish and yamls to store encrypted passwords. I am sure you can be creative. Just make sure it's a bullet of evidence for everyone but root.

+1
source

Source: https://habr.com/ru/post/1397390/

More articles:


All Articles