Saturday, December 17, 2011

Using passwords securely in bash

Watching a video over on Hak5 about bash history fixing reminded me that I've been trying to find a way to securely enter passwords in bash commands and scripts.

Some tools require passwords to be passed as command-line arguments. That is convenient when the tool is used in a script, but when the tool is called from the command line the password ends up in the bash history. This may not be a big issue in some cases, but I just can't stand having passwords shown in plaintext anywhere. (Except maybe the occasional temporary, random, auto-generated password that gets e-mailed when registering for a website.)

Meimi039 suggested to Hak5 to use a setting (HISTCONTROL=ignorespace) so that any command starting with a space is not written to the history. Even though I don't want my passwords in the history, I do like to have my commands in my history file.

So here are my solutions for keeping passwords out of the bash history and out of scripts. Keep in mind what they do and do not cover: once the shell has expanded the variable, the plaintext password is in the tool's argument list, and it is visible to every user on the host through ps or /proc/<pid>/cmdline for as long as the tool runs. Avoiding that takes a tool that can read the password from stdin, a file or the environment instead of from an argument.

Commandline
When invoking commands that require a password on the command line I use variables.
Let's say "tool" requires a parameter "-p <PASSWORD>". I've used the following method for a few years:
$ read -r -s PASS
$ tool -p "$PASS"
The -s switch disables echo while the password is typed and -r keeps backslashes literal. Quote the variable so that a password containing spaces or glob characters reaches the tool unchanged. When done using the $PASS variable, I unset it:
$ unset PASS
The method I use in scripts (below) is derived from this.

After watching the video on Hak5 I was thinking about how to make this password usage require less typing. Here's my solution.

In my .bashrc I've included a new alias passpr (from 'password prompt'):
alias passpr='IFS= read -r -s -p "Password: " pass; printf "%s" "$pass"; unset pass'
read -p writes the prompt to stderr, so only the password itself goes to stdout. printf is used instead of echo so that a password such as "-n" or "-e" is not taken for an echo option, and the variable is cleared by name with unset pass (not unset $pass, which would expand to the password and try to unset a variable of that name). Now I can call the example "tool" like this:
$ tool -p "$(passpr)"
Because the alias runs inside the command substitution, the pass variable only ever exists in that subshell and never lands in the interactive shell's environment.
Script
In scripts I prefer a method derived from the first example of safely using passwords on the command line.
A script could for example look like this:
#!/usr/bin/bash
# Prompt on stderr with echo disabled; -r keeps backslashes literal
IFS= read -r -s -p "Password for tool: " PASS
echo >&2    # read -s swallows the newline typed after the password
tool -p "$PASS"
unset PASS
Finally I'd like to mention that Hak5, in their video, has collected a few tips on how to remove passwords from the history when they have accidentally been entered on the command line.
