Securely Reading and Passing Passwords on Commandline in Bash Scripts
Author(s):
Muhammad Akbar
Publish date: Jun 19, 2019
Publish date: Jun 19, 2019
Passwords should not be read from commandline arguments. Instead you should read them interactively via stdin.
read -s PASSWORD
Passwords should not be passed to other scripts/cli verbatim on commandline or via printf/echo commands. It can be passed via builtin echo command if it is in a variable already (e.g. read from a file earlier), as echo won’t show up in list of running processes. cat with here-document can be used as well if a variable is used for password. Another way is to use file descriptor as shown below.
( exec 3<<<"$PASSWORD"; cat /proc/$BASHPID/fd/3 | cli-that-takes-password-on-stdin )
Some applications accept filedescriptors directly. For example, if you are passing password to openssl, you can just pass fd:3 in place of password.
Please take a moment to share this post:
Twitter,
LinkedIn.
.
Thank you!
.
Thank you!