
#1 2009-05-27 01:20:21

fflarex
Member
Registered: 2007-09-15
Posts: 466

is there a safe way to get a password using bash?

Hey, I need to safely get a password in my bash script for encrypting some files. Currently my script just listens on a named pipe for something to come through and uses that for encrypting (I wasn't sure if it was safe to type a password in a shell script).

I would prefer something non-interactive if at all possible. This is going to be a cron job, so if it has to be interactive, it should be able to get my input without a terminal emulator. Any suggestions?


#2 2009-05-27 03:42:39

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,231

Re: is there a safe way to get a password using bash?

Non-interactive is counter-intuitive to what passwords are for...

What is the problem you're trying to solve?


#3 2009-05-27 03:56:42

xstaticxgpx
Member
Registered: 2008-10-22
Posts: 48

Re: is there a safe way to get a password using bash?

</dev/urandom tr -dc '[:graph:]' | head -c <length of desired password>

Last edited by xstaticxgpx (2009-05-27 03:59:02)


#4 2009-05-27 04:12:01

djgera
Developer
From: Buenos Aires - Argentina
Registered: 2008-12-24
Posts: 723

Re: is there a safe way to get a password using bash?

read -s
              -s     Silent mode.  If input is coming from a terminal, characters are not echoed.


#5 2009-05-27 06:48:51

fflarex
Member
Registered: 2007-09-15
Posts: 466

Re: is there a safe way to get a password using bash?

fukawi2 wrote:

Non-interactive is counter-intuitive to what passwords are for...

What is the problem you're trying to solve?

I need a cron job to encrypt something with a password. If I store the password in plain text, I lose security. If it requires input, then it's not very useful to schedule it. I wasn't really thinking that hard when I asked this question. I should have known that there wasn't really any way to reconcile these two needs.

Maybe I'll just go with the "security through obscurity" route... my root partition is encrypted anyways, and with proper permissions on the file I could be pretty sure that nobody will read the password. Throw in some obfuscated code and hope that nobody really, really smart gets ahold of my computer while it's running.


#6 2009-05-27 07:38:44

bender02
Member
From: UK
Registered: 2007-02-04
Posts: 1,328

Re: is there a safe way to get a password using bash?

If you could use gpg then it would solve your problem - for encryption only the public key is required.


#7 2009-05-27 07:43:32

fflarex
Member
Registered: 2007-09-15
Posts: 466

Re: is there a safe way to get a password using bash?

Well yes, but it's a backup script. I can't count on having my private key if I lose all my files. I may end up using gpg anyway though... all the solutions here are less than ideal.

Last edited by fflarex (2009-05-27 07:46:14)


#8 2009-05-27 07:58:11

bender02
Member
From: UK
Registered: 2007-02-04
Posts: 1,328

Re: is there a safe way to get a password using bash?

You can create a special key for backups (so that you can't compromise your usual key) and then print the private key on paper - I know, not ideal, but it should be good enough for backups.


#9 2009-05-27 08:29:27

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,231

Re: is there a safe way to get a password using bash?

There's a thing called the Law of Diminishing Returns too...


#10 2009-05-27 09:57:25

bender02
Member
From: UK
Registered: 2007-02-04
Posts: 1,328

Re: is there a safe way to get a password using bash?

fukawi2 wrote:

There's a thing called the Law of Diminishing Returns too...

Well he has to decide what's more important: having the backups well encrypted or having them easily available but with the password not so well hidden [I mean running without user interaction means that the password has to be written somewhere. Although since the root is encrypted, it is probably sufficient to actually have it written somewhere on disk - after all the secret gpg key is also written somewhere on the disk and protected by a password. If the main concern is not a compromised machine but backups stored somewhere else, then it's about the same level of safety.]

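Posts #5 and #10 above settle on keeping the passphrase in a file with restricted permissions so the cron job can run unattended. The following is an added example, not code from any poster in this thread: it refuses a passphrase file that is a symlink, owned by someone else, or readable by group or others, and hands the passphrase to gpg over stdin instead of the command line. The function names, the file paths, and the gpg invocation are assumptions.

```sh
#!/bin/sh
# Added example. The passphrase-file path, the function names and the gpg
# command line are assumptions; stat -c is the GNU coreutils form.

# Print the first line of file $1, but only if it is a regular file (not a
# symlink), owned by the invoking user, with mode 600 or 400.
load_passphrase() (
    file=$1
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "refusing $file: not a regular file" >&2; exit 1
    fi
    meta=$(stat -c '%a %u' "$file") || exit 1
    mode=${meta% *} owner=${meta#* }
    case $mode in
        600|400) ;;
        *) echo "refusing $file: mode $mode is not 600 or 400" >&2; exit 1 ;;
    esac
    if [ "$owner" != "$(id -u)" ]; then
        echo "refusing $file: owned by uid $owner" >&2; exit 1
    fi
    IFS= read -r pass < "$file" || [ -n "$pass" ] || true
    if [ -z "$pass" ]; then
        echo "refusing $file: empty passphrase" >&2; exit 1
    fi
    printf '%s' "$pass"
)

# Encrypt file $1 to $2 with the passphrase stored in $3. The passphrase is
# piped to gpg on stdin by the printf builtin, so it never appears in argv
# (visible in ps) or in the environment.
encrypt_backup() (
    src=$1 dst=$2 passfile=$3
    # Stop here on any refusal rather than let gpg read an empty passphrase.
    pass=$(load_passphrase "$passfile") || exit 1
    umask 077
    # --pinentry-mode loopback is what lets GnuPG 2.1+ honour --passphrase-fd.
    printf '%s\n' "$pass" | gpg --batch --yes --pinentry-mode loopback \
        --passphrase-fd 0 --symmetric --output "$dst" "$src"
)

# Cron usage (script name is hypothetical): backup-encrypt.sh SRC DST PASSFILE
if [ "$#" -eq 3 ]; then
    encrypt_backup "$@"
fi
```

The permission check only protects the passphrase from other local users; anyone who can read the file as its owner or as root can still decrypt the backups, which is the trade-off the thread describes.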
