This is a small tip for interactive shell scripts: how to keep sensitive information from being displayed on the terminal.
Scenario: Suppose a shell script needs a username and password to connect to a site, and you use the read command to take them from the user. By default, read echoes whatever is typed to the screen in plain text. This is a security issue, so sensitive input has to be kept off the screen.
Example:
My code in my script is
read -p "Please provide bitbucket username(Ex. surendra.anne): " userName
read -p "Please provide bitbucket password: " passWord
Output when executing the entire script:
surendra@sanne-linuxnix:~$ bash push_fpga.sh
Please provide bitbucket username(Ex. surendra.anne): surendra.anne
Please provide bitbucket password: XYZabc123
--2017-03-21 12:50:30-- https://bitbucket.org/linuxnix/sw_daffy/downloads/mypackage.tar.gz
Resolving bitbucket.org (bitbucket.org)... 104.192.143.3, 104.192.143.2, 104.192.143.1, ...
Connecting to bitbucket.org (bitbucket.org)|104.192.143.3|:443... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Authentication selected: Basic realm="Bitbucket.org HTTP"
Reusing existing connection to bitbucket.org:443.
HTTP request sent, awaiting response... 302 Found
Location: https://bbuseruploads.s3.amazonaws.com/adsfawdfas/downloads/qerqdfasdf/mypackage.tar.gz?Signature=nGupkqNe8Da9ZfGJMfrBN5ljAq8%3D&Expires=1490062832&AWSAccessKeyId=qerzxcqew&versionId=Hwf0V2olr_g.7OGBuhnLJxy8aYEG4bBy&response-content-disposition=attachment%3B%20filename%3D%22mypackage.tar.gz%22 [following]
--2017-03-21 12:50:32-- https://bbuseruploads.s3.amazonaws.com/adsfawdfas/downloads/qerqdfasdf/mypackage.tar.gz?Signature=nGupkqNe8Da9ZfGJMfrBN5ljAq8%3D&Expires=1490062832&AWSAccessKeyId=qerzxcqew&versionId=Hwf0V2olr_g.7OGBuhnLJxy8aYEG4bBy&response-content-disposition=attachment%3B%20filename%3D%22mypackage.tar.gz%22
Resolving bbuseruploads.s3.amazonaws.com (bbuseruploads.s3.amazonaws.com)... 52.216.192.24
Connecting to bbuseruploads.s3.amazonaws.com (bbuseruploads.s3.amazonaws.com)|52.216.192.24|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1494336 (1.4M) [application/x-tar]
Saving to: '/tmp/mypackage.tar.gz’
mypackage.tar.gz 100%[=======================================================>] 1.42M 231KB/s in 7.3s
2017-03-21 12:50:41 (201 KB/s) - '/tmp/mypackage.tar.gz’ saved [1494336/1494336]
Notice that the password for my account (XYZabc123) is displayed in plain text.
This can be avoided using the silent option with the read command.
From the read help page:
-s do not echo input coming from a terminal
With the -s option added, the code in the script looks like this (-s has to come before -p, because -p takes the prompt string as its argument):
read -p "Please provide bitbucket username(Ex. surendra.anne): " userName
read -sp "Please provide bitbucket password: " passWord
Output when executing the entire script:
surendra@sanne-linuxnix:~$ bash push_fpga.sh
Please provide bitbucket username(Ex. surendra.anne): surendra.anne
Please provide bitbucket password:
--2017-03-21 12:50:30-- https://bitbucket.org/linuxnix/sw_daffy/downloads/mypackage.tar.gz
Resolving bitbucket.org (bitbucket.org)... 104.192.143.3, 104.192.143.2, 104.192.143.1, ...
Connecting to bitbucket.org (bitbucket.org)|104.192.143.3|:443... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Authentication selected: Basic realm="Bitbucket.org HTTP"
Reusing existing connection to bitbucket.org:443.
HTTP request sent, awaiting response... 302 Found
Location: https://bbuseruploads.s3.amazonaws.com/adsfawdfas/downloads/qerqdfasdf/mypackage.tar.gz?Signature=nGupkqNe8Da9ZfGJMfrBN5ljAq8%3D&Expires=1490062832&AWSAccessKeyId=qerzxcqew&versionId=Hwf0V2olr_g.7OGBuhnLJxy8aYEG4bBy&response-content-disposition=attachment%3B%20filename%3D%22mypackage.tar.gz%22 [following]
--2017-03-21 12:50:32-- https://bbuseruploads.s3.amazonaws.com/adsfawdfas/downloads/qerqdfasdf/mypackage.tar.gz?Signature=nGupkqNe8Da9ZfGJMfrBN5ljAq8%3D&Expires=1490062832&AWSAccessKeyId=qerzxcqew&versionId=Hwf0V2olr_g.7OGBuhnLJxy8aYEG4bBy&response-content-disposition=attachment%3B%20filename%3D%22mypackage.tar.gz%22
Resolving bbuseruploads.s3.amazonaws.com (bbuseruploads.s3.amazonaws.com)... 52.216.192.24
Connecting to bbuseruploads.s3.amazonaws.com (bbuseruploads.s3.amazonaws.com)|52.216.192.24|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1494336 (1.4M) [application/x-tar]
Saving to: '/tmp/mypackage.tar.gz’
mypackage.tar.gz 100%[=======================================================>] 1.42M 231KB/s in 7.3s
2017-03-21 12:50:41 (201 KB/s) - '/tmp/mypackage.tar.gz’ saved [1494336/1494336]
As you can see, no password is shown on the screen even though I typed it. I indicated -s in red so that it is easily visible to readers. I hope this helps anyone who needs to hide passwords or other sensitive information in shell scripts.
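The silent read above, wrapped in a reusable function. This is an added example, not code from push_fpga.sh: the helper name read_secret is hypothetical. Beyond -s, it also uses IFS= and -r, because a plain read strips leading and trailing spaces and removes backslashes from what was typed, which silently changes some passwords.

```bash
#!/usr/bin/env bash
# Added example: read_secret is a hypothetical helper, not part of push_fpga.sh.
#
# Usage:
#   passWord=$(read_secret "Please provide bitbucket password: ") || exit 1

read_secret() {
    local prompt="$1" secret=""

    if [ -t 0 ]; then
        # Interactive: write the prompt to stderr so that $(...) captures
        # only the secret, then read with echo off (-s, a bash extension).
        printf '%s' "$prompt" >&2
        # IFS= keeps leading/trailing spaces; -r keeps backslashes literal.
        IFS= read -r -s secret || { printf '\n' >&2; return 1; }
        # -s also hides the Enter keypress, so end the prompt line here;
        # otherwise the next command's output starts on the same line.
        printf '\n' >&2
    else
        # Not a terminal (pipe, CI job): nothing is echoed, so -s is not
        # needed. Accept a final line that has no trailing newline.
        IFS= read -r secret || [ -n "$secret" ] || return 1
    fi

    # An empty password is almost always a mistyped Enter; refuse it.
    if [ -z "$secret" ]; then
        printf 'read_secret: empty input\n' >&2
        return 1
    fi

    printf '%s' "$secret"
}
```

Hiding the echo only protects the screen; the value is still an ordinary shell variable, so keep it out of set -x traces and log output.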