What is most secure and simplest way to have a user-typed password on bash become part of stdin to a program?

by

I’m looking for the (1) most secure and (2) simplest way to have a user type a password on a bash shell prompt and to have that password become part of stdin to a program.

This is what the stdin needs to look like: {"username":"myname","password":"<my-password>"}, where <my-password> is what was is typed into the shell prompt. If I had control over the the program the stdin, then I could modify it to securely prompt for a password and put it into place, but the downstream is a standard general purpose command.

I have considered and rejected approaches that use the following:

  • the user typing the password into the command line: the password
    would be shown on the screen and would also visible to all users via
    “ps”
  • shell variable interpolation into a argument to an external program (e.g., ...$PASSWORD...): the password would still be visible to all
    users via “ps”
  • environment variables (if they are left in the environment): the password would be visible to all child processes; even trustworthy
    processes might expose the password if they dump core or dump
    environment variables as part of a diagnostic
  • the password sitting in a file for an extended period of time, even a file with tight permissions: the user may accidentally expose the password and the root user might accidentally see the password

I’ll put my current solution as an answer below, but will happily select a better answer if someone comes up with one. I’m thinking there should be something simpler or maybe someone sees a security concern that I have missed.

Contents hide
Answers:
Method 1
Method 2
Method 3

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

With bash or zsh:

unset -v password # make sure it's not exported
set +o allexport  # make sure variables are not automatically exported
IFS= read -rs password < /dev/tty &&
  printf '{"username":"myname","password":"%s"}n' "$password" | cmd

Without IFS=, read would strip leading and trailing blanks from the password you type.

Without -r, it would process backslashes as a quoting character.

You want to make sure you only ever read from the terminal.

echo can’t be used reliably. In bash and zsh, printf is builtin so that command line wouldn’t show in the output of ps.

In bash, you need to quote $password as otherwise the split+glob operator is applied to it.

That’s still wrong though as you’d need to encode that string as JSON. For instance, double-quote and backslash at least would be a problem. You probably need to worry about the encoding of those characters. Does your program expect UTF-8 strings? What does your terminal send?

To add a prompt string, with zsh:

IFS= read -rs 'password?Please enter a password: '

With bash:

IFS= read -rsp 'Please enter a password: ' password

Method 2

Here’s the solution I have (it’s been tested):

$ read -s PASSWORD
<user types password>
$ echo -n $PASSWORD | perl -e '$_=<>; print "{"username":"myname","password":"$_"}"'

Explanation:

  1. read -s reads a line of stdin (the password) without echoing the line to the screen. It stores is in the shell variable PASSWORD.
  2. echo -n $PASSWORD puts the password on stdout without any newline. (echo is a shell built-in command so no new process is created so (AFAIK) the password as an argument to echo will not be shown on ps.)
  3. perl is invoked and reads the password from stdin to $_
  4. perl puts the password in $_ into the full text and prints it to stdout

If this is going to a HTTPS POST, the second line would be something like:

echo -n $PASSWORD | perl -e '$_=<>; print "{"username":"myname","password":"$_"}"' | curl -H "Content-Type: application/json" <a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="ebc68fabc6">[email protected]</a> -X POST <url-to-post-to>

Method 3

If your version of read doesn’t support -s you try the POSIX compatible way seen in this answer.

echo -n "USERNAME: "; read uname
echo -n "PASSWORD: "; set +a; stty -echo; read passwd; command <<<"$passwd"; set -a; stty echo; echo
passwd= # get rid of passwd possibly only necessary if running outside of a script

The set +a is supposed to prevent auto “export” of a variable to the environment. You should check out the man pages for stty, there are lots of options available. The <<<"$passwd" is quoted because good passwords can have spaces. The last echo after enabling the stty echo is to have the next command/output start on a new line.


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x