
Passwords and Command Line

2015/6/4
Tags: [ Ideas ] [ security ] [ shell ]

I've got a service I need to query. It's faster to do it from a nice shell script. However, the server is password protected and, if you want to use curl, you are going to type something like this in your terminal:

$ curl -u goofy:'your goat stinks' ...

…where goofy is your user name and your goat stinks is your password.

This means your nice password is going to be stored in the shell history. You probably want to clear the history afterwards. Yeah, maybe you've got an encrypted hard drive, but still you don't want to accidentally show your password while back-searching in your shell history.

You may supply just the user to curl:

$ curl -u goofy

And curl will ask you for the password.

You will need to type it for every single query you send, which is plain boring, especially if your password is long.

How about copy-and-pasting it? The clipboard buffer is a bit better, maybe. But you still get your password wiped every time you copy something different.

How about a shell variable?

$ PASS='your goat stinks'
$ clear
$ curl -u "goofy:$PASS" ...
$ curl -u "goofy:$PASS" ...
$ curl -u "goofy:$PASS" ...

Much better!

Of course that one is going to be recorded in your history, but just once. After that you can simply edit your .bash_history (or .zsh_history, ...or your history file in general) and drop the single PASS= line.

Magic trick: with the most common shells you can avoid history for some commands.

In Bash, use the HISTCONTROL shell variable. From the manual:

[...]
HISTCONTROL
        A colon-separated list of values controlling  how  commands  are
        saved  on  the  history  list.   If  the list of values includes
        ignorespace, lines which begin with a space  character  are  not
        saved  in  the history list. [...]

If you are using Zsh you can simply set the hist_ignore_space option in your .zshrc.

At this point you can simply register the password once, but without saving it in history (note the leading space before PASS):

$  PASS='your goat stinks'
$ clear
$ curl -u "goofy:$PASS" ...
$ curl -u "goofy:$PASS" ...
$ curl -u "goofy:$PASS" ...

It works just fine!

Of course, this ignores the questionable idea of keeping the password in memory, but I guess that depends on how paranoid you are. The copy-and-paste approach has the same problem.
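
A variant that needs no history setting at all, given here as an added example rather than code from the original post: the password is typed at a prompt into an unexported shell variable, then handed to curl as a config line on stdin (`-K -`), so it appears neither in the history nor in curl's argument list. The function names `ask_pass`, `curl_user_config` and `qcurl` are made up for this sketch; `goofy` and `PASS` are taken from the post.

```shell
# Added example, not from the original post. Function names are hypothetical.

# Prompt for the password without echoing it. The password is typed at a
# prompt, not as a command line, so it never reaches the history file.
ask_pass() {
    saved_tty=$(stty -g)            # remember the current terminal settings
    printf 'Password: ' >&2
    stty -echo                      # hide the typed characters
    IFS= read -r PASS               # IFS= and -r keep spaces and backslashes
    stty "$saved_tty"               # restore the terminal
    printf '\n' >&2
}

# Print a curl config line of the form: user = "name:password"
# Inside a double-quoted config value curl treats \ and " specially,
# so both are escaped (backslashes first, then quotes).
curl_user_config() {
    printf '%s:%s' "$1" "$2" |
        sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
            -e 's/^/user = "/' -e 's/$/"/'
}

# Run curl as user goofy with the stored password. "-K -" makes curl read
# its config from stdin, so the credentials are not passed as an argument.
qcurl() {
    curl_user_config goofy "$PASS" | curl -K - "$@"
}
```

After sourcing these functions, run `ask_pass` once and then `qcurl ...` for each query; `unset PASS` drops the password when you are done.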