How to Obscure Command Line Passwords

Jul 06, '10 07:30:00AM

Contributed by: SOX

Many command line programs, such as MySQL and Apple's Xgrid, are not OS X Keychain savvy and require passwords in plaintext on the command line. The same can be true when mounting SMB and AFP volumes from the command line. Command line text not only appears in plain view on your screen and in the terminal scroll-back, it also persists indefinitely in your bash history file on disk. It can sometimes even be viewed by other users in process monitors that show your executing commands. Here is a way to avoid that pitfall.

A common approach is to put the passwords in environment variables that the commands will read. For example, Xgrid will use the environment variable XGRID_CONTROLLER_PASSWORD if it is defined. However, this does not solve the problem of how you get the password into the environment variable in the first place. Using the command line is obviously out. You can put it in your .profile or .bashrc in plain text, but then it is again persistent on disk (and in your Time Machine backups), and those files are readable by any program you run and by admin users.

I found a versatile solution in the OSX Xgrid users wiki at TenGrid.com, which suggests the following code:

`perl -we 'eval {system("stty -echo");$x=<>}; system("stty echo"); print "export XGRID_CONTROLLER_PASSWORD=$x"'`

When you run that from the command line (backticks included), it lets you type in the password invisibly and then puts it in the shell's environment for you. It is only accessible from within that shell, so other programs can't see it. When you eventually close that shell all traces of it vanish, and at no time is it stored (directly, at least) in plain text on disk. Of course, anyone with keyboard access to that terminal could probe your environment variables, but if that is true, this may be the least of your problems. You can automate this command by setting up an alias in your .bashrc or .profile like this (keep the escaped characters!):

alias xgpwd=\`perl\ \-we\ \'eval\ \{system\(\"stty\ \-echo\"\)\;\$x\=\<\>\}\;\ system\(\"stty\ echo\"\)\;\ \ print\ \"export\ XGRID_CONTROLLER_PASSWORD\=\$x\"\'\`

Now typing xgpwd and pressing return will let you set the password environment variable with no onscreen echo. Obviously you will need to edit this for other environment variable names by replacing the one used by Xgrid.

The code above does not support spaces in the password, and it is written assuming bash shell syntax. Since you may be tempted to improve it, note the eval statement. It is critical for ensuring that, if you control-c the process, you are not returned to the command prompt with the tty still not echoing the keys you press!

Note that even if your command line program does not itself read environment variables the way Xgrid does, you can still use this approach by letting the shell interpolate the variable for you, like this:

dumb_command -pass $MY_ENV_PASSWORD

The shell looks up the environment variable corresponding to $MY_ENV_PASSWORD and substitutes the value you previously stored, so dumb_command need not explicitly use environment variables for this hint to work. Note that the substitution happens before dumb_command starts, so while it runs the plaintext value is in its argument list, where a process monitor can still show it; what you avoid is the on-screen echo and the history file. Once again, a hat tip to the extensive OSX Xgrid wiki at TenGrid.com and to all its contributors for solving this age-old dilemma!
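As an added example (not the hint's own code, nor from TenGrid.com), here is a shell function that does what the perl one-liner does, but keeps spaces in the password and restores terminal echo even if you control-c out of the prompt. The function name and the variable names used are my own choices.

```bash
#!/bin/bash
# Reads a secret with echo off and exports it under the variable name given
# as $1, e.g.:  read_secret_into XGRID_CONTROLLER_PASSWORD
# Afterwards the value can be used as in the hint:  dumb_command -pass "$VAR"

read_secret_into() {
    local name="$1" value status saved
    # Only accept a plain identifier, since the name goes into an assignment.
    case $name in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            printf 'read_secret_into: "%s" is not a valid variable name\n' "$name" >&2
            return 2 ;;
    esac
    if [ -t 0 ]; then
        # Interactive terminal: save the tty settings, turn echo off, and make
        # sure the saved settings come back if SIGINT/SIGTERM interrupts read.
        saved=$(stty -g)
        trap 'stty "$saved"; printf "\n" >&2; trap - INT TERM' INT TERM
        stty -echo
        printf 'Enter value for %s: ' "$name" >&2
    fi
    # IFS= keeps leading/trailing blanks; -r keeps backslashes literal.
    status=0
    IFS= read -r value || status=$?
    if [ -t 0 ]; then
        stty "$saved"
        trap - INT TERM
        printf '\n' >&2
    fi
    [ "$status" -eq 0 ] || return 1
    # $name was validated above and $value is passed by reference, so eval
    # never parses the secret text itself.
    eval "$name=\$value"
    export "$name"
    # Like the hint, this only keeps the value off the screen and out of the
    # history file; once passed as an argument it is visible in ps while running.
}
```

Reading from a pipe or file skips the stty calls, which is what lets the function be exercised non-interactively.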

[crarko adds: I haven't tested this one.]

Mac OS X Hints
http://hints.macworld.com/article.php?story=20100702095749620