6

I have a password stored in an environment variable.

read -s passwd
export passwd

Bad: Using echo $passwd

Now I want to pipe it to a command accepting the password through stdin (e.g., kinit). However, if bash has set -x enabled, then this will leak the password.

(warning: will leak password if set -x is enabled)
$ echo $passwd | kinit [email protected]

+ kinit [email protected]
+ echo secretpassword
...(kinit output)...

Alternative: Using printenv passwd

So I used printenv to write the password to stdin, instead of echo.

(is this ok?)
$ printenv passwd | kinit [email protected]

+ kinit [email protected]
+ printenv passwd
...(kinit output)...

This doesn't print the password to the bash output when I tried it.

Question: Is it OK to use printenv?

But is this actually secure? Is there a configuration of bash that could leak the password somewhere?

Edit: don't think set -x prints to stdout/stderr, fixed.

Improve this question
3
  • if it's an environmental variable anyone could just echo $passwd or run env Commented Dec 16, 2020 at 18:30
  • 1
    I'm more concerned with password leaking into files/logs/etc, not concerned with someone hijacking my shell session. This would be run in a CI/CD pipeline so I have some confidence that the build machine is not compromised. Commented Dec 16, 2020 at 18:32
  • I wanted to see if there are any more "gotchas" like set -x that make it bad to run a command with printenv passwd Commented Dec 16, 2020 at 18:34

2 Answers 2

Reset to default
4

With printenv, the variable has to be exported, which means you're exposing it to other commands in the script, any of which could potentially leak it. But if there's no other command between exporting the variable and using it as input, and you unset it immediately after use, it would be unlikely to be dumped in the log accidentally.

If you're using bash, you could use a herestring instead:

kinit [email protected] <<<"$passwd"

Herestrings aren't included in set -x output, and the variable doesn't need to be exported:

$ bar=abc
+ bar=abc
$ cat <<<"$bar"
+ cat
abc

But herestrings create temporary files, so there's that to consider as a potential source of leakage.

Improve this answer
4
  • 4
    To add more context about the temp files: "Here documents [and herestrings] create temporary files, but these files are deleted after opening and are not accessible to any other process." tldp.org/LDP/abs/html/here-docs.html. Commented Dec 16, 2020 at 20:48
  • I know I'm not supposed to comment this, but thank you for this answer! Commented Dec 16, 2020 at 20:54
  • 4
    In bash 5.1 (just released): "Here documents and here strings now use pipes for the expanded document if it's smaller than the pipe buffer size, reverting to temporary files if it's larger." Commented Dec 16, 2020 at 21:30
  • Some more info on this as I've never seen this type of heredoc. It expands the variable without needing to set start/end markers. Commented Aug 14, 2023 at 19:49
1

I will give you an example with sshpass using a temporary fd to use the password as an argument instead of stdin wit using set -x it won't printed out the password :

#Set the password as an environment variable
export password=MyPassword
#Create the file descriptor 3 and link it to /tmp/pwd, you can use one from 3 to 9.
exec 3<> /tmp/pwd
#Copy the content of password  env variable to /tmp/pwd using dd command
dd of=/tmp/pwd <<< "$password" 
#Here using cat and passing it to xargs so stdout will be catched by stdin of xargs, then the password will be available within the second  curly brackets
cat /tmp/pwd  | xargs -I {} sshpass -p {} ssh <user>@<ip>
#Close the file descriptor
exec 3>&-
#Remove the tmp file
rm -f /tmp/pwd

You can adjust this answer to your use cases.

Improve this answer
5
  • could you add some comments to help explain what is going on in your script? Commented Dec 16, 2020 at 20:40
  • 1
    Thank you for this answer, have to say I don't fully understand all the bash contructs like 3<> and 3>&-. But just wondering, if sshpass fails and the script exits, won't the password remain stored in /tmp/pwd? Commented Dec 16, 2020 at 20:53
  • I have added some comments, here ssh will not be interactive so the commands after will be executed to remove the tmp file. it's just an example to use password as argument instead of stdin : <command> -p <password> Commented Dec 16, 2020 at 21:05
  • 2
    Thanks, I guess why not just pipe the herestring directly into the sshpass command? Commented Dec 16, 2020 at 22:47
  • 1
    Yes possible here, because if no parameter is submitted to sshpass then it will read from stdin then we can use herestring. But i insist that it can be helpfull with other commands like subscription-manager on redhat system that have an option -p to submit the password and subscription-manager does not have a mechanism to read drom stdin. hoping it's clear. thanks Commented Dec 16, 2020 at 23:01

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.