Bash Scripting
  • scripting list
  • How to Make Bash Script Executable Using Chmod
  • Shell Script to Check Linux Server Health
  • How to Concatenate String Variables in Bash [Join Strings]
  • How to Do Bash Variable Substitution (Parameter Substitution)
  • Bash Parameter Expansion with Cheat Sheet
  • Bash getopts with Examples
  • How to Pass all Arguments in Bash Scripting
  • Bash Function Return Value
  • Bash Loop Through Lines in a File
  • Bash readarray with Examples
  • Bash let with Examples
  • Bash expr with Examples
  • Bash read password
  • Bash for Loop Range Variable
  • Bash Arrays Explained
  • Ways to Find Bash Array Length
  • Bash Split String by Delimiter
  • Bash if Options
  • Bash If Statements for String Comparison
  • Debugging Techniques for Bash Scripts
  • Determining if a Bash String is Empty
  • Bash if Statement with Multiple Conditions
  • Meaning of Shebang in Bash Scripts
  • How to Comment Code in Bash Script
  • How to Read CSV File in Bash
  • Bash Scripting: How to Check if File Exists
  • Bash If Else Statements: Examples and Syntax
  • Bash Scripting: How to Check if Directory Exists
  • Bash eval Command with Examples
  • How to Use Sleep Command in Bash Scripting
  • Bash Associative Arrays with Examples
  • Bash Script for Counting Lines in a File
  • How to Use While Loop in Bash for Efficient Scripting
  • Bash basename Command with Examples
  • How to Create Multiline Strings in Bash
  • How to Use Bash if With && Operator
  • 50 Bash Script Examples to Kickstart Your Learning
  • Case statement in Bash Shell Scripting
  • Trimming White Space in Bash
  • How to Extract Filename from Absolute Path in Bash
  • How to Get Directory Path in Bash
  • Extract Extension from File Path in Bash
  • Extract Filename without Extension from Full Path in Bash
  • Bash for Each File in a Directory
  • Bash for Loop with Array
  • Bash Continue – Using with for Loop
  • Bash Backticks vs Dollar Parentheses $()
  • How to Assign Variable in Bash
  • How to Assign Variable in Bash
  • Bash Division Explained
  • Bash Modulo (Division Remainder)
  • Bash While Read Line by Line
  • Bash shift Command
  • Bash Looping Through Array of Strings
  • Bash read Command with Examples
  • Bash Check Empty Array
  • Using Bash For Loops to Iterate Over a List of Strings
  • Bash Break – Using with For Loop
  • How to Use seq With for Loop in Bash
  • How to Use $@ in Bash Scripting
  • Get the Current Script Directory in Bash
Powered by GitBook
On this page
  • How to read passwords in Bash?
  • Secure Read in Bash
  • Conclusion

Bash read password

PreviousBash expr with ExamplesNextBash for Loop Range Variable

Last updated 1 year ago

It isn’t a good idea to put passwords directly in shell scripts. Whenever we provide a password in Linux, it should either be invisible or asterisks (*) should mask our passwords so that it becomes unreadable. In this topic, we will cover the different techniques of reading password using Bash.

How to read passwords in Bash?

Bash has a built-in utility to read input from the user, named read. We can use this tool directly by using certain flags that come with it. By the help of this command, we can also write a script to take the input letter by letter and convert those letters into * on the fly. We also have a widely used command to encrypt and decrypt passwords, thereby further securing them.

Read without displaying the typed characters

When prompted for the password, bash can ensure that the characters being typed are not displayed on the terminal.

#!/bin/bashread -p "Enter name " nameecho "Hi, $name"read -sp "Enter password " passechoecho "$name has provided the password $pass"echo

We are making sure that the user input is not visible while it is getting entered. To achieve that we use the -s flag available with the read command to silent the echo from the user input. This allows working with the read command in a secure way. As a result bash doesn’t display what the user is typing. That input is stored in a variable passed with the read command and can be processed as per the requirements.

The script is taking username and password from the user. The password is silent and anything entered by the user as password isn’t displayed. It is stored in the variable and that variable is printed.

Read with asterisks

When prompted for password, we often see passwords getting replaced by asterisks (*). There is no direct way to do that in Bash. However, we can achieve the same by writing a script.

#!/bin/bashpass=""pass_var="Your password :" # to take password character wisewhile IFS= read -p "$pass_var" -r -s -n 1 letterdo if [[ $letter == $'\0' ]] # if enter is pressed, exit the loop then break fi pass="${pass}$letter" # store the letter in pass, use pass+="$letter" for more concise and readable. pass_var="*" # in place of password the asterisk (*) will be printeddone

We are asking for the user to provide a password. In the while loop we take help of the IFS (Internal Field Separator) to split the characters. The read command with the -r flag will read the password. -s flag will ensure that the password is read silently. To display the input character by character we have supplied the -p flag to the read command. The -n option does not print the trailing newline.

The script is prompting for the password and reading it character by character until the enter button isn’t pressed by the user. For every character that is being supplied from the prompt, the script is replacing it by the asterisk (*).

Read from a file

There have been numerous instances where the user has the password or the key present in a file. Let's first understand how to create a password file.

It is always advised to keep the password file hidden. In Linux, you can do so by creating a file beginning with a dot(.), say .passwd.txt. We will create this file by opening your favorite editor, entering the password and saving it. To secure it even further, change the permissions on the file so that no one else can access it. To achieve that we will use the chmod tool. We can verify the permissions on this file using the ls -al command. Here’s how we do it:

echo "password123" > .passwd.txt #Writing the content to filechmod 600 .passwd.txt # Giving suitable permissionsls -al .passwd.txt #Check permissions

Once the password file is ready, here’s an example to read the contents directly from there.

#!/bin/bashpassFile=".passwd.txt"pass=`cat $passFile`echo Password read from the $passFile is $pass

<Screenshot bash-read-pass-042023-03.png>

The script reads the password from the file passwd.txt using the cat command. It will store the password in the variable pass. Once the password is assigned to the variable, we can do any further processing as per the needs.

Secure Read in Bash

It is always advised to have passwords encrypted in Linux bash shell scripts. Keeping passwords as plain text puts the sensitive data at serious risk.

Encrypt the read password

If we store a password in clear, readable text, anyone with access to our system can read it. Hence, it is always a good practice to encrypt our passwords. There is a command line tool called openssl providing us with cryptography functions of OpenSSL’s crypto library from the shell.

#!/bin/bashread -sp "Enter your password: " passencryptedPass=`echo $pass | openssl enc -aes-256-cbc -md sha512 -a -pbkdf2 -iter 100000 -salt -pass pass:'An0terS3cr3t'`echoecho "Encrypted password is " $encryptedPass

The input password is encrypted using the openssl tool. Many parameters are passed with it. Let’s understand the purpose of each.

Parameter
Used for

enc -aes-256-cbc

It represents the encoding type. We are using 256 block Advanced Encryption Standard with Cipher Block Chaining(CBC)

md sha512

It represents the message digest type. In our case, we employ the SHA512 cryptographic algorithm

a

It represents encoding and decoding in base64 formation. It performs encoding the operation after encryption and decoding before the decryption

pbkdf2

It represents the Password-Based Key Derivation Function 2(PBKDF2) which ensures that the brute force attacks are more difficult

iter

It represents the number of computations that will be used by the PBKDF2. In our case, we have considered 1000

salt

It represents random data which ensures that the encrypted data differs every time, even for the same password

pass

It represents the password or the key that will be used to encrypt the data. We have taken it as 'An0terS3cr3t'

We have supplied the password as ABCdef1@ to the script and stored it in a variable. We perform an echo on the password and pipe the output as an input to the openssl command. The openssl then, with the mentioned parameters, encrypts the password.

Decrypt the encrypted password

Just as we tried encrypting the password, we can decrypt the same. We will again use the openssl command in a similar manner.

#!/bin/bash read -sp "Enter your password: " passencryptedPass=`echo $pass | openssl enc -aes-256-cbc -md sha512 -a -pbkdf2 -iter 100000 -salt -pass pass:'An0terS3cr3t'`echoecho "Encrypted password is " $encryptedPass decryptedPass=`echo $encryptedPass | openssl enc -aes-256-cbc -md sha512 -a -pbkdf2 -iter 100000 -salt -pass pass:'An0terS3cr3t' -d`echoecho "Decrypted password is " $decryptedPass

The decryption of password, using openssl, works exactly in the same manner as the encryption. The data taken as input is given to the open ssl command along with the parameters. The result of this operation is assigned to a variable which holds the decrypted data.

When prompted for the password, we gave ABCdef1@. The password is then encrypted just as we did in the last case. This data, stored in a variable, is then piped as input to the openssl command. The openssl, with the described parameters, decrypts the password back to its original form. We are finally displaying the decrypted value on the screen.

Conclusion

  • Passwords as plain texts pose quite a serious and basic security flaw.

  • The read command can be used to read passwords by using its flags.

  • We have learned how to create and read hidden password files.

  • The openssl utility is a widely used tool for encryption and decryption.