Bash read password
Last updated
Last updated
It isn’t a good idea to put passwords directly in shell scripts. Whenever we provide a password in Linux, it should either be invisible or asterisks (*) should mask our passwords so that it becomes unreadable. In this topic, we will cover the different techniques of reading password using Bash.
Bash has a built-in utility to read input from the user, named read. We can use this tool directly by using certain flags that come with it. By the help of this command, we can also write a script to take the input letter by letter and convert those letters into * on the fly. We also have a widely used command to encrypt and decrypt passwords, thereby further securing them.
When prompted for the password, bash can ensure that the characters being typed are not displayed on the terminal.
#!/bin/bashread
-p "Enter name "
nameecho
"Hi, $name"read
-sp "Enter password "
passechoecho
"$name has provided the password $pass"echo
We are making sure that the user input is not visible while it is getting entered. To achieve that we use the -s flag available with the read command to silent the echo from the user input. This allows working with the read command in a secure way. As a result bash doesn’t display what the user is typing. That input is stored in a variable passed with the read command and can be processed as per the requirements.
The script is taking username and password from the user. The password is silent and anything entered by the user as password isn’t displayed. It is stored in the variable and that variable is printed.
When prompted for password, we often see passwords getting replaced by asterisks (*). There is no direct way to do that in Bash. However, we can achieve the same by writing a script.
#!/bin/bashpass=""pass_var="Your password :"
# to take password character wisewhile
IFS= read
-p "$pass_var"
-r -s -n 1 letterdo if
[[ $letter == $'\0'
]] # if enter is pressed, exit the loop then break fi
pass="${pass}$letter"
# store the letter in pass, use pass+="$letter" for more concise and readable. pass_var="*"
# in place of password the asterisk (*) will be printeddone
We are asking for the user to provide a password. In the while loop we take help of the IFS (Internal Field Separator) to split the characters. The read command with the -r flag will read the password. -s flag will ensure that the password is read silently. To display the input character by character we have supplied the -p flag to the read command. The -n option does not print the trailing newline.
The script is prompting for the password and reading it character by character until the enter button isn’t pressed by the user. For every character that is being supplied from the prompt, the script is replacing it by the asterisk (*).
There have been numerous instances where the user has the password or the key present in a file. Let's first understand how to create a password file.
It is always advised to keep the password file hidden. In Linux, you can do so by creating a file beginning with a dot(.), say .passwd.txt. We will create this file by opening your favorite editor, entering the password and saving it. To secure it even further, change the permissions on the file so that no one else can access it. To achieve that we will use the chmod tool. We can verify the permissions on this file using the ls -al command. Here’s how we do it:
echo
"password123"
> .passwd.txt #Writing the content to filechmod
600 .passwd.txt # Giving suitable permissionsls
-al .passwd.txt #Check permissions
Once the password file is ready, here’s an example to read the contents directly from there.
#!/bin/bashpassFile=".passwd.txt"pass=`cat $passFile`echo Password read from the $passFile is $pass
<Screenshot bash-read-pass-042023-03.png>
The script reads the password from the file passwd.txt using the cat command. It will store the password in the variable pass. Once the password is assigned to the variable, we can do any further processing as per the needs.
It is always advised to have passwords encrypted in Linux bash shell scripts. Keeping passwords as plain text puts the sensitive data at serious risk.
If we store a password in clear, readable text, anyone with access to our system can read it. Hence, it is always a good practice to encrypt our passwords. There is a command line tool called openssl providing us with cryptography functions of OpenSSL’s crypto library from the shell.
#!/bin/bashread -sp "Enter your password: " passencryptedPass=`echo $pass | openssl enc -aes-256-cbc -md sha512 -a -pbkdf2 -iter 100000 -salt -pass pass:'An0terS3cr3t'`echoecho "Encrypted password is " $encryptedPass
The input password is encrypted using the openssl tool. Many parameters are passed with it. Let’s understand the purpose of each.
enc -aes-256-cbc
It represents the encoding type. We are using 256 block Advanced Encryption Standard with Cipher Block Chaining(CBC)
md sha512
It represents the message digest type. In our case, we employ the SHA512 cryptographic algorithm
a
It represents encoding and decoding in base64 formation. It performs encoding the operation after encryption and decoding before the decryption
pbkdf2
It represents the Password-Based Key Derivation Function 2(PBKDF2) which ensures that the brute force attacks are more difficult
iter
It represents the number of computations that will be used by the PBKDF2. In our case, we have considered 1000
salt
It represents random data which ensures that the encrypted data differs every time, even for the same password
pass
It represents the password or the key that will be used to encrypt the data. We have taken it as 'An0terS3cr3t'
We have supplied the password as ABCdef1@ to the script and stored it in a variable. We perform an echo on the password and pipe the output as an input to the openssl command. The openssl then, with the mentioned parameters, encrypts the password.
Just as we tried encrypting the password, we can decrypt the same. We will again use the openssl command in a similar manner.
#!/bin/bash
read
-sp "Enter your password: "
passencryptedPass=`echo
$pass | openssl enc -aes-256-cbc -md sha512 -a -pbkdf2 -iter 100000 -salt -pass pass:'An0terS3cr3t'`echoecho
"Encrypted password is "
$encryptedPass
decryptedPass=`echo
$encryptedPass | openssl enc -aes-256-cbc -md sha512 -a -pbkdf2 -iter 100000 -salt -pass pass:'An0terS3cr3t'
-d`echoecho
"Decrypted password is "
$decryptedPass
The decryption of password, using openssl, works exactly in the same manner as the encryption. The data taken as input is given to the open ssl command along with the parameters. The result of this operation is assigned to a variable which holds the decrypted data.
When prompted for the password, we gave ABCdef1@. The password is then encrypted just as we did in the last case. This data, stored in a variable, is then piped as input to the openssl command. The openssl, with the described parameters, decrypts the password back to its original form. We are finally displaying the decrypted value on the screen.
Passwords as plain texts pose quite a serious and basic security flaw.
The read command can be used to read passwords by using its flags.
We have learned how to create and read hidden password files.
The openssl utility is a widely used tool for encryption and decryption.