How to provide password to a command that prompts

2019-01-04 00:37发布

站内问答 / 前沿技术
994 7 5

I'm writing a UNIX shell function that is going to execute a command that will prompt the user for a password. I want to hard-code the password into the script and provide it to the command. I've tried piping the password into the command like this: 

function() {
    echo "password" | command
}

This may not work for some commands as the command may flush the input buffer before prompting for the password.

I've also tried redirecting standard input to a file containing the password like this, but that doesn't work either:

function() {
    echo "password" > pass.tmp
    command < pass.tmp
    rm pass.tmp
}

I know that some commands allow for the password to be provided as an argument, but I'd rather go through standard input.

I'm looking for a quick and dirty way of piping a password into a command in bash.

7条回答
太酷不给撩
2楼-- · 2019-01-04 01:12

Secure commands will not allow this, and rightly so, I'm afraid - it's a security hole you could drive a truck through.

If your command does not allow it using input redirection, or a command-line parameter, or a configuration file, then you're going to have to resort to serious trickery.

Some applications will actually open up /dev/tty to ensure you will have a hard time defeating security. You can get around them by temporarily taking over /dev/tty (creating your own as a pipe, for example) but this requires serious privileges and even it can be defeated.

查看更多
0人赞 添加讨论(0) 举报
淡お忘
3楼-- · 2019-01-04 01:19

Programs that prompt for passwords usually set the tty into "raw" mode, and read input directly from the tty. If you spawn the subprocess in a pty you can make that work. That is what Expect does...

查看更多
0人赞 添加讨论(0) 举报
4楼-- · 2019-01-04 01:22

Simply use :

echo "password" | sudo -S mount -t vfat /dev/sda1 /media/usb/;
if [ $? -eq 0 ]; then
    echo -e '[ ok ] Usb key mounted'
else
    echo -e '[warn] The USB key is not mounted'
fi

This code is working for me, and its in /etc/init.d/myscriptbash.sh

查看更多
0人赞 添加讨论(0) 举报
Melony?
5楼-- · 2019-01-04 01:23

How to use autoexpect to pipe a password into a command:

These steps are illustrated with an Ubuntu 12.10 desktop. The exact commands for your distribution may be slightly different.

This is dangerous because you risk exposing whatever password you use to anyone who can read the autoexpect script file.

DO NOT expose your root password or power user passwords by piping them through expect like this. Root kits WILL find this in an instant and your box is owned.

EXPECT spawns a process, reads text that comes in then sends text predefined in the script file.

  1. Make sure you have expect and autoexpect installed:

    sudo apt-get install expect
sudo apt-get install expect-dev

  2. Read up on it:

    man expect
man autoexpect

  3. Go to your home directory:

    cd /home/el

  4. User el cannot chown a file to root and must enter a password:

    touch testfile.txt
sudo chown root:root testfile.txt 
   [enter password to authorize the changing of the owner]

  5. This is the password entry we want to automate. Restart the terminal to ensure that sudo asks us for the password again. Go to /home/el again and do this:

    touch myfile.txt

autoexpect -f my_test_expect.exp sudo chown root:root myfile.txt

    [enter password which authorizes the chown to root]

autoexpect done, file is my_test_expect.exp

  6. You have created my_test_expect.exp file. Your super secret password is stored plaintext in this file. This should make you VERY uncomfortable. Mitigate some discomfort by restricting permissions and ownership as much as possible:

    sudo chown el my_test_expect.exp     //make el the owner.
sudo chmod 700 my_test_expect.exp    //make file only readable by el.

  7. You see these sorts of commands at the bottom of my_test_expect.exp:

    set timeout -1
spawn sudo chown root:root myfile.txt
match_max 100000
expect -exact "\[sudo\] password for el: "
send -- "YourPasswordStoredInPlaintext\r"
expect eof

  8. You will need to verify that the above expect commands are appropriate. If the autoexpect script is being overly sensitive or not sensitive enough then it will hang. In this case it's acceptable because the expect is waiting for text that will always arrive.

  9. Run the expect script as user el:

    expect my_test_expect.exp 
spawn sudo chown root:root myfile.txt
[sudo] password for el:

  10. The password contained in my_test_expect.exp was piped into a chown to root by user el. To see if the password was accepted, look at myfile.txt:

    ls -l
-rw-r--r--  1 root root          0 Dec  2 14:48 myfile.txt

It worked because it is root, and el never entered a password. If you expose your root, sudo, or power user password with this script, then acquiring root on your box will be easy. Such is the penalty for a security system that lets everybody in no questions asked.

查看更多
0人赞 添加讨论(0) 举报
相关推荐>>
6楼-- · 2019-01-04 01:29

Take a look at autoexpect (decent tutorial HERE). It's about as quick-and-dirty as you can get without resorting to trickery.

查看更多
0人赞 添加讨论(0) 举报
混吃等死
7楼-- · 2019-01-04 01:31

You can use the -S flag to read from std input. Find below an example:

function shutd()
{
  echo "mySuperSecurePassword" | sudo -S shutdown -h now
}
查看更多
0人赞 添加讨论(0) 举报
1 2 下一页
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)