Bash – Sudo-like remembrance of passwords for own scripts

bashpasswordpython

I have a script which requires a password for authenticating a web service. A single password for a pre-defined user will suffice, and the password should if possible be stored securely (not plain text).

Obviously I don't want to write the password in clear text in the script for security reasons, so I have the script ask me the password, but entering the password every single time is a drag.

So how can I make it so I don't have to enter the password every time I run the script (like sudo)?

The script in this particular case is Python, but I guess it's better to implement it as a generic solution in Bash, so it can be reused for different languages like PHP or Ruby.

Pseudo-code:

#!/bin/bash
pw = cache.load() or {
  pw = ask_user()
  cache.save(pw, 15min)
}
myscript.py pw

Best Answer

Don't reinvent your own password store. Use an existing one. The Linux world has mostly converged on GNOME Keyring. Seahorse provides a convenient GUI for exploring and modifying the keyring and setting a master password. The keyring can be queried from the command line with the secret-tool utility.

secret-tool store --label='Foobar webservice' service foobar account bob

pw=$(secret-tool lookup service foobar account bob)

The password in the store doesn't expire automatically, but the permission to access the store can.

Related Solutions

Can I automate mounting a cifs share without storing the password in plaintext

The Gnome keyring can store passwords. You can enter the password in your Gnome keyring, or if you use the Gnome keyring for other things, you can put a master password and save the keyring to disk.

GVFS, the Gnome virtual filesystem framework, queries the Gnome keyring for passwords if it's available.

From the command line, you can perform a Samba mount with gvfs-mount:

gvfs-mount smb://username\;workgroupname@hostname/sharename

You have no control on the mount point: it's ~/.gvfs/sharename\ on\ hostname. And I don't think that you can control mount options such as permission mappings (but I could be wrong: gvfs-mount is not documented and I haven't explored its internals).

You'll need D-bus. See Samba mount with password prompt as non-root user

Bash – Graphically ask for password in a bash script and retain default sudo timeout setting

I add this to my bash script:

# ask for password up-front.
sudo -v
# Keep-alive: update existing sudo time stamp if set, otherwise do nothing.
while true; do sudo -n true; sleep 60; kill -0 "$$" || exit; done 2>/dev/null &

Found it here:

https://serverfault.com/questions/266039/temporarlly-increasing-sudos-timeout-for-the-duration-of-an-install-script

https://gist.github.com/cowboy/3118588

I use another script to launch my main script and I use a .desktop file to launch that helper script. It's not very straightforward, but it can be made to work 100% GUI. I'm still looking for the perfect solution, but this is doing the trick for now.

Best Answer

Related Solutions

Can I automate mounting a cifs share without storing the password in plaintext

Bash – Graphically ask for password in a bash script and retain default sudo timeout setting

Related Question