busybox passwd can't use --stdin option, when i excute passwd,it need to input password twice,
i want to write a shell script to change auto because some reason.
i do passwd manual,it works fine。
your textbut when i write a script like this
#!/bin/sh
passwd << EOF
<new password>
<new password>
EOF
when i sh this script,the result is password for root is unchanged.
is there some wrong,i am a shell rookie,hope someone can help me,thank you!
i want sh script success!
While it is possible you just need to add a line with the current pass,
THIS IS VERY DANGEROUS especially for the root user.
the script would look like this:
#!/bin/sh
passwd << EOF
<current pass>
<new pass>
<new pass>
EOF
there is probably a much safer methode to do the thing you want to do,
feel free to send me a message.
Related
I'm writing script to test unix commands. one of them is the SCP command, where the certs are set up , so it did not ask for the password on normal scenario.
scp /tmp/test.txt $userid#$hostname:$path
But assume scenario like certs were deleted or the user id is wrong then the script is not getting completed as scp asks for password
On the terminal
scp /tmp/test.txt $userid#$hostname:$path
Password:
So how can i force not to prompt for password and just fail in case it can not validate.
The scp command was stored in a variable line and is executed as below
`$line`
Typically:
scp -o BatchMode=yes ..
Taken from the scp man pages:
-B Selects batch mode (prevents asking for passwords or
passphrases).
I have a unique need to execute "vncpasswd" as a different user in a script.
It also needs to be non-interactive and automatic.
I'm using redirect and also as a different user.
Using info from (trying to combine)
Thank you.
https://unix.stackexchange.com/questions/91534/how-to-pipe-to-bash-as-a-different-user
and
How to set Vncserver in bash script (redhat6)
Tried variations of
#!/bin/sh
'vncpasswd << EOF
tvnc1234
tvnc1234
EOF' | sudo -u vnc bash
and
#!/bin/sh
sudo -u vnc bash 'vncpasswd' << EOF
tvnc1234
tvnc1234
EOF
Necessary Info:
I'm trying to use expect to automate a password involving a command with PostgreSQL in a BASH script. I've tried mimicking several examples I found here on StackOverflow.com and also other resources on the internet with no success.
Issue: I'm still getting prompted for input.
Code:
Extra Info: password is a global variable not shown in this snippet
database_work(){
sudo -u postgres createdb tinyows
sudo python /$1/database.py
expect <<- DONE
spawn sudo -u postgres psql -U postgres -d tinyows < `pg_config --sharedir`/contrib/postgis-2.1/postgis.sql
expect "*?assword:*"
send -- "$password\r"
send -- "\r"
expect eof
DONE
expect <<- DONE
spawn sudo -u postgres psql -U postgres -d tinyows < `pg_config --sharedir`/contrib/postgis-2.1/spatial_ref_sys.sql
expect "*?assword:*"
send -- "$password\r"
send -- "\r"
expect eof
DONE
}
Ending Note: I appreciate any help and advice anyone gives, thank you.
You're trying to solve your carpentry problem with a welder.
This won't work for a number of reasons.
sudo intentionally prevents you from redirecting its stdin, instead reading it from the terminal. This is partly to make password stealing wrappers harder, but is mostly useful so that things like some-command | sudo othercommand work even if sudo has to prompt for a password. To disable this you must pass the --stdin flag to sudo, explicitly telling it you want it to read a password from stdin.
sudo may or may not actually prompt for a password at each invocation, depending on its settings, whether the user ran it recently, etc. expect won't like that.
The better way to do this is to set up sudo so that you don't have to supply a password to perform the desired action, or get the user to run your whole script under sudo first so they can interactively respond to the prompt. Then use a regular shell script, or preferably an automation tooling framework like Ansible or Puppet.
BTW, on anything except ancient PostgreSQL releases you should be using CREATE EXTENSION postgis; not running a loader script through psql.
In my shell script I am running a command which is asking me for input.
How can I give the command the input it needs automatically?
For example:
$cat test.sh
ssh-copy-id tester#10.1.2.3
When running test.sh:
First, it will ask:
Are you sure you want to continue connecting (yes/no)?
Then, it will ask me to input the password:
tester#10.1.2.3's password:
Is there a way to input this automatically?
For simple input, like two prompts and two corresponding fixed responses, you could also use a "here document", the syntax of which looks like this:
test.sh <<!
y
pasword
!
The << prefixes a pattern, in this case '!'. Everything up to a line beginning with that pattern is interpreted as standard input. This approach is similar to the suggestion to pipe a multi-line echo into ssh, except that it saves the fork/exec of the echo command and I find it a bit more readable. The other advantage is that it uses built-in shell functionality so it doesn't depend on expect.
For general command-line automation, Expect is the classic tool. Or try pexpect if you're more comfortable with Python.
Here's a similar question that suggests using Expect: Use expect in bash script to provide password to SSH command
There definitely is... Use the spawn, expect, and send commands:
spawn test.sh
expect "Are you sure you want to continue connecting (yes/no)?"
send "yes"
There are more examples all over Stack Overflow, see:
Help with Expect within a bash script
You may need to install these commands first, depending on your system.
Also you can pipe the answers to the script:
printf "y\npassword\n" | sh test.sh
where \n is escape-sequence
ssh-key with passphrase, with keychain
keychain is a small utility which manages ssh-agent on your behalf and allows the ssh-agent to remain running when the login session ends. On subsequent logins, keychain will connect to the existing ssh-agent instance. In practice, this means that the passphrase must be be entered only during the first login after a reboot. On subsequent logins, the unencrypted key from the existing ssh-agent instance is used. This can also be useful for allowing passwordless RSA/DSA authentication in cron jobs without passwordless ssh-keys.
To enable keychain, install it and add something like the following to ~/.bash_profile:
eval keychain --agents ssh --eval id_rsa
From a security point of view, ssh-ident and keychain are worse than ssh-agent instances limited to the lifetime of a particular session, but they offer a high level of convenience. To improve the security of keychain, some people add the --clear option to their ~/.bash_profile keychain invocation. By doing this passphrases must be re-entered on login as above, but cron jobs will still have access to the unencrypted keys after the user logs out. The keychain wiki page has more information and examples.
Got this info from;
https://unix.stackexchange.com/questions/90853/how-can-i-run-ssh-add-automatically-without-password-prompt
Hope this helps
I have personally been able to automatically enter my passphrase upon terminal launch by doing this: (you can, of course, modify the script and fit it to your needs)
edit the bashrc file to add this script;
Check if the SSH agent is awake
if [ -z "$SSH_AUTH_SOCK" ] ; then
exec ssh-agent bash -c "ssh-add ; $0"
echo "The SSH agent was awakened"
exit
fi
Above line will start the expect script upon terminal launch.
./ssh.exp
here's the content of this expect script
#!/usr/bin/expect
set timeout 20
set passphrase "test"
spawn "./keyadding.sh"
expect "Enter passphrase for /the/path/of/yourkey_id_rsa:"
send "$passphrase\r";
interact
Here's the content of my keyadding.sh script (you must put both scripts in your home folder, usually /home/user)
#!/bin/bash
ssh-add /the/path/of/yourkey_id_rsa
exit 0
I would HIGHLY suggest encrypting the password on the .exp script as well as renaming this .exp file to something like term_boot.exp or whatever else for security purposes. Don't forget to create the files directly from the terminal using nano or vim (ex: nano ~/.bashrc | nano term_boot.exp) and also a chmod +x script.sh to make it executable. A chmod +r term_boot.exp would be also useful but you'll have to add sudo before ./ssh.exp in your bashrc file. So you'll have to enter your sudo password each time you launch your terminal. For me, it's more convenient than the passphrase cause I remember my admin (sudo) password by the hearth.
Also, here's another way to do it I think;
https://www.cyberciti.biz/faq/noninteractive-shell-script-ssh-password-provider/
Will certainly change my method for this one when I'll have the time.
You can write the expect script as follow:
$ vi login.exp
#!/usr/bin/expect -f
spawn ssh username#machine.IP
expect "*assword: "
send -- "PASSWORD\r"
interact
And run it as:
$ expect login.exp
I'm writing a UNIX shell function that is going to execute a command that will prompt the user for a password. I want to hard-code the password into the script and provide it to the command. I've tried piping the password into the command like this:
function() {
echo "password" | command
}
This may not work for some commands as the command may flush the input buffer before prompting for the password.
I've also tried redirecting standard input to a file containing the password like this, but that doesn't work either:
function() {
echo "password" > pass.tmp
command < pass.tmp
rm pass.tmp
}
I know that some commands allow for the password to be provided as an argument, but I'd rather go through standard input.
I'm looking for a quick and dirty way of piping a password into a command in bash.
How to use autoexpect to pipe a password into a command:
These steps are illustrated with an Ubuntu 12.10 desktop. The exact commands for your distribution may be slightly different.
This is dangerous because you risk exposing whatever password you use to anyone who can read the autoexpect script file.
DO NOT expose your root password or power user passwords by piping them through expect like this. Root kits WILL find this in an instant and your box is owned.
EXPECT spawns a process, reads text that comes in then sends text predefined in the script file.
Make sure you have expect and autoexpect installed:
sudo apt-get install expect
sudo apt-get install expect-dev
Read up on it:
man expect
man autoexpect
Go to your home directory:
cd /home/el
User el cannot chown a file to root and must enter a password:
touch testfile.txt
sudo chown root:root testfile.txt
[enter password to authorize the changing of the owner]
This is the password entry we want to automate. Restart the terminal to ensure that sudo asks us for the password again. Go to /home/el again and do this:
touch myfile.txt
autoexpect -f my_test_expect.exp sudo chown root:root myfile.txt
[enter password which authorizes the chown to root]
autoexpect done, file is my_test_expect.exp
You have created my_test_expect.exp file. Your super secret password is stored plaintext in this file. This should make you VERY uncomfortable. Mitigate some discomfort by restricting permissions and ownership as much as possible:
sudo chown el my_test_expect.exp //make el the owner.
sudo chmod 700 my_test_expect.exp //make file only readable by el.
You see these sorts of commands at the bottom of my_test_expect.exp:
set timeout -1
spawn sudo chown root:root myfile.txt
match_max 100000
expect -exact "\[sudo\] password for el: "
send -- "YourPasswordStoredInPlaintext\r"
expect eof
You will need to verify that the above expect commands are appropriate. If the autoexpect script is being overly sensitive or not sensitive enough then it will hang. In this case it's acceptable because the expect is waiting for text that will always arrive.
Run the expect script as user el:
expect my_test_expect.exp
spawn sudo chown root:root myfile.txt
[sudo] password for el:
The password contained in my_test_expect.exp was piped into a chown to root by user el. To see if the password was accepted, look at myfile.txt:
ls -l
-rw-r--r-- 1 root root 0 Dec 2 14:48 myfile.txt
It worked because it is root, and el never entered a password. If you expose your root, sudo, or power user password with this script, then acquiring root on your box will be easy. Such is the penalty for a security system that lets everybody in no questions asked.
Take a look at autoexpect (decent tutorial HERE). It's about as quick-and-dirty as you can get without resorting to trickery.
You can use the -S flag to read from std input. Find below an example:
function shutd()
{
echo "mySuperSecurePassword" | sudo -S shutdown -h now
}
Secure commands will not allow this, and rightly so, I'm afraid - it's a security hole you could drive a truck through.
If your command does not allow it using input redirection, or a command-line parameter, or a configuration file, then you're going to have to resort to serious trickery.
Some applications will actually open up /dev/tty to ensure you will have a hard time defeating security. You can get around them by temporarily taking over /dev/tty (creating your own as a pipe, for example) but this requires serious privileges and even it can be defeated.
with read
Here's an example that uses read to get the password and store it in the variable pass. Then, 7z uses the password to create an encrypted archive:
read -s -p "Enter password: " pass && 7z a archive.zip a_file -p"$pass"; unset pass
But be aware that the password can easily be sniffed.
Programs that prompt for passwords usually set the tty into "raw" mode, and read input directly from the tty. If you spawn the subprocess in a pty you can make that work. That is what Expect does...
Simply use :
echo "password" | sudo -S mount -t vfat /dev/sda1 /media/usb/;
if [ $? -eq 0 ]; then
echo -e '[ ok ] Usb key mounted'
else
echo -e '[warn] The USB key is not mounted'
fi
This code is working for me, and its in /etc/init.d/myscriptbash.sh
That's a really insecure idea, but:
Using the passwd command from within a shell script