Bash special character used in YAML file - bash

I am struggling with a bash script that generates some environment variables for me. I am using it in a .travis.yml file later.
My encrypted key looks like this:
someRandomCharacters
withNewLine
In Terminal I checked three possibilities.
echo "someRandomCharacters
withNewLine" | openssl enc -aes-128-cbc -a -salt -pass pass:SomePassword -base64 -d
and
echo "someRandomCharacters\nWithNewLine" | openssl enc -aes-128-cbc -a -salt -pass pass:SomePassword -base64 -d
will give me correct output.
echo "someRandomCharactersWithNewLine" | openssl enc -aes-128-cbc -a -salt -pass pass:SomePassword -base64 -d
This one above will return error reading input file
So far so good - I understand why it works like that. But when I try to enter any of the above-mentioned options, for example like this:
- SOME_ENV=`echo "someRandomCharacters\nWithNewLines" | openssl enc -aes-128-cbc -a -salt -pass pass:SomePassword -base64 -d`
into travis.yml, the last two options will return error reading input file and the first one will crash the whole build due to incorrect .yaml syntax.
I've tried to use any of these three above + many more, for example with "\n" as a special character as I found in examples here on STO. Any of them would return error reading input file and none of them returned the decrypted SOME_ENV into travis. Is there any solution for that? Or maybe my poor experience with Bash and YAML keeps me from seeing an obvious mistake?

While it's hard to tell what exactly the problem is given fake data, here are some data points:
dash (the shell you get if you just run sh on modern Linux distros) and bash behave differently in certain cases.
You should never assume that a code snippet runs with bash, because any number of reasons can cause it to be run with sh instead, and it's sometimes hard to tell.
Here's a script containing a \n sequence that works with sh but fails with bash:
$ cat myfile
echo "U2FsdGVkX19EB+D8no\n9+9bnl4dE5H2WbOUSvsGZjK7s=" | openssl enc -aes-128-cbc -a -salt -pass pass:MyPassword -base64 -d
$ sh myfile
My test data
$ bash myfile
error reading input file
If we instead use echo -e, we get the opposite result where dash fails and bash works:
$ cat myfile
echo -e "U2FsdGVkX19EB+D8no\n9+9bnl4dE5H2WbOUSvsGZjK7s=" | openssl enc -aes-128-cbc -a -salt -pass pass:MyPassword -base64 -d
$ sh myfile
error reading input file
$ bash myfile
My test data
This is why POSIX recommends not using echo. If we instead use printf, it works on both:
$ cat myfile
printf "U2FsdGVkX19EB+D8no\n9+9bnl4dE5H2WbOUSvsGZjK7s=\n" | openssl enc -aes-128-cbc -a -salt -pass pass:MyPassword -base64 -d
$ sh myfile
My test data
$ bash myfile
My test data
However, the line feed sequence in the middle is optional for openssl, and can just be removed (even though you seem to say that this doesn't work: maybe you removed the \ but not the n?)
$ cat myfile
echo "U2FsdGVkX19EB+D8no9+9bnl4dE5H2WbOUSvsGZjK7s=" | openssl enc -aes-128-cbc -a -salt -pass pass:MyPassword -base64 -d
$ sh myfile
My test data
$ bash myfile
My test data
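As an added example (not part of the original answer), the helpers below normalise a base64 blob with printf so that the same bytes reach openssl under dash and bash, whether the blob arrives with real newlines or with literal \n pairs, as it would in a single-line YAML entry. The function names are hypothetical; -A and -pass env: are standard openssl enc options.

```shell
#!/bin/sh
# Added example, not code from the original posts; function names are hypothetical.

# Collapse a base64 blob onto one line: drops real newlines, literal
# backslash-n pairs that the shell did not expand, and stray blanks or CRs.
# printf '%s' never interprets escapes, so dash and bash emit the same bytes.
b64_one_line() {
    printf '%s' "$1" | sed 's/\\n//g' | tr -d ' \t\r\n'
}

# Re-wrap at 64 columns, the layout "openssl enc -a" itself writes.
b64_wrapped() {
    b64_one_line "$1" | fold -w 64
    printf '\n'
}

# Decrypt a blob given in any of those layouts. -A makes openssl treat the
# base64 as a single line of any length. The password is read from the
# environment variable named by $2 instead of appearing on the command line.
decrypt_blob() {
    b64_one_line "$1" | openssl enc -d -aes-128-cbc -a -A -pass "env:$2"
}

# Demo on the sample string from the answer above (no openssl needed):
b64_one_line 'U2FsdGVkX19EB+D8no\n9+9bnl4dE5H2WbOUSvsGZjK7s='
printf '\n'
```

Longer ciphertexts are where this matters most: without -A, openssl expects the base64 to be wrapped, so a long blob joined onto one line for YAML needs either -A or b64_wrapped.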

Related

How can I provide a password to openssl enc in a bash script?

I have a bash script that dumps MySQL, makes a tar, and protects it with openssl:
tar -cf ${DB}_${DATE}.tar *.sql | openssl enc -aes-256-cbc -pbkdf2 -e > ${DB}_${DATE}.tar.gz.enc > /dev/null 2>&1
but my bash script stops because it asks for a password.
How can I supply the password in the bash script?
As the manual tells you, -pass source specifies a location from which openssl will read the password to use.
Assuming this is a bash script instead of a sh script, you can use process substitution:
# Write the archive to stdout (-f -) so that it actually reaches openssl
tar -czf - *.sql |
openssl enc -aes-256-cbc -pbkdf2 -e -pass file:<(echo "password") \
>"${DB}_${DATE}.tar.gz.enc" 2>/dev/null
Note that redirecting stderr to /dev/null is a bad idea -- I'm doing it because it's what your original code did, but it makes it impossible to troubleshoot failures.
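For a script that may run under sh rather than bash, the same -pass mechanism works with a file descriptor fed by a here-document. This is an added example, not code from the question or the answer; the function names, arguments and paths are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Function names, arguments and sample paths are hypothetical.

# Encrypt stdin to stdout. The password ($1) reaches openssl on file
# descriptor 3 through a here-document, so it is not part of the openssl
# command line and no bash-only <( ) process substitution is required.
encrypt_stream() {
    openssl enc -aes-256-cbc -pbkdf2 -e -pass fd:3 3<<EOF
$1
EOF
}

# Inverse of encrypt_stream: decrypt stdin to stdout with password $1.
decrypt_stream() {
    openssl enc -aes-256-cbc -pbkdf2 -d -pass fd:3 3<<EOF
$1
EOF
}

# Archive every .sql file in directory $1, compress, encrypt with password
# $3 and write the result to $2. tar writes to stdout (-f -) so the data
# flows through the pipe; stderr stays visible for troubleshooting.
backup_sql() {
    ( cd "$1" && tar -czf - ./*.sql ) | encrypt_stream "$3" > "$2"
}

# List the archive members of encrypted backup $1 using password $2.
list_backup() {
    decrypt_stream "$2" < "$1" | tar -tzf -
}

# Usage (constructed paths):
#   backup_sql /var/backups/dump "/var/backups/db_$(date +%Y-%m-%d).tar.gz.enc" "$PW"
```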

Expect script with encrypted passwords returning string with single quotes

I am trying to use an expect script to pull configs from Cisco devices. Don't ask why the client does not use a standard tool.
My issue is that they wish to use encrypted passwords for the session. I can encrypt and salt the password into a file and then use cat within the expect script to pull out the password into a variable... see code below, however, the exec command puts the string value into single quotes. Expect scripts I believe treat single quotes differently to double and certainly not like a string.
I can validate that the rest of the code works by putting the raw password into the script as a substitute and if I use 'puts' to display the variable it displays
'password'
My thought as I said is that the exec command is then putting the string back with the single quotes around them.
I have tried SED and TR piped into the end of the command string but that still gives the same result as I would expect.
Any thoughts?
set salt "mrsalty"
set admincmd "cat /mrpwd.txt | openssl enc -aes-256-cbc -md sha512 -a -d -salt -pass pass:$salt"
set password [ exec sh -c $admincmd ]
(This is not really an answer, more of a long, formatted comment)
the exec command puts the string value into single quotes
No it does not.
A demo:
First, create an encrypted password file in the shell
$ salt=mrsalty
$ echo MyPass1234 | openssl enc -aes-256-cbc -md sha512 -a -e -salt -pass pass:$salt > pw.encrypted
$ cat pw.encrypted
U2FsdGVkX18bFSAmQbXqGjeSBVtE8AzJ2K8Lif4muB8=
Now in expect
expect1.1> set salt mrsalty
mrsalty
expect1.2> set file pw.encrypted
pw.encrypted
expect1.3> set password [exec openssl enc -aes-256-cbc -md sha512 -a -d -salt -pass pass:$salt -in $file]
MyPass1234
No single quotes there.
Even with storing the command in a variable and using sh
expect1.4> set admincmd "cat $file | openssl enc -aes-256-cbc -md sha512 -a -d -salt -pass pass:$salt"
cat pw.encrypted | openssl enc -aes-256-cbc -md sha512 -a -d -salt -pass pass:mrsalty
expect1.5> set password [exec sh -c $admincmd]
MyPass1234
How are you using $password later in the expect code?

OpenSSL: Bad magic number using command line tool

For background, I am working through the Matasano Crypto Challenges. One of the problems (Set1, Challenge 7) is to decrypt an AES-128 ECB mode file with a given key, YELLOW SUBMARINE.
The file is base64 encoded and I can decrypt the file in Python but I cannot using the Windows 10 openssl command line tool.
The command I am running is:
openssl aes-128-ecb -d -a -in 7.txt -pass pass:"YELLOW SUBMARINE"
When I run this I am told that I have a bad magic number.
Does anyone have an idea of why I am getting this error?
Looks like the -pass option doesn't like the space in the passphrase.
You can use the option -K with the hexadecimal key like this:
openssl aes-128-ecb -d -a -K 59454c4c4f57205355424d4152494e45 -in 7.txt
Or use the passphrase directly with this command:
openssl aes-128-ecb -d -a -in 7.txt -K $(echo -n "YELLOW SUBMARINE" | hexdump -v -e '/1 "%02X"')
Just for completeness: encrypting with the -a param (perform base64 encoding/decoding, alias -base64) and decrypting without it (or vice versa) gives a bad magic number.

Openssl aes-256-cbc in bash script

I want to encode a randomly generated token with aes-256-cbc in bash. When I write this code in the shell:
echo -n 8724eb94-ff8f-441e-81a7-bc4282f7c342 | openssl enc -a -e -aes-256-cbc -nosalt -pass pass:fzJKp5/vYUWZUZ1hVSXycdmskKcSNtmZoFhPv5UtWGuoV9yH61JCjKzXUWmRCJJ9FITOi66ANSDpBJZKjrRFjA==
I get: HdkTpAnsJ+bHi0DggaQq3iJMh0mrgcohOiJDeGzpqLFdvZUEXaD3YBEqGa4rBB7Y - and it is the same as in Node.js crypto module.
But! When I write this code in bashscript:
hash=$(echo -n 8724eb94-ff8f-441e-81a7-bc4282f7c342 | openssl enc -a -e -aes-256-cbc -nosalt -pass pass:fzJKp5/vYUWZUZ1hVSXycdmskKcSNtmZoFhPv5UtWGuoV9yH61JCjKzXUWmRCJJ9FITOi66ANSDpBJZKjrRFjA==);
echo ${hash}
I get alphrNunU02O4Xxw+qVgaEEaZGTrdGenvgsGnt0lczOkGKX5l6rAQTY3EJ8VA0iB and I have no idea why or where the bug is. I have tried using ``, but got the same wrong encoded value.
I have never written anything in bash, so I have no idea about any "tricks".
Thank you for any answers!
I figured it out. I was using:
'sh script.sh'
to run my script. But when I did this:
'bash script.sh'
everything worked perfectly. I have no idea why (yet) and now I will look for an answer to 'What is the difference between 'sh' and 'bash' '.
Thank you for some suggestions!

OpenSSL Command Line Tool: "-in" argument from string

How can I trick the -in argument of the OpenSSL command line tool in order to get data from a string instead of a file?
Normally, I could use echo command to do it:
echo 'test string 1' | openssl enc -aes-256-cbc -a -salt -pass pass:mypassword
Is there a way I can do it without echo and pipe? Similar to the -pass pass: argument?
Thanks in advance!
If your shell is bash and your OS supports it, you can use process substitution:
openssl enc -in <(echo 'test string 1') -aes-256-cbc -a -salt -pass pass:mypassword
I found a way around this! Instead of passing everything beforehand, and since openssl has an interactive mode, it's possible to run the command without input:
openssl enc -aes-256-cbc -a -salt -pass pass:mypassword
And OpenSSL will be waiting for data to encrypt. This can also be useful for streams!
Then type in the string or data you want to encrypt and send an EOT (End of Transmission), which in Terminal is usually ^D (Control+D), and it will output the encrypted string to stdout!
Hope this may help someone some day!
