Bash script, appropriate variable to store password
Hello,
I have a script that connects to remote devices using ssh; the script knows my username, but always asks for my password.
I want the script to ask for it once, put it in a variable only accessible by my user, and I want the variable to remain so that it is recognized every time I call the script.
If my session ends, I want the variable to be reset.
Is there such variable? If so, how do I call it in my script?
I don't manage the distant servers, I have to use usernames provided.
I only embed the usernames in my script, written on the HDD, that's why I want to store the password in a variable in RAM (and be asked the passwords every time I log in, but not every time I use the script).
An example would be:
-I'm in my linux session
-I start the script to connect to cisco switch A
-I start the script to connect to cisco switch B
-I start the script to connect to cisco router X
-I start the script to connect to server Y
The script knows my different usernames and chooses the appropriate ones according to the device type. It would be nice to find a secure way to also store the passwords at the beginning of a user session in Linux.
Script made by a colleague, I simplified it to the bare minimum before publication, it only knows my usernames (written in the script on the HDD), not my passwords:
Again, the safe way to do that would be to use keys and then load the keys into your agent. With an agent, you will enter the private key's passphrase once per desktop session. As far as I know, all major desktops now have an agent running for you by default. And unless things are weird there on the server, you don't need any special modifications to the remote system to use keys. Just stock the remote file authorized_keys appropriately with the right public key. Lots of tutorials exist to get you there.
Instead of a script, the custom shortcuts can be put in your SSH client's configuration file ~/.ssh/config which is what it's for. The configuration includes specifying unique keys and unique usernames for the different remote hosts. A guess would be something like this:
Code:
Host router
    HostName router.example.com
    User shawn_router
    IdentitiesOnly yes
    IdentityFile /home/shawn/.ssh/rsa_router_key

Host switcha
    HostName switcha.example.com
    User shawn_switcha
    IdentitiesOnly yes
    IdentityFile /home/shawn/.ssh/rsa_switcha_key

Host switchb
    HostName switchb.example.com
    User shawn_switchb
    IdentitiesOnly yes
    IdentityFile /home/shawn/.ssh/rsa_switchb_key

Host server
    HostName server.example.com
    User shawn_server
    IdentitiesOnly yes
    IdentityFile /home/shawn/.ssh/rsa_server_key
See the manual page for "ssh_config" for the details of what your options are and what they do. The utility "ssh-keygen" will get you the keys you need. Be sure to look at the options -f and -C in the manual page.
With the right keys and the shortcut in ~/.ssh/config you would be able to access server.example.com just by typing ssh server, for example, and the right key, user name, and address would be used.
( I've left out the StrictHostKeyChecking=no part because that is sketchy and leaves you potentially vulnerable to MitM. What problem are you trying to solve with it? I am fairly sure there is another way around it. )
Last edited by Turbocapitalist; 09-08-2016 at 11:35 AM.
I am trying to understand what you say, but I am not familiar with the keys; I have to assume that you are asking me to get some keys for every device and put them in a directory on my Linux client.
The script exists because I have thousands of devices to navigate into, I need a centralized solution.
Most of them are Cisco IOS devices, not OpenSSH; I can't mess with the router and switch configs (I could, but not on a large scale).
I don't know if that makes sense, but I am trying to adapt to the tools that have been given to me and make my life easier.
Ok, sure, but do I have to change the Cisco device's configs?
-Yes
Then I should not make changes to thousands of configs, I am not allowed.
-No
Then I am interested but:
Do I have to copy a key from each of the thousands of devices to my linux client?
-no
Then could you tell me the exact name of this process so that I could search about the subject on google?
-Yes
Then, I am looking for a centralized management system, just like opening an SSH session with my username and password (the devices use TACACS).
Could you help me find a way to ask for the password only once during the course of a user's session?
Thank you
Quote:
Originally Posted by s-h-a-w-n
I am trying to understand what you say, but I am not familiar with the keys; I have to assume that you are asking me to get some keys for every device and put them in a directory on my Linux client.
Yes. The public keys go on the remote device, the private keys go into a directory on your linux client.
Quote:
Originally Posted by s-h-a-w-n
The script exists because I have thousands of devices to navigate into, I need a centralized solution.
Most of them are Cisco IOs devices, not openssh, I can't mess with the routers and switch configs (I could but not on a large scale).
I've been able to avoid Cisco all these years but it does look like even they can do keys. That link and that of jpollard point to that ability even with Cisco.
Quote:
Originally Posted by s-h-a-w-n
I don't know if that makes sense, but I am trying to adapt to the tools that have been given to me and make my life easier.
It does but it is more common to offload as much onto the SSH client as possible. The configuration file (~/.ssh/config) can take care of the shortcuts, such as associating a custom user name with a particular remote device. The remaining questions are about whether you can use keys for authentication.
If you do the password approach (I think not recommended by anyone here), a barrier is that OpenSSH doesn't read the password from stdin. You'd have to use the utility "expect" or else try a kludge with a shell script and using the $SSH_ASKPASS variable to access that script. But I'd recommend very highly seeing if you can get keys going on the devices.
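One way to do what the two replies above describe, moving the per-device-type username choice out of the script and into ~/.ssh/config and keeping one passphrase-protected key per device type in the agent, as an added example that is not from the thread or any poster (the device list, usernames, key layout and the per-type key naming are assumptions):

```shell
#!/bin/sh
# Constructed device inventory: "alias hostname type" per line (sample data,
# not from the thread). In practice this is the list the script already has.
DEVICES='switcha switcha.example.com cisco_switch
switchb switchb.example.com cisco_switch
routerx routerx.example.com cisco_router
servery servery.example.com linux'

# Pick the remote username from the device type (assumed names). This is the
# per-type selection the original script did, now used to generate config.
user_for_type() {
    case "$1" in
        cisco_switch) echo shawn_switch ;;
        cisco_router) echo shawn_router ;;
        linux)        echo shawn_server ;;
        *)            return 1 ;;
    esac
}

# Print one ssh_config stanza per device. One key per device type (assumed
# layout) keeps the key count manageable for thousands of devices;
# IdentitiesOnly stops ssh offering every agent key to every host, and
# StrictHostKeyChecking is left at its default so host-key changes are caught.
gen_ssh_config() {
    printf '%s\n' "$DEVICES" | while read -r name host type; do
        user=$(user_for_type "$type") || { echo "unknown type $type for $name" >&2; continue; }
        printf 'Host %s\n    HostName %s\n    User %s\n    IdentitiesOnly yes\n    IdentityFile ~/.ssh/%s_key\n\n' \
            "$name" "$host" "$user" "$type"
    done
}

# Create the per-type key once (ssh-keygen prompts for a passphrase) and load
# it into the running agent, so the passphrase is typed once per desktop
# session instead of a password per device. Not called here; run interactively.
ensure_key() {
    key="$HOME/.ssh/$1_key"
    [ -f "$key" ] || ssh-keygen -t rsa -b 4096 -f "$key" -C "$USER $1 key"
    ssh-add "$key"
}

# Typical use: gen_ssh_config >> ~/.ssh/config ; ensure_key cisco_switch
gen_ssh_config
```

The public half of each per-type key (`~/.ssh/<type>_key.pub`) is what goes on the remote devices; the private half never leaves the client.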
So, the only option is to collect the private keys of all the hundreds of Cisco devices individually and store a copy on my client... that's not practical.
Besides, I cannot create local users; I still need to authenticate through a TACACS server managed by the security team, so I guess that makes it impossible.
I have seen that in another forum, what do you think?:
Using keys would work with the existing users and not necessitate the creation of local users. If the remote user is different from the local user, then you can set the User option in the configuration file to whatever the remote system needs. See the example earlier above.
Quote:
Originally Posted by s-h-a-w-n
I have seen that in another forum, what do you think?:
So, the only option is to collect the private keys of all the hundreds of cisco devices individually and store a copy in my client... that's not practical.
NOT the private keys. The public keys. YOUR public key goes on the Cisco.
Quote:
Besides, I cannot create local users; I still need to authenticate through a TACACS server managed by the security team, so I guess that makes it impossible.
I have seen that in another forum, what do you think?: