[SOLVED] Suppressing Password Value from Command Line while Keeping Other Output Visible

devUnix · 04-20-2017, 01:02 AM

Hi,

Here is an XML that is parsed to execute the commands (on the console) shown below.

My to-the-point question is: When password is passed as an argument to the command vmmanager, it is shown up in plain text format ( or as it is passed) in the deployment tool that uses the XML to execute the commands on the remote console. To suppress the password data, I am using stty -echo just before it and then re-enabling it.

However, the reviewer is not looking happy with this approach to suppress the password. There is a point in his comment that disabling echo also suppresses output from the command and if there is anything that needs attention for troubleshooting purpose, will be missed altogetherly.

I did check the vmmanager command which is a script and is calling a Java program. There is no help document to suggest if a file containing the password can be passed to it and the other parameters cane be passed at the command line as they are currently.

So, is there a way to suppress the vale of only one parameter while other parameters' values are okay to be shown up at the command-line?

Code:

 stty -echo
      /opt/vmmanager/bin/vmmanager --url &quot;https://@{set_variable_vchost}/sdk&quot; --username &quot;@{set_variable_vcuser}&quot; --password &quot;@{set_variable_vcpass}&quot; --operation &quot;ovfImport&quot; --hostIp "@{set_variable_vcblade}"  --ovf &quot;@{select_file_ovffile}&quot; --vmName &quot;@{set_variable_vmname}&quot; --properties &quot;@{select_file_deployfile}&quot; --datastore &quot;@{set_variable_vcdatastore}&quot; --network &quot;@{set_variable_vcpgmain}&quot; --vmFolder &quot;@{set_variable_vcpath}&quot;;
      stty echo

TB0ne · 04-20-2017, 07:42 AM

Quote:

Originally Posted by devUnix

Hi,
Here is an XML that is parsed to execute the commands (on the console) shown below.

My to-the-point question is: When password is passed as an argument to the command vmmanager, it is shown up in plain text format ( or as it is passed) in the deployment tool that uses the XML to execute the commands on the remote console. To suppress the password data, I am using stty -echo just before it and then re-enabling it.

However, the reviewer is not looking happy with this approach to suppress the password.

Not surprised one bit there.

Quote:

There is a point in his comment that disabling echo also suppresses output from the command and if there is anything that needs attention for troubleshooting purpose, will be missed altogetherly.

...and that anyone who looks at the script can see the password to do whatever they want with the virtual machines...

Quote:

I did check the vmmanager command which is a script and is calling a Java program. There is no help document to suggest if a file containing the password can be passed to it and the other parameters cane be passed at the command line as they are currently.

So, is there a way to suppress the vale of only one parameter while other parameters' values are okay to be shown up at the command-line?

No, there isn't. Just because this uses some different variables/values as input, doesn't make the scripting different. Apply what you've been told/shown after asking about scripting here for the past seven years.

Basic system security says you don't put user names/passwords in scripts, ever. But you mention this vmmanager script and don't tell us where you got it (is this the IBM one? Oracle? Some other?). You say it's calling a Java program....what is the name of that program?

devUnix · 04-27-2017, 01:36 AM

The XML tool they use has a feature that can hide the stdout wherever required. Just before running the actual command, I am echoing the command with the password being masked as "???" so that we can check later what we might have run (the command line) and run it later to reproduce any issue. Besides, using the XML tool that command line is being written to a separate script on the fly and being executed. Well, I have been able to achieve what was needed. However, it is not clear yet how their XML tool works or does things.