[CLUE-Tech] Bash and password entry (extended)

Jed S. Baer thag at frii.com
Sun Mar 24 15:03:45 MST 2002


On Sun, 24 Mar 2002 14:16:43 -0700
"Timothy C. Klein" <teece at silverklein.net> wrote:

> * Matt Gushee (mgushee at havenrock.com) wrote:
> > Hi, all--
> > 
> > I was wondering how you can handle password entry in a shell script.
> > I was thinking about writing a script that would synchronize certain
> > directories on 2 hosts, using scp
> > 
> > I now realize that for this particular problem the easiest and
> > probably best solution is just to run the script in an ssh-agent
> > session. But I've thought in the past about automating various tasks
> > that involve passwords
> 
> You could use Expect, or you could write a 'here document' that
> contained input for scp, including the password.  This would involve
> having your password lying around in plain text, though.  I would
> definitely go with ssh-agent.  You can get a utility from the Gentoo
> Linux guy called 'keychain'
> 
> http://www.gentoo.org/projects/keychain
> 
> You put a reference to this in your bash_login and xinit/xsession
> scripts, and it will prompt you for a password once, if no ssh-agent is
> running, and start one up.  If ssh-agent is running, it will contact the
> agent and set up bash/X to use that agent

One alternative for the 'here document' approach would be to generate the
scp script on the fly, and delete it after running it. Then, the password
could be prompted for only once per invocation, at least.

I've been wondering somewhat along the same lines for various things,
including scp. But perhaps going outside of what can be done with
ssh-agent or expect (I haven't used either of them, except the expect in a
chat script). I'm thinking about things like my dialup-ip script and my
mail program both storing passwords for my ISP account, plus having it
sitting in chap-secrets. It would be nice to have a repository where it
could be safely stored and retrieved, more for the convenience of having
to change it in only one place locally when I change it at my ISP. Of
course, that assumes my mail program would have such capability. I don't
know how I'd get it into chap-secrets for each invocation of ppp, except
for generating chap-secrets at invocation time, and having ip-up.local
delete it. Seems too cumbersome.

-- 
"Those who expect to reap the blessings of freedom must, like men,
 undergo the fatigue of supporting it."
 - Thomas Paine
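
The generate-at-invocation, delete-afterwards idea discussed above, as an added example that is not part of the original message: the secret is prompted for once with echo off, placed in a mode-0600 temporary file, handed to a command by path, and removed even if that command fails. The function names and the consumer command in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example; prompt_secret and with_secret_file are hypothetical names.

# Prompt once on the controlling terminal with echo disabled and print the
# secret on stdout. The subshell body keeps the traps local and restores the
# terminal settings even if the prompt is interrupted.
prompt_secret() (
    saved=$(stty -g < /dev/tty) || exit 1
    trap 'stty "$saved" < /dev/tty' EXIT
    trap 'exit 130' INT TERM HUP
    printf '%s' "$1" > /dev/tty
    stty -echo < /dev/tty
    IFS= read -r secret < /dev/tty
    printf '\n' > /dev/tty
    printf '%s' "$secret"
)

# Read a secret from stdin into a private temporary file, run "$@" with the
# file's path appended as the last argument, then delete the file.
# The secret never appears in an argument list, so it is not visible in ps.
with_secret_file() (
    umask 077                                   # owner-only, before creation
    f=$(mktemp "${TMPDIR:-/tmp}/secret.XXXXXX") || exit 1
    trap 'rm -f "$f"' EXIT                      # runs on success and failure
    trap 'exit 130' INT TERM HUP                # turn signals into an exit
    cat > "$f"
    "$@" "$f"
    exit $?                                     # pass the command's status on
)

# Usage (some_command and its option are placeholders):
#   prompt_secret 'Password: ' | with_secret_file some_command --password-file
```

The file still exists on disk while the command runs, so this narrows the exposure window rather than removing it.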


