Mnemosyne

Reputation: 41

securely passing password through bash

I am building a bash script for my work to make initial setup and Windows-domain join for our Ubuntu machines easy enough that someone who knows nothing about Linux can do it. I have found a lot of people who say that you shouldn't pass passwords through a script, but to be efficient, I have to. The script prompts for info and credentials in the beginning and it needs to be able to be left to do its job without interaction. I can't have it visible through ps when I pass it and I can't have it stored as an unsecured variable. Any suggestions?

Upvotes: 4

Views: 7087

Answers (1)

edaemon

Reputation: 939

If you really must do this, you can read the credentials into variables with read -s early in the script and then pass those values to the prompts. For example:

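# -r keeps backslashes in the input literal
read -rp "Enter your username: " username
# -s hides the typed password; IFS= preserves leading/trailing whitespace
IFS= read -rsp "Enter your password: " password
echo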

I included the blank echo because the -s option for read prevents the user's typing from appearing in the terminal, including the new line usually created after a user presses Enter when answering a prompt.

You can then use the $username and $password variables for the rest of your script and the credentials will not have to be stored outside of memory, meaning they will be lost/destroyed after the script completes.

However, note that any programs or utilities which take the credentials as command-line arguments will display those to other users on the machine running the script. For example, if I were to run a MySQL query using this method, I could do:

mysql -u "${username}" -p"${password}" -e "SHOW DATABASES;"

Other users on the machine could see the credentials while that was running with something like ps:

ps -ef | grep mysql
...
watrudoin   29512 29443  0 12:57 pts/4    00:00:00 mysql -u MyUserName -phunter2 -e SHOW DATABASES

You just need to be aware that what you are doing is not necessarily secure, but it seems that you already are.

Upvotes: 7
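
The `ps` exposure described in the answer can be checked directly. The following is an added example, not part of the original answer: it starts a stand-in child process with the password as an argument and again with the password on standard input, then reads the child's command line from `/proc`. The names `secret_visible` and `cred-consumer` and the sample password are constructed for illustration; it assumes Linux and a consuming tool that can read the password from standard input.

```bash
#!/usr/bin/env bash
# Added demo (constructed): does a password handed to a child process show up
# in the process list? Assumes Linux /proc. "cred-consumer" is a hypothetical
# stand-in for whatever tool the script would pass the credential to.

# secret_visible METHOD SECRET -> exit 0 if SECRET is readable in the child's
# command line (what `ps -ef` prints), exit 1 if it is not.
secret_visible() {
    local method secret pid seen tries
    method=$1 secret=$2
    case $method in
        argv)   # password as an argument: it becomes part of the child's argv
            sh -c 'sleep 2; exit 0' cred-consumer "$secret" &
            ;;
        stdin)  # password on stdin: printf is a shell builtin, so no new
                # program is ever exec'd with the secret in its arguments
            printf '%s\n' "$secret" | sh -c 'read -r pw; sleep 2; exit 0' cred-consumer &
            ;;
        *) return 2 ;;
    esac
    pid=$!   # for a background pipeline this is the last command (the consumer)

    # Poll until the forked child has exec'd and shows its own command line.
    tries=0 seen=
    while [ "$tries" -lt 50 ]; do
        seen=$(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline") || seen=
        case $seen in *cred-consumer*) break ;; esac
        tries=$((tries + 1))
        sleep 0.1
    done
    kill "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null

    case $seen in *"$secret"*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample password; a real script would fill it with `read -rs`.
for method in argv stdin; do
    if secret_visible "$method" 'hunter2-constructed'; then
        echo "$method: password visible to ps"
    else
        echo "$method: password not in the process list"
    fi
done
```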
