Write to stdin which asks for password - linux

I am working on a bash script to configure openldap and add ldif script with users and groups.
How can I write the password from the bash script ?
This is the script I run when it asks for password:
ldapadd -h localhost -D "cn=admin,dc=sysadmin1,dc=hioa,dc=no" -W -x -f /etc/ldap/base.ldif
EDIT:
I tried this and created a passwd.txt file with the password:
ldapadd -h localhost -D "cn=admin,dc=sysadmin1,dc=hioa,dc=no" -W -x -y'passwd.txt' -f /etc/ldap/base.ldif
But gets this error:
Warning: Password file passwd.txt is publicly readable/writeable
ldap_bind: Invalid credentials (49)

man ldapadd.
-W
Prompt for simple authentication. This is used instead of specifying the password on the command line.
-w passwd
Use passwd as the password for simple authentication.
-y passwdfile
Use complete contents of passwdfile as the password for simple authentication.
So seems you are looking for option of -w or -y, not -W

There're two possibilities:
ldapadd reads the password from the standard input.
ldapadd reads the password directly from the current TTY.
In the first case it's enough to use something like this echo 'MySecretPassword' | ldapadd -h localhost -D "cn=admin,dc=sysadmin1,dc=hioa,dc=no" -W -x -f /etc/ldap/base.ldif. The second one is more complicated because you need a tool like expect. Check if the simple redirection works first.

Related

How to fix conflicting source password error?

I'm trying to set up a gitlab CI/CD.
1 of the script I use is :
sshpass -p $PRIVATE_KEY ssh -p $PORT -o StrictHostKeyChecking=no $USER#$SERVER01 "cd /var/www/html/app && export HISTIGNORE='*sudo -S*' && echo "$PRIVATE_KEY" | ( sudo -S -k git fetch && sudo -S -k git pull )"
as you can see I'm trying to update the application in my server.
FYI, I have already set up the variables in the gitlab CI/CD settings page.
But, when the job runs, it always returns this error message :
Conflicting password source
Usage: sshpass [-f|-d|-p|-e] [-hV] command parameters
-f filename Take password to use from file
-d number Use number as file descriptor for getting password
-p password Provide password as argument (security unwise)
-e Password is passed as env-var "SSHPASS"
With no parameters - password will be taken from stdin
-P prompt Which string should sshpass search for to detect a password prompt
-v Be verbose about what you're doing
-h Show help (this screen)
-V Print version information
At most one of -f, -d, -p or -e should be used
I have already googled around, but found no clue.
Any clue would be much appreciated.
I finally found the solution.
So the above command worked for master branch, but it didn't work for develop, knowing this pattern, I checked the variables settings, then found out that I turned on the Protect variable flag, the flag says Export variable to pipelines running on protected branches and tags only.
Since develop is not a protected branch, I was thinking that the variable values were not passed into the pipeline.
So, I unchecked this flag for all variables and finally got it working.

curl download with username and password in varible

Hi I am writing a auto script in test.sh , attempting to download a file. It works fine when I use all hard code string. But it does not work with variables. Belong are my code example:
#!/bin/bash
USER="admin"
PWD="adminpass"
curl -v -k -u ${USER}:${PWD} ${NEXUS_URL}/${SP1}/60/${SP1}-60.zip --output ${SP1}-60.zip
Above code not working not able to download my file, but if I put it as :
curl -v -k -u "admin":"adminpass" ${NEXUS_URL}/${SP1}/60/${SP1}-60.zip
--output ${SP1}-60.zip
Then it works. So how do I get the variable credential working with this curl command?
Thanks
Option 1
The parameter expansion will not include the double quotes. You can use:
#!/bin/bash
USER='"'admin'"' #single quote, double quote, single quote
PASS='"'adminpass'"'
curl -v -k -u ${USER}:${PASS} ${NEXUS_URL}/${SP1}/60/${SP1}-60.zip
Option 2
Alternatively, you can create a .netrc file and use curl -n as follows:
Documentation from https://ec.haxx.se/usingcurl-netrc.html
Create .netrc containing the following and place it in your home directory.
machine http://something.com
login admin
password adminpass
Run the command
curl -n -k --output ${SP1}-60.zip
curl will automatically look for the .netrc file. You can also specify the file path with curl --netrc-file <netrc_file_path>

squid basic_ldap_auth strip nt domain from usernames

I need to migrate from a windows based proxy to a linux one.
In the old server Squid uses mswin_auth.exe to authenticate user against an Active Directory domain. For this reason my users now enter ntdomain\username in the browser popup for proxy authentication.
In the linux Centos server Squid will use basic_ldap_auth, in this case the ntdomain must not be entered by the user. It will be very annoying for my users to change the old habit. Is there a way to automatically remove the ntdomain from the entered username?
In squid.conf I have
auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b "dc=ntdomain,dc=parentd,dc=it" -D "CN=squid,OU=Squid,OU=Sede,DC=ntdomain,DC=parentd,DC=it" -W /etc/squid/squid.adpwd -f sAMAccountName=%s -h vfdc1.ntdomain.parentd.it
...
external_acl_type ldap_group %LOGIN /usr/lib64/squid/ext_ldap_group_acl -R -b "dc=ntdomain,dc=parentd,dc=it" -D "CN=squid,OU=Squid,OU=Sede,DC=ntdomain,DC=parentd,DC=it" -W /etc/squid/squid.adpwd -f "(&(objectclass=person) (sAMAccountname=%u)(memberof:1.2.840.113556.1.4.1941:=cn=%g,OU=Squid,OU=Sede,DC=ntdomain,DC=parentd,DC=it))" -h vfdc1.ntdomain.parentd.it -S
thanks in advance
Use -K option in your request (it Strip Kerberos realm from usernames):
external_acl_type ldap_group %LOGIN /usr/lib64/squid/ext_ldap_group_acl -R -K -b "dc=ntdomain,dc=parentd,dc=it" -D "CN=squid,OU=Squid,OU=Sede,DC=ntdomain,DC=parentd,DC=it" -W /etc/squid/squid.adpwd -f "(&(objectclass=person) (sAMAccountname=%u)(memberof:1.2.840.113556.1.4.1941:=cn=%g,OU=Squid,OU=Sede,DC=ntdomain,DC=parentd,DC=it))" -h vfdc1.ntdomain.parentd.it and all be fine.
This is my solution: I created to small bash script based on sed to strip the domain and used it squid.conf as in
auth_param basic program /usr/local/bin/squid_auth
where the file /usr/local/bin/squid_auth is
#!/bin/bash
/usr/bin/sed -u "s/^ve[\\]//i"|/usr/bin/sed -u "s/^ve%5c//i"|/usr/lib64/squid/basic_ldap_auth -R -b "dc=ve,dc=dipvvf,dc=it" -D "CN=squid,OU=Squid,OU=Sede,DC=ve,DC=dipvvf,DC=it" -W /etc/squid/squid.adpwd -f sAMAccountName=%s -h vfdc1.ve.dipvvf.it
The domain name is ve

How do you keep the password hidden when invoked during the su command?

This is the first time it has happened to me where I am using the su command and it actually displays the password on the terminal and doesn't stay hidden. Here is my code snippet:
sshpass -p "password" ssh -q username#74.11.11.11 "su -lc 'mkdir temp/'"
Code explanation: I am accessing a remote server and trying be root on that server to create a folder. In doing so I have to use the su command and it prompts me for the password. When I enter the password, it gets displayed and doesn't stay hidden. How do I fix that?
The solution is to allocate a pseudo TTY (using the -t option on ssh):
sshpass -p "password" ssh -t -q username#74.11.11.11 "su -lc 'mkdir temp/'"
Without this, there's no "terminal" in this context and su is unable to disable echo of the password.
Just like I replied to you here.
It's possible to keep it "hidden" from the command line:
Edit your /etc/profile and paste there:
export SSHPASS='my_pass_here'
Use the -e argument with sshpass command
$ sshpass -e ssh usernmane#hosting.example 'ls -ll'
Another option is to save your password in a different file and use the -f argument:
$ sshpass -f password_filename ssh usernmane#hosting.example 'ls -la'
But the best solution is to follow the #Hristo Mohamed suggestion:
In general please AVOID using sshpass with a password.
You can set up easily a generate ssh key just to do this job and then remove it.

How to pass the password to su/sudo/ssh without overriding the TTY?

I'm writing a C Shell program that will be doing su or sudo or ssh. They all want their passwords in console input (the TTY) rather than stdin or the command line.
Does anybody know a solution?
Setting up password-less sudo is not an option.
expect could be an option, but it's not present on my stripped-down system.
For sudo there is a -S option for accepting the password from standard input. Here is the man entry:
-S The -S (stdin) option causes sudo to read the password from
the standard input instead of the terminal device.
This will allow you to run a command like:
echo myPassword | sudo -S ls /tmp
As for ssh, I have made many attempts to automate/script it's usage with no success. There doesn't seem to be any build-in way to pass the password into the command without prompting. As others have mentioned, the "expect" utility seems like it is aimed at addressing this dilemma but ultimately, setting up the correct private-key authorization is the correct way to go when attempting to automate this.
I wrote some Applescript which prompts for a password via a dialog box and then builds a custom bash command, like this:
echo <password> | sudo -S <command>
I'm not sure if this helps.
It'd be nice if sudo accepted a pre-encrypted password, so I could encrypt it within my script and not worry about echoing clear text passwords around. However this works for me and my situation.
For ssh you can use sshpass: sshpass -p yourpassphrase ssh user#host.
You just need to download sshpass first :)
$ apt-get install sshpass
$ sshpass -p 'password' ssh username#server
For sudo you can do this too:
sudo -S <<< "password" command
I've got:
ssh user#host bash -c "echo mypass | sudo -S mycommand"
Works for me.
The usual solution to this problem is setuiding a helper app that performs the task requiring superuser access:
http://en.wikipedia.org/wiki/Setuid
Sudo is not meant to be used offline.
Later edit: SSH can be used with private-public key authentication. If the private key does not have a passphrase, ssh can be used without prompting for a password.
Maybe you can use an expect command?:
expect -c 'spawn ssh root#your-domain.com;expect password;send "your-password\n";interact
That command gives the password automatically.
This can be done by setting up public/private keys on the target hosts you will be connecting to.
The first step would be to generate an ssh key for the user running the script on the local host, by executing:
ssh-keygen
Enter file in which to save the key (/home/myuser/.ssh/id_rsa): <Hit enter for default>
Overwrite (y/n)? y
Then enter a blank password. After that, copy your ssh key onto the target host which you will be connecting to.
ssh-copy-id <remote_user>#<other_host>
remote_user#other_host's password: <Enter remote user's password here>
After registering the ssh keys, you would be able to perform a silent ssh remote_user#other_host from you local host.
When there's no better choice (as suggested by others), then man socat can help:
(sleep 5; echo PASSWORD; sleep 5; echo ls; sleep 1) |
socat - EXEC:'ssh -l user server',pty,setsid,ctty
EXEC’utes an ssh session to server. Uses a pty for communication
between socat and ssh, makes it ssh’s controlling tty (ctty),
and makes this pty the owner of a new process group (setsid), so
ssh accepts the password from socat.
All of the pty,setsid,ctty complexity is necessary and, while you might not need to sleep as long, you will need to sleep. The echo=0 option is worth a look too, as is passing the remote command on ssh's command line.
Take a look at expect linux utility.
It allows you to send output to stdio based on simple pattern matching on stdin.
ssh -t -t me#myserver.io << EOF
echo SOMEPASSWORD | sudo -S do something
sudo do something else
exit
EOF
Set SSH up for Public Key Authentication, with no pasphrase on the Key. Loads of guides on the net. You won't need a password to login then. You can then limit connections for a key based on client hostname. Provides reasonable security and is great for automated logins.
echo <password> | su -c <command> <user>
This is working.
a better sshpass alternative is: passh
https://github.com/clarkwang/passh
Login to a remote server
$ passh -p password ssh user#host
Run a command on remote server
$ passh -p password ssh user#host date
other methods to pass the password
-p The password (Default: `password')
-p env: Read password from env var
-p file: Read password from file
here I explained why it is better than sshpass, and other solutions.
You can also pass various parameters as follows:
echo password | echo y | sudo -S pacman -Syu
(Although that's a bad idea, it's just an example)
I had the same problem. dialog script to create directory on remote pc.
dialog with ssh is easy. I use sshpass (previously installed).
dialog --inputbox "Enter IP" 8 78 2> /tmp/ip
IP=$(cat /tmp/ip)
dialog --inputbox "Please enter username" 8 78 2> /tmp/user
US=$(cat /tmp/user)
dialog --passwordbox "enter password for \"$US\" 8 78 2> /tmp/pass
PASSWORD = $(cat /tmp/pass)
sshpass -p "$PASSWORD" ssh $US#$IP mkdir -p /home/$US/TARGET-FOLDER
rm /tmp/ip
rm /tmp/user
rm /tmp/pass
greetings from germany
titus
Building on #Jahid's answer, this worked for me on macOS 10.13:
ssh <remote_username>#<remote_server> sudo -S <<< <remote_password> cat /etc/sudoers
I once had a use case where I needed to run Sudo and ssh in the same command without stdin specifying all the variables needed.
This is the command I used
echo sudopassword | sudo -S -u username sshpass -p extsshpassword ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no username#ipaddress " CMD on external machine"
Breaking that command into pieces!
This will allow you to run commands through your machine using Superuser:
echo password | sudo -S -u username
This will allow you to pass ssh password and execute commands on external machines:
sshpass -p sshpassword ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no username#ipaddress " CMD on external machine"
make sure you install the sudo and openssh packages on your machine.
One way would be to use read -s option .. this way the password characters are not echoed back to the screen. I wrote a small script for some use cases and you can see it in my blog:
http://www.datauniv.com/blogs/2013/02/21/a-quick-little-expect-script/
USE:
echo password | sudo command
Example:
echo password | sudo apt-get update; whoami
Hope It Helps..
You can provide password as parameter to expect script.
su -c "Command" < "Password"
Hope it is helpful.

Resources