6

I have a script which requires a password for authenticating a web service. A single password for a pre-defined user will suffice, and the password should if possible be stored securely (not plain text).

Obviously I don't want to write the password in clear text in the script for security reasons, so I have the script ask me the password, but entering the password every single time is a drag.

So how can I make it so I don't have to enter the password every time I run the script (like sudo)?

The script in this particular case is Python, but I guess it's better to implement it as a generic solution in Bash, so it can be reused for different languages like PHP or Ruby.

Pseudo-code:

#!/bin/bash
pw = cache.load() or {
  pw = ask_user()
  cache.save(pw, 15min)
}
myscript.py pw
Improve this question
2
  • 1
    Do you only need to store a single password, or is it a password per service, per user? Commented Apr 29, 2016 at 5:46
  • Single user will suffice. Commented Apr 29, 2016 at 5:50

3 Answers 3

Reset to default
5

Don't reinvent your own password store. Use an existing one. The Linux world has mostly converged on GNOME Keyring. Seahorse provides a convenient GUI for exploring and modifying the keyring and setting a master password. The keyring can be queried from the command line with the secret-tool utility.

secret-tool store --label='Foobar webservice' service foobar account bob

pw=$(secret-tool lookup service foobar account bob)

The password in the store doesn't expire automatically, but the permission to access the store can.

Improve this answer
1
  • This is something along the lines I'm looking for! However, I'm on OS X, and Homebrew doesn't carry secret-tool. How do I do the same thing on OS X (which is BSD-based). Commented Apr 30, 2016 at 8:53
1

I had a similar situation and used (abused?) gpg with public/private key encryption. The nice thing is that on most systems things are set up so that the access restricting password for a particular key is kept for 5 or 10 minutes, so you only have to type the password once then can go keep on using it and on non-use it will expire, much like sudo

You can easily get the result into bash or Python (subprocess.check_output()). For encryption, i.e. storing, a new password you don't need even need to give the access restricting password.

I didn't use my usual public/private keypair for this, because I don't in general want to keep access to that pair available. I later found pass works in much the same way, managing multiple password files, and moulded the python program I use on several off the same principles as that program uses.

Improve this answer
0

Here you go:

#!/bin/bash

newTS=`date +%s`

if test -r ~/.password
then
        . ~/.password
else
        TS=0
fi

if test `expr $newTS - $TS` -gt 900
then
        # outdated password record
        rm -f ~/.password

        printf "Please enter your password: "
        read password

        printf "export TS=$newTS\nexport password=$password\n" > ~/.password
fi


echo "using password: $password"

Note: The previous code will overwrite the file ~/.password unless you rename it.

Improve this answer
2
  • Oh. I forgot to mention that the password should be stored a similar or identical vault like UNIX stores the sudo password. But maybe this isn't possible? Commented Apr 29, 2016 at 6:15
  • 2
    Everything is possible, but I don't see much benefit to it since it would be stored in your home directory. That said, sudo doesn't store a password, it just keeps track of when your privilege expires. Commented Apr 29, 2016 at 6:26

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.