如何在shell脚本中输入密码？

Question

In a shell script file I am using some commands like scp and make install which ask for my password.

I run a shell script to compile a big project, and after some time it asks for my password for using scp . I need to wait for that process and give the password after that.

I just want to do it all by shell script without interaction, so how can I avoid being prompted for the password here?

Answer 1

Short answer: DON'T

Use public key authentication for SCP and sudo with NOPASSWD directive for make install

Answer 2

我认为生成身份验证密钥更好，并使用此基于密钥的身份验证，而不是将纯文本密码写入脚本。

Answer 3

If you can't use ssh trust and must enter the password later on in your script, use read -s -p "Password:" USER_PASSWORD to silently read in the password. You can then export USER_PASSWORD to an expect script, avoiding it being displayed in ps :

    #!/usr/bin/expect -f
    spawn scp some.file USER@otherhost:~
    expect "assword:"
    send -- "$env(USER_PASSWORD)\r"
    expect eof

Answer 4

No, you won't find any method to use SSH config files or a command line option to have a password hard coded and I'm sure this is by design.

If you environment makes this difficult, perhaps it would be helpful to know that the script can specify an identity file using the -i argument so you don't have to have a whole home directory setup or anything like that. There are other options that help use the key authentication that ssh really encourages over password authentication.

If you are using this across several users who you don't want to be bothered to create keys and copy them to the server, you could script that also. It wouldn't be hard to check for an existing key and do a quick test to see if you can make a connection with it. If you can't without a password, then you'd ssh-copy-id to the server asking for the ssh password that one time and at the beginning of the script so very little lag would occur between starting and running the script and it would be only once. You could even setup a separate key for each user for just the script in their own ~/.script/key/ directory so that you would discourage users access to the SSH server.

If you want to really restrict what can be done on the remote server by that user, you could use rssh as the shell on the remote account which will limit the user access to transferring files.

Answer 5

A good way we did this in the past to provide passwords to needed scripts when using key based authentication was impossible or needed to use passwords for apps, services, mysql, whatever...we stored passwords in an encrypted file and then decrypted this file at runtime to provide the password to the scripts.

The password decryption script, let's call it, yourcreds.rb, was restricted to root use only of course and the unencrypted passwords wern't stored anywhere. So for example you could run:

root@host:~# yourcreds.rb | grep mysql | awk {'print $3'}

Which without awk would for example output the stored line: service | user | password | description | etc... mysql mysqluser password ....

With yourcreds.rb (or whatever) you can output just the password and easily incorporate this method into scripts / cron jobs in larger or more complex environments.

Also if I remember correctly we didn't have to use grep / awk or anything. We just programmed in opts parse stuff like: yourcreds.rb list mysql or yourcreds.rb -l, etc.

We used blowfish and yamls to store the encrypted passwords. I'm sure you can be creative. Just make sure it's bullet proof to anyone but root.