Linux: Hide Your Shell Passwords with sshpass
At some point in your interactions with Linux, you will write a shell script, Bash or otherwise. It could be as simple as a single line or as complex as any program you’ve ever written. Either way, they help to make Linux the most flexible and powerful operating system on the planet.
The deeper you dive into shell scripting in Linux, you might run into a situation where you need to include a password in a script. When that happens, you certainly don’t want to hard-code that password.
Or, if you wind up getting prompted for the password, you can’t automate the script. Anyone who gains access to your machine could view that script and then have access to whatever account that password is associated with. Also, cron jobs for that script will fail.
For example, you might create a backup script that uses rsync over a network and requires a user password for security purposes. Say, for example, you have the /data directory which houses specific information for which you need to have a regular backup. You’ve set it up such that it has all the necessary permissions and the last thing to do is create a backup that will save the contents to a remote machine.
Such a script might look something like this:
rsync -av /data USER@SERVER:/home/USER/databackup
Where USER is the remote username and SERVER is the IP address or domain of the remote server. When you run the script, you’ll be prompted for a password.
How do you get around such a situation?
With a Little Help from sshpass…
The application sshpass was created specifically for the purpose of password automation. This non-interactive tool makes it possible to automate shell scripts, even if they require a password.
Let me show you how it works..
To use sshpass, you’ll need a running Linux distribution. I’m going to demonstrate with Ubuntu Server 22.04 but the app can be installed on Fedora-based distributions as well. You’ll also need a user with sudo privileges.
To install sshpass on a Ubuntu-based distribution, open a terminal window and issue the command:
sudo apt-get install sshpass -y
For Fedora-based distributions, that command would be:
sudo dnf install sshpass -y
That’s it for the installation.
We’re going to stick with our backup script idea. The first thing we must do is create an encrypted file that will hold our password. Create the file with the command:
Name that file whatever you like, but I would suggest making it hidden by using a period at the beginning of the filename.
In that file add the password for the account used in the shell script and save it with the Ctrl-x keyboard shortcut.
Encrypt the file with:
gpg -c ~/.password
You’ll be prompted to type and verify a password for the encryption.
The above command will create a new file, named .password.gpg that has the encrypted version of the password. You can then delete the ~/.password file.
Creating the Shell Script
Remember, we’re sticking with our simple backup script. First, I’m going to demonstrate how to simply pass the password with the sshpass command (so you can see how it works). For example, an rsync backup command that requires user authentication would look like this:
sshpass -p "PASSWORD" rsync -av /data USER@SERVER:/home/USER/databackup
Where PASSWORD is the remote user password, USER is the remote username, and SERVER is the IP address or domain of the remote server. The sshpass app will pass the password to the rync command and everything should work as expected.
Of course, you don’t want to hard-code that password, right? To avoid that, you have to get a bit creative with the script, and here’s what it would look like:
gpg -d -q ~/.password.gpg | sshpass rsync -av /data USER@SERVER:/home/USER/databackups
Where USER is the remote username and SERVER is the IP address or domain of the remote server.
What we’ve done here is first decrypt the .password.gpg file and send the output of that to sshpass which then is used by rsync to connect to the remote server for the backup.
It’s a bit tricky but it works.
With the help of sshpass, you can create shell scripts that can work with an encrypted password, passing it to sshpass within the script and never having to hard-code a password or interact with the script.
By doing this you add a layer of security to the system while also making it possible to create automated scripts to do just about anything you need.