Linux 如何在shell脚本中提供密码?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/9358509/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to give password in shell script?
提问by Jeegar Patel
In a shell script file I am using some commands like scpand make installwhich ask for my password.
在 shell 脚本文件中,我使用了一些命令,例如scp和make install要求我输入密码。
I run a shell script to compile a big project, and after some time it asks for my password for using scp. I need to wait for that process and give the password after that.
我运行一个 shell 脚本来编译一个大项目,一段时间后它要求我输入密码以使用scp. 我需要等待该过程并在此之后提供密码。
I just want to do it all by shell script without interaction, so how can I avoid being prompted for the password here?
我只想在没有交互的情况下通过 shell 脚本完成这一切,那么如何避免在此处提示输入密码?
采纳答案by Alex
If you can't use ssh trust and must enter the password later on in your script, use read -s -p "Password:" USER_PASSWORDto silently read in the password. You can then export USER_PASSWORDto an expect script, avoiding it being displayed in ps:
如果您不能使用 ssh trust 并且稍后必须在脚本中输入密码,请使用read -s -p "Password:" USER_PASSWORD静默读入密码。然后您可以export USER_PASSWORD使用期望脚本,避免它显示在ps:
#!/usr/bin/expect -f
spawn scp some.file USER@otherhost:~
expect "assword:"
send -- "$env(USER_PASSWORD)\r"
expect eof
回答by Kimvais
Short answer: DON'T
简短回答:不要
Use public key authenticationfor SCP and sudowith NOPASSWDdirective for make install
回答by KARASZI István
I think it's a better idea to generate an authentication key, and use this key based authentication instead of writing plain text passwords into your scripts.
我认为生成身份验证密钥并使用基于此密钥的身份验证而不是将纯文本密码写入脚本是一个更好的主意。
回答by Josiah
No, you won't find any method to use SSH config files or a command line option to have a password hard coded and I'm sure this is by design.
不,您找不到任何使用 SSH 配置文件或命令行选项来硬编码密码的方法,我确定这是设计使然。
If you environment makes this difficult, perhaps it would be helpful to know that the script can specify an identity file using the -i argument so you don't have to have a whole home directory setup or anything like that. There are other options that help use the key authentication that ssh really encourages over password authentication.
如果您的环境使这变得困难,那么知道脚本可以使用 -i 参数指定身份文件可能会有所帮助,这样您就不必设置整个主目录或类似的东西。还有其他选项可以帮助使用 ssh 真正鼓励的密钥身份验证而不是密码身份验证。
If you are using this across several users who you don't want to be bothered to create keys and copy them to the server, you could script that also. It wouldn't be hard to check for an existing key and do a quick test to see if you can make a connection with it. If you can't without a password, then you'd ssh-copy-id to the server asking for the ssh password that one time and at the beginning of the script so very little lag would occur between starting and running the script and it would be only once. You could even setup a separate key for each user for just the script in their own ~/.script/key/ directory so that you would discourage users access to the SSH server.
如果您在多个用户之间使用它,您不想打扰他们创建密钥并将它们复制到服务器,您也可以编写脚本。检查现有密钥并进行快速测试以查看是否可以与其建立连接并不难。如果你不能没有密码,那么你会向服务器 ssh-copy-id 询问一次和在脚本开头的 ssh 密码,所以在启动和运行脚本之间会发生很少的延迟和它将只有一次。您甚至可以为每个用户在他们自己的 ~/.script/key/ 目录中为脚本设置一个单独的密钥,这样您就不会阻止用户访问 SSH 服务器。
If you want to really restrict what can be done on the remote server by that user, you could use rssh as the shell on the remote account which will limit the user access to transferring files.
如果您想真正限制该用户可以在远程服务器上执行的操作,您可以使用 rssh 作为远程帐户上的 shell,这将限制用户对传输文件的访问。
回答by David Cahill
A good way we did this in the past to provide passwords to needed scripts when using key based authentication was impossible or needed to use passwords for apps, services, mysql, whatever...we stored passwords in an encrypted file and then decrypted this file at runtime to provide the password to the scripts.
我们过去这样做的一个好方法是在使用基于密钥的身份验证不可能或需要为应用程序、服务、mysql 等使用密码时为所需脚本提供密码……我们将密码存储在加密文件中,然后解密该文件在运行时为脚本提供密码。
The password decryption script, let's call it, yourcreds.rb, was restricted to root use only of course and the unencrypted passwords wern't stored anywhere. So for example you could run:
密码解密脚本,我们称之为 yourcreds.rb,当然仅限于 root 使用,未加密的密码不会存储在任何地方。例如,您可以运行:
root@host:~# yourcreds.rb | grep mysql | awk {'print $3'}
root@host:~# yourcreds.rb | grep mysql | awk {'打印 $3'}
Which without awk would for example output the stored line: service | user | password | description | etc... mysql mysqluser password ....
例如,没有 awk 会输出存储的行: service | 用户 | 密码 | 说明 | 等等... mysql mysqluser 密码....
With yourcreds.rb (or whatever) you can output just the password and easily incorporate this method into scripts / cron jobs in larger or more complex environments.
使用 yourcreds.rb(或其他),您可以只输出密码,并轻松地将此方法合并到更大或更复杂环境中的脚本/cron 作业中。
Also if I remember correctly we didn't have to use grep / awk or anything. We just programmed in opts parse stuff like: yourcreds.rb list mysql or yourcreds.rb -l, etc.
另外,如果我没记错的话,我们不必使用 grep / awk 或任何东西。我们只是在 opts parse 中编程,例如:yourcreds.rb list mysql 或 yourcreds.rb -l 等。
We used blowfish and yamls to store the encrypted passwords. I'm sure you can be creative. Just make sure it's bullet proof to anyone but root.
我们使用河豚和 yamls 来存储加密的密码。我相信你可以很有创意。只要确保它对除 root 之外的任何人都是防弹的。
