Piping to doveadm pw
Kevin N.
kevin at notscheduled.eu
Wed Jun 16 23:44:13 EEST 2021
Bernardo Reino <reinob at bbmk.org> wrote:
> On Wed, 16 Jun 2021, Kevin N. wrote:
>
> > Thanks. Reading the manual was the first thing I did before posting to the
> > list.
> >
> > I'm not sure if this is relevant for the question, but I forgot to mention
> > that the user enters its password through a 'dialog --passwordbox'.
> >
> > I guess my question is: is it possible to pipe that into 'doveadm pw' directly
> > from memory, without using any kind of on-disk temp file?
>
> $ dialog --passwordbox .. | sed p | doveadm pw
>
> with "sed p" you print explicitly (p) and implicitly (default in sed) the input
> lines (i.e. whatever dialog returns), so doveadm gets the same line twice, as
> required.
>
> Cheers.
Thanks Bernardo. The "sed p" seems to do the trick.
I do have to do some validation before I pass the password to "doveadm pw", so my code looks something like:
-----
input_password=$(dialog --passwordbox ...)
#... some validation here ...
hashed_password=$(echo "${input_password}" | sed p | doveadm pw -s SHA512-CRYPT)
-----
In this case will the password still be safe and hidden from a "ps" for example?
I am still new to all this and I wouldn't want to end up with a false sense of security regarding this password passing :)
Doing an 'strace' on the script does show up the password in some reads, in the form of: read(3, "password_here", ....),
but not in execve(...) as parameter.
Cheers.
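
The pipeline discussed above, as an added example that is not part of the original post or of Dovecot's own code: the password reaches the hasher on stdin only, and a self-check looks for it in process argv, which is what "ps" displays. The function names and the HASHER variable are hypothetical, and the argv check assumes a Linux /proc.

```shell
#!/bin/sh
# Added example, not from the thread. HASHER defaults to the command used in
# the post; the function names and checks below are hypothetical.
HASHER=${HASHER:-doveadm pw -s SHA512-CRYPT}

# Reject values that would break the "password, then confirmation" input:
# an empty string, or one containing a newline.
valid_password() {
    case $1 in
        ''|*'
'*) return 1 ;;
    esac
    return 0
}

# Emit the password twice, one per line (what "sed p" achieves in the thread).
# printf is a builtin in bash and dash, so the value is written to the pipe
# without an execve() that would place it in argv. Unlike echo, printf '%s'
# does not treat "-n" or backslashes specially.
feed_twice() {
    printf '%s\n%s\n' "$1" "$1"
}

# Hash "$1" with $HASHER, passing it on stdin only.
hash_password() {
    valid_password "$1" || return 2
    feed_twice "$1" | $HASHER
}

# Succeed if any readable /proc/<pid>/cmdline (the data ps prints) contains
# "$1". Matching uses `case`, so the check itself adds no argv copy.
secret_in_argv() {
    for f in /proc/[0-9]*/cmdline; do
        args=$( { tr '\0' ' ' < "$f"; } 2>/dev/null ) || continue
        case $args in
            *"$1"*) return 0 ;;
        esac
    done
    return 1
}
```

The value is still readable by anything that can trace the process or read its memory, which is consistent with the read() calls seen under strace.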