Hello everybody,
I am using 'doveadm pw' from inside a bash script to generate the salted hash for a user provided password. I call it like: doveadm pw -s SHA256-CRYPT -u $user -p $password
Is there any possible way to use piping (so it won't show up in ps for example) to pass the username and password to 'doveadm pw' instead of using arguments?
Dovecot version: 2.3.14
Many thanks,
Kevin
On 2021-06-16 5:23 a.m., Kevin N. wrote:
> I am using 'doveadm pw' from inside a bash script to generate the salted hash for a user provided password. I call it like: doveadm pw -s SHA256-CRYPT -u $user -p $password
> Is there any possible way to use piping (so it won't show up in ps for example) to pass the username and password to 'doveadm pw' instead of using arguments?
% man doveadm-pw
-p password   The plain text password for which the hash should be generated. If no password was given doveadm(1) will prompt interactively for one.
-u user       When the DIGEST-MD5 scheme is used, also the user name must be given...
(so -u not needed here)
% doveadm pw -s SHA256-CRYPT
Enter new password: ******
Retype new password: ******
{SHA256-CRYPT}$5$yatls3zWaSMgSrue$FOlWYSb.......
% cat /tmp/test
test123
test123
% cat /tmp/test | doveadm pw -s SHA256-CRYPT
{SHA256-CRYPT}$5$rq.EciaKLycIT61g$smeKtkpQ........
Oscar del Rio delrio@mie.utoronto.ca wrote:
> On 2021-06-16 5:23 a.m., Kevin N. wrote:
>> I am using 'doveadm pw' from inside a bash script to generate the salted hash for a user provided password. I call it like: doveadm pw -s SHA256-CRYPT -u $user -p $password
>> Is there any possible way to use piping (so it won't show up in ps for example) to pass the username and password to 'doveadm pw' instead of using arguments?
> % man doveadm-pw
> -p password   The plain text password for which the hash should be generated. If no password was given doveadm(1) will prompt interactively for one.
> -u user       When the DIGEST-MD5 scheme is used, also the user name must be given...
> (so -u not needed here)
> % doveadm pw -s SHA256-CRYPT
> Enter new password: ******
> Retype new password: ******
> {SHA256-CRYPT}$5$yatls3zWaSMgSrue$FOlWYSb.......
> % cat /tmp/test
> test123
> test123
> % cat /tmp/test | doveadm pw -s SHA256-CRYPT
> {SHA256-CRYPT}$5$rq.EciaKLycIT61g$smeKtkpQ........
Thanks. Reading the manual was the first thing I did before posting to the list.
I'm not sure if this is relevant for the question, but I forgot to mention that the user enters their password through a 'dialog --passwordbox'.
I guess my question is: is it possible to pipe that into 'doveadm pw' directly from memory, without using any kind of on-disk temp file?
On Wed, 16 Jun 2021, Kevin N. wrote:
> Thanks. Reading the manual was the first thing I did before posting to the list.
> I'm not sure if this is relevant for the question, but I forgot to mention that the user enters their password through a 'dialog --passwordbox'.
> I guess my question is: is it possible to pipe that into 'doveadm pw' directly from memory, without using any kind of on-disk temp file?
$ dialog --passwordbox .. | sed p | doveadm pw
with "sed p" you print explicitly (p) and implicitly (default in sed) the input lines (i.e. whatever dialog returns), so doveadm gets the same line twice, as required.
Cheers.
Bernardo Reino reinob@bbmk.org wrote:
> On Wed, 16 Jun 2021, Kevin N. wrote:
>> Thanks. Reading the manual was the first thing I did before posting to the list.
>> I'm not sure if this is relevant for the question, but I forgot to mention that the user enters their password through a 'dialog --passwordbox'.
>> I guess my question is: is it possible to pipe that into 'doveadm pw' directly from memory, without using any kind of on-disk temp file?
> $ dialog --passwordbox .. | sed p | doveadm pw
> with "sed p" you print explicitly (p) and implicitly (default in sed) the input lines (i.e. whatever dialog returns), so doveadm gets the same line twice, as required.
> Cheers.
Thanks Bernardo. The "sed p" seems to do the trick.
I do have to do some validation before I pass the password to "doveadm pw", so my code looks something like:
input_password=$(dialog --stdout --passwordbox ...)   # dialog writes its result to stderr unless --stdout is given
# ... some validation here ...
hashed_password=$(echo "${input_password}" | sed p | doveadm pw -s SHA512-CRYPT)
In this case will the password still be safe and hidden from a "ps" for example?
I am still new to all this and I wouldn't want to end up with a false sense of security regarding this password passing :)
Doing an 'strace' on the script does show up the password in some reads, in the form of: read(3, "password_here", ....), but not in execve(...) as parameter.
Cheers.
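As an added example (not code from this thread or from Dovecot), the following POSIX shell script packages the pattern discussed above and adds the check Kevin asks about: it feeds the password to the hashing command twice on stdin (the same effect as "sed p", using the printf builtin so no process carries the password in its argv), and then shows, by dumping a child's own /proc/PID/cmdline, what ps would see when a secret is passed as an argument versus on stdin. It assumes doveadm is on PATH for the default hasher and a Linux /proc filesystem for the argv check; the hasher argument is there so the plumbing can be exercised with any stdin-reading command.

```sh
#!/bin/sh
# Added example, not from the thread. Pass a password to a hashing command on
# stdin, never on argv. doveadm pw without -p reads the password twice
# (prompt + retype), so it is written twice; this replaces the "sed p" trick.
# printf is a builtin in sh/bash/dash, so no process has the password in its
# argv. /bin/echo or /usr/bin/printf would undo that.

# hash_password_stdin PASSWORD [HASHER...]
# Default hasher: doveadm pw -s SHA512-CRYPT (assumed installed). Any command
# that reads the two password lines from stdin can be substituted.
hash_password_stdin() {
  _pw=$1
  shift
  if [ $# -eq 0 ]; then
    set -- doveadm pw -s SHA512-CRYPT
  fi
  printf '%s\n%s\n' "$_pw" "$_pw" | "$@"
}

# argv_of_child ARGS...: start a child with ARGS on its command line and
# return its command line as ps (or /proc/PID/cmdline, Linux assumed) shows it.
argv_of_child() {
  sh -c 'tr "\0" " " </proc/$$/cmdline' sh "$@"
}

# argv_with_secret_on_stdin SECRET: the same child, but the secret arrives on
# stdin; the command line it reports must not contain it.
argv_with_secret_on_stdin() {
  printf '%s\n' "$1" | sh -c 'cat >/dev/null; tr "\0" " " </proc/$$/cmdline' sh
}

# secret_visible SECRET TEXT: returns 0 if TEXT contains SECRET (a leak).
secret_visible() {
  case $2 in
    *"$1"*) return 0 ;;
    *) return 1 ;;
  esac
}

if [ "${1-}" = "demo" ]; then
  pw='constructed-sample-password'   # constructed sample value
  echo "argv exposure: $(argv_of_child "$pw")"
  echo "stdin instead: $(argv_with_secret_on_stdin "$pw")"
  hash_password_stdin "$pw"          # needs doveadm on PATH
fi
```

Piping keeps the password out of the command line, which is what ps and execve() tracing show; it does not keep it out of the process's memory or out of a tracer's view of the read() calls, which is the distinction behind the strace observation above.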