I'm making a shell script that reached out to a web service with basic auth. I don't want to have to put in my username and password every time the script runs, but I also don't want to have the combo in plain text inside the script. I know the username and password get base64 encoded before they're sent across the network. Is there any way I could encode it beforehand and include that in the shell script?
Asked
Active
Viewed 7,713 times
2 Answers
3
No.
Well, technically you could pass the raw Authorization header using --header. But the usefulness of that would be exactly zero. Base64 is only an encoding used to avoid corruption of binary data, but it does not hide anything – it can be reversed in moments, such as by using the base64 command, by anyone reading your script.
In other words, even if you do this, the password will still be in plain text.
grawity
- 501,077
2
You could have the script read the password from a file. You can ensure the script is run with an effective userid that gives it read access to that file and set permissions so that no one else does.
You may have to jump through some hoops to be able to use setuid, which would mean that users who can read and execute the script could not read the password file. Unix.stackexchange has a good answer on this subject. In your case, don't elevate effective UID to root, just use an ordinary ID created for this purpose only (e.g. script runs as wally, wally owns password.txt (r--------) wally has no special priviliges but those needed to write logs or output files to be shared with others)
RedGrittyBrick
- 85,717