This is a small tip when dealing with interactive shell scripting on how to hide sensitive information displaying on the terminal.

Scenario: Suppose you want to connect some site using username and password in a shell script, you can use read command to take input from a user. By default whatever you type read command will print in plain text on the screen. This is a security issue, and we have to hide that sensitive information not to write on the screen.

Example:

My code in my script is

read -p "Please provide bitbucket username(Ex. surendra.anne): " userName
read -p "Please provide bitbucket password: " passWord

Output when executing the entire script:

[email protected]:~$ bash push_fpga.sh
Please provide bitbucket username(Ex. surendra.anne): surendra.anne
Please provide bitbucket password: XYZabc123
--2017-03-21 12:50:30-- https://bitbucket.org/linuxnix/sw_daffy/downloads/mypackage.tar.gz
Resolving bitbucket.org (bitbucket.org)... 104.192.143.3, 104.192.143.2, 104.192.143.1, ...
Connecting to bitbucket.org (bitbucket.org)|104.192.143.3|:443... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Authentication selected: Basic realm="Bitbucket.org HTTP"
Reusing existing connection to bitbucket.org:443.
HTTP request sent, awaiting response... 302 Found
Location: https://bbuseruploads.s3.amazonaws.com/adsfawdfas/downloads/qerqdfasdf/mypackage.tar.gz?Signature=nGupkqNe8Da9ZfGJMfrBN5ljAq8%3D&Expires=1490062832&AWSAccessKeyId=qerzxcqew&versionId=Hwf0V2olr_g.7OGBuhnLJxy8aYEG4bBy&response-content-disposition=attachment%3B%20filename%3D%22mypackage.tar.gz%22 [following]
--2017-03-21 12:50:32-- https://bbuseruploads.s3.amazonaws.com/adsfawdfas/downloads/qerqdfasdf/mypackage.tar.gz?Signature=nGupkqNe8Da9ZfGJMfrBN5ljAq8%3D&Expires=1490062832&AWSAccessKeyId=qerzxcqew&versionId=Hwf0V2olr_g.7OGBuhnLJxy8aYEG4bBy&response-content-disposition=attachment%3B%20filename%3D%22mypackage.tar.gz%22
Resolving bbuseruploads.s3.amazonaws.com (bbuseruploads.s3.amazonaws.com)... 52.216.192.24
Connecting to bbuseruploads.s3.amazonaws.com (bbuseruploads.s3.amazonaws.com)|52.216.192.24|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1494336 (1.4M) [application/x-tar]
Saving to: '/tmp/mypackage.tar.gz’

mypackage.tar.gz 100%[=======================================================>] 1.42M 231KB/s in 7.3s

2017-03-21 12:50:41 (201 KB/s) - '/tmp/mypackage.tar.gz’ saved [1494336/1494336]

 

Related concept:   Luke Kanies is no more Puppet CEO

If you observe the password(XYZabc123) for my account is plain text.

This can be avoided using the silent option with the read command.

From read help page:

-s do not echo input coming from a terminal

When using this command, the output of the script look like

read -p "Please provide bitbucket username(Ex. surendra.anne): " userName
read -ps "Please provide bitbucket password: " passWord

Output when executing the entire script:

[email protected]:~$ bash push_fpga.sh
Please provide bitbucket username(Ex. surendra.anne): surendra.anne
Please provide bitbucket password:
--2017-03-21 12:50:30-- https://bitbucket.org/linuxnix/sw_daffy/downloads/mypackage.tar.gz
Resolving bitbucket.org (bitbucket.org)... 104.192.143.3, 104.192.143.2, 104.192.143.1, ...
Connecting to bitbucket.org (bitbucket.org)|104.192.143.3|:443... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Authentication selected: Basic realm="Bitbucket.org HTTP"
Reusing existing connection to bitbucket.org:443.
HTTP request sent, awaiting response... 302 Found
Location: https://bbuseruploads.s3.amazonaws.com/adsfawdfas/downloads/qerqdfasdf/mypackage.tar.gz?Signature=nGupkqNe8Da9ZfGJMfrBN5ljAq8%3D&Expires=1490062832&AWSAccessKeyId=qerzxcqew&versionId=Hwf0V2olr_g.7OGBuhnLJxy8aYEG4bBy&response-content-disposition=attachment%3B%20filename%3D%22mypackage.tar.gz%22 [following]
--2017-03-21 12:50:32-- https://bbuseruploads.s3.amazonaws.com/adsfawdfas/downloads/qerqdfasdf/mypackage.tar.gz?Signature=nGupkqNe8Da9ZfGJMfrBN5ljAq8%3D&Expires=1490062832&AWSAccessKeyId=qerzxcqew&versionId=Hwf0V2olr_g.7OGBuhnLJxy8aYEG4bBy&response-content-disposition=attachment%3B%20filename%3D%22mypackage.tar.gz%22
Resolving bbuseruploads.s3.amazonaws.com (bbuseruploads.s3.amazonaws.com)... 52.216.192.24
Connecting to bbuseruploads.s3.amazonaws.com (bbuseruploads.s3.amazonaws.com)|52.216.192.24|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1494336 (1.4M) [application/x-tar]
Saving to: '/tmp/mypackage.tar.gz’

mypackage.tar.gz 100%[=======================================================>] 1.42M 231KB/s in 7.3s

2017-03-21 12:50:41 (201 KB/s) - '/tmp/mypackage.tar.gz’ saved [1494336/1494336]

If you observe there is no password shown on the screen though I typed it. I indicated -s in red so that it is easily visible to readers. Hope this helps someone who requires hiding passwords or some sensitive information in shell scripts.

Related concept:   10 ping, hping, fping command examples in Linux/Unix