This is a small tip for interactive shell scripting: how to keep sensitive information from being displayed on the terminal.

Scenario: Suppose you want to connect to a site using a username and password in a shell script. You can use the read command to take input from the user. By default, whatever you type at a read prompt is echoed in plain text on the screen. This is a security issue, so we have to keep that sensitive information from being written to the screen.

Example:

My code in my script is

read -p "Please provide bitbucket username(Ex. surendra.anne): " userName
read -p "Please provide bitbucket password: " passWord

Output when executing the entire script:

[email protected]:~$ bash push_fpga.sh
Please provide bitbucket username(Ex. surendra.anne): surendra.anne
Please provide bitbucket password: XYZabc123
--2017-03-21 12:50:30-- https://bitbucket.org/linuxnix/sw_daffy/downloads/mypackage.tar.gz
Resolving bitbucket.org (bitbucket.org)... 104.192.143.3, 104.192.143.2, 104.192.143.1, ...
Connecting to bitbucket.org (bitbucket.org)|104.192.143.3|:443... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Authentication selected: Basic realm="Bitbucket.org HTTP"
Reusing existing connection to bitbucket.org:443.
HTTP request sent, awaiting response... 302 Found
Location: https://bbuseruploads.s3.amazonaws.com/adsfawdfas/downloads/qerqdfasdf/mypackage.tar.gz?Signature=nGupkqNe8Da9ZfGJMfrBN5ljAq8%3D&Expires=1490062832&AWSAccessKeyId=qerzxcqew&versionId=Hwf0V2olr_g.7OGBuhnLJxy8aYEG4bBy&response-content-disposition=attachment%3B%20filename%3D%22mypackage.tar.gz%22 [following]
--2017-03-21 12:50:32-- https://bbuseruploads.s3.amazonaws.com/adsfawdfas/downloads/qerqdfasdf/mypackage.tar.gz?Signature=nGupkqNe8Da9ZfGJMfrBN5ljAq8%3D&Expires=1490062832&AWSAccessKeyId=qerzxcqew&versionId=Hwf0V2olr_g.7OGBuhnLJxy8aYEG4bBy&response-content-disposition=attachment%3B%20filename%3D%22mypackage.tar.gz%22
Resolving bbuseruploads.s3.amazonaws.com (bbuseruploads.s3.amazonaws.com)... 52.216.192.24
Connecting to bbuseruploads.s3.amazonaws.com (bbuseruploads.s3.amazonaws.com)|52.216.192.24|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1494336 (1.4M) [application/x-tar]
Saving to: '/tmp/mypackage.tar.gz’

mypackage.tar.gz 100%[=======================================================>] 1.42M 231KB/s in 7.3s

2017-03-21 12:50:41 (201 KB/s) - '/tmp/mypackage.tar.gz’ saved [1494336/1494336]

 


If you observe, the password (XYZabc123) for my account is shown in plain text.

This can be avoided using the silent option with the read command.

From the read help page:

-s do not echo input coming from a terminal

With this option, the code in the script looks like this:

read -p "Please provide bitbucket username(Ex. surendra.anne): " userName
# -s is given as its own option: written as -ps, bash would take "s" as the prompt text for -p
read -s -p "Please provide bitbucket password: " passWord

Output when executing the entire script:

[email protected]:~$ bash push_fpga.sh
Please provide bitbucket username(Ex. surendra.anne): surendra.anne
Please provide bitbucket password:
--2017-03-21 12:50:30-- https://bitbucket.org/linuxnix/sw_daffy/downloads/mypackage.tar.gz
Resolving bitbucket.org (bitbucket.org)... 104.192.143.3, 104.192.143.2, 104.192.143.1, ...
Connecting to bitbucket.org (bitbucket.org)|104.192.143.3|:443... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Authentication selected: Basic realm="Bitbucket.org HTTP"
Reusing existing connection to bitbucket.org:443.
HTTP request sent, awaiting response... 302 Found
Location: https://bbuseruploads.s3.amazonaws.com/adsfawdfas/downloads/qerqdfasdf/mypackage.tar.gz?Signature=nGupkqNe8Da9ZfGJMfrBN5ljAq8%3D&Expires=1490062832&AWSAccessKeyId=qerzxcqew&versionId=Hwf0V2olr_g.7OGBuhnLJxy8aYEG4bBy&response-content-disposition=attachment%3B%20filename%3D%22mypackage.tar.gz%22 [following]
--2017-03-21 12:50:32-- https://bbuseruploads.s3.amazonaws.com/adsfawdfas/downloads/qerqdfasdf/mypackage.tar.gz?Signature=nGupkqNe8Da9ZfGJMfrBN5ljAq8%3D&Expires=1490062832&AWSAccessKeyId=qerzxcqew&versionId=Hwf0V2olr_g.7OGBuhnLJxy8aYEG4bBy&response-content-disposition=attachment%3B%20filename%3D%22mypackage.tar.gz%22
Resolving bbuseruploads.s3.amazonaws.com (bbuseruploads.s3.amazonaws.com)... 52.216.192.24
Connecting to bbuseruploads.s3.amazonaws.com (bbuseruploads.s3.amazonaws.com)|52.216.192.24|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1494336 (1.4M) [application/x-tar]
Saving to: '/tmp/mypackage.tar.gz’

mypackage.tar.gz 100%[=======================================================>] 1.42M 231KB/s in 7.3s

2017-03-21 12:50:41 (201 KB/s) - '/tmp/mypackage.tar.gz’ saved [1494336/1494336]

If you observe, no password is shown on the screen even though I typed it. I indicated -s in red so that it is easily visible to readers. Hope this helps someone who needs to hide passwords or other sensitive information in shell scripts.
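A reusable version of the prompt above, as an added example that is not part of the original script: prompt_secret is a hypothetical helper that uses read -s under bash, falls back to stty -echo in a plain POSIX sh (which has no -s), and keeps backslashes and surrounding spaces in the password intact.

```shell
# Added example: prompt_secret is a hypothetical helper name.
# It prints the prompt on stderr, reads one line without echo and writes it
# to stdout so the caller can capture it:
#   passWord=$(prompt_secret "Please provide bitbucket password: ")
prompt_secret() {
    _ps_prompt=$1
    if [ -n "${BASH_VERSION:-}" ]; then
        # bash: -s hides the typed characters, -r keeps backslashes literal,
        # IFS= keeps leading/trailing spaces. -p only prompts on a terminal.
        IFS= read -r -s -p "$_ps_prompt" _ps_value || return 1
    elif [ -t 0 ]; then
        # POSIX sh has no 'read -s': switch terminal echo off with stty and
        # restore the saved settings even if the user presses Ctrl-C.
        _ps_saved=$(stty -g)
        trap 'stty "$_ps_saved"; exit 130' INT TERM
        printf '%s' "$_ps_prompt" >&2
        stty -echo
        _ps_rc=0
        IFS= read -r _ps_value || _ps_rc=$?
        stty "$_ps_saved"
        trap - INT TERM
        [ "$_ps_rc" -eq 0 ] || return 1
    else
        # Input is piped or redirected: nothing is echoed, so just read it.
        IFS= read -r _ps_value || return 1
    fi
    # The Enter key was not echoed either, so finish the prompt line by hand.
    if [ -t 0 ]; then printf '\n' >&2; fi
    printf '%s' "$_ps_value"
}
```

Hiding the echo only protects the screen: the value is exposed again if the script later prints it or places it on a command line, where other local users can read it from the process list.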
