bug-bash

Re: maybe a bug in bash?


From: Greg Wooledge
Subject: Re: maybe a bug in bash?
Date: Fri, 30 Jun 2023 10:06:47 -0400

On Fri, Jun 30, 2023 at 03:49:23PM +0200, Sebastian Luhnburg wrote:
> You suggest using an argument to pass the password. Please correct me if I
> am wrong, but writing one or more password(s) in clear text as an argument
> in the terminal (./myscript.sh password1 password2) is not the best practice
> (the Bash history saves the last x commands). Getting the input via a
> password manager (like Bitwarden CLI) is at this point the better way, I
> think (code injection remains a problem if I use the passwords in an
> awkward way in my script).

I described a way for your *script* to send the password to the remote
system, for use by whatever remote command needs it.  How your script
gets that password in the first place is a separate question.

In one model, you could simply prompt the user for it.  Then the user
can retrieve the password from your password manager, and paste it.


#!/bin/bash

read -rsp 'Mysql password: ' pass
echo

ssh remoteuser@remotehost bash -s "${pass@Q}" <<'EOF'
echo 'select something from sometable ...' |
    mysql -p"$1" mydatabase
EOF



Here, the (shell-quoted) password is passed as an argument to ssh.
Ssh concatenates "bash", "-s" and the password argument together to
form a command, which it passes to the remote host for execution.

This is one of the ways that you can send a password to a remote system
over an ssh connection, without fear of mangling it, or causing an
unwanted code injection.  It's the way that I would choose if you are
in fact feeding this password to some arbitrary program (such as mysql)
on the remote host.

If you are using the password for ssh to create the connection in the
first place, then everything changes.  I've already stated my opinions
about that in my previous email, and I won't cover it here.
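
The effect of the "${pass@Q}" quoting in the script above can be checked without a remote host. The following is an added example, not part of the original message: fake_ssh is a hypothetical local stand-in for ssh that joins its arguments with spaces and hands the string to bash, and the remote script and sample password are constructed.

```bash
#!/bin/bash
# Added example (not from the original message). fake_ssh is a hypothetical
# local stand-in for `ssh remoteuser@remotehost ...`: like ssh, it joins its
# command arguments with spaces and lets a shell parse the resulting string.
fake_ssh() {
    local cmd="$*"     # ssh concatenates its command arguments with spaces
    bash -c "$cmd"     # the receiving side parses that string as shell code
}

# Constructed stand-in for the remote mysql call: print the number of
# positional arguments and "$1" exactly as the remote script received them.
remote_script='printf "%s|%s" "$#" "$1"'

# Password placed in the ssh arguments without shell quoting.
send_unquoted() {
    fake_ssh bash -s "$1" <<<"$remote_script"
}

# Password expanded with ${var@Q} (bash 4.4 or later), as in the script above.
send_quoted() {
    fake_ssh bash -s "${1@Q}" <<<"$remote_script"
}

# Constructed sample password containing spaces and a ';'.
sample='correct horse; echo INJECTED'

# Unquoted: the password is split into two arguments and the part after ';'
# runs as a separate command on the receiving side.
printf 'unquoted: %s\n' "$(send_unquoted "$sample")"

# Quoted: the remote script receives one argument, byte for byte.
printf 'quoted:   %s\n' "$(send_quoted "$sample")"
```

The first field of each result is the argument count seen by the remote script, so a value other than 1 means the password was re-split on the way.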


