How to go passwordless for shell scripts in Linux

Jack Wallen shows how you can create a Linux shell script that requires a password without having to save a password within the script.

Linux is the most flexible operating system on the market; there’s very little you cannot do with this platform. One only needs to look at shell scripting to realize just how powerful and customizable Linux is. Although shell scripting is certainly not a feature used by those new to the operating system, any admin fully understands its necessity.

At some point, you might run into a situation where you need to create a shell script that requires a password. If you don’t want to save that password in the script, what can you do?

One solution is to turn to sshpass, which makes it possible to use a password in a shell script without saving the password within the script. That’s exactly what I’m going to show you how to do.

What you’ll need to go passwordless for Linux shell scripts

The only things you need to follow along with my example are two Linux machines and a user with sudo privileges. I’ll be demonstrating with Ubuntu Desktop 22.04 and Pop!_OS 22.04, so if you’re using an RHEL-based distribution, you’ll need to substitute apt-get with dnf.

How to install sshpass

First, install sshpass. This only needs to be installed on the machine you’ll be running the script from, which in my case is Ubuntu Desktop 22.04. We’ll create a simple script that’ll use rsync to back up the ~/Documents directory for my user account in Ubuntu.

After logging in, open a terminal window and create the script file with:

nano ~/backup

In that file, paste the following:

#!/bin/bash
# Copy data to a remote server
rsync -av Documents USER@IP:/home/USER/Backup

Where USER is your username and IP is the IP address of the machine that will house the backup.

Save and close the file.

Give the script executable permission with:

chmod u+x ~/backup

Now, if you run the script, you’ll be prompted for your remote user password. We don’t want that.

What if you used sshpass here? That script would look like this:

#!/bin/bash
# Copy data to a remote server
sshpass -p "PASSWORD" rsync -av Documents USER@IP:/home/USER/Backup

Where PASSWORD is your remote user password, USER is your username, and IP is the IP address of the machine that will house the backup.

We don’t want that. What do we do? We encrypt the password.

How to encrypt your password for sshpass

Our next step is to encrypt the password. Create a hidden file with the command:

nano ~/.secrets

In that file add the password for your remote user. Save and close the file.

Next, you need to encrypt the file with:

gpg -c ~/.secrets

This command will create a new file, .secrets.gpg, which will contain an encrypted version of the password.

Now, we need to alter our backup script, which will now look like this:

#!/bin/bash
# Copy data to a remote server
# With no -p option, sshpass reads the password from standard input
gpg -dq /home/USER/.secrets.gpg | sshpass rsync -av Documents USER@IP:/home/USER/Backup

Now, when you run the command ./backup you won’t be asked for the password and you don’t have to worry about anyone being able to view the password. To ensure that, delete the original .secrets file with the command:

rm ~/.secrets
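
The following is an added example, not part of the original article: the same backup script with checks that the plaintext .secrets file is really gone and that .secrets.gpg is readable only by its owner, before the decrypted password is handed to sshpass on standard input. The function names preflight and backup and the SECRET_GPG and REMOTE variables are assumptions for illustration; USER and IP are the placeholders used above.

```shell
#!/bin/bash
# Added example: pre-flight checks around the .secrets.gpg hand-off.
# preflight/backup are hypothetical names; USER and IP are placeholders.

# Succeed only if the encrypted file is safe to use. Return codes:
#   1 = encrypted file missing
#   2 = plaintext twin (same name minus .gpg) was never deleted
#   3 = group/other permission bits are set on the encrypted file
preflight() {
    local enc="$1" plain="${1%.gpg}" perms
    [ -f "$enc" ] || { echo "missing: $enc" >&2; return 1; }
    [ ! -e "$plain" ] || { echo "plaintext still present: $plain" >&2; return 2; }
    # Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -ld "$enc" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "run: chmod 600 $enc" >&2; return 3; }
}

backup() {
    local enc="${SECRET_GPG:-$HOME/.secrets.gpg}" pw
    preflight "$enc" || return
    # Decrypt first, so a gpg failure stops the run instead of
    # sending an empty password to the remote host.
    pw=$(gpg -dq "$enc") || { echo "decrypt failed" >&2; return 4; }
    # printf is a shell builtin, so the password never shows up in a
    # process argument list; with no option, sshpass reads it from stdin.
    printf '%s\n' "$pw" | sshpass rsync -av "$HOME/Documents" \
        "${REMOTE:-USER@IP:/home/USER/Backup}"
}

# The backup runs only when the script is invoked as: ./backup run
if [ "${1:-}" = "run" ]; then backup; fi
```

gpg -dq still needs the passphrase chosen at gpg -c time, so an unattended run depends on gpg-agent having it cached; otherwise gpg prompts for it.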

And there you go. You can now go passwordless in your Linux shell scripts. Enjoy that added layer of security.
