How to go passwordless for shell scripts in Linux
Jack Wallen shows how to create a Linux shell script that requires a password without having to store a password within the script.
Linux is the most flexible operating system on the market; there is very little you cannot do with this platform. One only has to look at shell scripting to realize how powerful and customizable Linux is. While shell scripting is certainly not a feature used by operating system newbies, every administrator fully understands its necessity.
At some point, you might run into a situation where you need to create a shell script that requires a password. What can you do if you don’t want to store this password in the script?
One solution is sshpass, which allows using a password in a shell script without storing the password inside the script. That’s exactly what I’m going to show you how to do.
What you need to go passwordless for Linux shell scripts
The only things you need to follow my example are two Linux machines and a user with sudo privileges. I will be demonstrating with Ubuntu Desktop 22.04 and Pop!_OS 22.04, so if you’re using a RHEL-based distribution, you’ll need to replace apt-get with dnf.
How to install sshpass
Install sshpass first. This just needs to be installed on the computer you are running the script from, so in my case Ubuntu Desktop 22.04. We’ll create a simple script that uses rsync to back up the ~/Documents directory for my user account in Ubuntu.
Once logged in, open a terminal window and create the script file with:
nano ~/backup
In this file, paste the following:
#!/bin/bash
#Copy data to a remote server
rsync -av Documents USER@IP:/home/USER/Backup
Where USER is your username and IP is the IP address of the computer storing the backup.
Save and close the file.
Give the script execute permission with:
chmod u+x ~/backup
Now when you run the script, you will be prompted for your remote user password. We don’t want that.
What if you used sshpass here? This script would look like this:
#!/bin/bash
#Copy data to a remote server
sshpass -p "PASSWORD" rsync -av Documents USER@IP:/home/USER/Backup
Where PASSWORD is your remote user password, USER is your username, and IP is the IP address of the computer storing the backup.
We don’t want that either, because the password is now stored in plain text inside the script. What do we do? We encrypt the password.
How to encrypt your password for sshpass
Our next step is to encrypt the password. Create a hidden file with the command:
nano ~/.secrets
In this file add the password for your remote user. Save and close the file.
Next you need to encrypt the file with:
gpg -c ~/.secrets
This command creates a new file, .secrets.gpg, containing an encrypted version of the password.
Now we need to change our backup script, which will now look like this:
#!/bin/bash
#Copy data to a remote server
#With no -p option, sshpass reads the password from standard input
gpg -dq /home/USER/.secrets.gpg | sshpass rsync -av Documents USER@IP:/home/USER/Backup
Now when you run the ./backup command, you won’t be asked for the password and you don’t have to worry about someone seeing the password. To ensure this, delete the original .secrets file with the command:
rm ~/.secrets
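A hardened variant of the backup script above, added here as an example and not taken from the original article. It refuses to run if the encrypted file is missing, is readable by other users, or still has its plaintext copy beside it, and it stops if gpg fails instead of passing sshpass an empty password. The function names, the SECRET variable and the exit codes are assumptions made for this example; USER, IP and the Backup path remain the article's placeholders.

```shell
#!/bin/bash
# Added example: hardened variant of the article's backup script.
# check_secret, run_backup and SECRET are names chosen for this example.

SECRET="${SECRET:-$HOME/.secrets.gpg}"   # encrypted file created by `gpg -c`

# Return 0 only if the encrypted secret is safe to use:
#   1 = missing, 2 = readable by group/others, 3 = plaintext copy left behind.
check_secret() {
    enc=$1
    plain=${enc%.gpg}                    # e.g. ~/.secrets for ~/.secrets.gpg
    [ -f "$enc" ] || { echo "missing $enc" >&2; return 1; }
    mode=$(stat -c '%a' "$enc")          # GNU stat, as shipped on Ubuntu
    case "$mode" in
        *00) ;;                          # no group or other permission bits
        *) echo "$enc is mode $mode; run: chmod 600 $enc" >&2; return 2 ;;
    esac
    [ ! -e "$plain" ] || { echo "plaintext $plain still exists" >&2; return 3; }
    return 0
}

# Decrypt into a variable first so a gpg failure stops the run instead of
# feeding sshpass an empty password. With no option given, sshpass reads
# the password from standard input, so it never appears in the script.
run_backup() {
    dest=$1
    check_secret "$SECRET" || return
    pw=$(gpg -dq "$SECRET") || { echo "gpg could not decrypt $SECRET" >&2; return 4; }
    printf '%s\n' "$pw" | sshpass rsync -av Documents "$dest"
    rc=$?
    unset pw
    return "$rc"
}

# Usage: ./backup USER@IP:/home/USER/Backup
if [ "$#" -gt 0 ]; then
    run_backup "$1"
fi
```

gpg -dq still needs the passphrase chosen when gpg -c was run, either from gpg-agent's cache or from a prompt.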
And here we go. You can now work without a password in your Linux shell scripts. Enjoy this extra layer of security.