Thread: Shell Script Question

  1. #1
    Join Date
    Jun 2008
    Location
    Dublin, Ireland
    Posts
    298

    Default Shell Script Question

    Hi,

    I am trying to pass two parameters to the openssl command from a shell script. When you run the openssl command as follows:

    Code:
    openssl req -new -sha1 -newkey rsa:1024 -keyout client.key -out client.pem -subj "/O=Company Name/OU=Administration/CN=$1 $2" <<EOF
    ${password}
    ${password}
    EOF
    It expects two things, your password, hit return, followed by password confirmation, hit return. I tried to use EOF to pass the password out to the openssl command but it doesn't pick it up.

    Anyone know how to do this?

    /jlar

  2. #2
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,686
    Blog Entries
    4

    Default Re: Shell Script Question

    The problem is that the way you have invoked openssl, it's not reading the passwords from stdin but from the terminal directly, which is why it does not echo. You should read the section on PASS PHRASE ARGUMENTS in man openssl for how to get it to read stdin.

  3. #3
    Join Date
    Jun 2008
    Location
    Oklahoma, US
    Posts
    822

    Default Re: Shell Script Question


    For security reasons, most programs requesting passwords will not read from
    anything but a terminal by default.

    To input the password/passphrase as you desire, you'll need to slightly
    adjust your command line in your script.

    From the openssl man page (man openssl):

    =====
    PASS PHRASE ARGUMENTS
    Several commands accept password arguments, typically using -passin and
    -passout for input and output passwords respectively. These allow the
    password to be obtained from a variety of sources. Both of these
    options take a single argument whose format is described below. If no
    password argument is given and a password is required then the user is
    prompted to enter one: this will typically be read from the current
    terminal with echoing turned off.
    pass:password
    the actual password is password. Since the password is
    visible to utilities (like 'ps' under Unix) this form should
    only be used where security is not important.
    env:var
    obtain the password from the environment variable var. Since
    the environment of other processes is visible on certain
    platforms (e.g. ps under certain Unix OSes) this option
    should be used with caution.
    file:pathname
    the first line of pathname is the password. If the same
    pathname argument is supplied to -passin and -passout
    arguments then the first line will be used for the input
    password and the next line for the output password. pathname
    need not refer to a regular file: it could for example refer
    to a device or named pipe.
    fd:number
    read the password from the file descriptor number. This can
    be used to send the data via a pipe for example.
    stdin
    read the password from standard input.
    =====

    So you have a variety of methods to choose from. For ease of use,
    pass:xxx would work nicely in your situation:

    openssl req -new -sha1 -newkey rsa:1024 -keyout client.key -out \
    client.pem -subj "/O=Company Name/OU=Administration/CN=$1 $2" \
    -passin pass:${password}

    should work.

    or even piping it through stdin:

    echo ${password} | openssl ... -passin stdin

    --
    L R Nix
    lornix@lornix.com

  4. #4
    Join Date
    Jun 2008
    Location
    Dublin, Ireland
    Posts
    298

    Default Re: Shell Script Question

    Hi,

    Thanks for your replies... I tried what you suggested with passin as below:

    Code:
    openssl req -new -sha1 -newkey rsa:1024 -keyout client.key -out \
    client.pem -subj "/O=Company Name/OU=Administration/CN=$1 $2" \
    -passin pass:${password}
    but it still prompts for the pass phrase.

    /jlar

  5. #5
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,686
    Blog Entries
    4

    Default Re: Shell Script Question

    One has to read the man page to understand the subtleties. The reason there are two options, -passin and -passout, is that passin is used when the input file is password protected and a password needs to be supplied to unlock it, and passout is used when password protecting the output file. Since "req" simply generates output, what you need is -passout, not -passin.

  6. #6
    Join Date
    Jun 2008
    Location
    Dublin, Ireland
    Posts
    298

    Default Re: Shell Script Question

    As usual ken_yap you are right ... this works:

    Code:
    openssl req -new -sha1 -newkey rsa:1024 -keyout client.key -out \
    client.pem -subj "/O=Company Name/OU=Administration/CN=$1 $2" \
    -passout pass:password

  7. #7
    Join Date
    Jun 2008
    Location
    Oklahoma, US
    Posts
    822

    Default Re: Shell Script Question

    eeijlar wrote:

    >
    > As usual ken_yap you are right ... this works:
    >
    >
    > Code:
    > --------------------
    > openssl req -new -sha1 -newkey rsa:1024 -keyout client.key -out \
    > client.pem -subj "/O=Company Name/OU=Administration/CN=$1 $2" \
    > -passout pass:password
    > --------------------
    >
    >


    Uh, that'd be my fault then. {Grin} Thank you ken.

    Loni

    --
    L R Nix
    lornix@lornix.com
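Below is an added example, not code from any post in this thread, pulling together the two points made above: the man page excerpt in #3 lists several passphrase sources besides pass:, and #5 explains that req creates a protected output so it needs -passout, while reading that key back later needs -passin. The script hands the passphrase over on an inherited file descriptor (-passout fd:3) instead of pass:${password}, because the man page notes that a pass: argument is visible to ps. It assumes openssl is in PATH; the CN parts, the passphrase and the "Company Name" subject are constructed values, and sha256/rsa:2048 are used in place of the thread's sha1/rsa:1024.

```bash
#!/bin/sh
# Added example (not from the thread): generate an encrypted client key and CSR
# without the passphrase appearing as a command-line argument.
# Assumptions: openssl is in PATH; the caller supplies the passphrase (e.g. from
# `IFS= read -rs password`); the subject fields below are constructed values.

# make_client_csr CN_PART1 CN_PART2 PASSPHRASE OUTDIR
# req generates a new key and protects it with -passout (the *output* password).
# The passphrase is fed over fd 3 by a here-document, one of the sources listed
# under PASS PHRASE ARGUMENTS, so it never becomes an argument visible to ps.
make_client_csr() {
    cn="$1 $2"
    passphrase="$3"
    outdir="$4"

    openssl req -new -sha256 -newkey rsa:2048 \
        -keyout "$outdir/client.key" -out "$outdir/client.pem" \
        -subj "/O=Company Name/OU=Administration/CN=$cn" \
        -passout fd:3 3<<EOF
$passphrase
EOF
}

# key_is_encrypted KEYFILE
# Returns 0 if the PEM file is passphrase-protected. Newer openssl writes an
# encrypted PKCS#8 block; older versions write a traditional key with a
# "Proc-Type: 4,ENCRYPTED" header. Both are accepted.
key_is_encrypted() {
    grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# key_unlocks_with KEYFILE PASSPHRASE
# Returns 0 only if PASSPHRASE decrypts the key. Now the protected file is the
# *input*, so this side uses -passin, again over fd 3.
key_unlocks_with() {
    openssl pkey -in "$1" -passin fd:3 -noout 3<<EOF
$2
EOF
}

# Stand-alone use: ./mkcsr.sh "First" "Last" with $password already set by the
# caller. Nothing runs when the file is sourced without arguments.
if [ "$#" -eq 2 ]; then
    make_client_csr "$1" "$2" "${password:?set password before running}" .
fi
```

If the passphrase must come from somewhere other than a shell variable, the same fd:3 redirection works with a pipe or a named pipe; env:password would also keep it off the command line but, as the man page excerpt warns, the environment of other processes is readable on some platforms.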
