Shell Script Question

Hi,

I am trying to pass two parameters to the openssl command from a shell script. When you run the openssl command as follows:

openssl req -new -sha1 -newkey rsa:1024 -keyout client.key -out client.pem -subj "/O=Company Name/OU=Administration/CN=$1 $2" <<EOF
${password}
${password}
EOF

It expects two things, your password, hit return, followed by password confirmation, hit return. I tried to use EOF to pass the password out to the openssl command but it doesn’t pick it up.

Anyone know how to do this?

/jlar

The problem is that the way you have invoked openssl, it’s not reading the passwords from stdin but from the terminal directly, which is why it does not echo. You should read the section on PASS PHRASE ARGUMENTS in man openssl for how to get it to read stdin.

For security reasons, most programs requesting passwords will not read from anything but a terminal by default.

To input the password/passphrase as you desire, you’ll need to slightly adjust your command line in your script.

From the openssl man page (man openssl):

=====
PASS PHRASE ARGUMENTS
    Several commands accept password arguments, typically using -passin and
    -passout for input and output passwords respectively. These allow the
    password to be obtained from a variety of sources. Both of these
    options take a single argument whose format is described below. If no
    password argument is given and a password is required then the user is
    prompted to enter one: this will typically be read from the current
    terminal with echoing turned off.

    pass:password
        the actual password is password. Since the password is
        visible to utilities (like ‘ps’ under Unix) this form should
        only be used where security is not important.

    env:var
        obtain the password from the environment variable var. Since
        the environment of other processes is visible on certain
        platforms (e.g. ps under certain Unix OSes) this option
        should be used with caution.

    file:pathname
        the first line of pathname is the password. If the same
        pathname argument is supplied to -passin and -passout
        arguments then the first line will be used for the input
        password and the next line for the output password. pathname
        need not refer to a regular file: it could for example refer
        to a device or named pipe.

    fd:number
        read the password from the file descriptor number. This can
        be used to send the data via a pipe for example.

    stdin
        read the password from standard input.

So you have a variety of methods to choose from. For ease of use, pass:xxx would work nicely in your situation:

openssl req -new -sha1 -newkey rsa:1024 -keyout client.key -out \
client.pem -subj "/O=Company Name/OU=Administration/CN=$1 $2" \
-passin "pass:${password}"

should work.

or even piping it through stdin:

echo "${password}" | openssl … -passin stdin


L R Nix
lornix@lornix.com

Hi,

Thanks for your replies… I tried what you suggested with passin as below:

openssl req -new -sha1 -newkey rsa:1024 -keyout client.key -out \
client.pem -subj "/O=Company Name/OU=Administration/CN=$1 $2" \
-passin pass:${password}

but it still prompts for the pass phrase.

/jlar

One has to read the man page to understand the subtleties. The reason there are two options, -passin and -passout, is that passin is used when the input file is password protected and a password needs to be supplied to unlock it, and passout is used when password protecting the output file. Since “req” simply generates output, what you need is -passout, not -passin.

As usual ken_yap you are right :)… this works:

openssl req -new -sha1 -newkey rsa:1024 -keyout client.key -out \
client.pem -subj "/O=Company Name/OU=Administration/CN=$1 $2" \
-passout pass:password

eeijlar wrote:

> As usual ken_yap you are right :)… this works:
>
> openssl req -new -sha1 -newkey rsa:1024 -keyout client.key -out \
> client.pem -subj "/O=Company Name/OU=Administration/CN=$1 $2" \
> -passout pass:password

Uh, that’d be my fault then. {Grin} Thank you ken.

Loni


L R Nix
lornix@lornix.com
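Putting ken_yap’s -passin/-passout distinction together with the man page’s warning that pass:xxx is visible in ps, here is an added example script (not posted by anyone in this thread) that hands the passphrase to openssl over file descriptor 3 instead of the command line, then proves the key is encrypted and that the passphrase opens it. The output directory, the rsa:2048 and sha256 choices, and the two helper function names are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. The passphrase never appears in argv:
# it travels through a pipe that is duplicated onto fd 3, and openssl is
# told "-passout fd:3". $1/$2 stay the CN parts, as in the original script.
set -eu

# make_client_csr <first> <last> <passphrase> <outdir>
# Writes <outdir>/client.key (encrypted) and <outdir>/client.pem (the CSR).
# "req" only produces output here, so the option is -passout (ken_yap's point).
make_client_csr() {
    first=$1; last=$2; pass=$3; outdir=$4
    mkdir -p "$outdir"
    # printf avoids echo's portability quirks with backslashes in passphrases.
    # Redirections are applied left to right: 3<&0 copies the pipe onto fd 3,
    # then </dev/null detaches stdin so openssl cannot fall back to prompting.
    printf '%s\n' "$pass" | openssl req -new -sha256 -newkey rsa:2048 \
        -keyout "$outdir/client.key" -out "$outdir/client.pem" \
        -subj "/O=Company Name/OU=Administration/CN=$first $last" \
        -passout fd:3 3<&0 </dev/null 2>/dev/null
}

# unlock_check <keyfile> <passphrase>
# Returns 0 only if the passphrase decrypts the key. The key is an *input*
# here, so this side of the distinction uses -passin, again via fd 3.
unlock_check() {
    printf '%s\n' "$2" | openssl pkey -in "$1" -noout \
        -passin fd:3 3<&0 </dev/null 2>/dev/null
}

# key_is_encrypted <keyfile>: both the legacy "Proc-Type: 4,ENCRYPTED" header
# and the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" form contain this word.
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}
```

Because `ps` shows only `-passout fd:3`, this keeps the passphrase out of the process list, which is the exposure the man page warns about for `pass:`.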