Auto answering password for OPENSSL using HEREDOC

Solution 1

You have to add -pass stdin for openssl to read from stdin, or else, as @XTian says, it will read the password directly from the associated tty or pts device. No shell redirection will solve this.

From the same section of the man page that @XTian gave:

stdin read the password from standard input.

You can do something like this:

cd /etc/postfix/ssl/ &&
  openssl genrsa  -passout stdin -des3 -rand /etc/hosts -out smtpd.key 1024 <<PASS
password
PASS

You can also specify the password using -passout pass:, but this is even less secure since the password can be seen by any user using ps (see the man page section in @XTian's post).

Solution 2

This is because openssl deliberately opens /dev/tty, the controlling terminal, to prevent exactly what you are trying to do.

However, there are several mechanisms to specify a password; the following option is just the first from the manual page (see below), so choose whichever one is most appropriate for you.

-passout pass:abcd

From man openssl

PASS PHRASE ARGUMENTS

Several commands accept password arguments, typically using -passin and -passout for input and output passwords respectively. These allow the password to be obtained from a variety of sources. Both of these options take a single argument whose format is described below. If no password argument is given and a password is required then the user is prompted to enter one: this will typically be read from the current terminal with echoing turned off.

   pass:password
             the actual password is password. Since the password is visible to utilities (like
             'ps' under Unix) this form should only be used where security is not important.

   env:var   obtain the password from the environment variable var. Since the environment of
             other processes is visible on certain platforms (e.g. ps under certain Unix OSes)
             this option should be used with caution.

   file:pathname
             the first line of pathname is the password. If the same pathname argument is
             supplied to -passin and -passout arguments then the first line will be used for
             the input password and the next line for the output password. pathname need not
             refer to a regular file: it could for example refer to a device or named pipe.

   fd:number read the password from the file descriptor number. This can be used to send the
             data via a pipe for example.

   stdin     read the password from standard input.
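Both answers above come down to the same point: the passphrase has to be handed to openssl through a source it is told about (-passout stdin or fd:N), not through the terminal. The script below is an added example, not code from either answer; it feeds the passphrase over fd 3 with a here-document, then checks the key with -passin stdin. It assumes openssl is on PATH and uses -aes256 in place of the thread's -des3; the key path and passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): create a passphrase-protected
# RSA key non-interactively, feeding the passphrase through an extra file
# descriptor rather than the command line, then verify the key decrypts.
# Assumes `openssl` is on PATH; all file names and passphrases are constructed.

# Generate $1 (key path) encrypted with the passphrase given as $2.
# The passphrase travels over fd 3: `3<<EOF` attaches a here-document to
# fd 3 and -passout fd:3 tells openssl to read it there, so the passphrase
# shows up in neither `ps` output nor the process environment.
gen_encrypted_key() {
    key="$1"
    pass="$2"
    openssl genrsa -aes256 -passout fd:3 -out "$key" 2048 2>/dev/null 3<<EOF
$pass
EOF
}

# Return 0 if key $1 can be decrypted with passphrase $2, non-zero otherwise.
# -passin stdin reads exactly one line from the pipe; as noted in the thread,
# there is no confirmation prompt, so a second line would simply be ignored.
key_opens_with() {
    printf '%s\n' "$2" | openssl rsa -in "$1" -passin stdin -noout 2>/dev/null
}

# Demonstration when run directly: generate, then try a right and a wrong pass.
demo() {
    dir=$(mktemp -d)
    gen_encrypted_key "$dir/smtpd.key" 'correct horse battery staple'
    key_opens_with "$dir/smtpd.key" 'correct horse battery staple' \
        && echo "correct passphrase: key opens"
    key_opens_with "$dir/smtpd.key" 'wrong' \
        || echo "wrong passphrase: rejected"
    rm -rf "$dir"
}
```

Running demo prints one line for each check; the interesting part is that `ps` never shows the passphrase while the key is generated.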
Author: MLSC

Updated on September 18, 2022

Comments

  • MLSC
    MLSC over 1 year

    I have the following command but it doesn't work for me...

    cd /etc/postfix/ssl/ && openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 <<PASS
    password
    password
    PASS
    

    The output is:

    109 semi-random bytes loaded
    Generating RSA private key, 1024 bit long modulus
    ...............................++++++
    ...........++++++
    e is 65537 (0x10001)
    Enter pass phrase for smtpd.key:
    

    It should auto-answer the question and supply the password automatically.

    I always use HEREDOC for automating my Q&A in bash and it works fine...

    What is the problem here?

    Maybe it is because of security issues, but how can we deal with such issues?

    I also know about this question but am not able to resolve it.

    I am trying this one: (no result)

    #!/bin/bash
    PASS="password"
    printf '%s\n' "$PASS" | {
        openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 -passout fd:3
    } 3<&0
    

    any ideas?

    • devnull
      devnull about 10 years
    • MLSC
      MLSC about 10 years
      Yes... There was no answer, @devnull. What shall I do?
    • devnull
      devnull about 10 years
      What do you expect? That the community is out here to resolve your problems instantly?
    • MLSC
      MLSC about 10 years
      Ok... I'll try to be more patient... Thanks my friend
  • MLSC
    MLSC about 10 years
    No answer even with printf '%s\n' "$PASS" | { openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 -passout fd:3; } 3<&0
  • MLSC
    MLSC about 10 years
    I also tried this one: openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 -passout "pass:mypassword"
  • X Tian
    X Tian about 10 years
    Very strange, I just tried openssl genrsa -des3 -passout pass:abcd -rand /etc/hosts -out smtpd.key 1024 and that works!
  • MLSC
    MLSC about 10 years
    I have a question: how can I do that by doing what I tried in the original question (no result)?
  • MLSC
    MLSC about 10 years
    Pardon, which one is correct?

    cd /etc/postfix/ssl/ && openssl genrsa -passout stdin -des3 -rand /etc/hosts -out smtpd.key 1024 <<PASS
    password
    password
    PASS

    or, with one password:

    cd /etc/postfix/ssl/ && openssl genrsa -passout stdin -des3 -rand /etc/hosts -out smtpd.key 1024 <<PASS
    password
    PASS
  • Graeme
    Graeme about 10 years
    @Morteza, sorry, that answer was incomplete. I have intermittent internet issues just now; I think some of it actually got chopped off! As I said, you need -passout stdin or openssl will ignore the here document on stdin and read directly from the terminal.
  • MLSC
    MLSC about 10 years
    So what should I do in the end? Is your answer correct with heredoc? I used two passwords and it works; one password works; two passwords with different values also works :)
  • Graeme
    Graeme about 10 years
    @Morteza, actually you only need one password when reading from stdin, although it won't complain if you give two.
  • Graeme
    Graeme about 10 years
    @Morteza, there is no confirmation reading from stdin, so the second one is just ignored.
  • MLSC
    MLSC about 10 years
    Pardon, how about this one? openssl req -new -key smtpd.key -out smtpd.csr and openssl x509 -req -days 365 -in smtpd.csr -signkey smtpd.key -out smtpd.crt and openssl rsa -in smtpd.key -out smtpd.key.unencrypted