Auto answering password for OPENSSL using HEREDOC
Solution 1
You have to add -pass stdin for openssl to read from stdin, or else, as @XTian says, it will read the password directly from the associated tty or pts device. No shell redirection will solve this.
From the same section of the man page that @XTian gave:
    stdin    read the password from standard input.
You can do something like this:
cd /etc/postfix/ssl/ &&
openssl genrsa -passout stdin -des3 -rand /etc/hosts -out smtpd.key 1024 <<PASS
password
PASS
You can also specify the password using -passout pass:, but this is even less secure since the password can be seen by any user using ps (see the man page section in @XTian's post).
Solution 2
This is because openssl deliberately opens /dev/tty, the controlling terminal, to prevent exactly what you are trying to do.
However, there are several mechanisms to specify a password; the following option is just the first from the manual page (see below), so choose whichever is most appropriate for you.
-passout pass:abcd
From man openssl:
    PASS PHRASE ARGUMENTS
    Several commands accept password arguments, typically using -passin and -passout for input and output passwords respectively. These allow the password to be obtained from a variety of sources. Both of these options take a single argument whose format is described below. If no password argument is given and a password is required then the user is prompted to enter one: this will typically be read from the current terminal with echoing turned off.

    pass:password
        the actual password is password. Since the password is visible to utilities (like 'ps' under Unix) this form should only be used where security is not important.
    env:var
        obtain the password from the environment variable var. Since the environment of other processes is visible on certain platforms (e.g. ps under certain Unix OSes) this option should be used with caution.
    file:pathname
        the first line of pathname is the password. If the same pathname argument is supplied to -passin and -passout arguments then the first line will be used for the input password and the next line for the output password. pathname need not refer to a regular file: it could for example refer to a device or named pipe.
    fd:number
        read the password from the file descriptor number. This can be used to send the data via a pipe for example.
    stdin
        read the password from standard input.
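The two non-argv mechanisms both answers rely on (-passout stdin with a heredoc, and fd:N), as an added shell example that is not code from the question or either answer; the key path, the passphrase and the key parameters (2048-bit RSA, AES-256) are constructed for the demonstration:

```shell
#!/bin/sh
# Added example (not code from the question or the answers): hand OpenSSL a
# passphrase through -passout stdin / -passin fd:N so it never reads /dev/tty
# and the secret never appears in argv (visible to `ps`). Paths, the
# passphrase and the key parameters (2048-bit RSA, AES-256) are constructed.

# Generate an encrypted key; the passphrase arrives on stdin via a heredoc.
# $1 = output path, $2 = passphrase (kept in a shell variable only).
gen_encrypted_key() {
    # Without -passout stdin openssl ignores the heredoc and prompts on the
    # terminal; with it, the first line of stdin is the passphrase.
    openssl genrsa -aes256 -passout stdin -out "$1" 2048 <<EOF 2>/dev/null
$2
EOF
}

# Succeed only if the key is encrypted and unlocks with the given passphrase.
# The passphrase is supplied on fd 3 here, the other mechanism from the man page.
verify_key() {
    grep -q 'ENCRYPTED' "$1" || return 1    # reject an unencrypted key outright
    openssl rsa -in "$1" -passin fd:3 -check -noout 3<<EOF >/dev/null 2>&1
$2
EOF
}

# Self-check with constructed values: correct passphrase unlocks, wrong one fails.
demo() {
    dir=$(mktemp -d) || return 1
    gen_encrypted_key "$dir/smtpd.key" 'correct horse' || return 1
    verify_key "$dir/smtpd.key" 'correct horse' || return 1
    if verify_key "$dir/smtpd.key" 'wrong pass'; then return 1; fi
    rm -rf "$dir"
}
```

demo prints nothing; its exit status is the result, 0 only when the key is encrypted, unlocks with the right passphrase and refuses the wrong one.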
MLSC, updated on September 18, 2022
Comments
-
MLSC (over 1 year ago):
I have the following command but it doesn't work for me...
cd /etc/postfix/ssl/ && openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 <<PASS
password
password
PASS
The output is:
109 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...............................++++++
...........++++++
e is 65537 (0x10001)
Enter pass phrase for smtpd.key:
It should auto answer the question and put the password in automatically.
I always use HEREDOC for automating my Q&A on bash and it works fine... What is the problem here?
Maybe it is because of security issues, but how can we deal with such issues?
I also know about this question but am not able to resolve it.
I am trying this one: (no result)
#!/bin/bash
PASS="password"
printf '%s\n' "$PASS" | {
    openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 -passout fd:3
} 3<&0
Any ideas?
-
devnull (about 10 years ago): Cross-posted at stackoverflow.com/questions/22169829/…
-
MLSC (about 10 years ago): Yes... There was no answer, @devnull. What shall I do?
-
devnull (about 10 years ago): What do you expect? That the community is out here to resolve your problems instantly?
-
MLSC (about 10 years ago): Ok... I'll try to be more patient... Thanks, my friend
-
MLSC (about 10 years ago): Even no answer with
printf '%s\n' "$PASS" | {
    openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 -passout fd:3
} 3<&0
-
MLSC (about 10 years ago): I also tried this one:
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 -passout "pass:mypassword"
-
X Tian (about 10 years ago): Very strange, I just tried
openssl genrsa -des3 -passout pass:abcd -rand /etc/hosts -out smtpd.key 1024
and that works!
-
MLSC (about 10 years ago): I have a question... How can I do that by doing what I tried in the original question (no result)?
-
MLSC (about 10 years ago): Pardon, which one is correct?
cd /etc/postfix/ssl/ && openssl genrsa -passout stdin -des3 -rand /etc/hosts -out smtpd.key 1024 <<PASS
password
password
PASS
OR
cd /etc/postfix/ssl/ && openssl genrsa -passout stdin -des3 -rand /etc/hosts -out smtpd.key 1024 <<PASS
password
PASS
with one password
-
Graeme (about 10 years ago): @Morteza, sorry, that answer was incomplete. I have intermittent internet issues just now; I think some of it actually got chopped off! As I said, you need -passout stdin or openssl will ignore the here document on stdin and read directly from the terminal.
-
MLSC (about 10 years ago): So what should I do in the end? Is your answer correct with heredoc? I use two passwords and it works... 1 password works... two passwords with different values also works :)
-
Graeme (about 10 years ago): @Morteza, actually you only need one password when reading from stdin, although it won't complain if you give two.
-
Graeme (about 10 years ago): @Morteza, there is no confirmation reading from stdin, so the second one is just ignored.
-
MLSC (about 10 years ago): Pardon... how about this one?
openssl req -new -key smtpd.key -out smtpd.csr
and
openssl x509 -req -days 365 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
and
openssl rsa -in smtpd.key -out smtpd.key.unencrypted