Repeatable command history with hidden passwords
When running commands that require a password, it's a bad idea to type the password in the shell. Your password will be stored in your history file.
$ mysql -u MyUser -pMyPassword MyDB -e "SELECT * FROM myTable"
$ curl -u MyUser:MyPassword https://mysite.com
Many programs will prompt for the password instead if you leave it off the command line:
$ mysql -u MyUser -p MyDB -e "SELECT * FROM myTable"
$ curl -u MyUser https://mysite.com
Those are great options when supported. However, not all programs have those options.
HISTCONTROL
There is an option in bash called HISTCONTROL. This setting affects what bash stores in the history. There are 2 settings that can be configured in HISTCONTROL.
ignoredups
$ HISTCONTROL=ignoredups
ignoredups essentially makes bash skip writing a line to the history when it is identical to the previous entry. I personally love having this set. It can speed up looking back through your history for a specific command. This is the default in Red Hat based systems.
ignorespace
$ HISTCONTROL=ignorespace
This is the setting that is needed for this tutorial to work. It tells bash not to record any command you run that starts with a space.
ignoreboth
$ HISTCONTROL=ignoreboth
This is just a third option for HISTCONTROL that turns on both of the settings mentioned above. This is the default in Debian based systems (including Ubuntu).
You can check what your user's setting is by running:
$ echo $HISTCONTROL
You can set whichever one of those you want in your ~/.bashrc file. In order to keep your password out of your history, you will need to make sure it is set to either ignorespace or ignoreboth.
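One way to make that check in ~/.bashrc, as an added example that is not from the original post. HISTCONTROL is a colon-separated list, so the functions below (their names are illustrative) test its entries, add ignorespace only when it is missing, and model which lines bash would save.

```bash
# Added example; function names are illustrative, not bash built-ins.

# Succeeds if the HISTCONTROL value in $1 hides space-prefixed commands.
# The value is a colon-separated list (e.g. "erasedups:ignorespace"),
# so match whole entries instead of comparing the full string.
hides_leading_space() {
    case ":$1:" in
        *:ignorespace:*|*:ignoreboth:*) return 0 ;;
    esac
    return 1
}

# Prints $1 with ignorespace added if it was missing; other entries are kept.
with_ignorespace() {
    if hides_leading_space "$1"; then
        printf '%s\n' "$1"
    elif [ -z "$1" ]; then
        printf 'ignorespace\n'
    else
        printf '%s:ignorespace\n' "$1"
    fi
}

# Model of bash's rule: succeeds if line $3 would be saved to the history,
# given HISTCONTROL value $1 and previous history entry $2.
would_be_saved() {
    if hides_leading_space "$1"; then
        case "$3" in
            ' '*) return 1 ;;          # ignorespace: leading space, not saved
        esac
    fi
    case ":$1:" in
        *:ignoredups:*|*:ignoreboth:*)
            if [ "$3" = "$2" ]; then   # ignoredups: same as previous entry
                return 1
            fi ;;
    esac
    return 0
}

# In ~/.bashrc: enable the setting without discarding what the distro set.
HISTCONTROL=$(with_ignorespace "${HISTCONTROL:-}")
```

With only ignoredups set, would_be_saved reports that a space-prefixed line is still recorded, which is the case the paragraph above warns about.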
Hiding your password
Instead of running a command like the ones mentioned above, put a space in front of it:
$  curl -u MyUser:MyPassword https://mysite.com
Of course this doesn't hide the password from your screen like the prompting method does. If you are worried that someone is watching over your screen, the prompt might still be better. You could also run 'clear' if you are only concerned that someone might soon walk by your screen.
If you want to run the command multiple times now, there is still one more problem. You will notice that if you press up on your keyboard, it will only show the command you ran before this last one. That is because your command is not in the history. In that case, the trick is to store your password in a variable, and use space to hide the command where you store the variable.
$  thePass=MyPassword
$ curl -u "MyUser:$thePass" https://mysite.com
Now if you press up, your curl call is in your history, but if you press up a second time, you will notice that the command assigning your password variable is not. You can now rerun that curl call (or variations of it) quickly and easily.
If someone might access your current session, they could echo your password. Make sure to "unset thePass", exit bash, lock your workstation, or log out before you walk away. You should always be doing one of those last 2 options anyway if you are somewhere that someone might use your workstation.
There are other options to achieve the goal of this tutorial. You could put your password in a file and source the file, you could put your password and commands in a shell script, or various other methods. But those both require more work and time. This tip is just meant as a quick little trick you can use regularly as needed.