Repeatable command history with hidden passwords

When running commands that require a password, it's a bad idea to type the password in the shell. Your password will be stored in your history file.

A couple of example commands with the password in the command:
$ mysql -u MyUser -pMyPassword MyDB -e "SELECT * FROM myTable"
$ curl -u MyUser:MyPassword https://mysite.com
You should avoid doing this.
Some commands have the ability to prompt for the password:
$ mysql -u MyUser -p MyDB -e "SELECT * FROM myTable"
$ curl -u MyUser https://mysite.com
These usually don't echo the password to the screen, and it is not in your history.

Those are great options when supported. However, not all programs have that option.

HISTCONTROL

There is an option in bash called HISTCONTROL. This setting affects what bash stores in the history. There are 2 settings that can be configured in HISTCONTROL.

ignoredups

$ HISTCONTROL=ignoredups

ignoredups tells bash not to save a command that is identical to the previous history entry, so repeated identical lines are not written to the history file. I personally love having this set. It can speed up looking back through your history for a specific command. This is the default in Red Hat based systems.

ignorespace

$ HISTCONTROL=ignorespace

This is the setting that is needed for this tutorial to work. It tells bash not to record any command you run that starts with a space.

ignoreboth

$ HISTCONTROL=ignoreboth

This is just a third option for HISTCONTROL that turns on both of the settings mentioned above. This is the default in Debian based systems (including Ubuntu).

You can check what your user's setting is by running:

$ echo $HISTCONTROL

You can set whichever one of those you want in your ~/.bashrc file. In order to keep your password out of your history, you will need to make sure it is set to either ignorespace or ignoreboth.

Hiding your password

Instead of running a command like the ones mentioned above as is, start it with a space:

$  curl -u MyUser:MyPassword https://mysite.com
Notice the space at the beginning.

Of course this doesn't hide the password from your screen like the prompting method does. If you are worried that someone is watching over your screen, the prompt might still be better. You could also run 'clear' if you are only concerned that someone might soon walk by your screen.

If you want to run the command multiple times now, there is still one more problem. You will notice that if you press up on your keyboard, it will only show the command you ran before this last one. That is because your command is not in the history. In that case, the trick is to store your password in a variable, and use space to hide the command where you store the variable.

$  thePass=MyPassword
$ curl -u "MyUser:$thePass" https://mysite.com
Once again, notice the space at the beginning of the first line.

Now if you press up, your curl call is in your history, but if you press up a second time, you will notice that the command assigning your password variable is not. You can now run that curl call (or variations of it) quickly and easily.

If someone might access your current session, they could echo your password. Make sure to "unset thePass", exit bash, lock your workstation, or log out before you walk away. You should always be doing one of those last 2 options anyway if you are somewhere that someone might use your workstation.

There are other options to achieve the goal of this tutorial. You could put your password in a file and source the file, you could put your password and commands in a shell script, or various other methods. But those both require more work and time. This tip is just meant as a quick little trick you can use regularly as needed.
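
To go with the tip above, here is an added example that is not part of the original post: shell functions that check whether a HISTCONTROL value will hide space-prefixed commands, and that audit a history file for the two password patterns shown at the top of this page. The function names and the sample history are constructed for illustration, and the audit assumes the command name is the first word on the line.

```sh
# Added example; function names and sample data are constructed.

# Succeed if a HISTCONTROL value (colon-separated list) makes bash skip
# commands that start with a space.
hides_space_prefixed() {
    case ":$1:" in
        *:ignorespace:*|*:ignoreboth:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a HISTCONTROL value that keeps what is already set and adds
# ignorespace only when it is missing.
with_ignorespace() {
    if hides_space_prefixed "$1"; then printf '%s\n' "$1"
    elif [ -z "$1" ]; then printf 'ignorespace\n'
    else printf '%s:ignorespace\n' "$1"
    fi
}

# Print "LINE:COMMAND" for history lines that carry a literal password like
# the two examples on this page: mysql -pPASSWORD, curl -u USER:PASSWORD.
# The secret itself is never printed. "-u USER:$var" is not flagged.
find_inline_passwords() {
    awk '
        /^#[0-9]+$/ { next }                      # history timestamp lines
        {
            for (i = 2; i <= NF; i++) {
                if ($1 == "mysql" && $i ~ /^-p./) { print NR ":mysql"; next }
                if ($1 == "curl" && $i == "-u" && $(i + 1) ~ /^[^:]+:[^$]/) {
                    print NR ":curl"; next
                }
            }
        }' "$1"
}

# Constructed sample history, written to the path given as $1.
write_sample_history() {
    cat > "$1" <<'EOF'
mysql -u MyUser -pMyPassword MyDB -e "SELECT * FROM myTable"
mysql -u MyUser -p MyDB -e "SELECT * FROM myTable"
curl -u MyUser:MyPassword https://mysite.com
curl -u MyUser https://mysite.com
curl -u MyUser:$thePass https://mysite.com
EOF
}
```

In ~/.bashrc, HISTCONTROL=$(with_ignorespace "$HISTCONTROL") adds ignorespace without discarding a value that is already set, and find_inline_passwords ~/.bash_history lists the lines worth cleaning up.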