dsfmwa
Last Updated: August 25, 2017

Securely use basic auth with curl

There are two places where a plain text password can easily be seen: on the wire (the http protocol) and on the host running the web client. Using https takes care of plain text over http, but most scripts still supply the password on the command line or in an environment variable. Running "ps auxfwww" shows the command line, and both the command line and the environment are available to any local user.

Fortunately, curl lets you configure command line options through stdin. To insecurely pass the --user option to curl:

echo 'user = "defn:password"' | curl -K - https://googles

To avoid generating the password on the command line, let's say the username:password pair is in a file readable only by the user:

{ echo -n 'user = "'; cat password.txt; echo '"'; }

Or it's emitted by a sudo command:

{ echo -n 'user = "'; sudo get-password; echo '"'; }

Any command that emits the password on its stdout (so it can be piped into curl's stdin) will do.
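As an added example that is not part of the original tip, the following POSIX shell functions assemble the curl config line from a credentials file and feed it to curl on stdin, so the secret appears neither in curl's argv nor in its environment. It assumes the file holds a single username:password line, checks that the file is not readable by others, strips the trailing newline, and escapes the characters that are special inside a quoted curl config value; the function names make_curl_config and fetch_with_file_creds are chosen here.

```shell
#!/bin/sh
# Added example, not the original post's code. Builds 'user = "..."' for
# curl -K - from a credentials file assumed to contain one "name:password" line.

make_curl_config() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    # Host-side check: refuse a credentials file that group or others can read
    # (GNU stat first, BSD/macOS stat as fallback).
    perm=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    case "$perm" in
        ?00) ;;
        *) echo "$file has mode $perm; expected 600 or 400" >&2; return 1 ;;
    esac
    # Take only the first line and drop any CR/LF (the trailing newline from
    # cat is what breaks the one-liner in the comments), then escape \ and "
    # which curl treats specially inside a double-quoted config value.
    cred=$(head -n 1 "$file" | tr -d '\r\n' | sed 's/\\/\\\\/g; s/"/\\"/g')
    [ -n "$cred" ] || { echo "$file is empty" >&2; return 1; }
    printf 'user = "%s"\n' "$cred"
}

fetch_with_file_creds() {
    file="$1"
    url="$2"
    # Build the config first so a failed check stops us before curl runs with
    # no credentials at all. $cfg is a plain (non-exported) shell variable, so
    # it is not copied into curl's environment; ps shows only "curl -sS -K - URL".
    cfg=$(make_curl_config "$file") || return 1
    printf '%s\n' "$cfg" | curl -sS -K - "$url"
}

# Usage (constructed example):
#   printf 'defn:password\n' > ~/.api-cred && chmod 600 ~/.api-cred
#   fetch_with_file_creds ~/.api-cred https://example.invalid/resource
```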

7 Responses

Just a note: On Linux, at least from what I've read and on my own machine only root can see environment variables for all users. Otherwise a user can see their own environment. Your ps command didn't show me any environment info, even as root. I used 'ps -e -o pid,user,cmd e' instead.

Just check out the permissions in /proc/pid/environ. It's set chmod 400

Otherwise, great tip!
-Fletcher

over 1 year ago

{ echo -n 'user = "'; cat password.txt; echo '"'; } - this one didn't work for me (and curl :))
I used this syntax to pass the file with the credentials to curl:
cat password.txt | sed 's/^/user="/;s/$/"/' | curl ... -K -

over 1 year ago

You can also use gpg to encrypt the password and then pass it as a variable to curl:

To encrypt:
gpg -c $FILE
This creates $FILE.gpg, the encrypted password.

To get the password back:

PWFILE=~/<file>
gpg --batch $PWFILE.gpg
PASSWORD=$(cat $PWFILE)
rm -f $PWFILE

curl -sL -k -u user:${PASSWORD} http://.........

over 1 year ago

Like goshaf, I couldn't get this to work:
{ echo -n 'user = "'; cat password.txt; echo '"'; }

I found a (simpler?) alternative, which works as long as you're using bash:

curl -u $(< password.txt) https://googles

over 1 year ago

@geezer: well, but -u user:${PASSWORD} is shown as user:xxxxx in ps
@ianab: same for $(< password.txt)

over 1 year ago

Thank you for these tips!
The reason the example with cat does not work as written is that cat prints the trailing newline from the file.
By removing the newline, the code will work:
{ echo -n 'user = "'; cat password.txt | tr -d '\n'; echo '"'; }
tr -d '\n' deletes the newline from the (end of the) data.

3 months ago

After a careful read of man curl, it appears that this might actually be the best way:
curl -K curlconfig.cfg http://www.googles

Then you insert this line into curlconfig.cfg (or whatever filename you like):
user = "defn:password"

Works like a charm. You can also add other curl options to that file, one per line.

3 months ago