From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <zsh-users-return-15754-mason-zsh=primenet.com.au@zsh.org>
Received: (qmail 1416 invoked by alias); 1 Feb 2011 22:40:32 -0000
Mailing-List: contact zsh-users-help@zsh.org; run by ezmlm
Precedence: bulk
X-No-Archive: yes
List-Id: Zsh Users List <zsh-users.zsh.org>
List-Post: <mailto:zsh-users@zsh.org>
List-Help: <mailto:zsh-users-help@zsh.org>
X-Seq: 15754
Received: (qmail 13974 invoked from network); 1 Feb 2011 22:40:30 -0000
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on f.primenet.com.au
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham
	version=3.3.1
Received-SPF: pass (ns1.primenet.com.au: SPF record at benizi.com designates 64.130.10.15 as permitted sender)
Date: Tue, 1 Feb 2011 17:40:01 -0500 (EST)
From: "Benjamin R. Haskell" <zsh@benizi.com>
To: Julien Nicoulaud <julien.nicoulaud@gmail.com>
cc: Mikael Magnusson <mikachu@gmail.com>, zsh-users <zsh-users@zsh.org>
Subject: Re: Commands with passwords as options
In-Reply-To: <AANLkTikajPjd=r1CSrZnPCLnNFMS-y7KX1TKskQVvv1X@mail.gmail.com>
Message-ID: <alpine.LNX.2.01.1102011726120.2792@hp>
References: <AANLkTi=vmDkSaef2r-gaMK=6en=EYyCsWbVppRsPwF5r@mail.gmail.com> <AANLkTik-C+PD67k2FTySFCfpcZe4yTfDTWwRWp9DaB5A@mail.gmail.com> <AANLkTikajPjd=r1CSrZnPCLnNFMS-y7KX1TKskQVvv1X@mail.gmail.com>
User-Agent: Alpine 2.01 (LNX 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Tue, 1 Feb 2011, Julien Nicoulaud wrote:

> OK, but at least it is hidden from the shell "UI". Take it as 
> "man-looking-over-your shoulder" protection :-) For example you show 
> something to  someone, you do a backward history search and a command 
> with a clear text password you forgot to exclude from history pops 
> out...

In general, just avoid ever using such options.  But, if you get lazy, 
two ways around it that I use:

# method 1, use a var:
$ read DBPASSWORD
*password*here*
$ <ctrl-l> to clear screen
$ mysql -u username -p$DBPASSWORD [...etc...]

# method 2, use a file:
$ cat > passfile
*password*here*
$ <ctrl-l> to clear screen (or just have the file from a past session)
$ mysql -u username -p$(<passfile) [...etc...]

Neither is "secure", in the way Mikael points out.  (The command as it's 
being run has the password visible.)  And the first is really for 
one-off,but-frequent situations.  (i.e. when you're really just sick of 
typing the same password over and over.)  The second method I use quite 
a bit, for not-actually-secure passwords.

Generally (but not always) things that allow you to specify the password 
on the command line also let you specify a password file on the command 
line, which is at least one step better.

e.g. mysql has ~/.my.cnf
rsync has --password-file=
ldapsearch has -y
smbclient has -A

For SSH/GPG passwords, there are ssh-agent and gpg-agent.  Other 
programs have similar things.  That lets you avoid typing the password 
over-and-over at the risk of requiring the password only once during a 
given time period or login session.

For anything for which you want *real* security, the answer is to, of 
course, type it every time you need it.  (For my money, ssh-agent makes 
the best security vs. convenience tradeoff.)

-- 
Best,
Ben