plyint / encpass.sh

Lightweight solution for using encrypted passwords in shell scripts
MIT License

encpass in script #16

Closed przytula closed 4 years ago

przytula commented 4 years ago

When I use encpass from the command line: no problem.

#!/bin/sh
label=$1
. ./encpass.sh
password=$(get_secret $label)
echo "passw $password"

[dbadmin@luechdb61 scripts]$ ./secret.sh dbllud1
passw VCYzqhvc8C1XMW6Uvfzc
[dbadmin@luechdb61 scripts]$ ./secret.sh dbllud2
passw TgdTi4WJec3x55J17AwF

The password is correctly retrieved. Now I call it from another script ......

usr_name=$(echo ${server_name} |cut -d ':' -f3)
echo "handling script_name ${Scr_nme} for server_name : ${srv_name} dbname : ${db_name} "
. ./encpass.sh
password=$(get_secret ${usr_name})
....

In this case I also echoed the input and it is correct, but get_secret does not recognize it and wants to create a new entry, although the entry is correctly displayed:

[dbadmin@luechdb61 scripts]$ ./db2Deploy.sh -s scr.sql -m deploy.lst -e d
handling script_name scr.sql for server_name : luechdb61 dbname : IEEINT
xdbllud1x <--- echo from script x${usr_name}x
Enter dbllud1:
stty: standard input: Inappropriate ioctl for device
stty: standard input: Inappropriate ioctl for device

What could be the reason for this? Thanks for all answers. Best regards, Guy

ahnick commented 4 years ago

Hey @przytula, it looks like the secret is being created with the bucket (buckets used to be called labels) name of "secret.sh". You can confirm this by running

./encpass.sh show

You should see something like the following:

secret.sh:
dbllud1 = VCYzqhvc8C1XMW6Uvfzc

The problem though is that you have a different script called "db2Deploy.sh" where you try and use this secret by calling password=$(get_secret ${usr_name}). This causes encpass.sh to look in a bucket named "db2Deploy.sh" for the secret; however, it was previously created in the bucket named "secret.sh".

You have a couple of different options:

If you want the secret to be created in the bucket db2Deploy.sh, then you can modify the call to get_secret in secret.sh as follows:

password=$(get_secret db2Deploy.sh $label)

Alternatively, you can modify the db2Deploy.sh script to use the secret from the secret.sh bucket, by modifying the get_secret call in db2Deploy.sh as follows:

password=$(get_secret secret.sh ${usr_name})

Also, I'm not sure of the purpose of secret.sh here. If you are only using it to create the secrets for db2Deploy.sh you might be able to get rid of it entirely. encpass.sh allows you to create secrets directly from the command line. You could accomplish the same thing secret.sh does in your example, by issuing the following command to encpass.sh

./encpass.sh add db2Deploy.sh dbllud1

That command will then prompt you to enter your password, and your secret will be created in a bucket named db2Deploy.sh. It should then automatically work in your db2Deploy.sh script without prompting for the secret again.

Hopefully that helps. Let me know if anything is unclear.
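To make the bucket behaviour described in this answer concrete, here is a toy model of the lookup, added as an illustration; it is not encpass.sh's own code. It assumes only what the answer states: a secret lives in a bucket, `get_secret NAME` uses the calling script's name as the bucket, and `get_secret BUCKET NAME` names the bucket explicitly. The toy keeps secrets as plain files under a temporary directory (no encryption, unlike the real tool), the helper names `toy_add` and `toy_get_secret` are hypothetical, and the secret value is a constructed placeholder.

```shell
#!/bin/sh
# Toy model of encpass.sh bucket resolution (added illustration, not the project's code).
# Secrets are stored as plain files at $TOY_DIR/<bucket>/<name>; the bucket defaults
# to the basename of the calling script, which is exactly what made two scripts
# look in two different places for the same secret.

TOY_DIR="${TOY_DIR:-$(mktemp -d)}"

# toy_add BUCKET NAME VALUE -- stand-in for "./encpass.sh add BUCKET NAME"
toy_add() {
  mkdir -p "$TOY_DIR/$1"
  printf '%s' "$3" > "$TOY_DIR/$1/$2"
}

# toy_get_secret CALLER [BUCKET] NAME -- stand-in for get_secret as called from the
# script CALLER. One argument after CALLER: bucket is derived from CALLER's basename.
# Two arguments: the first is an explicit bucket, the second the secret name.
toy_get_secret() {
  caller=$1; shift
  if [ $# -eq 2 ]; then
    bucket=$1; name=$2
  else
    bucket=$(basename "$caller"); name=$1
  fi
  if [ -f "$TOY_DIR/$bucket/$name" ]; then
    cat "$TOY_DIR/$bucket/$name"
  else
    # The real tool would prompt to create the secret here; the toy reports the miss.
    printf 'MISSING(%s/%s)' "$bucket" "$name"
    return 1
  fi
}

# Reproduce the thread: the secret was created while running ./secret.sh, so it
# landed in the bucket "secret.sh" (value below is a constructed placeholder).
toy_add secret.sh dbllud1 'example-password'

# Lookup from ./secret.sh: default bucket matches, secret found.
toy_get_secret ./secret.sh dbllud1; echo
# Lookup from ./db2Deploy.sh: default bucket is "db2Deploy.sh", so it misses.
toy_get_secret ./db2Deploy.sh dbllud1 || echo "  <- not found, would prompt"
# Naming the bucket explicitly, as suggested above, finds it from any script.
toy_get_secret ./db2Deploy.sh secret.sh dbllud1; echo
```

The practical check this models: when a script unexpectedly prompts for a secret you know exists, compare the bucket `./encpass.sh show` reports with the name of the script doing the lookup, and either pass the bucket explicitly or create the secret under the consuming script's bucket.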

przytula commented 4 years ago

Thanks for the update. I applied the changes and all seems OK. Best regards, Guy