# Password in Script



## daBee (Aug 15, 2018)

Hi folks.

I'm in a situation where I want to use rsync to back up the whole system to a LAN mounted volume.  This requires a password for the remote workstation it's mounted on.  Is there a way to provide a password without hard coding it in a bash script on the FreeBSD box?  I'm hoping there's a small conf file that I can use.   

Cheers


----------



## aragats (Aug 15, 2018)

It's not clear what you mean.
If it's `rsync` which asks for a password, you should consider adding your SSH public key to the remote system's ~/.ssh/authorized_keys.
If it's a password for an SMB share mount, you can use /etc/nsmb.conf:

```
....
[MYHOST:MYUSER]
password=MySecretPassword
```


----------



## daBee (Aug 15, 2018)

I guess it's a bit unclear.  The target is a Mac workstation.  There is no such file in that directory.  I'm assuming this will work regardless.  Yes, it is rsync from my FreeBSD box to the Mac.

Edit:  So inserted that structure on the Mac after touching the file, and it was still asking for the password.


----------



## ShelLuser (Aug 15, 2018)

Even if you'd use a config file you'd probably still be somewhat hardcoding in the password. Anyway, what kind of service are you using on that Mac to dump the files to? Is this NFS based or another kind of sharing?

Worst case scenario could be to set up a dedicated service for this and then limiting access using a firewall.

Note: I don't have hands-on experience with a Mac so I have no idea what it can and cannot do.

(edit)

According to this article (/blog) it should be possible to set up SSH and key-based authentication on Mac OS X. That is by far your best choice because it secures everything and you can use this setup without passwords.


----------



## rigoletto@ (Aug 15, 2018)

You can store the password in an encrypted file and run something like "`gpg2 -qd password-file.gpg`" from the script to get the password.


----------



## daBee (Aug 15, 2018)

Just the normal Mac volume mounting system.  It's a mounted volume on my workstation, nothing special.  

There is no firewall.  The volume is viewable.  Let's not create scenarios.  There is nobody else on the LAN.  I don't want to start using keys to protect from a lack of people, just see if I can do this using a file somehow that needs a password, by using a file either on the target OS or in FreeBSD.  I find keys confusing.  




ShelLuser said:


> Even if you'd use a config file you'd probably still be somewhat hardcoding in the password. Anyway, what kind of service are you using on that Mac to dump the files to? Is this NFS based or another kind of sharing?
> 
> Worst case scenario could be to set up a dedicated service for this and then limiting access using a firewall.
> 
> ...


----------



## daBee (Aug 15, 2018)

lebarondemerde said:


> You can store the password in an encrypted file and run something like "`gpg2 -qd password-file.gpg`" from the script to get the password.



I'm sure there are options like this, but I was looking for something that might be a go-to before writing workarounds.  That's all.  Thank you.


----------



## aragats (Aug 15, 2018)

daBee said:


> Just the normal Mac volume mounting system. It's a mounted volume on my workstation, nothing special.


daBee, you do not explain clearly _what_ is mounted and _where_.
Is it a shared folder on your Mac which is mounted in your FreeBSD box? If yes, what kind of share is it: SMB, NFS etc? What command do you use to mount it?
If it's already mounted you shouldn't be asked for a password.
It's hard to help without knowing the technical details, the "normal Mac volume" is not a technical term, sorry.


----------



## daBee (Aug 15, 2018)

[FreeBSD Box]----router----[Mac OS Box with volume]  
On the Mac:  /Volumes/mounted_volume

It is not mounted in my FreeBSD box.  It is available to the LAN as a shared volume, using a username and password, my username on the Mac box.  I don't use a command to mount anything on my Mac.  That's the Mac OS. You don't use commands to share anything on a Mac.  File Sharing is paramount, so my admin account shares all volumes.  

Yes, for any volume on a Mac, you have to log into the box in order to get at any shared volumes.  I'm using `rsync` on the FreeBSD box, not the Mac.  

I don't know how much more I can give you.  This is the same when it's all Macs on a LAN.  You need a password to mount someone else's machine, and all of their mounted volumes on that Mac.


----------



## ShelLuser (Aug 15, 2018)

Sharing of filesystems is handled by software which performs a service. And that's what we're trying to find out here: which service provides all this and what protocols are being used. Because when we know what service(s) you're using then we may be able to come up with suitable alternatives.

This isn't stuff which "just" happens, it's software which sets it all up.

Anyway, it's obvious that you're not very familiar with all this and this is going nowhere I think.

So let's try something else: what is the _exact_ rsync command which you use to connect to your Mac?


----------



## daBee (Aug 15, 2018)

OK let me introduce you to the Mac.  It's a Graphical User Interface which needs no software to set it up.  Many operating systems behave this way.  Seeing that you are unfamiliar with these operating systems, you'll have to take my word for it.  It does "just happen".  See, they have buttons and checkboxes that you use to change things.  These items use the software underneath that users never ever see.  Ever.  You use a mouse to click such items.  I am very familiar with this as I've been writing software since the early 80's and never once have I ever had to install any filesharing software on any Apple product.  Nobody has, as it's built into the operating system.  Here's a quick link for you to read:

https://support.apple.com/kb/ph25605?locale=en_US

So, here is the request I'm using now, which works:

`sudo rsync -avz --delete / rich@mybox.local:/Volumes/Dragon2/FreeBSD_backups/$fname`


----------



## Deleted member 45312 (Aug 15, 2018)

daBee said:


> So, here is the request I'm using now, which works:
> 
> `sudo rsync -avz --delete / rich@mybox.local:/Volumes/Dragon2/FreeBSD_backups/$fname`


It seems you are using SSH, so like aragats said above, try using ~/.ssh/authorized_keys in your remote system's home directory.
There is no magic in operating systems (Apple included), they are using protocols for network communication.


----------



## Deleted member 45312 (Aug 15, 2018)

Strength of open source is you can see what an OS is doing behind your back.


----------



## daBee (Aug 15, 2018)

dlegrand said:


> It seems you are using SSH, so like aragats said above, try using ~/.ssh/authorized_keys in your remote system's home directory.
> There is no magic in operating systems (Apple included), they are using protocols for network communication.



Didn't work.  I like FreeBSD for obvious reasons.  That's why I'm here.  I never stated there's any magic.  I know there's underlying BSD in the Mac OS, but it's what I sit on, as do many developers.  But it's what I'm stuck with and I'm not starting from fresh simply because I want to back up something.  You work with what you have, and there's nothing wrong with what I have to begin with.


----------



## ShelLuser (Aug 15, 2018)

If it doesn't work then check the configuration for the SSH daemon. On FreeBSD you can find this in /etc/ssh/sshd_config where you can set this up using options like PubkeyAuthentication, AuthorizedKeysFile, and so on. See sshd_config(5) for an overview.


----------



## daBee (Aug 15, 2018)

OK, I'll read up on that.


----------



## forquare (Aug 15, 2018)

It could be that the ~/.ssh/authorized_keys file has the wrong permissions. I always use ssh-copy-id(1) from the client (FreeBSD in your case) to copy my public keys across.

I would remove all directories/files you created on the Mac manually and send the public key via ssh-copy-id(1).


----------
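The permission problem forquare describes, as an added example that is not part of the original thread: with StrictModes enabled (the sshd default), sshd ignores ~/.ssh/authorized_keys when the home directory, ~/.ssh or the file itself is group- or world-writable or owned by another user. The function names and output format are my own, the script only approximates sshd's check, and it is meant to be run as the receiving user on the machine running sshd.

```shell
#!/bin/sh
# Added example: approximate sshd's StrictModes checks for the account that
# receives the backup. Function names and messages are hypothetical.

# Return 0 if the path is group- or world-writable.
is_loose() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Return 0 if the path is owned by someone other than the current user or root.
is_foreign() {
    [ -n "$(find "$1" -prune ! -user "$(id -u)" ! -user 0 -print 2>/dev/null)" ]
}

# audit_ssh_perms HOME_DIR
# Prints one line per problem; the return status is the number of problems.
audit_ssh_perms() {
    home=$1
    problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            problems=$((problems + 1))
            continue
        fi
        if is_loose "$p"; then
            echo "WRITABLE $p (fix: chmod go-w)"
            problems=$((problems + 1))
        fi
        if is_foreign "$p"; then
            echo "OWNER    $p (fix: chown to the login user)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Usage on the target machine:
#   audit_ssh_perms "$HOME" && echo "permissions OK"
```

A clean result here rules out the permission cause only; the sshd_config options ShelLuser mentions still decide whether public-key logins are accepted at all.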



## ekingston (Aug 15, 2018)

lebarondemerde said:


> You can store the password in an encrypted file and run something like "`gpg2 -qd password-file.gpg`" from the script to get the password.



I'm curious if someone could explain to me how that actually protects the password? True it is no longer hard coded in the script but anyone who was poking around in the script would see that command and know to run it to get the password anyway. How is that any better than just doing `cat /path/to/password.txt` in a script?

What actual added protection do you get when a single command retrieves the password from a file without any additional authentication? Or, what am I missing?


----------



## Deleted member 45312 (Aug 15, 2018)

ekingston said:


> What actual added protection do you get when a single command retrieves the password from a file without any additional authentication? Or, what am I missing?


You're right, it's crap.


----------



## rigoletto@ (Aug 15, 2018)

Password, and you can use gpg-agent too. Also, you don't have the password in plain text stored around.


----------



## rotor (Aug 16, 2018)

daBee said:


> ...
> 
> So, here is the request I'm using now, which works:
> 
> `sudo rsync -avz --delete / rich@mybox.local:/Volumes/Dragon2/FreeBSD_backups/$fname`




When I was in a similar situation, the first thing I did was simplify the problem.

I knew I wanted to have rsync use ssh's authorized keys, so I took rsync out of the picture.  I tried to set up the authorized keys using a ssh client to connect to a ssh server.  

Once I got that working, rsync using ssh just worked.

I haven't looked in a while, but I am sure there are at least a few tutorials on the web that explain how to set up ssh communications using authorized keys instead of passwords.

Hope this helps, sorry I couldn't be more specific.


----------

