Beefy Boxes and Bandwidth Generously Provided by pair Networks
Clear questions and runnable code
get the best and fastest answer
 
PerlMonks  

Re: passwords with special characters are trying to kill me... no seriously!

by rmcgowan (Sexton)
on Feb 04, 2011 at 04:54 UTC ( [id://886130]=note: print w/replies, xml ) Need Help??


in reply to passwords with special characters are trying to kill me... no seriously!

I'm posting as a direct response, as I think it fits better here, but some of the comments by BrowserUk (specifically Re^5) points in the right direction.

I modified calmthestorm's original code to print out, rather than run system, on the string $set_password, which printed: 

/usr/bin/ssh hostname "echo test\$ing | /usr/bin/passwd --stdin bob"

[download]

The second thing to point out comes from perldoc for the 'system' function:

... If there is only one scalar argument, the argument is checked for shell metacharacters, and if there are any, the entire argument is passed to the system's command shell for parsing...

There are shell metacharacters in the string, so what executes is actually: 

/.../bin/sh -c '/usr/bin/ssh hostname "echo test\$ing | /usr/bin/passw
+d --stdin bob"'

[download]

Note that I added the pair of single quotes for clarity, but they do not actually appear, since everything in them is passed as a single string with embedded spaces and so on, by perl. What the shell sees is two arguments, the '-c' and the long string: 

/usr/bin/ssh hostname "echo test\$ing | /usr/bin/passwd --stdin bob"

[download]

The shell then runs 'ssh' with two arguments, 'hostname' and the long string: 

echo test$ing | /usr/bin/passwd --stdin bob

[download]

Notice that both double quotes AND the backslash have been removed! You can verify this happens by doing: 

$ echo 'test\$ing'
test\$ing
$ echo "test\$ing"
test$ing

[download]

The net result is the remote sees a varible name $ing, which almost certainly has no value, and so the password is set to be the initial string, 'test'.

Fix this by changing your quoting for this line: 

  my $set_password = '/usr/bin/ssh ' . $master_host . " \"echo \Q$new_
+password\E | /usr/bin/passwd --stdin \Q$username\E\"";

[download]

so it looks like: 

  my $set_password = '/usr/bin/ssh ' . $master_host . " 'echo \Q$new_p
+assword\E | /usr/bin/passwd --stdin \Q$username\E'";

[download]

In the shell, one type of quotes protects the other type and removes their special meaning, so something like "'$HOME'" will print "plain" single quotes surrounding the value of the $HOME variable, for example '/home/joe', which means in your case, the backslash introduced by \Q...\E will be kept, and will do what you expect on the remote system.

Replies are listed 'Best First'.
Re^2: passwords with special characters are trying to kill me... no seriously!
by Anonyrnous Monk (Hermit) on Feb 04, 2011 at 05:49 UTC 
    my $set_password = '/usr/bin/ssh ' . $master_host . " 'echo \Q$new_pas
+sword\E | /usr/bin/passwd --stdin \Q$username\E'";

    [download]

    Unfortunately, that won't work if the password contains, for example, a single quote. 

    my $master_host  = 'localhost';
my $username     = 'foo';
my $new_password = 'a\'b$c"d|e';

print "pwd: ",$new_password;

my $set_password = '/usr/bin/ssh ' . $master_host . " 'echo \Q$new_pas
+sword\E | /usr/bin/passwd --stdin \Q$username\E'";

print "cmd: ",$set_password;
system $set_password;

__END__
pwd: a'b$c"d|e
cmd: /usr/bin/ssh localhost 'echo a\'b\$c\"d\|e | /usr/bin/passwd --st
+din foo'
sh: Syntax error: Unterminated quoted string

    [download]

    In other words, a simple quotemeta (\Q) is not the appropriate tool to quote arbitrary strings for the shell. You'd have to use more sophisticated techniques.

[reply]
[d/l]
[select]

      It's easy if you build the command in stages. 

      sub text_to_shell_lit(_) {
   return $_[0] if $_[0] =~ /^[a-zA-Z0-9_\-]+\z/;
   my $s = $_[0];
   $s =~ s/'/'\\''/g;
   return "'$s'";
}

my $user   = 'bob';
my $passwd = 'test$ing';

my $echo_cmd = join ' ', map text_to_shell_lit,
   echo => $passwd;

my $passwd_cmd = join ' ', map text_to_shell_lit,
   passwd => '--', $user;

my $ssh_cmd = join ' ', map text_to_shell_lit,
   ssh => 'hostname', "$echo_cmd | $passwd_cmd";

      [download]
      ssh hostname 'echo '\''test$ing'\'' | passwd -- bob'

      [download]

      Note that command lines are readable by anyone on the machine. It is not safe to pass passwords in command lines. Yet another reason why opening a pipe to ssh is better.

[reply]
[d/l]
[select]

In Section Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://886130]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others drinking their drinks and smoking their pipes about the Monastery: (4)
As of 2024-04-20 02:20 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found