I'm posting as a direct response, as I think it fits better here, but some of the comments by BrowserUk (specifically Re^5) points in the right direction.

I modified calmthestorm's original code to print out, rather than run system, on the string $set_password, which printed: 

/usr/bin/ssh hostname "echo test\$ing | /usr/bin/passwd --stdin bob"

[download]

The second thing to point out comes from perldoc for the 'system' function:

... If there is only one scalar argument, the argument is checked for shell metacharacters, and if there are any, the entire argument is passed to the system's command shell for parsing...

There are shell metacharacters in the string, so what executes is actually: 

/.../bin/sh -c '/usr/bin/ssh hostname "echo test\$ing | /usr/bin/passw
+d --stdin bob"'

[download]

Note that I added the pair of single quotes for clarity, but they do not actually appear, since everything in them is passed as a single string with embedded spaces and so on, by perl. What the shell sees is two arguments, the '-c' and the long string: 

/usr/bin/ssh hostname "echo test\$ing | /usr/bin/passwd --stdin bob"

[download]

The shell then runs 'ssh' with two arguments, 'hostname' and the long string: 

echo test$ing | /usr/bin/passwd --stdin bob

[download]

Notice that both double quotes AND the backslash have been removed! You can verify this happens by doing: 

$ echo 'test\$ing'
test\$ing
$ echo "test\$ing"
test$ing

[download]

The net result is the remote sees a varible name $ing, which almost certainly has no value, and so the password is set to be the initial string, 'test'.

Fix this by changing your quoting for this line: 

  my $set_password = '/usr/bin/ssh ' . $master_host . " \"echo \Q$new_
+password\E | /usr/bin/passwd --stdin \Q$username\E\"";

[download]

so it looks like: 

  my $set_password = '/usr/bin/ssh ' . $master_host . " 'echo \Q$new_p
+assword\E | /usr/bin/passwd --stdin \Q$username\E'";

[download]

In the shell, one type of quotes protects the other type and removes their special meaning, so something like "'$HOME'" will print "plain" single quotes surrounding the value of the $HOME variable, for example '/home/joe', which means in your case, the backslash introduced by \Q...\E will be kept, and will do what you expect on the remote system.

In reply to Re: passwords with special characters are trying to kill me... no seriously! by rmcgowan
in thread passwords with special characters are trying to kill me... no seriously! by calmthestorm

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.