Greg Wooledge wrote on Fri, Jun 30, 2023 at 10:36:36AM -0400:
> > then as Greg suggested pass password to bash as argument instead;
> > assuming password has been quoted once as previously:
> > ssh user@machine << EOF
> > bash -c 'echo \$1' -- $password
> > EOF
>
> I never suggested embedding the password inside an unquoted here document.
> My suggestion was more like this:
>
> ssh user@machine bash -s "${password@Q}" <<'EOF'
> echo "$1"
> EOF

hm, this has the password show up in ps on the box executing ssh;
depending on the context that can be bad.

It does simplify the content of the here-doc a bit because it doesn't
require escaping, but the password itself still needs one layer of
escaping (so in his example not ${password@Q} but ${initial_password@Q}
or $password), and we don't know enough to know if showing up in ps can
be important but passwords have generally been recommended to be passed
through stdin

(The here-doc can use a file as backing so it's not necessarily great
either, but hopefully /tmp will be tmpfs and it'll only be readable by
root as opposed to readable by anyone who can read /proc which is pretty
much everyone by default)

Anyway, I agree on need-more-info and I'll probably stop replying to
this; there's been enough helpful answers.
-- 
Dominique Martinet | Asmadeus
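
Added example, not part of the message above or of the thread's own code: one way to hand the password to the remote bash on stdin, so it is in neither ssh's argv nor a here-doc backing file. The helper name run_with_secret is hypothetical; it assumes the command ends in a bash that reads its script from stdin (bash -s) and that the secret contains no newline.

```shell
#!/bin/sh
# Added example (hypothetical helper): send a secret on stdin, never in argv.
#
# Usage: run_with_secret SECRET COMMAND [ARGS...] <<'EOF'
#        ...script that uses "$password"...
#        EOF
# e.g.   run_with_secret "$password" ssh user@machine bash -s <<'EOF'
run_with_secret() {
    secret=$1
    shift
    # The secret travels as exactly one line of input, so refuse newlines.
    case $secret in
        *'
'*) echo "run_with_secret: secret must not contain a newline" >&2
            return 1 ;;
    esac
    {
        # Line 1 is script text: the receiving bash executes this read ...
        printf '%s\n' 'IFS= read -r password'
        # ... and the read consumes line 2 as data, so the secret is never
        # parsed as shell code and needs no quoting or escaping at all.
        # printf is a shell builtin here: no new process appears in ps,
        # and the data goes through a pipe, not a here-doc temp file.
        printf '%s\n' "$secret"
        # Everything after that is the caller's script, taken from the
        # caller's stdin (use a quoted here-doc so nothing expands locally).
        cat
    } | "$@"
}
```

The receiving bash sees the secret only in the variable password; its positional parameters stay empty, which is what keeps it out of the process list on both machines.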