When working with command lines that require passwords, such as using ldapsearch, it’s crucial to manage these credentials securely. Storing passwords directly in command-line scripts or entering them in ways that leave them accessible in history files poses significant security risks. Such practices can lead to accidental exposure through system logs or even simple copy-paste errors into communications like chats or emails.
Here’s a simple yet effective method to keep your passwords secure:
- Secure Input: Use the command read -s w to safely read the password into an environment variable named "w". The -s option makes the input silent, so the password is not displayed as you type.

  $ read -s w

- Use the Variable: With the password stored in the variable w, you can now use it in your command. Make sure you quote it, since a randomly generated value may contain special characters and/or spaces. For instance:

  $ ldapsearch -ZH ldap://ldap2.rexpro.local:3892 -w "${w}" -s base -b "cn=Database 1,cn=Databases,cn=Monitor" olmMDBPagesMax olmMDBPagesUsed olmMDBPagesFree

  This command uses the ldapsearch utility to query the database without exposing the password in the shell history or on the screen.

- Best Practices: Clear the variable after use to prevent residual risk, by unsetting it (unset w) once the command has finished.
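The read / use / unset sequence above, packaged as a small script. This is an added example, not code from the original post: read -s is a bash extension, so the function below turns terminal echo off with stty instead, which also makes it run under plain POSIX sh, and it restores the terminal even if the user hits Ctrl-C mid-entry. The variable is a shell variable (not exported, so child processes do not inherit it), and it is unset before the function returns. The ldapsearch invocation is left as a comment because the helper that stands in for it (use_secret_once, SECRET_LEN) is constructed for this example; in a real script the -w "$w" argument goes where that comment sits. One caveat the post does not mention: a password passed as a command-line argument is still visible in the process listing (ps) of the host for as long as the command runs, so on a shared machine prefer a mechanism that reads the password from a file or from the terminal, such as ldapsearch's -y passwdfile option.

```shell
#!/bin/sh
# Added example, not code from the original post. Reads a password without
# echoing it, uses it once, and scrubs the shell variable afterwards.

# read_secret VAR [PROMPT]
# Reads one line from stdin into the shell variable named VAR. When stdin is a
# terminal, echo is switched off for the duration and restored afterwards,
# also on Ctrl-C. When stdin is a pipe or here-document, it just reads.
read_secret() {
    _rs_var=$1
    _rs_prompt=${2:-"Password: "}
    if [ -t 0 ]; then
        _rs_saved=$(stty -g)
        # never leave the terminal with echo off if the user interrupts
        trap 'stty "$_rs_saved"; printf "\n" >&2; exit 130' INT
        printf '%s' "$_rs_prompt" >&2
        stty -echo
        # IFS= and -r keep leading spaces and backslashes intact
        IFS= read -r "$_rs_var"
        _rs_rc=$?
        stty "$_rs_saved"
        trap - INT
        printf '\n' >&2
    else
        IFS= read -r "$_rs_var"
        _rs_rc=$?
    fi
    unset _rs_var _rs_prompt _rs_saved
    return "$_rs_rc"
}

# use_secret_once
# Demonstrates the read / use / unset pattern. The "use" step here only
# records the password length in SECRET_LEN (a constructed stand-in for the
# ldapsearch call). Whatever the outcome, the variable w is unset before
# returning, so nothing lingers in the shell session.
use_secret_once() {
    read_secret w "LDAP bind password: " || return 1
    SECRET_LEN=${#w}
    # real use would be, for example:
    # ldapsearch -ZH ldap://ldap2.rexpro.local:3892 -w "$w" -s base \
    #   -b "cn=Database 1,cn=Databases,cn=Monitor" olmMDBPagesMax
    unset w
    return 0
}
```

Run it interactively with `use_secret_once && echo "read $SECRET_LEN characters, variable cleared"`; when stdin is not a terminal (a pipe, a here-document, or /dev/null) the function reads without touching the terminal, and an empty input makes it return non-zero instead of continuing with an empty password.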
Conclusion
Managing passwords securely in command-line environments is essential to maintaining system security. By using environment variables and ensuring they are handled correctly, you can significantly reduce the risk of password exposure.
BONUS POINTS: Get rid of passwords entirely by implementing TLS external authentication with short-lifetime certificates. Please contact chris.paul@rexconsulting.net for more information.