6 Replies Latest reply on Jun 4, 2012 3:51 PM by strngr12

    Passing passwords to Terminal

    strngr12

      Hello everyone,

       

      I have a script that runs an apple script that, in turn, runs a shell script. The problem I have is that the shell script is a proprietary CLI program that asks for a password. Since this is a script that will be shared with many different people I cannot just store the password in the script or in my keychain.

       

      Is there a way to use FMP to get input from the user and pass it to terminal?

       

      Any help would be greatly appreciated!

       

      Thanks,

       

      Dan

        • 1. Re: Passing passwords to Terminal
          sporobolus

          on 2012-06-04 11:22 strngr12 wrote

          I have a script that runs an apple script that, in turn, runs a shell script.  The problem I have is that the shell script is a proprietary CLI program that asks for a password.  Since this is a script that will be shared with many different people I cannot just store the password in the script or in my keychain.

           

          Is there a way to use FMP to get input from the user and pass it to terminal?

           

          yes, you can pass a value from FileMaker to a shell script via AppleScript but it depends how the shell script is constructed

           

          here are some possible scenarios, though without knowing anything about your shell script, it's possible none of these will work; it may be easier or more flexible to use one of the plug-ins that gives you direct access to the shell

           

          first, it's possible the shell script will not need to prompt for a password if it's run with administrator privileges; if this is the case then this AppleScript syntax should work, and doesn't require composing the command string via a calculation in FileMaker, so you can use the "Native AppleScript" option:

           

          do shell script "myshellscript.sh" with administrator privileges
          

           

          the user will see a dialog box prompting them to enter a password; this is the most secure option because the password is then never stored by FileMaker nor AppleScript

           

          the following options are less secure and assume you've either stored the user name & password in FileMaker, or obtained them via the Show Custom Dialog script step, and stored them in script variables; each of these is presented as a Calculated AppleScript which means there is awkward escaping of quotes

           

          the first is a variant on the above that avoids the system password prompt:

          "do shell script \"myshellscript.sh\" with administrator privileges user name \"" & $username & "\" password \"" & $password & "\""
          

           

          next is the syntax if the password must be entered on the command line as an argument, in which case you incorporate the password directly into the command string that follows "do shell script":

           

          "do shell script \"myshellscript.sh " & $password & "\""
          

           

          if there is a password prompt after the shell script starts, you may have to send the password to the standard input; to find out if that works first try it like this in Terminal:

           

          echo mypassword | myshellscript.sh
          

           

           

          and if that works, then you can construct the shell command string via a calculation in FileMaker like this:

           

          "do shell script \"echo " & $password & " | myshellscript.sh\""
          

           

          (there could be typos in any of the above examples)

          • 2. Re: Passing passwords to Terminal
            strngr12

            Thanks for the reply.  I tried that last one and never was prompted for a password.  Instead I got "expected string and found end of script."

             

            I'll try to be more clear.  The current code is:

             

            "do shell script " & Quote ("/tmp/pro_sync.sh 2>&1 > /tmp/pro_log.txt")

             

            Based on your answer above I changed it to:

             

            "do shell script \"echo " & $password & " | /tmp/pro_sync.sh 2>&1 > /tmp/pro_log.txt"

             

            The shell script I'm running actually logs into a remote server which asks for a password.  From terminal it looks like this:

             

            Dan-Dows-MacBook-Pro:~ ddan$ pprcli -u ppr_dan --updatexml

            procli version 1.2.3.45

            Copyright © 2008-2012 PRO Systems, LLC.

            Please enter your password:

             

            I can run the script fine on my machine by storing the password in my keychain which it looks to first for a password, but as I mentioned this will not be the case with some people who use the script.  I think I probably need to define the variable $password first, but am unsure how to do that using user input.  Also, as security is an issue, is there a way to encrypt the input so that if someone were to get ahold of it they couldn't glean the password?  If not, is there a way to just pass the password directly to terminal without storing it in a variable first?

             

            Thanks,

             

            Dan

            • 3. Re: Passing passwords to Terminal
              sporobolus

              on 2012-06-04 12:54 strngr12 wrote

              (...) Based on your answer above I changed it to:

               

              "do shell script \"echo "&  $password&  " | /tmp/pro_sync.sh 2>&1>  /tmp/pro_log.txt"

               

              The shell script I'm running actually logs into a remote server which asks for a password.  From terminal it looks like this:

               

              Dan-Dows-MacBook-Pro:~ ddan$ pprcli -u ppr_dan --updatexml

              procli version 1.2.3.45

              Copyright © 2008-2012 PRO Systems, LLC.

              Please enter your password:

               

              I can run the script fine on my machine by storing the password in my keychain which it looks to first for a password,

               

              okay, it looks like the script is internally using ssh, which on a Mac can automatically use the keychain; it looks like a user name is entered on the command line "-u ppr_dan", which you may need to modify for other users; i wonder if there's an option for a password on the command line (e.g. "-p password") — that might work if using echo does not

               

               

              I think I probably need to define the variable $password first, but am unsure how to do that using user input.

               

              right — if it's going to work at all; i would first test this command in the Terminal:

               

              echo mypassword | /tmp/pro_sync.sh
              

               

              where "mypassword" is the actual password; if this works, then the password is accepted via stdin and it's worth setting up in FileMaker …

               

              and yes, $password must be set, but if you're accepting input a global field is one less step; do a Show Custom Dialog script step, with a global field for the input value #1, and specify "Use password character (•)":

               

              Show Custom Dialog[mytable::passtemp]
              Perform AppleScript[
                 "do shell script \"echo " & mytable::passtemp & " | /tmp/pro_sync.sh 2>&1> /tmp/pro_log.txt\""
              ]
              Set Field[mytable::passtemp; ""]
              

               

               

              Also, as security is an issue, is there a way to encrypt the input so that if someone were to get ahold of it they couldn't glean the password?

               

              not encrypt, but you can avoid retaining the value; in the above example, if passtemp is a global field, other users cannot access the value; along with using the bullet display and clearing the global field immediately afterward (ideally use error-trapping and clear it even if the AppleScript step throws an error), this is "more secure"; anything putting a password on the command line, including the following method, carries some risk that the password could be logged or observed with a system monitor

               

              to keep the password off the command line, you write the password to a file, use the file for stdin, and then securely delete it:

               

              /tmp/pro_sync.sh 2>&1> /tmp/pro_log.txt < mypasswordfile.txt
              srm mypasswordfile.txt
              

               

              If not, is there a way to just pass the password directly to terminal without storing it in a variable first?

               

              yes, the AppleScript itself could request the password instead of FileMaker, thus it wouldn't be stored anywhere but within the script temporarily, and it wouldn't need to be a Calculated AppleScript; try this as "Native":

               

              display dialog "enter password" default answer "" with hidden answer
              set the_password to text returned of the result
              do shell script "echo " & the_password & " | /tmp/pro_sync.sh 2>&1> /tmp/pro_log.txt"
              

               

              this has the same issue with putting the password on the command line

              • 4. Re: Passing passwords to Terminal
                strngr12

                Thanks again for your help.  I like that last approach using the AppleScript, but the proprietary CLI program doesn't seem to like accepting the password entry from the echo command.  Is there a way to use applescript to wait until Terminal prompts for a password and then pass it to the terminal rather than getting the password first and then passing it via the echo?  BTW - the test you set up didn't work:

                 

                echo mypassword | /tmp/pro_sync.sh

                 

                Just returned an endless series of asterisks - I assume this is why that last AppleScript option didn't work.

                 

                Thanks!

                • 5. Re: Passing passwords to Terminal
                  sporobolus

                  on 2012-06-04 14:54 strngr12 wrote

                  Thanks again for your help.  I like that last approach using the AppleScript, but the proprietary CLI program doesn't seem to like accepting the password entry from the echo command.  Is there a way to use applescript to wait until Terminal prompts for a password and then pass it to the terminal rather than getting the password first and then passing it via the echo?  BTW - the test you set up didn't work:

                   

                  echo mypassword | /tmp/pro_sync.sh

                   

                  Just returned an endless series of asterisks - I assume this is why that last AppleScript option didn't work.

                   

                  yeah, i was afraid of that; stdin is cleared before the password is retrieved; you can't use "do shell script" and do the delaying technique you propose because do shell script simply launches a shell process and lets it rip; this is different from having an interactive shell session in an app like Terminal

                   

                  Terminal, the application, can be scripted for interaction, but it will be very visible to your user; the basic approach would be this, to which you could add the password-getting from my previous message

                   

                  tell application "Terminal"
                     set the_window to do script "/tmp/pro_sync.sh 2>&1> /tmp/pro_log.txt"
                     delay 5
                     do script "mypassword" in the_window
                  end tell
                  

                   

                  • 6. Re: Passing passwords to Terminal
                    strngr12

                    Thanks again for all your help.  Fortunately I have Most Favored Nation status with the developer of the CLI so I think I'll take what you have given me and ask that he update the application to accept stdin.

                     

                    Thanks!

                     

                    -Dan
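
Added example, not part of the thread or anyone's posted code: once the CLI accepts the password on stdin, as proposed in the last reply, the hidden-answer dialog and the password-file idea from reply 3 can be combined in one Native AppleScript so that the password never appears in a command string. It assumes /tmp/pro_sync.sh reads one line from stdin; the temp-file template, the use of mktemp and rm, and the variable names are assumptions of this example.

```applescript
-- Added example: prompt for the password, hand it to the script on stdin
-- through a private temp file, and remove the file whether or not the run succeeds.

set the_password to text returned of (display dialog "Enter password" default answer "" with hidden answer)

-- mktemp creates the file with owner-only permissions (0600);
-- nothing secret is on this command line
set pw_path to do shell script "mktemp /tmp/pw.XXXXXX"

try
	-- Write the password from AppleScript itself, not via "echo",
	-- so it is never part of a shell command string
	set fh to open for access (POSIX file pw_path) with write permission
	write (the_password & linefeed) to fh as «class utf8»
	close access fh

	-- Only the file path reaches the shell; quoted form of guards the path.
	-- stdout and stderr both go to the log file used in the thread.
	do shell script "/tmp/pro_sync.sh < " & quoted form of pw_path & " > /tmp/pro_log.txt 2>&1"
on error errMsg number errNum
	-- Clean up on any failure (dialog cancel happens earlier, before the file exists)
	try
		close access (POSIX file pw_path)
	end try
	do shell script "rm -f " & quoted form of pw_path
	set the_password to ""
	error errMsg number errNum
end try

-- Normal path: remove the file and drop the in-memory copy
do shell script "rm -f " & quoted form of pw_path
set the_password to ""
```

The password still sits on disk for the duration of the run, so this narrows the exposure rather than removing it; a password containing quotes, spaces or shell metacharacters passes through unchanged because it is never interpolated into the command.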