[mdlug] Programatically Answering a Password Prompt
John Wiersba
jrw32982 at yahoo.com
Fri Aug 8 08:53:37 EDT 2014
Have you tried the Tcl-based Expect program to handle this? Expect creates a Pseudo TTY to interact with the password-prompting program. There are many other programs which more-or-less mimic what Expect does, for the same purposes.
Also, I can't resist: The practice of writing password-prompting programs to read from /dev/tty without making provision to read from stdin (or some other technique) is a *serious* mistake and a huge PITA. I could go on and on about this, but thankfully some programs (e.g. GNU passwd vs. shadow-utils passwd) are starting to wise up that there are many legitimate and secure uses for passing a password to a program other than via /dev/tty. Expect is a wonderful tool to work around programs which haven't thought enough about this. I'm looking at you, ssh and ssh-agent. Unfortunately such Expect scripts are fragile and brittle by their very nature, which is one reason why it's much better to provide additional means other than only reading from /dev/tty.
Message: 6
>Date: Fri, 08 Aug 2014 01:52:14 -0400
>From: Aaron Kulkis <akulkis00 at gmail.com>
>To: MDLUG's Main discussion list <mdlug at mdlug.org>
>Subject: Re: [mdlug] Programatically Answering a Password Prompt
>Message-ID: <53E4658E.90108 at gmail.com>
>Content-Type: text/plain; charset=UTF-8; format=flowed
>
>Wojtak, Greg wrote:
>> I'm writing a python script and part of it is calling kinit to get a kerberos ticket before doing some ldap operations. I'm trying to find a method to pass the password into my script, and I haven't been able to reliably do this. Depending on the distribution of Linux and the version of that distribution, I've found that different versions of kinit will read the password:
>>
>>
>> * From STDIN
>> * From a file descriptor dup()'ed from STDIN
>> * By opening /dev/tty and polling directly for key presses/input
>>
>> I have been able to get the first two cases covered, but I am at a loss as to how to get the third case going. I've even tried firing off the kinit and then writing directly to /dev/tty, but as expected, that does not work. If it helps, I am using the python subprocess module with Popen to run kinit, but as far as I know, there is no method to redirect anything other than file descriptors 0, 1, and 2 with Popen.
>>
>> Does anyone have any insight into this? Even if you're not a python programmer, if you know how this is working, any insight you could give would be much appreciated.
>>
>
>Any GOOD password prompter reads directly from the keyboard, not from stdin.
>
>I had to get around a similar issue years ago on a Sequent system. Unfortunately, I forget what I did in that script
>exactly, but it did involve the use of a very short-lived named pipe, using the PID as part of the filesystem name
>for the pipe.
>
>The whole purpose was so that I could load up several 6-tape autoloaders on Friday afternoon, and do
>completely automatic backups of a database on Sunday with no need for human activity.
>
>Unfortunately, I do not have a copy of the script.
>
>[That was before I smartened up and started emailing myself at my gmail account any script I wrote]
>
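
Added example, not part of the original messages: the pseudo-TTY technique the reply attributes to Expect, done with Python's standard pty module for the third case in the question (a prompter that opens /dev/tty). The function name answer_tty_prompt and the STANDIN child are assumptions made for illustration; STANDIN is a constructed substitute for kinit so the code runs offline, and the secret travels only over the pty, never on the command line.

```python
import os
import pty
import select
import signal
import sys

# Constructed stand-in for a prompter that reads only from /dev/tty:
# getpass opens /dev/tty, turns echo off, prints the prompt, reads one line.
STANDIN = [sys.executable, "-c",
           "import getpass; pw = getpass.getpass('Password: '); "
           "print('len=%d' % len(pw))"]


def answer_tty_prompt(argv, secret, prompt=b"Password:", timeout=10.0):
    """Run argv on a new pseudo-terminal and answer its prompt once.

    Returns (exit_code, output); exit_code is -1 if the child was killed.
    """
    pid, master = pty.fork()  # child: new session, pty slave is its /dev/tty
    if pid == 0:
        try:
            # stdin is /dev/null on purpose: only /dev/tty can carry the secret
            os.dup2(os.open(os.devnull, os.O_RDONLY), 0)
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)
    seen, sent = b"", False
    try:
        while True:
            ready, _, _ = select.select([master], [], [], timeout)
            if not ready:  # prompt text changed or never came: give up
                os.kill(pid, signal.SIGKILL)
                break
            try:
                chunk = os.read(master, 1024)
            except OSError:  # Linux reports EIO once the child closes the slave
                break
            if not chunk:
                break
            seen += chunk
            # Answer only after the prompt: the prompter flushes pending tty
            # input when it disables echo, so an early write would be lost.
            if not sent and prompt in seen:
                os.write(master, secret + b"\n")
                sent = True
    finally:
        os.close(master)
    _, status = os.waitpid(pid, 0)
    code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1
    return code, seen
```

The prompt match is the fragile part the reply describes: if the program's prompt wording differs from the expected bytes, the call times out and kills the child instead of answering.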