Question

I have the following command but it doesn't work for me...

cd /etc/postfix/ssl/ && openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 <<PASS
password
password
PASS

UPDATE:

The output is:

109 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...............................++++++
...........++++++
e is 65537 (0x10001)
Enter pass phrase for smtpd.key:

It should auto answer the question and put password automatically.

I always use HEREDOC for automating my Q&A on bash and it works fine...

What is the problem here?


Solution 2

As @Graeme said HERE

I can do with heredoc like so:

I have to add -passout stdin for openssl to read from stdin.

cd /etc/postfix/ssl/ && openssl genrsa -passout stdin -des3 -rand /etc/hosts -out smtpd.key 1024 <<PASS
password
PASS

OTHER TIPS

OpenSSL (and OpenSSH) takes measures to read the password directly from the terminal, rather than from stdin, as a security measure.

However there are a load of ways to supply passwords to OpenSSL. Check man openssl for the section PASS PHRASE ARGUMENTS.

So you could do:

  openssl genrsa -des3 -rand /etc/hosts -out smtpd.key -passout "pass:mypassword" 1024

... but per the manpage: "Since the password is visible to utilities (like 'ps' under Unix) this form should only be used where security is not important"

Or you could do:

printf '%s\n' "$PASS" | {
    openssl genrsa -des3 -rand /etc/hosts -out smtpd.key -passout fd:3 1024
} 3<&0

... which is supposedly more secure than other options because the password won't show up in ps.
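
The file-descriptor approach from the answers above, as an added example that is not part of the original posts: it generates an encrypted key with the passphrase supplied on fd 3, then checks that the key is encrypted and that only the right passphrase opens it. It assumes openssl is on PATH, uses -aes256 and 2048 bits instead of the page's -des3 and 1024, and omits -rand; the function names, passphrase and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names, passphrases and paths are constructed.

# gen_key KEYFILE PASSPHRASE: write an encrypted RSA key to KEYFILE.
# The passphrase reaches openssl on fd 3 through a here-document, so it is
# never part of the argument list that ps displays (unlike "pass:...").
gen_key() {
    (
        umask 077   # key file must not be readable by group or others
        openssl genrsa -aes256 -passout fd:3 -out "$1" 2048 2>/dev/null 3<<EOF
$2
EOF
    )
}

# check_key KEYFILE PASSPHRASE: succeeds only if PASSPHRASE decrypts KEYFILE.
check_key() {
    openssl rsa -in "$1" -passin fd:3 -noout 2>/dev/null 3<<EOF
$2
EOF
}

# is_encrypted KEYFILE: succeeds if the PEM header marks the key as encrypted.
# Matches both "Proc-Type: 4,ENCRYPTED" and "BEGIN ENCRYPTED PRIVATE KEY".
is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d) || exit 1
demo_key="$demo_dir/smtpd.key"
gen_key "$demo_key" 'constructed-sample-passphrase' && echo "generated $demo_key"
is_encrypted "$demo_key" && echo "key is stored encrypted"
check_key "$demo_key" 'constructed-sample-passphrase' && echo "correct passphrase accepted"
check_key "$demo_key" 'some-other-passphrase' || echo "wrong passphrase rejected"
rm -rf "$demo_dir"
```

In a real script, read the passphrase from a root-only file or a secrets store rather than embedding it in the script text.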

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow