Linux curl basic auth

NOTE: username = joeuser, password = secretpass

Example #1 - using -H

You can put this together into curl like this:

$ curl -H "Authorization: Basic $(base64 <<<"joeuser:secretpass")" http://example.com 

Example #2 - using -u

Most will likely agree that if you're going to bother doing this, then you might as well just use curl 's -u option.

$ curl --help |grep -- "--user " -u, --user USER[:PASSWORD] Server user and password 

$ curl -u someuser:secretpass http://example.com 

But you can do this in a semi-safer manner if you keep your credentials in a encrypted vault service such as LastPass or Pass.

For example, here I'm using the LastPass' CLI tool, lpass , to retrieve my credentials:

$ curl -u $(lpass show --username example.com):$(lpass show --password example.com) \ http://example.com 

Example #3 - using curl config

There's an even safer way to hand your credentials off to curl though. This method makes use of the -K switch.

When used, your details remain hidden, since they're passed to curl via a temporary file descriptor, for example:

+ curl -skK /dev/fd/63 -XGET -H 'Content-Type: application/json' https://es-data-01a.example.com:9200/_cat/health ++ cat +++ lpass show --username example.com +++ lpass show --password example.com 1561075296 00:01:36 rdu-es-01 green 9 6 2171 1085 0 0 0 0 - 100.0% 

NOTE: Above I'm communicating with one of our Elasticsearch nodes, inquiring about the cluster's health.

This method is dynamically creating a file with the contents user = ":" and giving that to curl .

HTTP Basic Authorization

The methods shown above are facilitating a feature known as Basic Authorization that's part of the HTTP standard.

1. The username and password are combined with a single colon (:). This means that the username itself cannot contain a colon.
2. The resulting string is encoded into an octet sequence. The character set to use for this encoding is by default unspecified, as long as it is compatible with US-ASCII, but the server may suggest use of UTF-8 by sending the charset parameter.
3. The resulting string is encoded using a variant of Base64.
4. The authorization method and a space (e.g. "Basic ") is then prepended to the encoded string.

Источник

How to define the basic HTTP authentication using cURL correctly?

I'm learning Apigility (Apigility docu -> REST Service Tutorial) and trying to send a POST request with basic authentication via cURL:

$ curl -X POST -i -H "Content-Type: application/hal+json" -H "Authorization: Basic YXBpdXNlcjphcGlwd2Q api" 

3 Answers 3

curl -u username:password http:// curl -u username http:// 

From the documentation page:

-u, --user

Specify the user name and password to use for server authentication. Overrides -n, --netrc and --netrc-optional.

If you simply specify the user name, curl will prompt for a password.

The user name and passwords are split up on the first colon, which makes it impossible to use a colon in the user name with this option. The password can, still.

When using Kerberos V5 with a Windows based server you should include the Windows domain name in the user name, in order for the server to succesfully obtain a Kerberos Ticket. If you don't then the initial authentication handshake may fail.

When using NTLM, the user name can be specified simply as the user name, without the domain, if there is a single domain and forest in your setup for example.

To specify the domain name use either Down-Level Logon Name or UPN (User Principal Name) formats. For example, EXAMPLE\user and user@example.com respectively.

If you use a Windows SSPI-enabled curl binary and perform Kerberos V5, Negotiate, NTLM or Digest authentication then you can tell curl to select the user name and password from your environment by specifying a single colon with this option: "-u :".

If this option is used several times, the last one will be used.

Note that you do not need --basic flag as it is the default.

Источник

Curl With Basic Auth

Basic Access Authentication is an HTTP authentication scheme, which consists in a client providing a username and a password when making a request to a server, to prove who they claim to be in order to access protected resources. Note that performing Basic Access Authentication with cURL differs from the idea of authorization in the sense that the latter is performed by the server in order to determine users' access rights - i.e. authorization is what happens after authentication.

The short answer

To perform Basic Access Authentication with [.inline-code]cURL[.inline-code], you can use the [.inline-code]-u[.inline-code] option flag (short for [.inline-code]--user[.inline-code]) as follows:

 $ curl -u username:password url

Where the [.inline-code]username[.inline-code] and the [.inline-code]password[.inline-code] are separated by a colon character ([.inline-code]:[.inline-code]).

Alternatively, if you only specify the [.inline-code]username[.inline-code], [.inline-code]cURL[.inline-code] will prompt you for a password:

[#insert-authorization]Using this command inserts an “Authorization” header under the hood[#insert-authorization]

[.inline-code]cURL[.inline-code] will encode the [.inline-code]username:password[.inline-code] string using the Base64URL encoding scheme and include this value in the [.inline-code]Basic[.inline-code] authorization header of the HTTP request. For example, the [.inline-code]johndoe:password[.inline-code] string will be converted by [.inline-code]cURL[.inline-code] into the following HTTP header:

 Authorization: Basic am9obmRvZTpwYXNzd29yZA==

[#recall-syntax]Remind yourself of the syntax using AI Command Search[#recall-syntax]

If you’re using Warp as your terminal, you can easily retrieve this command using the Warp AI Command Search feature:

Entering [.inline-code]basic authentication curl[.inline-code] in the AI Command Search prompt results in exactly [.inline-code]curl -u username:password url[.inline-code], which you can then quickly insert into your shell by doing [.inline-code]CMD+ENTER[.inline-code].

[#escaping-special-chars]Escaping special characters in [.inline-code]curl[.inline-code] (such as your password)[#escaping-special-chars]

When using cURL for authentication, you may need to escape certain characters in your username or password.

To escape special characters, you can either use a backslash character ([.inline-code]\[.inline-code]).

 $ curl -u johndoe:h\&llo https://example.com

Or you can wrap your string in single quotes, which will cause all special characters to lose their meaning and prevent the shell from performing expansions.

 $ curl -u johndoe:'h&llo' https://example.com

Here are some characters that should be escaped:

• Colon ([.inline-code]:[.inline-code]): the colon is used to separate the username and the password; note that this character shouldn't exist in your [.inline-code]username[.inline-code], and should be escaped if it exists in your [.inline-code]password[.inline-code].
• Ampersand ([.inline-code]&[.inline-code]): the ampersand is used by the shell to send a process to the background.
• Percent ([.inline-code]%[.inline-code]): the percent sign is used to encode special characters in URLs, which may cause encoding errors.
• Space: the space character is used by the shell to separate command-line arguments and options.

[#use-https]Use HTTPS (not HTTP) with your [.inline-code]curl[.inline-code] requests[#use-https]

Generally speaking, it is never a good idea to pass your credentials in clear text over the network using an unsecured protocol such as HTTP.

When available, you should always use the HTTPS endpoint of the service you are trying to authenticate to, by specifying the [.inline-code]https[.inline-code] scheme in the target URL as follow:

 $ curl -u username:password https://example.com

This will add a strong layer of encryption on top of HTTP that guarantees that your credentials are safe even if they were to fall into the wrong hands.

[#secure-curl-credentials]Secure your [.inline-code]curl[.inline-code] credentials in a [.inline-code].netrc[.inline-code] file[#secure-curl-credentials]

In general, performing an authentication by typing your credentials in clear text in the command-line constitutes a significant security risk.

The reason for that lies in the fact that, just like your browser saves the searches you perform, the shell keeps an internal history list of all the commands you run.

These commands are temporarily stored in the RAM until you log out of your current shell session, which will cause the history list to be physically written to the disk in a file located in your home directory (e.g. [.inline-code].bash_history[.inline-code] for Bash, [.inline-code].zsh_history[.inline-code] for ZSH, etc).

Because of that, other users registered on the system might be able to access this file and steal your credentials.

You can of course clear specific entries of the history before it is written to the disk using the [.inline-code]history[.inline-code] command:

However, a better way to secure your credentials is to retrieve them from a file only you can access.

[#netrc]The .netrc file[#netrc]

In order to avoid passing your credentials in clear text to the [.inline-code]cURL[.inline-code] command, you can store them in a file named [.inline-code].netrc[.inline-code] located in your home directory:

 default login john@example.com password h3lloJ0hn

And then use the [.inline-code]-n[.inline-code] option flag (short for [.inline-code]--netrc[.inline-code]) to perform an authentication:

Note that if you want to keep this file in another directory, you can use the [.inline-code]--netrc-file[.inline-code] option flag instead to specificity its path:

 $ curl --netrc-file path/to/file url

For obvious security reasons, this file should only be readable and writable by you, which can be achieved using the following [.inline-code]chmod[.inline-code] command:

You can learn more about changing the access rights and ownership of files on Linux by reading our articles on the chmod command and the chown command.

Источник