Command-line options for runwithpass
The following are the command-line options for runwithpass:
runwithpass.exe [ -conf <file> ] -res <resource ID> -acct <account ID> [ -expirecache ] [ -keyword <string> ] [ -replace <inputfile> <outputfile> ] [ -v ] [ -initial ] [ -randomize ] [ -override <password> ] [ -downloadfile <attributekey> ] [ -downloaddir <directory> ] [ -downloadfilepassword ] [ -- <client cmd> ]
Argument | Description |
---|---|
-conf <filename> | Specify a configuration file. The default is config.ini. |
-res <resource ID> | The ID of the system from which the password will be fetched. |
-acct <account ID> | The ID of the account for which the password will be fetched. |
-expirecache | Treat cached credential as expired. See Section 1.10 for more information. |
-keyword <string> | String to replace with password in client command arguments or input file. |
-replace <inputfile> <outputfile> | Search/replace on the given input/output files. <inputfile> may be - meaning stdin. <outputfile> may be - meaning stdout. |
-v | Attempts to obtain more detailed error information when available. |
-initial | Set the initial passwords as encrypted. Using this argument will prompt for the following: |
-override <password> | Set the account’s password to the specified value. |
-randomize | Set the account’s password to a random value. |
-downloadfile <attributekey> | Download the large credential file using this attribute key. |
-downloaddir <directory> | Download the large credential file to a specific directory. By default, the current directory will be used. |
-downloadfilepassword | Fetch the password associated with the large credential file, if one exists. Must be used in conjunction with -downloadfile. |
-- | Client command line and arguments to run follow the --. If the client command is omitted and no replacement is specified, the password is sent to stdout. |
The command line executed by runwithpass, including the password if it was substituted, may be visible to other users of the system. Using -replace to pass the password to the program’s standard input is recommended.
It is recommended that you use full path names in all arguments.
Examples
To fetch the password for psadmin on target system SSH:
runwithpass.exe -conf config.ini -res SSH -acct psadmin
To replace PWD in template.txt with the password for account APISVCACCT on system PAMSYSID01:
runwithpass -conf config.ini -keyword PWD -res PAMSYSID01 -acct APISVCACCT -replace template.txt - -- /bin/cat
To pass a password on the command-line to /usr/local/bin/somecommand:
runwithpass -conf config.ini -keyword PASSWORD -res PAMSYSID01 -acct APISVCACCT -- /usr/local/bin/somecommand -u APISVCACCT@myserver -p PASSWORD
Note that running 'ps -ef' will display the password unless /usr/local/bin/somecommand removes it from its process space.
There is no portable way for processes to hide their own command-line arguments, and none at all for a parent process to rewrite command-line arguments after passing them to a child process.
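The exposure described here and in the warning above the examples can be checked on the host where the client will run. The script below is an added example, not part of the product documentation, and it does not invoke runwithpass: it starts a stand-in client (the hypothetical name `demo-client`) with a constructed password, once in its arguments and once on standard input, and tests whether the value can be read from the process list.

```shell
#!/bin/sh
# Added example. SECRET is a constructed sample value, not a real credential;
# "demo-client" is a stand-in for the client command that runwithpass would launch.
SECRET='Constructed-Pw-7731'

# Print a process's argv as any local user can read it (Linux /proc, else ps).
visible_argv() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' 2>/dev/null < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1" 2>/dev/null
    fi
}

# argv_has PID STRING: succeed if STRING appears in the visible argv of PID.
argv_has() {
    case "$(visible_argv "$1")" in *"$2"*) return 0 ;; esac
    return 1
}

# probe PID: wait until the child has exec'd, test its argv for SECRET, clean up.
probe() {
    n=0
    until argv_has "$1" demo-client; do
        n=$((n + 1)); [ "$n" -lt 1000 ] || break
    done
    rc=0; argv_has "$1" "$SECRET" || rc=1
    kill "$1" 2>/dev/null || true
    wait "$1" 2>/dev/null || true
    return "$rc"
}

# Password substituted into the client's arguments (the "-- cmd -p PASSWORD" form).
argv_mode_leaks() {
    sh -c 'sleep 2; :' demo-client -u APISVCACCT -p "$SECRET" >/dev/null 2>&1 &
    probe "$!"
}

# Password delivered on the client's standard input. printf is a builtin in
# bash and dash, so the value is not placed in any process's argument list.
stdin_mode_leaks() {
    printf '%s\n' "$SECRET" |
        sh -c 'read -r pw; sleep 2; :' demo-client -u APISVCACCT >/dev/null 2>&1 &
    probe "$!"
}

if argv_mode_leaks; then echo "argv mode:  password visible in the process list"; fi
if ! stdin_mode_leaks; then echo "stdin mode: password absent from the process list"; fi
```

The same `argv_has` check can be pointed at the PID of a real client while it runs to confirm that a given invocation keeps the password out of its arguments.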
To initialize the credential passwords with useargskey encryption:
runwithpass -res AD -acct Administrator -initial
To set the password of an account to a specified value:
runwithpass -res AD -acct Administrator -override newPassword
To randomize the password of an account:
runwithpass -res AD -acct Administrator -randomize
To download a large credential file to the current directory:
runwithpass -res TESTSYS -acct vaultfile -downloadfile LC_FILE
To download a large credential file to a specified directory:
runwithpass -res TESTSYS -acct vaultfile -downloadfile LC_FILE -downloaddir /home/psadmin
To download a large credential file that is associated with a password:
runwithpass -res TESTSYS -acct vaultfile -downloadfile LC_FILE -downloadfilepassword