redis-cli how to AUTH using password and issue a command?

M

4

5

When no password is set, we can issue for instance;

>> redis-cli keys *

or

>> redis-cli config set requirepass "aaaaaa"

However, after we have have issued the latter, the first no longer works and results in:

>> redis-cli keys *
  (error) NOAUTH Authentication required.

We need to authenticate. Sure.

>> redis-cli AUTH aaaaaa
   OK
>> redis-cli keys *
   (error) NOAUTH Authentication required.

How do we authenticate and then able to execute a command?

Is this not possible? Heredocs only?

I've tried:

>> redis-cli AUTH aaaaaa && config set requirepass "aaaaaa"

But did not work. Also semicolon after aaaaaa. Not work.

How?

Meanly answered 9/2, 2021 at 10:38 Comment(0)

M

9

The AUTH commands only last for the duration of the tcp connection. Each new invocation of redis-cli creates a new connection, thus you have to authenticate at each invocation.

It is possible to execute several redis commands on one invocation of redis-cli: they must be separated by \n

Thus this would work:

echo -e 'AUTH aaaaaa\nkeys *' | redis-cli

Note: The other answer also provides a way to pass arguments separated by \n to redis-cli

Medicine answered 9/2, 2021 at 11:4 Comment(2)

Yes, thank you. I tried to redis-cli 'AUTH aaaaaa\nkeys *' but did not work last time. Will try again. Albeit, I was able to get it to work with EOF below. – Meanly 9/2, 2021 at 11:16

@mmm The problem with redis-cli 'AUTH aaaaaa\nkeys *' is that the shell doesn't understand that \nmeans a new line. When you do that you literally send the characters \ then n. Also please accept the answer if it solved your issue – Medicine 9/2, 2021 at 12:24

A

11

You can pass the -a argument for authenticating the redis-cli command like this:

redis-cli -h 127.0.0.1 -p 6379 -a mypassword keys *

Antifebrile answered 9/2, 2021 at 11:51 Comment(1)

this is correct, but I was looking for a way to load it through a config file, because it's considered unsafe to do in the terminal through the -a flag ... guess there is no way to do that...? – Derisive 19/1, 2023 at 16:51

M

9

The AUTH commands only last for the duration of the tcp connection. Each new invocation of redis-cli creates a new connection, thus you have to authenticate at each invocation.

It is possible to execute several redis commands on one invocation of redis-cli: they must be separated by \n

Thus this would work:

echo -e 'AUTH aaaaaa\nkeys *' | redis-cli

Note: The other answer also provides a way to pass arguments separated by \n to redis-cli

Medicine answered 9/2, 2021 at 11:4 Comment(2)

Yes, thank you. I tried to redis-cli 'AUTH aaaaaa\nkeys *' but did not work last time. Will try again. Albeit, I was able to get it to work with EOF below. – Meanly 9/2, 2021 at 11:16

@mmm The problem with redis-cli 'AUTH aaaaaa\nkeys *' is that the shell doesn't understand that \nmeans a new line. When you do that you literally send the characters \ then n. Also please accept the answer if it solved your issue – Medicine 9/2, 2021 at 12:24

L

1

Assign your password to REDISCLI_AUTH env var (and export it). The docs say:

NOTE: For security reasons, provide the password to redis-cli
automatically via the REDISCLI_AUTH environment variable.

Lone answered 24/5 at 9:49 Comment(5)

Won't echo $REDISCLI_AUTH just print it then ? – Meanly 27/5 at 14:32

@Meanly There's no need to echo it, redis-cli is programmed to read it in automatically. – Lone 28/5 at 18:14

but iam saying its exposed once you have server access now. why even have a password if thats the case? – Meanly 28/5 at 18:38

While some schools promote env vars as more secure, I won't go there because I can't provide sources. Security aside, env vars are just handy to use because you only launch your client without piping auth material into it or passing extra args. This is especially handy with containers and k8s where I set up the auth env var once and then reuse it for all liveness/readiness/startup checks or when exec-ing into the container to debug something. – Lone 29/5 at 9:57

Yes, I guess in some cases it might be handy, but a developer with access will be able to read all of the data with ease, while piping the password could in theory be done through some other source that is harder to access and provided through a sourced bash function but i have had some development productivity issues due to AUTH on to be honest so might be useful. But I guess the remote call to the server will at least with protected in this case, which I am guessing is not the case if AUTH is off completely instead so it might be handy but an attacker will look at these known places first. – Meanly 29/5 at 14:1

M

0

This seems to work:

redis-cli <<- 'EOF'
        AUTH aaaaaa
        config set requirepass aaaaaa
EOF

Meanly answered 9/2, 2021 at 10:43 Comment(0)

Recommended topics

Hot tags