0

The script provided by TechJS (https://stackoverflow.com/users/5252192/techjs) in their answer on "How to run sudo with paramiko? (Python)" works perfectly for me.

However, it echoes the password in the command line after my additions, and I know that's not a good idea. I imagine it's from the stdin.write(), but I have no idea how to do it differently.

Can anyone suggest a more secure way of storing and inputting the server password? I'm still pretty new and would love a good lesson on proper password security protocol in these situations :)

Thanks so much for any and all help!

import paramiko
import re
import shlex
import <passwords file> #did chmod 400 for this file

ssh_client= None
server_address='<removed for security>'
server_username='<removed for security>'
server_pass = <password file>.<this server password from passwords file>
command = "<removed for security>"

def main(command, server_address, server_username, server_pass):
    # Initialise both handles so the finally block is safe if connect() fails
    ssh = None
    session = None
    try:
        ssh = paramiko.SSHClient()
        # NOTE: AutoAddPolicy trusts any unknown host key on first contact
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        ssh.connect(hostname=server_address,
                username=server_username,
                password=server_pass)
        session = ssh.get_transport().open_session()
        session.set_combine_stderr(True)
        session.get_pty()
        # shlex.quote keeps quotes inside `command` from ending the bash -c string early
        session.exec_command("sudo bash -c " + shlex.quote(command))
        stdin = session.makefile('wb', -1)
        stdout = session.makefile('rb', -1)
        # With a PTY allocated, input written before sudo turns terminal echo off
        # can be echoed back into stdout, which is then printed below
        stdin.write(server_pass + '\n')
        stdin.flush()
        print(stdout.read().decode("utf-8"))

    except Exception as e:
        print("The following error has occurred during your requested process")
        print(e)  # exceptions have no .message attribute in Python 3
    finally:
        if session is not None:
            session.close()
        if ssh is not None:
            ssh.close()


if __name__ == '__main__':
    main(command, server_address, server_username, server_pass)
Zac

1 Answer

0

After a lot of research I believe I have an acceptable answer, however please take this with skepticism as I am NOT an expert in this field. You have been advised.

This also did NOT fix the printing of the stdin problem, but I have just removed the print() function altogether to remove the issue. This answer is for the password security part ONLY.

tl;dr: here is the answer: https://alexwlchan.net/2016/11/you-should-use-keyring/, but I will explain in more detail and provide examples below of my code used to store and use passwords while never plain texting them.

LONG ANSWER: Python has a package that is built for this purpose specifically, called keyring(). It allows you to store and call on passwords with relative security. It works off of your login credentials, so unfortunately if someone gains access to your account they will have access to this information, but without that you should theoretically be secure (or as secure as one can be, I guess).

Keyring() plus a package called getpass() allow for a user to input a password into their system without committing it to plain text and thus preventing accidental leaking through file sharing or the like.

Here is a very simple script I wrote to automatically prompt you through your choices and store the password without ever needing to store it in plain text:

import keyring
import getpass

def main():

    system = input('System:')
    username = input('Please input username:')
    keyring.set_password(system,username,getpass.getpass())
    print('The password for ' +username+' in '+system+' has been set.\nPlease do not misplace, you will not be able to recover at this point.\nFor misplaced passwords, please resubmit new entry with the same details, it will overwrite the previous entry.')

if __name__=='__main__':
    print('Please input the system in which the password will be used,\nand corresponding username.')
    main()

(If you're using Python 2, then it needs to be raw_input().)

This is done in an entirely different script, so you DO NOT NEED TO HAVE THEM TOGETHER. Run one script to set the password; calling on the corresponding password is then very simple in your main script from that point forward.

passwd = keyring.get_password('<system you inputed>','<username you inputed>')

And you're done!

P.S. I personally have placed a bash file on my PATH that runs this script so that if I ever need to create a password it can be done from any directory within the machine, thus reinforcing good security procedures.

Zac
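One way to combine the keyring storage from the answer with a sudo call that does not echo the password, as an added example that is not part of the original question or answer. The function names (get_secret, build_sudo_command, scrub, run_sudo) are hypothetical, and it assumes the server's sudoers policy does not set requiretty, because no PTY is requested.

```python
import getpass
import shlex


def get_secret(system, username):
    """Fetch the password from the OS keyring; prompt without echo if absent."""
    import keyring  # third-party, imported lazily so the helpers below need only stdlib
    secret = keyring.get_password(system, username)
    if secret is None:
        secret = getpass.getpass(f"Password for {username}@{system}: ")
        keyring.set_password(system, username, secret)
    return secret


def build_sudo_command(command):
    """-S makes sudo read the password from stdin, -p '' silences its prompt,
    and shlex.quote stops quotes or $() in `command` from escaping bash -c."""
    return "sudo -S -p '' bash -c " + shlex.quote(command)


def scrub(text, secret):
    """Defence in depth: mask the secret if it ever appears in captured output."""
    return text.replace(secret, "********") if secret else text


def run_sudo(client, command, password):
    """Run `command` as root over an already-connected paramiko.SSHClient.

    Assumption: no PTY is requested, so the remote side has no terminal
    that could echo what is written to stdin."""
    stdin, stdout, stderr = client.exec_command(build_sudo_command(command))
    stdin.write(password + "\n")
    stdin.flush()
    stdin.channel.shutdown_write()  # send EOF so the remote command cannot wait on stdin
    out = stdout.read().decode("utf-8", errors="replace")
    err = stderr.read().decode("utf-8", errors="replace")
    status = stdout.channel.recv_exit_status()
    return status, scrub(out, password), scrub(err, password)
```

Call it as run_sudo(ssh, command, get_secret(system, username)) after ssh.connect(); stderr is returned separately here, so a failed sudo authentication shows up in the third element and in the exit status.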