Secure Wget Authentication: How to Pass Credentials from a File Instead of Command Line



When automating file downloads with wget in cron jobs or scripts, passing credentials via --user and --password parameters poses security risks. These credentials become visible in process listings (ps -ef) and command history, creating potential exposure.

The most secure method is utilizing wget's native support for .netrc files:

machine example.com
login your_username
password your_password

Save this as ~/.netrc with permissions 600, then use:

wget --netrc https://example.com/protected/file.zip

For per-session credentials without modifying system files:

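# wgetrc takes user and password as separate settings; umask keeps the file private
(umask 077; printf 'user = %s\npassword = %s\n' 'username' 'password' > temp_wgetrc)
wget --config=temp_wgetrc https://example.com/protected/file.zip
rm temp_wgetrc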

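Store credentials in environment variables. This keeps them out of the script text, but the shell expands the variables before it starts wget, so the values still appear in wget's argument list while the download runs: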

export WGET_USER="username"
export WGET_PASS="password"
wget --user="$WGET_USER" --password="$WGET_PASS" https://example.com/file
unset WGET_USER WGET_PASS

For scheduled downloads, combine environment variables with restricted permissions:

# In crontab
0 3 * * * . /path/to/credentials.env && wget --user="$WGET_USER" --password="$WGET_PASS" https://example.com/file

Where credentials.env contains:

# Named WGET_USER/WGET_PASS because USER conventionally holds the login name
WGET_USER="secure_username"
WGET_PASS="complex_password"

  • Always set file permissions to 600 for credential files
  • Use unset or rm immediately after credential use
  • Consider using API tokens instead of passwords when possible
  • For production systems, explore secret management solutions like Vault

If authentication fails:

wget --debug https://example.com

Check for:

  • Incorrect file permissions (must be 600)
  • Newline characters in credential files
  • Special characters requiring escaping
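
The permission and line-ending checks above, plus a structural check of the entries, can be scripted so that a cron job refuses to run with a bad credential file. This is an added example, not part of the original article; check_cred_file and file_mode are hypothetical helper names, and the parser assumes unquoted values and no macdef entries.

```shell
#!/bin/sh
# Added example: lint a .netrc-style credential file before wget uses it.
# check_cred_file and file_mode are hypothetical helper names, not wget features.

# Print a file's octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the file passes every check; otherwise report each finding
# on stderr and return 1.
check_cred_file() {
    f=$1
    rc=0
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }

    mode=$(file_mode "$f")
    if [ "$mode" != "600" ]; then
        echo "$f: mode is $mode, expected 600" >&2
        rc=1
    fi

    # A carriage return (CRLF line endings) becomes part of the last token
    # on the line, typically the password.
    if grep -q "$(printf '\r')" "$f"; then
        echo "$f: contains CR characters" >&2
        rc=1
    fi

    # Tokens come as keyword/value pairs ("default" takes no value); every
    # entry needs one login and one password. Assumption: no macdef, no quotes.
    if ! awk '
        { for (i = 1; i <= NF; i++) tok[++n] = $i }
        END {
            for (i = 1; i <= n; i += 2) {
                if (tok[i] == "default") { m++; i--; continue }
                if (tok[i] == "machine") m++
                if (tok[i] == "login") l++
                if (tok[i] == "password") p++
            }
            exit !(m > 0 && l == m && p == m)
        }' "$f"; then
        echo "$f: each machine entry needs a login and a password" >&2
        rc=1
    fi
    return $rc
}
```

Call it ahead of the download, for example check_cred_file ~/.netrc && wget https://example.com/protected/file.zip, so a failed check stops the job before any request is sent.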

When automating file downloads with wget in cron jobs or scripts, passing credentials via --user and --password flags poses security risks. The credentials become visible in:

  • Process listings (ps -ef)
  • Shell history files
  • System logs

The most secure method is using ~/.netrc (or _netrc on Windows):

machine example.com
login myusername
password mypassword

Then run wget with:

wget --netrc https://example.com/protected/file.zip

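For sites that use a login form, log in once, save the session cookies to a file, and reuse that file with --load-cookies. The --post-data string is still part of the command line during this one-time step, and cookies.txt holds a live session, so give it the same 600 permissions as any other credential file: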

# Create cookie file (one-time setup)
wget --save-cookies cookies.txt \
     --keep-session-cookies \
     --post-data "user=myuser&pass=mypass" \
     https://example.com/login

Subsequent downloads:

wget --load-cookies cookies.txt \
     https://example.com/protected/file.zip

For scripting environments where files aren't ideal:

# Store credentials
export WGET_USER="myuser"
export WGET_PASS="mypass"

# Usage
wget --user="$WGET_USER" --password="$WGET_PASS" \
     https://example.com/file.zip

  • Set strict file permissions: chmod 600 ~/.netrc
  • Consider using app-specific credentials instead of personal accounts
  • Rotate credentials regularly when possible