How to use wget with a netrc file?

This article is a quick, practical guide to making the wget command-line utility read login credentials from a .netrc file automatically. A .netrc file lets you keep your usernames and passwords for various websites and FTP servers in a single file with restricted permissions, so you do not need to expose sensitive data in plain text within your terminal history or automated scripts.

Understanding the .netrc File

The .netrc file is a standard configuration file used by various networking programs to automatically log into remote machines. Instead of typing your password every time you connect to a server, or passing it directly via command-line arguments, you store the credentials in this file located in your user’s home directory.

Setting Up Your .netrc File

Before instructing wget to use the file, you must create it and format it correctly. The file must reside in your home directory (~/.netrc) and should contain specific keywords: machine, login, and password.

Here is an example of how the content should look:

machine example.com
login myusername
password mysecurepassword

machine ftp.another-site.org
login ftpuser
password ftppassword

Securing Your Credentials

Because the .netrc file contains sensitive passwords in plain text, you must restrict its permissions so that other users on the system cannot read it. You can achieve this by running the following command in your terminal:

chmod 600 ~/.netrc

Important Note: If the permissions are too open (e.g., readable by anyone), wget may refuse to read the file for security reasons.
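The following script is an added example, not part of wget or of the original article. It checks the format and permission requirements described above before a job relies on the file. The helper names are hypothetical, and it assumes whitespace-separated tokens with no quoting.

```bash
# Pre-flight audit of a netrc file before wget uses it (added example).
# Helper names are hypothetical; tokens are assumed to contain no whitespace.

# Succeeds only if FILE is a regular file (not a symlink), owned by the current
# user, with no group/other permission bits (for example mode 600 or 400).
netrc_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]   # "-rw-------" -> "------"
}

# Prints "machine<TAB>login" for each entry; the password is never printed.
netrc_entries() {
    awk '
        { for (i = 1; i <= NF; i++) tok[++n] = $i }    # flatten file to tokens
        END {
            for (i = 1; i <= n; i++) {
                if (tok[i] == "machine") {
                    if (host != "") print host "\t" login
                    host = tok[++i]; login = ""
                } else if (tok[i] == "login") login = tok[++i]
                else if (tok[i] == "password") i++     # skip the secret value
            }
            if (host != "") print host "\t" login
        }' "$1"
}

# Succeeds if FILE is private and contains an entry for HOST.
netrc_ready_for() {
    netrc_is_private "$1" || { echo "refusing: $1 is not private" >&2; return 1; }
    netrc_entries "$1" | cut -f1 | grep -Fxq -- "$2" \
        || { echo "no entry for $2 in $1" >&2; return 1; }
}

# Demo on a constructed file that reuses the article's placeholder values.
demo=$(mktemp)
chmod 600 "$demo"
printf 'machine example.com\nlogin myusername\npassword mysecurepassword\n' > "$demo"
netrc_ready_for "$demo" example.com && netrc_entries "$demo"
rm -f "$demo"
```

In a script, call netrc_ready_for "$HOME/.netrc" example.com before the wget command and stop if it fails.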

Instructing wget to Read the .netrc File

By default, GNU wget is programmed to look for a .netrc file in your home directory automatically whenever a server requests authentication. However, you can explicitly manage this behavior using specific command-line flags.

Explicitly Enabling netrc Reading

If you want to ensure wget looks for the file, or if it has been disabled in your global configuration, use the --netrc=on flag:

wget --netrc=on https://example.com/protected-file.zip

Specifying a Custom netrc File Path

If your credentials file is named differently or located outside your home directory, you can direct wget to the exact path using the --config flag or by setting the NETRC environment variable. To apply the environment variable to a single invocation, set it directly before the command:

NETRC=/path/to/custom/netrc_file wget https://example.com/protected-file.zip

Disabling netrc Reading

If you have a .netrc file but want to bypass it for a specific request—perhaps to enter temporary credentials manually—you can turn the feature off using:

wget --netrc=off https://example.com/protected-file.zip